The Honey Stick Project


Beware security vendors (or anyone) bearing gifts with a USB plug

Posted in Stories about Mobile Data Risks, tips by Administrator on March 20th, 2008

There apparently is a rule-book somewhere that says “Never give a woman a gift with a cord or a handle, unless it is a purse filled with money…” The rationale is that the gesture will very likely be taken the wrong way by the recipient, possibly with thoughts of, “You expect me to do housework for the rest of my life?”

Most men only have to make this mistake once to understand the gravity of such a well-intentioned act of generosity. You can also see the effects of such a faux pas by watching the movie “Father of the Bride” with Steve Martin, where the bride-to-be has a meltdown when the groom gives her a blender as a wedding gift. Dad had to explain to her that it was actually a well-intentioned gift, with the thought that maybe someday she’d want to “blend something”…

Now consider the following gift-giving situation in the business world, which was nicely documented by William Jackson at “Government Security News” in July 2007. A vendor called Senforce distributed a number of U3 USB drives (i.e. a specially architected type of memory stick) as a marketing give-away, and with William they fulfilled their intended purpose perfectly. The intent, apparently, was to raise awareness of how risky it is to plug unknown devices into your computer. He found that the device had been configured with a “supposedly” harmless program that utilized some loopholes in the Windows architecture to demonstrate how easily data could be extracted from your computer, in an exploit that Senforce called “Thumbsucking”.

Data never dies, and we’ve already told the aliens where we are…

Posted in Privacy, Understanding the Risks by Administrator on March 4th, 2008

Nobody really knows what the long-term effects of data loss are. The main differences between losing data and losing physical assets are:

  1. Data can be copied, or even broadcast, instantaneously to many locations around the world. Once the bytes are out of the bag, you’ll never be able to round up all the copies. Just ask any celebrity who has had lies and slander written about them in the tabloids: you might get a retraction printed by the original source, but it’s too late.
  2. Public data often gets indexed for free. If it’s on a server connected to the Internet, there’s a good chance it will get indexed by Google or any one of the dozens of search engine crawlers. This means that it can be found by anyone with the right search query.

You can start to get a feel for how common data breaches are becoming by scanning through the history at the Data Breach Blog of SC Magazine or the Breach Blog, or simply by searching for terms like “data breach”, “breach disclosure”, or similar in places like Google News.