Criminals in USB key espionage attempt against Dutch multinational. Or not.

Knowing that we’re interested in the use and abuse of USB keys, a keen-eyed Naked Security reader alerted us to an interesting-sounding story on a Dutch news site.

Under the headline Criminals in espionage attempt at DSM (a major Dutch materials and life sciences company), Elsevier.NL reports that this case involves crooks who “put USB sticks in the parking lot.”

The risks both of losing and of finding USB keys are clear – clear enough that Naked Security’s 2011 report into lost keys sold at auction by Sydney’s rail operator led to an official change in auction policy.

And, along with “did you hear that X% of people give out their passwords in return for Y” (where Y is something like a ballpoint pen or a chocolate bar), stories about successful USB-keys-in-the-parking-lot attacks have become often-heard anecdotes at seminars and conferences.

But do USB key attacks really work?

Or is this just some sort of current-day internet security meme?

On this account, Elsevier’s story piqued my interest.

Perhaps this would be an unambiguously documented case of a successful, real-world USB-driven intrusion by bona fide cybercriminals? (Please excuse the tautology.)

No such luck, fortunately. (Please excuse the oxymoron.)

There was a smoking gun, but the story:

  • points out that the employee who found the first USB key took it straight to IT,
  • fails to identify the malware except for dubbing it a keylogger,
  • and admits that the plan, for what it was worth, was an abject failure.

In short, this story could equally well have been headlined Sensible employee leaves Dutch multinational cyberintruders dead in the water.

So, to those of our readers who have complained that they’d like to read about security successes on Naked Security once in a while, rather than about breaches, disasters, successful exploits and the like: this one’s for you!

(For those cynics who wonder, like me, if putting infected USB keys in the parking lot could ever work – my penetration testing friends assure me that it works just fine. But they consider it infra dig to use the technique, because it implies they have failed to get in by more haxorious means.)


Images of chocolate bars and the big green tick courtesy of Shutterstock.