Think before plugging in USB drives

  • By Steve Walker
  • Computer Systems Corp. information assurance office
The "insider" threat is real. Stolen laptops and hacked databases are not the only sources of stolen sensitive information. It was an employee of Coca-Cola who conspired to sell trade secrets to PepsiCo. It was a DuPont employee who downloaded and stole proprietary information valued at $400,000,000 (yes, that is $400 million).

Along with the intentional theft of information, there also is a real possibility for unintentional theft of information. With the growing need/desire to do more and to work harder, many people take work home with them. So, the solution is a little device known as a USB (Universal Serial Bus) thumb drive. Take this little device a step further by adding an interface and an earphone or headphone jack, and you have an MP3 player. And let's not forget that if you add a lens and shutter, you have a digital camera. All of these items use flash memory. So, you may ask, what is the big deal? Well, here is a real-life story that will illustrate the big deal.

A security exercise/test was conducted by a consulting firm under contract with a credit union. The consulting firm took 20 USB thumb drives and loaded some images along with a Trojan horse program on them. Then they simply scattered them on the ground in the parking lot and smoking areas around the credit union. The Trojan horse was initiated when one of the image files was opened. The Trojan was designed to simply collect computer-specific information along with logins and passwords. The program then would e-mail the collected information back to the consulting firm. Within a few hours, 15 of the 20 thumb drives had been found and plugged into credit union computers. While the users browsed through the images, the Trojan horse was initiated; it collected the information and e-mailed it to the firm. The data that was exfiltrated allowed the firm to compromise the credit union's systems as well as other systems.

Imagine for a moment that you were one of the employees who obeyed all the rules and didn't stick one of these thumb drives into your work computer. And it was a "bad guy" who put the drives there to start with, not a consulting firm hired by your employer. You instead took the drive home and put it in your home computer ... No big deal, huh? Well, I don't know about you, but I pay my bills online, not to mention accessing my bank and credit card accounts online. I guess now it is a pretty big deal.

The lesson learned: Don't put any removable media into your system if you don't know the origin of it. I would recommend you disable the "Autorun" feature on all but the C-drive on your home computers (this has been done for the government systems on the network). Doing this will take a little work on your part, but it isn't too difficult. Go to www.microsoft.com and do a search for "tweakUI." Download tweakUI.exe and install it. When you run Tweak UI, you'll be able to turn the "Autorun" option off on your drives.
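
The "all but the C-drive" setting can also be checked from PowerShell. The script below is an added example, not part of the original article or of Tweak UI; it assumes the per-user NoDriveAutoRun policy value (a bitmask of drive letters), and its -Apply and -Keep parameters are names chosen here.

```powershell
# Added example: audit (and with -Apply, set) the per-user NoDriveAutoRun
# policy so Autorun is disabled for every drive letter except those in -Keep.
param([switch]$Apply, [char[]]$Keep = @('C'))

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoDriveAutoRun'   # bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:

function Get-AutorunMask([char[]]$KeepLetters) {
    $mask = 0x03FFFFFF                       # Autorun disabled on all 26 letters
    foreach ($l in $KeepLetters) {
        $bit = [int][char]::ToUpper($l) - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -band (-bnot (1 -shl $bit))   # clear the bit = leave Autorun on
    }
    return $mask
}

function Get-EnabledLetters([long]$Mask) {
    # A cleared bit means Autorun is NOT disabled for that letter.
    0..25 | Where-Object { -not ($Mask -band (1 -shl $_)) } |
        ForEach-Object { [char]([int][char]'A' + $_) }
}

$wanted  = Get-AutorunMask $Keep             # 0x03FFFFFB when only C: is kept
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Output "$name is not set for this user; no per-letter restriction is in place."
} else {
    $on = (Get-EnabledLetters $current) -join ', '
    if (-not $on) { $on = 'none' }
    Write-Output ("{0} = 0x{1:X8}; Autorun not disabled for: {2}" -f $name, $current, $on)
}

if ($current -ne $wanted) {
    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value $wanted -Type DWord
        Write-Output ("Set {0} to 0x{1:X8}." -f $name, $wanted)
    } else {
        Write-Output ("Expected 0x{0:X8}; re-run with -Apply to set it." -f $wanted)
    }
}
```

This setting only stops programs from launching automatically when a drive is inserted. The Trojan horse in the exercise above ran when a user opened a file on the drive, so the first rule, not plugging in media of unknown origin, still applies.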

For more about information security, contact Steve Walker or Dave Loveless at the information assurance office, 213-7300 or 213-6231.