A Western Australian security exercise, which saw USB sticks left in public places with software on them to phone home when used, has been mirrored in part in the US with similar results.
In the Western Australian test, eight of fifteen agencies failed the test. Agency staff found and connected the USB sticks to their computers, allowing the devices to access their agency's network and phone home.
Earlier this week, Bloomberg revealed that the US Department of Defence had followed part of the WA auditor-general's exercise, releasing computer disks and USB sticks in the parking lots of government buildings and private contractors to see how well its security would hold up.
Mirroring Australia's poor result, 60 per cent of the devices picked up in the US found their way into government and private contractor computers.
While many are quick to point to humans as the weakest link in security, BT chief security technology officer Bruce Schneier said in a blog post that it was only natural for people to plug USB sticks and computer disks into computers.
"Of course people plugged in USB sticks and computer disks. It's like '75 per cent of people who picked up a discarded newspaper on the bus read it.' What else are people supposed to do with them?"
He said that people weren't being idiots when they plugged USB sticks into PCs, as that was what the sticks were for.
"Maybe it would be if the response is: 60 per cent of people tried to play the USB sticks like ocarinas, or tried to make omelettes out of the computer disks. But not if they plugged them into their computers. That's what they're for," he said.
The problem, according to Schneier, is the operating system, which should be more picky about what media it associates with.
"The problem isn't that people are idiots ... The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer," he said.
Hacklabs director Chris Gatford agreed that the problem is the operating system, and said that in 2009 Microsoft had changed Windows so that software no longer runs automatically from a USB stick when it is plugged in, minimising the impact of rogue devices.
He said that this helped reduce the problem; however, he pointed out that the update didn't stop people from being naturally curious.
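The AutoRun change Gatford describes is controlled by Windows policy values, and a defender can verify it is in force rather than assume it. The script below is an added example, not code from the article or from Hacklabs; it assumes the standard Explorer policy key and its `NoDriveTypeAutoRun` and `HonorAutorunSetting` values, and must run elevated to apply the fix.

```powershell
# Added example: audit (and optionally enforce) the Windows AutoRun mitigation.
# NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun:
# bit 0x04 covers removable drives (USB sticks); 0xFF excludes every type.
# HonorAutorunSetting = 1 is the value the 2009 update checks before it
# honours NoDriveTypeAutoRun at all (assumed current behaviour).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPosture {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $mask  = $null
    if ($null -ne $props -and $null -ne $props.NoDriveTypeAutoRun) {
        $mask = [int]$props.NoDriveTypeAutoRun
    }
    [pscustomobject]@{
        NoDriveTypeAutoRun     = $mask
        RemovableDrivesBlocked = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
        AllDrivesBlocked       = ($mask -eq 0xFF)
        HonorAutorunSetting    = if ($null -ne $props) { $props.HonorAutorunSetting } else { $null }
    }
}

function Set-AutoRunDisabled {
    # Creates the policy key if absent, then blocks AutoRun on all drive types.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policyKey -Name HonorAutorunSetting -Value 1    -Type DWord
}

$posture = Get-AutoRunPosture
$posture | Format-List
if (-not $posture.RemovableDrivesBlocked) {
    Write-Warning 'AutoRun is still permitted on removable drives; run Set-AutoRunDisabled as administrator.'
}
```

The audit reports the raw mask alongside the two bits that matter, so a host where only CD/DVD AutoRun was disabled still shows up as exposed to USB sticks.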
While it is unknown whether the exercise carried out in the US automatically executed malware when USB sticks were inserted, it was certainly not the case in Australia. Users had to make the conscious choice to run potentially dangerous programs.
According to the report (PDF) released by the auditor-general, "these [Australian] USBs did not contain auto-executing malware but instead relied on a social approach. An individual would have to pick up the USB [device], plug it in, then make the decision to read a file and then run a program."
"End-users still need to understand the security risks of removable media (just as many of us learned in the 90s about virus infection from good old floppy disks). Often (due to human nature) examples of how this affected the IT security posture at an organisation are needed to persuade a change in user behaviour/thought processes," Gatford said.
What do you think? Is it a case of PEBKAC — problem exists between keyboard and chair — or is the operating system the issue?