Author: David Laster – Director of Software Solutions at GraVoc
Picture this: You just got back to the office from a networking event or conference where you received several promotional USB drives from different companies. Thinking nothing of it, you plug one into your computer to see what information is stored on it and BOOM just like that you and your entire company have been compromised. What are the hidden dangers of plugging a random USB drive into your computer?
Flying back home from the GP User Group Summit 2018 in Phoenix, I asked myself the above question and started thinking about all of those USB sticks that the independent software vendors (ISVs) gave me at a number of impressive booths they had on the trade show floor. To be frank, I was somewhat dismayed to have walked away with far fewer sheets of glossy marketing paper listing the specific products and summary descriptions each of the vendors offered than I expected. Call me old-fashioned about this, but I’m OK with that because that type of marketing works for me. I understand – lugging or direct-shipping crates and boxes of glossy paper is nobody’s idea of a good time or use of funds, not to mention the waste when people ultimately leave it at the hotel or eventually throw it away. So yes – in the end – I am on board with digital documentation.
BUT…what if ANY of those USB sticks I now have to go out of my way to get the documentation off has malware or spyware or any other kind of malicious file on it? I mean, I trust the ISVs and the products themselves – they do great work and provide incredible functionality for our GP customers. Would it be possible for any of these exciting digital marketing tools to harm my laptop – or even worse – our new internal SharePoint site or the network when I upload them there and share with others? I simply wasn’t comfortable running the risk, especially after hearing horror stories of incidents that have happened in the past.
When USB Swag Goes Wrong
A perfect example of when USB swag can go wrong is the IBM incident. Back in 2010, IBM unknowingly handed out infected USB drives to attendees at the Australian AusCERT conference. Anyone who visited the IBM booth was given a free USB drive that contained malware, and anyone who plugged in the infected USB was compromised. In an apology email, IBM wrote:
At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected. The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and has been known since 2008. The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically. Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.
Inspecting trade show USBs
Fortunately, we have an important, separate and complementary customer-facing practice here at GraVoc that deals solely with Information Security. They also help train all staff internally on good digital best practices, but it is up to me – the individual – to live up to them. As a member of the Software Solutions practice, I had the luxury of being able to take the 6 USB sticks I brought home from Arizona directly to them and present my dilemma: “I and my team need the info, but don’t want to run the risk of plugging these into my laptop. What should I do?” The Information Security team took the USB devices and spent a few hours checking them over on special equipment, using a variety of special processes to ensure my safety and the safety of our computers. All 6 of them checked out OK for me... this time.
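A defender-side first pass of the kind an analyst runs before a stick ever touches a work laptop, added here as an example and not GraVoc’s own process or tooling: it walks a drive mounted read-only on an analysis host, flags autorun files and the program they point at (the setup.exe plus autorun pair named in the IBM email), lists executables, and records a SHA-256 for every file so the hashes can be checked against AV or sandbox services without running anything. The mount path and the demo() sample drive are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Names Windows Autorun historically honoured, plus extensions that commonly carry a dropper.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def autorun_targets(text: str) -> set[str]:
    """File names an autorun file would launch via open= or shellexecute= lines."""
    pat = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*\"?([^\"\s]+)", re.I | re.M)
    return {m.group(1).lower() for m in pat.finditer(text)}

def triage(mount: Path) -> dict:
    """Read-only inventory of a mounted drive: autorun files, what they launch,
    executables, and a SHA-256 per file for AV / sandbox lookup. Nothing is executed."""
    f = {"autorun_files": [], "launched": [], "executables": [], "hashes": {}}
    for p in sorted(mount.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(mount).as_posix()
        f["hashes"][rel] = sha256_of(p)
        if p.name.lower() in AUTORUN_NAMES:
            f["autorun_files"].append(rel)
            f["launched"] += sorted(autorun_targets(p.read_text(errors="replace")))
        elif p.suffix.lower() in EXEC_EXT:
            f["executables"].append(rel)
    f["verdict"] = "REVIEW" if f["autorun_files"] or f["executables"] else "NO_FLAGS"
    return f

def demo() -> dict:
    """Constructed sample drive mirroring the AusCERT layout (autorun file + setup.exe)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")
    (root / "setup.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder bytes, not a real binary
    (root / "docs").mkdir()
    (root / "docs" / "brochure.pdf").write_bytes(b"%PDF-1.4 placeholder")
    return triage(root)

if __name__ == "__main__":
    r = demo()
    print(r["verdict"], r["autorun_files"], r["launched"], r["executables"])
```

Windows 7 and later no longer honour autorun.inf on removable drives, so the autorun check catches older droppers; the executable listing and hashes are what matter on current systems.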
However, not every company has its own Information Security department. In that case it is up to the employees to identify potential risks. Business owners and IT heads need to train their employees on the possible hidden dangers of storage devices and what could be lurking within them. Properly trained staff members add an extra security layer to your organization that will help prevent possible breaches.
For more information on how storage devices can be hacked or for services on training your staff members on the importance of security risks, check out our Information Security services.