Posted on 04/11/2016 2:26:42 PM PDT by markomalley
A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs.
Researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan, spread 297 USB drives around the Urbana-Champaign campus. They found that 48 percent of the drives were picked up and plugged into a computer, some within minutes of being dropped.
"The security community has long held the belief that users can be socially engineered into picking up and plugging in seemingly lost USB flash drives they find," the researchers reported this month.
"Unfortunately, whether driven by altruistic motives or human curiosity, the user unknowingly opens their organization to an internal attack when they connect the drive a physical Trojan horse."
The study dropped USB sticks containing HTML files that had img tags embedded; opening the files fetched the image from a remote server, allowing the researchers to track the USB drives' use and rough location. It's obviously not a perfect means to detect usage, but close enough. And, yes, we're talking about people - students and staff - who hang around a uni campus.
The drives were usually picked up within hours of being left in the lot, with one being opened just six minutes after being dropped off. Overall, 48 per cent of the drives were picked up and plugged into a PC.
Additionally, the study found that just 16 per cent of users bothered to scan the drives with anti-virus software before loading the files; 68 per cent of the respondents said they took no precautions whatsoever before plugging in the drives.
The users said that, for the most part, they were acting in good faith. 68 per cent of the users said they were only accessing the drive in order to find its owner, though a "handful" of respondents said they were planning to keep the USB drive for themselves.
This led the researchers to believe that an attacker would have no problem spreading malware in an organization by simply dropping an infected USB drive in a public place.
"We hope that by bringing these details to light, we remind the security community that some of the simplest attacks remain realistic threats," the researchers said.
"There is still much work needed to understand the dynamics of social engineering, develop technical defenses, and learn how to effectively teach users how to protect themselves." ®
You’d do it if you were hungry
In Haiti when my ships unloaded little kids would scoop up dry rice by the handful off the cargo hold floor and eat it
You are set up to look at possibly corrupted USB drives; most people are not.
I never leave usb drives out - not knowing what might be placed on them when I am not around.
Oddly enough, the vast majority of “found” USB drives are not lost by our employees, rather, it is the factory equipment contractors.
I’ve had a couple of free dinners on the contractor’s dime.
Stop using deception in these “studies”.
That is like picking up a lit cigarette butt off the street and putting it in your mouth.
(A kid on my street growing up used to do that. He was a little “touched.”)
Yep. I would never pick it up to start with so no urge to plug it in. Lol
I came across a graphic picture on the Internet (you can find anything, unfortunately) that detailed how to build an explosive into a USB stick. It is detonated by plugging it in, by the voltage supplied in a USB port. Thankfully I haven't heard of any incidents in the news. But just beware that there are pranksters who may go too far in the pranks they perform.
Didn't see any obvious leaks in that condom either.
"Unfortunately, whether driven by altruistic motives or human curiosity, the user unknowingly opens their organization to an internal attack when they connect the drive a physical Trojan horse."
Aaaaaand I'll stop here.
DoD stopped use of USB drives over 5 years ago because they are made by Chinese
Too Bad the DOS, HLS, etc. cannot figure out what is compromised.