Zhang wrote a note and put up flyers about the theft, which was picked up by ABC News and which a friend of his posted to his Facebook page, and which was then posted to Reddit and many other websites beyond that. He offered $1000 to the thieves for the data, telling them exactly where on the disk they could find it, giving them the password, and telling them they could keep the computer already; he just wanted to graduate.
Now, in honor of the “Everything Wrong With … in X Minutes” CinemaSins YouTube movie spoofs (and they’re hysterical), here’s everything wrong with this story.
We learned about “dead drops” (at least, those who didn’t know about them already) a few weeks ago when General Petraeus got caught exchanging messages with his mistress by leaving messages in draft form in a shared Gmail account. But there’s another kind that offers a lot more possibilities — and risks.
It all started in October, 2010, when Berlin-based media artist Aram Bartholl came up with the idea as an art project: Install a USB flash drive in a wall, and people could freely upload and download art from it. He started out with five USB dead drops in New York, and posted a website with instructions, including an instructional video.
“Dead Drops is an anonymous, offline, peer to peer file-sharing network in public space,” reads the Dead Drop Manifesto. “Anyone can access a Dead Drop and everyone may install a Dead Drop in their neighborhood/city. A Dead Drop must be publicly accessible. A Dead Drop inside closed buildings or private places with limited or temporary access is not a Dead Drop. A real Dead Drop mounts as a read- and writeable mass storage drive without any custom software. Dead Drops don’t need to be synced or connected to each other. Each Dead Drop is singular in its existence. A very beautiful Dead Drop shows only the metal sheath enclosed type-A USB plug and is cemented into walls. You would hardly notice it. Dead Drops don’t need any cables or wireless technology. Your knees on the ground or a dirty jacket on the wall is what it takes to share files offline. A Dead Drop is a naked piece of passively powered Universal Serial Bus technology embedded into the city, the only true public space. In an era of growing clouds and fancy new devices without access to local files we need to rethink the freedom and distribution of data.”
The idea exploded, and soon there were USB flash drives poking out of walls (and dogs) all over the world. Srsly, there are more than 1100 of the things out there, according to the most recent map, ranging from New York to Toronto (where it contains porn and recipes) to New Zealand. (And those are just the public ones.) There are also apps to tell you where Dead Drops are, as well as a Flickr set and a Twitter feed. (In addition, there are wireless ones and DVD ones being set up as well.)
Certainly the serendipity of these little data glory holes is high. It’s basically superduper high-tech geocaching. Just think of the data, good and bad, that could be exchanged: Pictures, movies, building plans for terrorists, porn, Anonymous plans, Wikileaks data… They’re even being used to generate fiction. Honestly, I’m surprised it hasn’t shown up in a Will Smith movie yet.
Needless to say, the whole process, like any USB stick, is fraught. What keeps people from downloading something like a virus (which was raised as a concern almost immediately) or child porn onto their laptops? (I cringe every time I see a picture of someone with their laptop plugged into one of these things, and hope that at least it’s a junk laptop devoted to the purpose.)
For that matter, what keeps someone from uploading a virus, and from there spreading it around the world? Recall that the Stuxnet virus was spread through USB flash drives enticingly scattered around. Set up something like this at Burning Man with a virus and you could shut down all of Silicon Valley by mid-September.
On the other hand, in a day and age where governments are shutting down the entire Internet in their countries, the notion of a way for rebels to exchange information in this clandestine way sounds pretty darn cool. What a great way for Mr. Phelps to get information — though of course you’d have to make sure that the government hadn’t set up its own USB dead drop to try to catch you. Or for people trapped in a country to get information outside the country — post a code message to Twitter and wait for someone with a tablet and a USB port to come along.
Or maybe I’ve just seen Red Dawn too many times.
“On July 14, 2012, MD Anderson learned that on July 13 a trainee lost an unencrypted portable hard drive (a USB thumb drive) on an MD Anderson employee shuttle bus,” the company reported earlier this month. “We immediately began a search for the device and conducted a thorough investigation. Unfortunately, the USB thumb drive has not been located.” In the thank goodness for small favors department, the data did not include Social Security numbers. Some 2,200 patients were affected.
Similarly, on June 28, the company announced a previous breach. “On April 30, 2012, an unencrypted laptop computer was stolen from an MD Anderson faculty member’s home. The faculty member notified the local police department. MD Anderson was alerted to the theft on May 1, and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers. We have no reason to believe that the laptop was stolen for the information that it contained. We have been working with law enforcement, but to date the laptop has not been located.” Another 30,000 patient notifications.
This follows a 2006 notification incident in which private health information and Social Security numbers of nearly 4,000 patients were at risk after a laptop containing their insurance claims was stolen the previous November at the Atlanta home of an employee of PricewaterhouseCoopers, an accounting firm reviewing the patient claims.
It’s not uncommon that medical facilities lose data. It’s not even uncommon that they lose it more than once. But twice in a single year? Come on, people.
Security experts were unsympathetic.
“Wow, is that dumb,” international cyber security expert Bruce Schneier told the Houston Chronicle. “This isn’t complicated. This is kindergarten cryptography. And they didn’t do it. I’d be embarrassed if I were them. Of course, it’s not them whose privacy could be violated. It’s the innocent patients who trusted them. To be fair,” he said in an email, “the drive could simply be lost and will never be recovered. We don’t know that patient information was leaked. But it’s still shockingly stupid of the hospital.”
The center said it was beginning a several-month plan to encrypt all the computers at the hospital, and that 26,000 had been encrypted thus far. The hospital has also ordered 5,000 encrypted thumb drives. In addition, employees will receive training on thumb drives and security.
If nothing else, at least MD Anderson is apparently in good company. “According to a records search of the Privacy Rights Clearinghouse, which keeps a running tab on data breaches and the like, so far this year 387,357 medical-related records have been compromised in 68 reported incidents involving lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc,” writes IEEE Spectrum. “Last year there were 66 such breaches with 6,130,630 records compromised.”
Ponemon, which performed the study on behalf of Kingston, a manufacturer of encrypted USB thumb drives, did not fully describe its methodology, but said it had surveyed 743 IT and IT security practitioners with an average of 10 years of relevant experience.
Interesting tidbits from the survey include the following:
This isn’t new; there’ve been numerous incidents of data loss via USB memory stick, either by losing them or by theft, ever since the handy little things came out. But those have been largely anecdotal reports, while this was a more broadly based survey.
And that’s just data going out. Another issue is that of malware coming in, also via thumb drive. Again, we have heard of anecdotal incidents, but the survey also reported that incoming security was an issue as well.
“The most recent example of how easily rogue USB drives can enter an organization can be seen in a Department of Homeland Security test in which USBs were ‘accidentally’ dropped in government parking lots. Without any identifying markings on the USB stick, 60% of employees plugged the drives into government computers. With a ‘valid’ government seal, the plug-in rate reached 90%.”
For example, the survey found that free USB sticks from conferences/trade shows, business meetings and similar events are used by 72% of employees ― even in organizations that mandate the use of secure USBs. And there aren’t very many of those: Only 29% felt that their organizations had adequate policies to prevent USB misuse.
The report went on to list 10 USB security recommendations — which many or most organizations do not practice:
1. Providing employees with approved, quality USB drives for use in the workplace.
2. Creating policies and training programs that define acceptable and unacceptable uses of USB drives.
3. Making sure employees who have access to sensitive and confidential data only use secure USB drives.
4. Determining USB drive reliability and integrity before purchasing by confirming compliance with leading security standards and ensuring that there is no malicious code on these tools.
5. Deploying encryption for data stored on the USB drive.
6. Monitoring and tracking USB drives as part of asset management procedures.
7. Scanning devices for virus or malware infections.
8. Using passwords or locks.
9. Encrypting sensitive data on USB drives.
10. Having procedures in place to recover lost USB drives.
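Recommendations 1, 3 and 6 boil down to knowing which drives are yours and noticing when one that isn’t turns up on a workstation. As an added example that is not from the page or the Ponemon/Kingston report, here is a small Python audit that parses constructed Linux kernel log lines for USB enumeration and flags any mass-storage device whose vendor, product and serial number are not on a hypothetical approved-asset list (the log lines, serials and the APPROVED set are all made up for the example).

```python
import re
from dataclasses import dataclass

# Constructed sample kernel log lines (not from the page), in the shape of the
# messages Linux emits when a USB device enumerates and usb-storage binds to it.
SAMPLE_LOG = """\
Jul 14 08:02:11 ws17 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jul 14 08:02:11 ws17 kernel: usb 1-2: SerialNumber: APPROVED0001
Jul 14 08:02:11 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jul 14 09:15:40 ws17 kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Jul 14 09:15:40 ws17 kernel: usb 1-3: SerialNumber: 0000000000
Jul 14 09:15:40 ws17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jul 14 09:20:02 ws17 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Jul 14 09:20:02 ws17 kernel: usb 1-4: Product: USB Receiver
"""

NEW_DEV = re.compile(r"usb ([\d.-]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL = re.compile(r"usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")

@dataclass
class UsbDevice:
    port: str            # bus-port path, e.g. "1-3"; the key the kernel reuses across lines
    vendor: str
    product: str
    serial: str = ""     # empty if the device reported no serial
    mass_storage: bool = False

def parse_usb_events(log_text):
    """Group kernel messages by USB port into one UsbDevice record per device."""
    devices = {}
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            devices[m[1]] = UsbDevice(m[1], m[2].lower(), m[3].lower())
        elif (m := SERIAL.search(line)) and m[1] in devices:
            devices[m[1]].serial = m[2]
        elif (m := STORAGE.search(line)) and m[1] in devices:
            devices[m[1]].mass_storage = True
    return devices

def audit_mass_storage(log_text, approved):
    """Return mass-storage devices whose (vendor, product, serial) is not in the
    approved-asset register; keyboards, receivers and other classes are ignored."""
    return [d for d in parse_usb_events(log_text).values()
            if d.mass_storage and (d.vendor, d.product, d.serial) not in approved]

# Hypothetical asset register of drives the organization actually issued.
APPROVED = {("0951", "1666", "APPROVED0001")}
```

Running `audit_mass_storage(SAMPLE_LOG, APPROVED)` on the constructed log flags only the drive on port 1-3; the issued drive and the non-storage receiver pass.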