Look What I Found! A Flash Drive!

You are probably familiar with flash drives (a.k.a. USB drives, thumb drives, memory sticks, etc.). They are small things that you can plug into a slot in your computer that you can use to store data or to transfer data to another computer or device.

They have become quite inexpensive and you can buy one with a respectable amount of storage for $10 to $20, especially when they are on sale.

Before I say anything more about flash drives, I want to ask you a question about something completely different.

Imagine you were walking down a road. Nobody was around. You looked down and saw a $20 bill lying on the road. Would you pick it up and keep it? Remember, there is no way to determine who lost it. I think most people would pick it up and most people would feel free to spend it.

Now, let’s say that instead of the $20 bill, you found somebody’s wallet. What would you do? Some people would keep it and spend whatever money they found. I think most people would look inside the wallet to find some identification. If they could, they would likely try to contact the owner and return it. I don’t think that many people would leave it on the side of the road untouched, or pick it up and throw it away without looking inside.

Now, let’s say you happen to notice a flash drive that someone dropped. You didn’t see anyone drop it, you just find it lying there.

Images of various flash drives

What would you do?
Pick it up, excited that you just got yourself a free flash drive
Pick it up, with hopes of finding information on it that will identify the owner so you can return it to them
Pick it up, curious to find out if there was anything interesting or worthwhile on it
Pick it up and throw it away
Leave it lying there

 

Many people will pick it and many of those will plug it into their computer. That’s what you do with flash drives, right? But that could be a big mistake.

There are two ways this could be a problem. Both mean your computer may be infected and come under the control of a hacker.

When you plug a flash drive into your computer, the computer reads some of the information it contains to identify what is being plugged in. In addition, many computers will run a program when you plug the flash drive in. If there is an “autorun” file on the drive, that will be executed. This is the feature that allows a computer to start a CD or DVD when you place it in your computer’s DVD slot. It is the feature that brings up the “install” screen when you place the disc for software you buy into your computer. It is a useful feature. But it is also a way that computers are compromised.

That means that simply plugging the flash drive into your computer can infect/compromise your computer, without you having to ever look at what is on the drive, without your needing to open any files.

Even if there isn’t an “autorun” feature that gets activated, if you start searching the contents of the drive to see what is on it, or open any files, you have additional risk. If any of those files are malicious, your computer gets infected.

Here’s the rest of the story. It is a common tactic for hackers to place these flash drives in the parking lot, or elsewhere on the premises, of a business they want to hack. If they spread some of these around, it is just about guaranteed that somebody is going to find one and plug it into a computer. That’s all it takes for the hacker to gain access to the company’s information and computers. Only one person needs to take the bait.

Sometimes, the flash drive may have a label on it that says something like “Executive Salaries” or “Layoffs.” An employee that sees that label on the flash drive is going to want to see the information it contains. If there is no label on the drive, the names of the files might be similar to the labels referred to above. An employee who plugs the drive into their computer and sees files named
“PlannedLayoffs.xls”
“BudgetCuts.xls”
“Confidential-MergerDetails.doc”
would find it hard to resist taking a peek. After all, who wouldn’t want to know if they were about to lose their job?

If they open the files, they may find some information that looks appropriate to the name of the file. The hacker may have created some fake data so the files look legitimate, in an attempt to keep the employee from knowing that it is fake data. Or, the employee could receive an error when they try to open the file. Whatever the result, it’s too late once they attempt to open anything, even if they get a message saying it couldn’t be opened. And, remember, in many cases they don’t even have to open any files. Just plugging it in is all that is required. Game Over!

Obviously, not all flash drives will contain the malware to infect a computer. But it is a commonly-used technique. The best practice is: Don’t plug any “unknown” flash drives into your computer. Ever!

Now, lets switch gears again.

Do you like cookies? Do you have a favorite kind? Suppose your best friend gave you your favorite cookie. Would you eat it? Of course you would!

Now, what if you saw that cookie lying next to a dumpster at the entrance to an alley in a busy city. It’s covered with dirt and has some green slimy stuff on it. That slimy stuff isn’t frosting! Would you pick it up and eat it? I doubt it.

I’d like to propose a new model for thinking about flash drives. They are more like cookies than $20 bills. If you buy a flash drive or receive one from a trusted source, make good use of it. But, if you find one lying around, or if someone you don’t fully trust gives one to you, treat it like the cookie lying in the crud and slime on the street. Consider it contaminated. Don’t plug it in.

So, what’s the right answer to the question I asked earlier, about what to do if you find a flash drive?

If you find it outside your workplace, the best option is to report it to the computer security people at your organization. Hopefully, they are up-to-date on security threats and know it’s not safe. Whatever you do, don’t plug it in any computer or other system.

There is one more important thing to consider. If someone has a flash drive and wants to use it to transfer a document or a picture to your computer, be cautious. A lot of people’s computers are infected and they don’t realize it. If that flash drive was in an infected computer, it is possible that it is now infected as well. It may not be safe to plug it into yours. It would be better to transfer the file by e-mail. I’m not saying you should never plug in a drive, but you should recognize that, if the drive is infected, plugging it into your computer may infect your computer as well. At least you now know that it may not be safe.