Sunday, August 30, 2009

Beware of Free Laptops

The FBI is currently investigating the delivery of Hewlett-Packard laptops to governors’ offices across the United States. The laptops were not ordered by any of the offices, and there is a fear that the computers contain malicious software. Thus far, West Virginia, Wyoming, Vermont and seven other states have been targeted. The computers were ordered online and billed to the governors’ offices, although the offices have not paid for them. After some laptops were successfully delivered and reported to authorities, more were intercepted en route to their destinations. Says West Virginia’s chief technology officer Kyle Schafer, "Our expectation is that this is not a gesture of good will. People don't just send you five laptops for no good reason." Meanwhile, HP is investigating the fraudulent orders.

These laptops are a cause for concern because it is believed they may have been intended as a way to get inside the states’ firewalls and secured systems. As security becomes tighter and more sophisticated, hackers have begun to use different methods to get into a system. Recently, criminals have tried leaving USB devices containing viruses and malware outside office buildings or around company areas in the hope that someone will plug them into a computer to see what is on them. Many Windows systems automatically run programs stored on such devices when they are inserted, so a USB device containing malware might be able to infiltrate a system. The cost of the laptops ordered by criminals would be minuscule compared to the value of hacking into secure government databases.

In this case, the offices handled the situation well: they recognized that the laptops had not been ordered by their office, did not turn them on or connect them to their network, and informed authorities immediately. Similar procedures should be followed in the future by both government and private companies. It is important that whoever is in charge of installing new computers into a system be aware of the computer orders placed by their organization. USB devices that are found should never be inserted into a computer connected to a company network and allowed to autorun. While it is tempting to see a free laptop or USB device as a lucky find or a nice gift, it is important to be aware of the malicious intent that may be hidden in this new type of Trojan horse.

Sources: McMillan, Robert. “FBI investigating laptops sent to US governors.” August 27, 2009.
http://www.computerworld.com/s/article/9137213/FBI_investigating_laptops_sent_to_US_governors?taxonomyId=17

Knezevich, Alison. “Police investigate mystery computer delivery to Manchin’s office.” West Virginia Gazette. Aug. 24, 2009. http://wvgazette.com/News/politics/200908240818

10 comments:

  1. This is a very interesting story that leaves me wondering whether it is truly an attempt to breach the security of those government offices, as the news article implies. The other theory floating around in my head is that it might be a mistake that was made by people attempting to steal laptops by ordering them with a fake purchase order and either they or the company reversed the shipping and billing addresses. I suppose time will tell.

  2. Though it is possible that the culprits were looking to steal the laptops, it is pretty unusual that the same thing would happen to government offices in 10 different states. Luckily, government offices are trained to be on the lookout for schemes just like this and would know not to even turn the laptops on. A security breach such as this could have caused serious damage if done for malicious reasons.

  3. This comment has been removed by the author.

  4. I think the scarier thing for me as a reader is the section pertaining to the USB drives that are used to hack into computer systems simply by being inserted into any computer. Imagine if something like that could happen at Notre Dame, where USB drives are constantly lost and found. One student finds one of these malicious USB drives, plugs it into the computer to erase the memory on it, only to find that he programmed a virus that will infiltrate the whole Notre Dame security and technology system. As we talked about in class, Notre Dame has a centralized access security system where one password can grant access to all of the student files. One virus would cause all of these files to become corrupt and would wreak havoc on the information systems. This could be a serious problem to prevent and nearly impossible to find the culprit simply because the malicious software would be instituted by a student with bad luck.

  5. This story would put more of a scare into Americans if this plan of using free suspicious laptops was realistic. Our security system at times has shown flaws but there is no shot that these laptops would be taken into these government buildings without being background checked for a source or reported and checked. I also agree that this was an attempt by people to steal laptops with a fake purchase order. On a smaller scale, for example college campuses, this malicious USB threat is very realistic and could lead to the loss of precious academic and financial information. I think these threats are very realistic and dangerous but, like I said, on a smaller scale, not such a large one as the U.S. government.

  6. I agree that it would probably be pretty difficult to infiltrate the U.S. government with suspicious free laptops without setting off at least a few red flags, especially if the offices did not order them in the first place. On the other hand, a seemingly misplaced or lost USB would generate a lot less suspicion than a lot of free laptops, namely in a busy workplace where people may lose small items all the time. I think that this form of exploiting security obstacles (via USB sticks as opposed to free laptops) is very realistic and therefore worrisome, due to its subtlety. I think that this sort of attack could be identified as a form of (very passive) social engineering, since the attacker relies on the action of the victim to initiate the attack (e.g. plugging in the USB into the computer, which would then release the malware into the system). In spite of tighter and more numerous security measures that are used in government workplaces, I think that this method of attack is subtle enough to escape immediate notice (at least more often than we'd like, anyways -- people and their actions can be rather difficult to monitor all the time).

  7. When reading this, the first thing that came to mind was Microsoft's COFEE (Computer Online Forensic Evidence Extractor). It's a modified USB drive that the FBI uses to extract forensics information from computers. If one of these was altered to send data as soon as it was extracted, this could be devastating for any company or institution. Credit card numbers, Social Security numbers, records, etc. would be available to a hacker to be sold on the black market.

  8. I am still inclined to believe this free laptop scare could have more malicious intentions than we would like to believe. While it is good that government offices are now on the lookout for suspicious computer acquisitions, like with many security breaches, it is difficult to determine the full extent of this scheme. Although federal and state offices most likely have set safeguards when acquiring new hardware, an attack like this could more easily target local county and city governments. With increasingly tight budgets, local agencies may be less hesitant to replace outdated equipment without verifying the source of these orders. Nevertheless, these networks contain all sorts of sensitive information from criminal records to driver’s license files. Even if the FBI locates the majority of these suspicious laptops, it only takes one computer to gain access to an entire network.

  9. In response to Will Harford's comment, it is interesting if you took the issues of this article into a different context. What if a student did lose a USB drive and found one similar-looking to it? Of course, the government is trained to deal with these kinds of threats, but at a smaller scale, universities and other communities may have more difficulty and less preparation in dealing with such a matter.

    From a personal opinion, I always see advertisements to get free laptops online, which is another issue but similar to this one. The idea of a free laptop is suspicious unless it was truly given to you physically and, better yet, without the use of personal information. Nothing is really free in the real world.

  10. As I sit on my computer in SAFE MODE, after trying to battle the "Blue Screen of Death" for two days, I can't help but think of how these machines that are supposed to make our lives so much easier tend to make it so much more complicated. This example just shows the myriad of vulnerabilities that open up as a result of our digital lives. To draw from one of my favorite sources - Disney - it's like the apple in Snow White. Something that seems just fine causes you so much trouble. And, to be honest, I had never thought of something as simple as a flash drive that I would find in a computer cluster actually being something for malicious purposes. I've definitely found a USB drive before and stuck it into a computer to see who it belonged to. To me, this is actually quite ingenious. People still generally tend to trust people. I think that this is still a good thing for our population. But, it's true that one of the best ways to exploit people is to exploit that trust. Like we talked about in class: social engineering and people are an incredibly effective way to defeat even very strict technical security. As long as the humans are still in the equation, they will always be a weak link. Fortunately for malicious hackers, I don't see robots taking over the world anytime soon.
