Cybersecurity quiz winners rewarded with malware-infected USB sticks

It is a truth universally acknowledged in the infosecurity community, that giving away free USB sticks only leads to trouble.

On countless occasions we’ve seen businesses embarrassed as they hand out thumb drives which are not only stuffed to the brim with marketing material, but are also unwittingly hiding malware.

And yet, companies continue to put the public at risk by giving away cheap USB sticks at trade shows, often with little consideration as to what may also be lurking on the device.

In perhaps the most ironic example of “Danger USB!” yet, we hear that Taiwan’s cybercrime-fighting investigators recently handed out malware-infected USB sticks to… winners of a cybersecurity quiz.

Taiwan’s Criminal Investigation Bureau has apologised after handing out 54 infected flash drives at a data security expo hosted by the government from 11-15 December, an event which had the noble aim of raising awareness of cybercrime. Ho hum!

As local media reports, distribution of the 8GB devices was halted on the afternoon of 12 December after early winners of the quiz reported that their anti-virus software had warned them that the drives contained malware.

The Windows-based malware was designed to steal personal information from infected PCs and send it via an IP address based in Poland to parties unknown.

However, it seems unlikely that Taiwan’s computer crime-busting cops, or the event itself, were deliberately targeted by hackers. Instead, as is often the case, there is a more down-to-earth explanation for what happened – and why only 54 of the 250 giveaway USB drives are believed to contain the malware.

According to the Criminal Investigation Bureau, the infections have been traced back to a single PC at an external contractor. It seems that a random sample of the USB drives was plugged into the infected PC in order to test their storage capacity, and the malware was unwittingly transmitted to 54 of them at that time.

It’s the kind of security goof that is all too familiar. Readers with long memories may recall that, in 2010, IBM handed out USB sticks at the AusCERT security conference infected by not one… but two pieces of malware.

Seven years later, IBM found itself in the embarrassing position of having to admit that it had shipped malware-infected USB sticks to enterprise customers.

How can you protect yourself from unsolicited, unwanted USB sticks? Well, there’s one simple fool-proof method that guarantees your computer won’t become infected.

No prizes if you guessed correctly. Simply throw it in the rubbish bin.



This is a Security Bloggers Network syndicated blog post authored by Graham Cluley. Read the original post at: HOTforSecurity