Friday, June 16, 2006

Don't Just Plug Random Crap Into Your Computer

From Techdirt:

There's been a lot of talk about how iPods and other portable devices pose a security risk to companies, as employees may store important company documents on them. Now there's fear that such devices could upload malware and infect corporate systems. A team of security specialists recently demonstrated exactly how such an attack might work. First they collected a bunch of cheap USB drives, the type a company might give out for free as a promotion. After loading malware onto them, they simply scattered a bunch of them around the parking lot of a bank at 6:00 AM, when nobody was watching. As the employees got to work, they found the drives just sitting there, and one by one plugged them into their computers as the day went on. What's funny is that the employees knew there was going to be a security test happening, and yet they still didn't find it suspicious that several USB drives just happened to be in the parking lot when they got to work. It's unfortunate, but it seems that the typical office employee just doesn't understand or care about security. Recall the studies suggesting how easy it is to get employees to give up their passwords in exchange for a cheap gift. While that lesson may seem obvious, just wait for the fearmongering about USB drives, totally missing the point.

Enough said. It is human nature and actually very difficult to overcome. Users (employees) require constant security awareness training. I've seen it in action. Users keep picking easy-to-guess passwords and give them away with ease. They'll plug in anything and install software or open any cute card they receive by email. A never-ending battle.

1 comment:

  1. Anonymous, 2:13 PM EDT

    Does that mean that just the act of plugging these things into a (Windows) computer is enough to infect a machine? Whose dumb idea was that?
