Reports are filtering through that delegates at the annual Australian AusCERT security conference were given USB sticks replete with malware. It would appear that the Oz telco Telstra handed out the memory sticks, unaware of the malware payload, during a security tutorial of all things.
The malware apparently took advantage of the Windows autorun feature to copy itself onto whatever host the stick got plugged into; well, whatever Windows host, that is. As luck would have it, the particular malware in question is rated only as low risk by McAfee, which has examined one of the rogue devices.
Being a journalist who specializes in IT security pretty much these days, and so who gets to attend a lot of security conferences, I cannot say I am altogether surprised. I have lost count of the number of such events where I have been able to quickly scan and detect numerous unsecured wireless networks and where 'researchers' attend with the express intention of finding such security holes and jumping in with both feet to see what resources can be compromised. Often it is the people who should know best who seem most liable to suffer from complacency, and security conferences are a great example of this genre of 'should have known better' syndrome.
I was at a huge security conference in Europe last year where the press room had open terminals for use by journalists to file reports, check email and do whatever research needed doing in the press room between interviews. Sitting down to take my place after a very high-profile and very highly respected IT security writer, I was bemused to find myself able to access his Gmail web-based email account in its entirety, as he had forgotten that this was a public terminal and therefore had not flushed the browser cache to delete his login data. I fired up the default IE browser, navigated over to Gmail and found myself sitting at his login prompt with autocomplete happily going about completing his login information for me.
I have seen USB memory sticks used in all sorts of security exploits as well, not least in the case of so-called 'seeding', where infected sticks are left on desks or even pavements in strategic locations, just waiting for the one employee of the target organization who cannot resist the urge to see what is on there to insert it into a desktop machine.
So you could say I am not easily surprised, but what does surprise and rather shock me about this particular case in Australia is that the USB sticks being distributed by a large telco were apparently pre-owned, second-hand ones. I mean, how cheap do you have to be to use pre-owned USB sticks? These things are so cheap brand new that you will be finding them in Xmas crackers soon...