Category : security

From keychains to t-shirts, to even just pens and pencils, every brand knows that freebies are an effective marketing technique. And why not? Free stuff is great! Especially when you’re living that student life, they can be a godsend. And sometimes, away from any table trying to sell some idea or product, life will give you an unexpected bonus: a penny in a parking lot or a nice G-2 pen on the floor in a hallway. I’m not ashamed that I like those as well, small as they are.

But what about something like a USB thumb drive? Most of us know that its value isn’t as simple as an ink pen’s. There could be dozens of hours of work on there, and we can all appreciate late nights polishing up a paper. So naturally we want to find out who it belongs to and return it, but without a name on the outside, what other way is there to find the owner than to inspect the files it contains? While there may just be some homework assignments and miscellaneous pictures on there, there could just as easily be something far more dangerous. This threat is not talked about as much as your run-of-the-mill scams and phishes, but it can be even more dangerous and difficult to stop, so much so that even the United States Department of Defense had difficulty with it.

The Worm that Ate the Pentagon 

That was what the media dubbed it back in 2008, when the National Security Agency’s Advanced Networks Operations team detected a computer virus called “agent.btz”, as reported by Blake Stilwell of We Are The Mighty. The virus in question was a type known as a ‘worm’, identified by its capability to propagate itself with no human interaction and spread to any linked device while remaining active on the originally infected computers. And much like their parasitic counterparts, worms can reinfect a computer multiple times, slowing it down and eventually rendering it totally unusable! The Department of Defense launched an investigation and determined that the worm had originated on a USB flash drive left in a parking lot at a military installation in the Middle East. An unnamed military member picked it up and inserted it into a DoD computer, and the worm went on to infect not only several unclassified networks throughout the military, but also the SIPRNet (the Secret Internet Protocol Router Network, i.e., the military’s own classified internet) as well as the Joint Worldwide Intelligence Communications System used by the US’ top intelligence agencies. The worm was so stealthy that it was only discovered when it started to “beacon” out to its creator, asking for follow-on instructions. At that point there was no way to tell whether information had been leaked, or what! The effort to resolve this computer virus was massive, resulting in not only the military’s ban on all USB thumb drives but also the establishment of an entirely new Military Unified Command, the US Cyber Command. The situation was not resolved until well into 2009.

So, you can see that even the most well-funded defense agency in the world was laid low for years by the simple, seemingly innocuous act of inserting an unknown thumb drive into a computer, likely in an innocent attempt to find its owner. If the US federal government, with all its resources, took that long and had to put that much effort into solving a single incident, how long would it take, and how much damage would be done, for a state government to do the same? A company? A university? A household?

So what should be done with unattended USB storage media? 

Any unattended flash drive or hard drive discovered on campus should be turned in to the Washburn University IT service desk in Bennett Hall, or to the Washburn Police Department. Never plug an unknown drive into your own computer or a university computer to determine its contents. Remember, doing so could lead to:

  • Malware and Viruses - One of the most significant risks of using unknown USB devices is the potential for malware and viruses. Malicious actors may intentionally infect USB drives with harmful software designed to exploit vulnerabilities in your computer's operating system. When a compromised USB stick is connected to a computer, these malicious programs can spread, corrupt files, steal sensitive data, or grant unauthorized access to your system. 
  • Data Breach and Identity Theft - Plugging an unfamiliar USB drive into your computer can lead to severe consequences such as data breaches and identity theft. Malware on the device may be programmed to collect personal information, including passwords, financial data, or login credentials, which can then be exploited for fraudulent activities or unauthorized access to online accounts. 
  • Unauthorized Access and Backdoors - Unknown USB sticks can also be used to introduce backdoors or gain unauthorized access to your computer or network. Malicious actors may exploit vulnerabilities in your operating system, allowing them to control your computer remotely or use it as a launchpad for further attacks. This can compromise your privacy, lead to data loss, or even result in your computer being used for illegal activities without your knowledge. 
  • Physical Damage - In addition to digital risks, there is also a chance of physical damage when plugging in unknown USB sticks. Some USB drives may be designed to deliver a high-voltage shock or damage the USB port, potentially rendering your computer inoperable. This type of attack is less common, but it highlights the importance of exercising caution with unfamiliar devices.

Thank you for staying vigilant! 

--WU ITS Information Security 


