I attended a computer crimes investigator training yesterday, and the subject was “Bad USB” attacks.  Sitting there listening to real-life tales from detectives and private industry network security professionals, I cringed every time I heard a story of a helpful someone who plugged a “lost” USB device into their computer.  Again, I was hoping that this is something that doesn’t happen anymore, but apparently it still does.

Without getting into boring technical details, here’s why you still shouldn’t do that:

A USB stick can imitate a keyboard once it’s plugged into your computer.  As a “keyboard”, it can start typing commands to put malicious programs onto your computer, to “call home” with your sensitive data (send it to someone who’s stealing your information”, set up a new virtual network and jump around on your entire office’s systems….

The tales I heard were recent stories of folks who found USB sticks on a plane, on a chair, in their office, and then plugged them in to a computer.

What you should do if you find a USB stick:  Hand it off to your IT team.  Hopefully, they will have a separate “sandbox” environment to check it.

If you’d like to read more, here’s a good article on the topic:  Tech Republic