Cyber Security – Are you protected against USB drives from all sources?

Here’s important cyber security news from Bryce Austin of TCE Strategy about something we rarely give a second thought to – USB storage devices:

“This has been a very exciting month in the world of cybersecurity!

… the USA Secret Service has a bit of egg on its face after inspecting a USB drive from a Chinese national who was arrested inside President Trump’s Mar-a-Lago resort. The USB drive immediately began installing malicious files on the computer it was plugged into (USB drives are a well-known vulnerability, as the act of plugging them in is enough to allow files to be executed on a computer using exploits called BadUSB and USBHarpoon). Details about the particular Secret Service computer that was used to examine the USB drive in question have not been released. If that computer was stand-alone (no network, no Internet, no connections to anything other than a keyboard, monitor and mouse), then the Secret Service followed basic cybersecurity best practices. An even better idea would have been to use specialized equipment that is not a true fully-functioning computer, but rather a piece of hardware specifically designed to interrogate USB drives without risk of infecting a traditional computer operating system. If the USB drive in question was plugged into a networked computer, then it would be a breach of the most basic of cybersecurity protocols. I have had the honor of speaking at Secret Service events in the past, and I’m choosing to take the stance that the Secret Service likely followed reasonable cybersecurity protocols, and that this issue is being overblown. It would be in the public best interest for more details to be released so that private companies can learn from this event.

In addition to a cybersecurity-focused publication (Ars Technia), I’ve included two articles below from larger media outlets (USA Today and Fox News). It is regrettable that best practices when handling USB drives receives so little attention.

The takeaway from this event is simple: don’t plug in USB drives without having a good, strong history as to where it has been and who has used it. Think of USB drives like prescription drugs – do you really want to swallow a pill that you aren’t 99.999% sure it is what it claims to be? Of course not. Don’t let your computer swallow a poison pill either. Throw out USB drives that have any reasonable chance of being infected with malware.

https://arstechnica.com/tech-policy/2019/04/chinese-woman-arrested-at-trump-resort-had-hidden-camera-detector-8000-in-cash/

https://www.foxnews.com/us/woman-arrested-at-mar-a-lago-club-with-2-chinese-passports-malware-feds-say

https://www.usatoday.com/story/news/politics/2019/04/03/mar-lago-arrest/3356751002/

https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/

Until next month, stay safe!”


About Bryce Austin:

Bryce Austin, CEO of TCE Strategy, provides CIO and CISO advisory level services and is a keynote speaker around the globe. Please click here to talk to Bryce about how he can help your organization.

About Helene Segura, M.A. Ed., CPO®

As The Inefficiency Assassin™, Time Management Fixer Helene Segura empowers professionals on the go with the tools to slay lost time. Personal inefficiency at work leads to increased stress levels, lower morale, higher absenteeism, more turnover – and rising spending on employee health care and hiring. Why not improve productivity, decrease stress levels, and increase profits instead?The author of four books – two of which were Amazon best-sellers – Helene Segura has been the featured organization expert in more than 200 media interviews. She has coached hundreds of clients to productivity success and performance improvement by applying neuroscience and behavioral modification techniques to wipe out destructive, time-wasting habits.Helene turns time management on its head by sharing both client case studies and pop culture examples to teach her mind-bending framework for decreasing interruptions, distractions and procrastination so that companies can spend more time generating revenue.

Leave a Comment