Lost USB keys an easy target for criminals wanting personal data

Sophos study finds two-thirds of keys recovered from Sydney trains contain malware

Tax deductions, photo albums and Web source codes were just some of the kinds of personal information Sophos found on 50 USB keys purchased in a RailCorp lost property auction in Sydney.

The study was conducted to see what the potential cost is of someone finding a lost USB key, and if Sydney-siders are taking adequate measures to secure their technology.

Paul Ducklin, head of technology at Sophos Asia Pacific, said in a statement that the information security company didn’t have to dig too far on the keys to find a good deal of personal information about many of the people who had lost their keys, including information about their friends and family.

Other information that was found included university assignments, AutoCAD drawings of work projects and a job application.

Another concern was that 33 of the keys were infected by malware, with a total of 62 infected files found.

While the team didn’t uncover any Apple OS X malware, nine of the keys appeared to belong to Macintosh users and seven of those were infected.

“In other words, if you’re a Windows user, don’t assume that you can automatically trust everything from your Apple-loving friends,” Ducklin said.

“And even if you’re one of those Mac users who is opposed to the concept of anti-virus software, consider softening your stance as a service to the community as a whole.”

However, the biggest surprise for the Sophos team was that none of the keys were encrypted, or appeared to contain any encrypted files.

“All the devices were openly readable at sector level without any decryption, were directly mountable as FAT volumes without a password and consisted of plaintext files in a conventional directory structure,” he said.

Ducklin warned that people should not be lulled into thinking that their personal data is unimportant.

“Information about you is worth money to cyber criminals and the crooks don’t need to be directly involved in identity theft themselves. There’s an underground market for selling on personably identifiable information of all sorts,” he said.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the Computerworld newsletter!

Error: Please check your email address.

Tags sophosUSB keysinformation securityPaul Ducklin

More about AppleSophos

CIO
ARN
Techworld
CMO