The next time you find a lost USB key, bear in mind Paul Ducklin's little experiment before you plug it into your computer. He picked up 50 USB keys that were found on the Sydney RailCorp train network and discovered 66 per cent of them contained malware.
Ducklin, who works for Sophos Asia-Pacific as its head of technology, went to RailCorp's lost property auction this year with the aim to pick up some USB keys to play with and see what could be unearthed.
Armed with about $400, he and his team thought there would be enough to buy at least 100 USB keys, but after competitive bidding and a couple of dud devices, they found their luck and research money only took them as far as 50 USB keys. Ducklin noted that ignoring the data on the devices, he could have bought brand-new USB keys for about half of what they had paid.
Nevertheless, he and his team found that two thirds of the USB keys were infected with malware. From the 50 devices, Ducklin and his team found 62 malware-infected files. One key had six infected files, with four different variants of malware on it.
While none of the identified malware affected Apple's OS X platform, nine of the USB keys appeared to have been used extensively on Macs and seven of those USB keys carried infected files.
"If you're a Windows user, don't assume that you can automatically trust everything that comes from your Apple-loving friends. And even if you're one of those Mac users who is opposed to the concept of antivirus software, consider softening your stance as a service to the community as a whole," Ducklin wrote in his report.
Ducklin also crushed any hopes that sensitive data had been floating around on the railway system.
"There were no visible plans for nuclear submarines, no insider trading tips, no credit card dumps, no criminal plots and no US State Department cables dating back to the 1970s," he wrote, but added that he and his team took the ethical approach and only looked at what was directly accessible.
"We decided to err on the side of caution and to try to avoid learning too much about the original owners of the keys.
"So, we didn't dig anywhere near as deep as an unethical hacker or a serious investigator would have. In particular, we didn't analyse every byte of every file, or search systematically for keywords across slack space, or try to reconstruct deleted files."
Despite this, Ducklin said that from the information gleaned from the USB keys, they were able to capture a lot of personal information about who had lost the devices as well as the original owners' families, friends and colleagues.
The files that Ducklin found on the devices were mostly images, followed by source code, web files, documents and programs.
- Lists of tax deductions
- Minutes of an activists' meeting
- School and university assignments
- AutoCAD drawings of work projects
- Photo albums of family and friends
- A CV and job application
- Software and web source code
Despite the amount of personal information and possible intellectual property that Ducklin was able to uncovered, he noted that not a single USB key employed any sort of encryption or appeared to contain any encrypted files.
"This study serves as a timely reminder that any information about you is worth money to cyber criminals, no matter who you are," Ducklin warned.
"And don't forget the crooks don't need to be directly involved in identity theft themselves — there's an underground market for selling on personally identifiable information of all sorts."