You left WHAT on that USB drive?!

Back in 2011, Sophos picked up a stash of USB keys from a lost property auction as an experiment. It turned out that they were a scary bunch of sticks: 66% of them contained malware, and not a single one was encrypted.

Well, the more things change, the more things USB drive-related remain hair-raising…

A new study found that you don’t just run a good chance of catching something from second-hand drives: you also run the risk of getting an eyeful of sensitive data that the previous owner may or may not have even bothered to drag to the trash – not that that would actually delete the data, mind you, but at least it’s an attempt.

The study, done by the University of Hertfordshire and commissioned by a consumer product comparison website called Comparitech, looked at what could be found on second-hand drives picked up on eBay, in second-hand shops and through traditional auctions.

The researchers found that about two-thirds of second-hand USB memory sticks bought in the US and the UK have recoverable and sometimes sensitive data. In one-fifth of the devices studied, the past owner could be identified.

They bought 200 USB drives – 100 in the US and 100 in the UK – between January and May 2018.

People in the US who offload their sticks turned out to at least be aware of the need to erase their data, with only one of the drives showing no sign of an erasure attempt. In the UK, however, 19 of the devices showing no sign of attempted cleansing.

That said, researchers couldn’t recover any data from 16 of the UK devices and 18 in the US, having been properly wiped.

47 of the UK USB stick owners and 64 of US owners tried to delete their data, but didn’t succeed and the data could easily be retrieved by the researchers.

Sir, you need to zip up your unerased stick

The treasure trove of data included quite sensitive material. The researchers found nude images of a middle-aged man, for one thing, along with far more.

Some other notable findings on the drives:

  • Photos of bundles of money and shotguns plus a search warrant giving the name of the person to be searched, a forfeiture submission for the seizure of drugs giving the name of the person that had their property seized.
  • Chemical, fire, and power safety documents for a project in Cardiff, Wales, along with risk assessment documents and the name of the drive’s owner.
  • Lab reports for a petrochemical company, with the name and Social Insurance Number of the USB drive’s owner.
  • Documents containing the stock exchange dealings of a trader along with their passport and addresses in France and the UK for the past six years.
  • Wage slips and tax statements with name, address, and contact details.
  • Photos of a soldier – including a deployment screening sheet containing his home and duty addresses.
  • A resume and filled-out W-4 tax form with full name and address.

With the contact details they recovered, the researchers could identify, and could have contacted, the former device owners of 20 of the US sticks and 22 of the UK sticks.

They didn’t, though, leaving the people who left their sensitive data on the drives none the wiser about their personals floating around and their poor security hygiene.

Trashcans: More like shelves than furnaces

The research suggests that many people don’t understand the risks of leaving data on USB drives before selling them, and that those who do understand the risks don’t understand how to erase data so it can’t be recovered.

We’ve all gone through the ritual dragging of files into the trash can, or highlighting them and hitting the “Delete” key, and then selecting “Empty Trash.” Those steps don’t permanently erase data from a USB drive, though. Neither does one-pass reformatting of storage media. The research found that…

Eight USB sticks in the US and 16 in the UK had been reformatted, but the data could be recovered “with minimal effort.”

To fully erase data, you have to overwrite the storage area where it’s residing. Comparitech offers this guide on how to do so.