This is the third and final (for now) installment of the honey stick project that Scott Wright is working on. Those of you at RSA – I know Scott welcomes the contribution of USB drives and such for this project. If you are at RSA, you can give them to me and I will get them to Scott when I see him in May. Until then, happy reading — Michael
The First Drop
Having designed a simple mechanism for tracking the use of “found” Mobile Storage Devices, and an experimental framework with which to apply some scientific analysis, it was time to put out the bait. I was actually nervous the first time I left a Honey Stick in a public place. I felt like everyone was watching me, suspicious of what I was doing. I was in a fairly busy coffee shop attached to a book store. It had a table where people could do work, so after ordering my coffee and biscotti (this could get to be a much more expensive experiment than I had planned!), I clumsily reached and dropped the first USB stick on the table as I swept my garbage into a pile and stood up to wander off…
If I had time, I had planned to find a vantage point and watch to see what would happen as people discovered the orphaned device. However, this was not a good time. So, I decided to return the next day and see if anyone had turned it in. Believe it or not, they had. So, I decided to adjust my experiment to attempt recovery at the nearest logical point where one might turn in things to a lost and found. I would give them 24 hours before returning, in case the staff were curious at the end of their shift. However, the next few drop-points did not have the same results, and it was sometimes too far out of my way to return the next day, so I decided to just leave the sticks where they were for the long term. Besides, if they ended up in the lost and found, a month may pass, but it might still be possible for somebody to find it and give it a try.
There was one other initial device that I did discover had been turned in to the establishment’s proprietor. This was at a diner.
The amusing downside of recovering turned-in devices was that I could no longer trust them! According to my own preaching, they may have been loaded with a virus. So, in order to re-use them, I would have to carefully sanitize them on an isolated computer with non-sensitive information on it. Not really worth it at this point.
Stream 0 Results
You can track the current results at any time on the Honey Stick website Stream 0 Results page at:
But, to summarize here, after having dropped 19 Honey Sticks, 37% of them were clearly inserted by the finders into their computers. Is this a surprise? I don’t know. It’s not as high as the 75% of the employees who picked up and inserted similar devices during the penetration test reported in the 2006 Dark Reading story. But, one thing I’ve discovered is that there are many variables that can influence the results. Clearly, just dropping the devices in a location that has a convenient authority figure makes it easy for a finder to be a “good samaritan” and get on with their day.
Another subtle factor is the amount of privacy in the finder’s situation. If there are 10 people within view of you when you pick up the device off a chair, shelf or floor, you risk them watching you to see if you will keep it or turn it in. As far as you know the owner might be sitting nearby, and just realizing that they’ve lost the device. It’s very risky. On the other hand, a phone booth, elevator or washroom can provide enough privacy that nobody else will see you pick it up (except for the security cameras, right?). I think these types of locations are working better to allow people to follow their curiosity when they see one.
And what of the “return to owner” feature I mentioned in Part 2 (a file entitled “owner_contact_info.txt”)? Not counting the two devices that I physically recovered from proprietors’ lost and founds, 2 of the other 17 devices dropped resulted in the finders calling me to let me know they had found it. One found it in an office building elevator, and another found it in a city bus transit station. Interestingly, when I spoke to them, I found out one of the finders had inserted the device, run a virus scanner, then explored the device to find the owner information. As far as I can tell, they did not open any other files on the device. It’s nice to know we have some honest, smart people in Ottawa! I don’t know how harshly I should rate them for inserting the device just to find the owner information. They may have known how to disable auto-run features in Windows (holding the Shift key during insertion, I believe, prevents it).
Where to Go From Here?
I now have a sponsor who is willing to purchase and donate another 30 devices to the project. I would like to thank Mike Sues, president of Rigel Kent Security, an ethical hacking and penetration testing company here in Ottawa, for this donation, allowing me to carry on the study. Mike has some good ideas on how we might be able to target other experiments to measure security awareness in the general public.
It would be nice to see what kind of responses I can get from other cities. A few colleagues have indicated that they would be willing to drop devices as they travel on road trips to various cities. In addition to Ottawa, I’ve left a few at the Mont Tremblant ski resort near Montreal, and in Toronto. In the next month, I hope to have some finding their way to San Francisco, Las Vegas, and a few other towns across North America. I can ship the devices pre-configured, or send a zipped archive (the file sizes are very small) to people willing to supply their own devices.
It would also be exciting to have others contributing their efforts and/or funding to grow the project. The only thing I may ask is that, for the integrity of the project, people make a commitment not to alter the files on the devices, and not to try to hack the site where I gather the stats. Remember, the idea is to raise the public’s awareness of the risks that come with some of the most powerful and simple new technologies that are becoming a routine part of our lives.
So far, I’ve been pleasantly surprised by the response I’m getting from people. I encourage bloggers to write about the project and link to the site once in a while (that URL again is http://www.honeystickproject.com). A big thanks to Michael, the Security Catalyst, for giving me space to blather on here. So, be careful the next time you pick up a seemingly abandoned USB stick. You may become part of the experiment! Let’s hope we don’t detect you opening a file called “naughty-things.html”.