Thumb Drive Security Peril at US Justice Department


My friend Allan Holmes at Government Executive Magazine posted an interesting blog entry today.

Allan writes that according to a July 9th group e-mail sent by the security department at the Executive Office for U.S. Attorneys in Washington, two "stray" thumb drives were found on the ninth floor of the Bicentennial Building on E Street in downtown Washington DC, where the U.S. Attorneys Executive Office operates. The drives, one found in the men's restroom and another on a facsimile machine, would, once attached to a computer, secretly steal "certain system information" off the computer and transmit it out of the Justice Department. The e-mail read:

"Please be advised that two USB thumb drives were discovered on the 9th Floor of the Bicentennial Building. One was discovered in the Men's restroom yesterday afternoon. Another was found this morning on a facsimile machine. The drives contain malicious code that automatically and silently executes when the drive is plugged into a system. The code captures certain system information and transmits it out of DOJ."

As Allan and others point out, what a tempting way to break through security - brilliant in the simplicity of its seduction.

How tempted would you be if you saw an 8GB drive apparently lost by someone to find out what was on it?

Makes you wonder how easy it would be for someone to just seed a bunch of infected thumb drives around company or government office buildings, or say at restaurants or bars where employees gather. Just think of the damage you could do around a university - do you believe students would think twice? How about department stores as well? Conferences and trade shows hand out thumb drives all the time - think of the damage that could be done there.

Allan told me that another way would be to just drop of some nondescript drive on someone's desk - they would probably just assume it was theirs.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City