Have you ever found a USB drive and plugged it in to see what is on it? It could contain malware or other destructive executables. SecurityTutoring.com tests human nature with its USB Project. USB drives are left all over, in places where everyday people may find them. When a device is plugged in and its files are launched, the result is logged.
Try looking here to see a table of results.
The USB Project is an ongoing experiment to see how many people will:
- Pick up and keep a USB drive that was seemingly “lost”
- Insert it into a computer and allow it to mount
- Run specific files located on the USB drive
Of course it is not a “lost” drive. It was placed there. Students in my classes are given a USB drive and are challenged to think of ways to have their drive phone home to signal success. Here are some of the factors that lead to success:
Put a paper or other label on it, indicating something that would make a stranger curious. “Salaries”, “DEA Report” or “Confidential” have worked well in the past. “Wife’s Bikini Pictures” and the like don’t work. My guess is that such a label is viewed as unseemly and therefore potentially dangerous.
The USB drive does not collect any sensitive information. The HTML file and scripts only log the date/time when a hit is received and the text label applied to the files. The text label simply allows us to identify the originator (student) of the USB drive. The launch line in the HTML file is:
Once at this site, the browser is immediately redirected to cnn.com.
The output looks like this:
Hit on Portable Media 2014-08-11 22:50:19 US Eastern time. Country=US, City=LOS ALAMOS, Location: Hot Rocks Cafe, USB Drive media, Identifier: HATIM
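For tabulating results, here is a parser for hit lines in the format shown above that counts hits per identifier. It is an added example, not the project's own code; the field layout is inferred from the single sample line, and every sample line after the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout inferred from the one sample line on the page (assumption).
HIT_RE = re.compile(
    r"^Hit on Portable Media (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"US Eastern time\. Country=(?P<country>[^,]*), City=(?P<city>[^,]*), "
    r"Location: (?P<location>.*), USB Drive media, "
    r"Identifier: (?P<identifier>\S+)$"
)

def parse_hit(line):
    """Return a dict for one hit line, or None if the line does not match."""
    m = HIT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def summarize(lines):
    """Tally hits per identifier; keep unparsable lines for manual review."""
    hits, rejected = Counter(), []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        rec = parse_hit(line)
        if rec is None:
            rejected.append(line)
        else:
            hits[rec["identifier"]] += 1
    return hits, rejected

# First line is the sample from the page; the others are constructed.
SAMPLE = [
    "Hit on Portable Media 2014-08-11 22:50:19 US Eastern time. Country=US, City=LOS ALAMOS, Location: Hot Rocks Cafe, USB Drive media, Identifier: HATIM",
    "Hit on Portable Media 2014-08-12 09:03:41 US Eastern time. Country=US, City=SANTA FE, Location: Library, Main Branch, USB Drive media, Identifier: STUDENT2",
    "Hit on Portable Media 2014-08-12 09:05:02 US Eastern time. Country=US, City=LOS ALAMOS, Location: Hot Rocks Cafe, USB Drive media, Identifier: HATIM",
    "Hit on Portable Media (truncated line)",
]

if __name__ == "__main__":
    hits, rejected = summarize(SAMPLE)
    for ident, n in hits.most_common():
        print(f"{ident}: {n}")
    print(f"unparsed lines: {len(rejected)}")
```

Lines that do not match are returned rather than dropped, so a change in the log format shows up as a growing reject list instead of silently lowering the counts.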