There’s often a press room at IT conferences with space where vendors can leave press releases with the latest announcements from their companies. More recently many firms chose USB sticks or cards, not only to save paper but also because the devices can include Web-ready JPGs or videos that can be plugged into reporters’ laptops for uploading with their stories.
Smart reporters leave these devices alone, not knowing where they came from. Ditto with the dozens of USB keys being distributed on trade show floors. It’s not merely that attackers can deliberately seed malware this way; sometimes even legitimate companies can be unknowingly stung.
That’s what happened to the American Dental Association, which recently distributed 37,000 credit-card-sized USB cards to members for updating dental procedure codes on office management software.
As outlined by security writer Brian Krebs last week, one person who got the ADA-marked card was curious, looked at one of the files on the flash drive and found it tries to open a Web page used to distribute malware. The card was legitimate, but the ADA had been victimized by the Chinese company that made the devices. Whether it was deliberate or accidental isn’t known.
After being warned, the ADA told Krebs that it investigated and found only a small percentage of cards were infected. The association suspects that one of the manufacturer’s duplicating machines was infected during a production run for another customer, which in turn infected the ADA’s run. In its defence, the ADA says it did perform random quality assurance tests on the devices before distribution. Obviously those tests weren’t rigorous enough.
The lesson for CISOs and CMOs is that while USB devices are unique ways of making their brands memorable, without strict quality control they are terrific vehicles for spreading malware. What a great way to infect PCs of high-tech people: Distribute free USB keys at an IT trade show! Guess what was being handed out at the RSA Conference two months ago — and think of the percentage of infosec pros who were there (100 per cent). And if you’re conspiratorial, what a great way to infect PCs of high-income earners, like dentists.
Organizations are always looking for ways to market their brands. Pens, cellphone stands, rubber exercise balls and cloths for wiping glasses are popular, but so ordinary. USB cards are unique, memorable and convenient — put one in a wallet or a business card holder rather than fumble with a conventional USB key. One Toronto manufacturer is marketing a “paper USB brochure” — a page that includes a tear-off USB stick, which combines the benefits of two media. It even offers to track the number of people who plug in the devices to give customers analytics.
This isn’t to say that these marketing tools aren’t useful. But marketing has to work with the security team to ensure strict control of code and quality assurance so the brand isn’t memorable for the wrong reason.