December 07, 2011, 11:10 AM — An analysis of USB memory sticks lost on trains in Sydney revealed that two thirds of them were infected with one or more strains of malware and none was secured with an encryption solution.
The experiment was done by antivirus firm Sophos, which acquired three bags of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales.
According to Sophos, the analysis was performed on 50 USB sticks that ranged from 256MB to 8GB in size and revealed that 33, or 66%, of them were infected, some with multiple types of malware.
One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.
"If you're a Windows user, don't assume that you can automatically trust everything that comes from your Apple-loving friends," said Paul Ducklin, Sophos' head of technology for the Asia Pacific region. "And even if you're one of those Mac users who is opposed to the concept of anti-virus software, consider softening your stance as a service to the community as a whole," he added.
Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.
"We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.
"The malware involved was mostly very prevalent, general-purpose, zombie stuff," Ducklin explained. The security expert believes that this method of malware distribution is not even viable because most lost USB sticks are being handed into lost property rather than being plugged into computers by users.
"Sadly, I think the malware prevalence tells a simple story of poor PC hygiene," Ducklin concluded. This is also the reason for none of the USB sticks being encrypted or password-protected.
The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.
Fortunately, none of the files contained overly sensitive material like government secrets, weapon designs, law enforcement data, credit-card details or other similar information that has been found on lost memory sticks before.