STRANGER DANGER – Don’t Insert Unknown USB Flash Drive in your Computer
This is a Flash Drive. Sometimes it’s called a Thumb Drive. If you don’t know where that Thumb Drive has been, don’t stick it in your USB port.
Why would someone (maybe you) who would never drink from an open bottle found in a parking lot take an abandoned, discarded or lost thumb drive they stumble upon in a parking lot or the street and insert it in their computer? Well, that’s exactly what someone at CENTCOM did (click on the link to see why CENTCOM is so important).
From the NPR show “Fresh Air” (topic: Assessing The Threat of Cyberterrorism), Feb 10, 2010:
Terry Gross interviewed James Lewis, who “directs the Technology and Public Policy Program at the Center for Strategic and International Studies. He was the project director for the Commission on Cybersecurity for the 44th Presidency, a project started in 2007 to make recommendations to the next president about cybersecurity.” The entire interview transcript is here.
GROSS: What are other favorite ways of attacking companies or individuals?
Mr. LEWIS: The high-end attacks will be more sophisticated and some of it involves what we call social engineering, right? So social engineering is, I get your e-mail address, I get some data about you, or maybe I find out your wife's name or your birthday or something and I send an e-mail - I get your contact list and I send an e-mail to all your friends. It looks like it's from you and the header is: My birthday is coming up or something and it has the date. Inside that e-mail there might be embedded or contained some malicious package. The friend sees the e-mail, thinks it's from you, they click on it and open it, hey presto, I've got him, right?
Works great and that's been used - that's, you know, it's a more labor intensive effort but it's used against high-value targets. The other one people know about now, I'm sort of upset it because it was so - it was such a wonderful technique that I'm upset it's become public now and people stopped doing it: Put some bad software on a thumb drive, you know, in three or four thumb drives, drive to the parking lot of the place you're targeting - DOD, some company, a bank - and scatter the thumb drives in the parking lot, right? Now, a good citizen picks up the thumb drive and...
GROSS: These are like little portable...
Mr. LEWIS: Yeah, the memory sticks.
GROSS: Portable memory sticks that you just plug into your computer.
Mr. LEWIS: Yeah.
GROSS: Right.
Mr. LEWIS: Throw - how much - it's not going to cost you that much. Throw four or five of them in the parking lot, someone will pick it up and plug it into their computer. And at that second, if they haven't taken certain precautions, and most people haven't, at that second you will implant your malicious software that will allow you to either take control or to exfiltrate data. So that's a good one too. People are learning about that one. That's how DOD got hacked last year. That's how CentCom classified networks got hacked so...
GROSS: That's how CentCom got hacked - that somebody picked up something from the parking lot and plugged it into their computer?
Mr. LEWIS: The other one I heard about is, of course...
GROSS: Wait, wait, is that true? That's how CentCom got hacked?
Mr. LEWIS: Yeah. It was a memory stick. It was funny for me because I gave a talk once to one of these defense contractor groups about cyber security and at the end they gave me a present for talking. It was a memory stick.
(Soundbite of laughter)
Mr. LEWIS: Made in China. I said you clearly haven't been listening.
(Soundbite of laughter)
Mr. LEWIS: I've heard the same things happened at Justice where somebody scattered them in the men's rooms and Justice was smart enough to figure out that - whoever found it was smart enough to figure out not to fall for the trap. But, you know, look, you've got intelligence agencies with 10,000 employees and multi, hundreds, million dollar budgets who spend every day trying to figure out some way around your defenses. You’re going to come up with something.