Sophos CityRail memory key adventures


My Yuki fig with a memory key

Speak of the devil, security research firm Sophos performed a study on fifty USB keys they purchased from a New South Wales RailCorp lost property auction. Personally, I didn't find the results too shocking.

(Starting in 2009 I got into the habit of always taking tech hardware photos with Yuki in them. This time I tried to use really harsh light to make her look sinister, did it work?)

Report rhymes with… port. That was inspired.

Sophos icon

From the report on Sophos Naked Security, a must read blog that you must read.

Lost USB keys have 66% chance of malware
by Paul Ducklin on December 7, 2011

We ended up with Lots 671, 672 and 674: bags containing a motley assortment of 20, 21 and 16 keys respectively. For this rag-tag collection of 57 USB sticks, we paid $409.96 once the auctioneer’s 16.5% fee was added in. We could have bought brand-new for slightly less than half that price.

The data on drives are more valuable than the drives themselves now. Not surprising.

Five of the keys were broken, including the two novelty items in the set (a car and a Lego-like block). Two of the rest were unreliable, so we excluded them, although one gave up just enough data to reveal an Autorun worm but little else.

That left a conveniently-round number of 50 devices in the test.

The study revealed that two-thirds were infected with malware, and quickly uncovered information about many of the former owners of the devices, their family, friends and colleagues.

Disturbingly, none of the owners had used any sort of encryption to secure their files against unauthorised snoopers.

In perhaps a sociologically optimistic way, the Sophos team in Sydney were "surprised" at the prevalence of malware. To be honest, I would have been more surprised if fewer of the memory keys contained malware.

Professor Mal Ware of some dodgy uni thing

Windows logo

As I've reiterated here many times, Windows itself can be a usable operating system provided it's thoroughly patched and well maintained. Unfortunately, for most people the chore of doing so is simply still too great, and those who think otherwise are kidding themselves. Nerds are not typical users.

These findings can also be seen as further proof that despite the increased prevalence of network attacks, sneakernet infections are still alive and well. I can still remember the first time I brought home an infected floppy disk from school and our McAfee AntiVirus for Windows 95 had a fit. Chernobyl W32, I'm looking at you. Hey, that rhymed.

Pointless nostalgia aside though, the prevalence of these worms on memory keys only adds further evidence for their effectiveness as an attack vector. Stuxnet is but one contemporary example of malware using this vector, which conveniently bypasses firewalls and other such network intrusion detection.
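The Autorun worms Sophos found relied on a crafted autorun.inf at the root of the drive, which older Windows releases honoured on insertion. As an added example that is not from the post or from Sophos, here is a small Python checker that parses such a file and lists the entries that would launch a program, the kind of triage you would run on a found key before trusting it; the sample autorun.inf and the RECYCLER\worm.exe path in it are constructed for illustration.

```python
import configparser
from typing import Dict, List

# Constructed sample modelled on the classic Autorun-worm layout (launcher hidden
# in a RECYCLER folder); it is not a file recovered from any of the Sophos keys.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; cosmetic entries that keep the drive looking harmless in Explorer
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Photos
; entries that actually run code on insertion or on a double-click in Explorer
open=RECYCLER\worm.exe
shell\open\command=RECYCLER\worm.exe
"""

LAUNCH_KEYS = {"open", "shellexecute"}  # directives that run a program directly


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lowercase key -> value dict ({} if absent).
    autorun.inf is INI-style; worm copies vary in casing and may be malformed,
    so parsing is lenient and an unparsable file is reported as having no section."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False,
                                      delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(name)}
    return {}


def suspicious_entries(section: Dict[str, str]) -> List[str]:
    """Directives that would execute something: open=/shellexecute= run a program
    outright; shell\\<verb>\\command= hijacks Explorer's context-menu verbs, so a
    user who merely opens the drive in Explorer runs the worm too."""
    hits = []
    for key, value in section.items():
        direct = key in LAUNCH_KEYS
        verb_hijack = key.startswith("shell\\") and key.endswith("\\command")
        if value and (direct or verb_hijack):
            hits.append(f"{key}={value}")
    return hits


def scan_autorun(text: str) -> List[str]:
    """One-call check: launch entries in an autorun.inf (empty list = nothing auto-runs)."""
    return suspicious_entries(parse_autorun(text))
```

On a real key you would read the root autorun.inf with a non-autorunning machine and pass its contents to scan_autorun; cosmetic-only files (icon and label) come back empty.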

He would be Professor Person Aldata

TrueCrypt icon by Renderhead44

As for the personal data they contain, it's also no surprise to me people are so cavalier, and don't use encryption of any sort. I use TrueCrypt and/or GnuPG on my memory keys and external hard drives I intend to use for anything other than media transfer (ahem), but again I'm not a typical use case, and assuming you're reading my blog, you're probably not either.

Either everyone becomes more adept at understanding the need for encryption and how to use it, or people stop losing things, or encryption software becomes easier/more transparent for users. I can predict which of the three already is more feasible, but will it happen?

Finally, it appears we can also draw some other conclusions. Those who take public transport in New South Wales — trains in particular — lose infested memory keys on a regular basis. Is it the fact they take the train that's the cause of them having malware on their memory keys? I report, you decide!

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.