If you were sent a USB stick anonymously through the post, would you plug it into your computer?
Hopefully, not if you're a regular reader of blogs like Hot for Security. After all, you're probably all too familiar with stories of how malware has been accidentally shipped on flash drives by multinational companies, shoved through letterboxes, or even used to fry your computer's innards within seconds.
Perhaps most famously of all, the Stuxnet malware was planted at the Natanz uranium enrichment facility in Iran via a booby-trapped USB stick.
So most of us know to steer well clear of unknown USB flash drives - fearing it might be the precursor of a concerted attempt to hack your organisation, or your IT department's attempt to find out who in the office wasn't following safe computing practices.
But imagine that you're not someone well-versed in computer security. Imagine you're journalist Lenín Artieda, at Ecuadorian TV station Ecuavisa, who, on the morning of Thursday, 16 March, received an envelope through the post containing a USB flash drive.
You might very well plug in the device through curiosity. And that, of course, is a big mistake.
Not because the journalist's computer was infected by malware. But rather because upon the device being inserted into the reporter's PC, it exploded.
According to reports, Artieda was unharmed and moved to somewhere safe after the incident.
That reporter does not appear to have been seriously injured, but more devices were sent to other journalists - some accompanied by threatening messages.
For instance, TC Television journalist Mauricio Ayora, popularly known as 'Caterva', also received a USB drive.
It's hard to imagine that Caterva's interest wouldn't have been piqued by the curious delivery, but fortunately, at his place of work, there were strict rules regarding connected devices to computers - and so it was left to one side until after news of the attack against the first journalist reached their offices.
Police carried out a controlled detonation of one of the devices sent to TC Television, prosecutors confirmed.
Meanwhile, at the offices of TV channel Telemazonas, journalist Milton Perez also received a USB stick - this time accompanied by an intriguing note:
ESTA INFORMACIÓN VA A DESENMASCARAR AL CORREÍSMO. SI CREE QUE ES DE UTILIDAD, PODEMOS LLEGAR A UN ACUERDO Y LE ENVÍO LA SEGUNDA PARTE. YO ME COMUNICO CON USTED
For those who don't speak Spanish, that roughly translates to:
"This information will unmask (Ecuadorian political movement) Correísmo . If you think it's useful, we can come to an agreement and I'll send you the second part. I will communicate with you"
Sure enough, Perez plugged in the device, hoping to receive information for a juicy news story. There was no explosion because, perhaps by chance, the flash drive was not plugged in properly - but police later confirmed that it did contain explosive materials.
Physical attacks like this, carried out by USB stick, may be rare. But we know that digital attacks are commonplace - they're easy to pull off, and can be an effective way to get malicious code to execute on a company's network.
For your personal safety, and the safety of the data your store on your computer network, always be extremely wary of ever plugging in a USB device unless you can feel confident that it can be trusted.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsNovember 14, 2024
September 06, 2024