More silliness on the cybersecurity front – USB flash drives

Will this idiocy never stop?!? First, Blue Cross and Blue Shield (and apparently, other insurance companies) are sending out USB devices en masse and telling people to put those USB sticks into their devices, which means all a hacker has to do now is send out similar notices with his own malware on cheap USB drives to infect any computer he/she wishes. I can’t BEGIN to tell you how ridiculous this is!

https://twitter.com/og_tjg/status/884756210267893761

Next, because of all the numb-nuts out there doing these kinds of things, corporations are now shutting down USB ports on devices altogether:

https://community.spiceworks.com/topic/430901-usb-lockdown-thoughts-ideas

So of course, the next thing that happens is someone re-purposes the old dongle as an “identity” security device, using the USB port (the most hackable interface on a device)!

http://money.cnn.com/2017/07/06/technology/gadgets/yubikey-security-key/index.html

Hackers are thrilled, because they need only simulate the appearance of one of these USB “security” devices to use the USB ports now re-enabled by some corporations for “security” purposes to, again, hack any device they wish…

Just so you know, hackers can purchase custom USB flash drives in small capacities in bulk for as little as twenty-five cents or less, with another nickel for custom printing. The hard part was(!) to get people into the habit of sticking USB drives from outside sources into their devices… Thanks to the folks above, that problem has now been solved (sigh). As to how cheaply flash devices can be had:

http://www.dhgate.com/product/real-metal-mini-usb-flash-drives-128m-1g/399821475.html#s1-4-1b;srp|1034336997

To illustrate how someone could easily game their way onto any Fortune 500 company device they wish (we’ll assume for our purposes here the Fortune 500 company uses Blue Cross Blue Shield as their health insurer), the hacker need only identify an employee with the access they want and then use a faked Blue Cross Blue Shield “followup” letter with an enclosed USB stick to get the employee to install the malware via that stick onto his company-issued laptop.

Thanks,

F. Scott Deaver

July 12th, 2017