The Singapore summit was the focus of news stories this week. The media descended on Singapore to capture all of the news. When journalists started posting pictures of the contents of the gift bags that they were given at the summit by a company associated with the local government, cybersecurity experts from around the world started tweeting and alerting them about one of the contents of the gift bag.
We have all been to conferences and events where we walk out with a gift bag. This particularly gift bag given specifically to the media included: a guidebook, a trial subscription to the local paper, a water bottle, and a fan that could be plugged into a USB port.
The responses by security experts were actually frantic alarms to the media. They urged the media not to plug in the fans. Why? Because they could be filled with malware and could exfiltrate data.
One guy tweeted, “So, um, summit journalists. Do not plug this in. Do not keep it. Drop it in a public trash can or send it to your friendly neighborhood security researcher. Call any computer science department and donate it for a class exercise…” Another said “If you are a journalist at a summit with the North Koreans and someone gives you a USB fan, please do not plug it into your laptop. COME ON.”
It reminds me of the piece we posted on May 5, 2016 after The American Dental Association mailed 37,000 flash drives to its members that were supposed to include new billing codes, but in fact the USB drives also included malware. When the dentists put the flashdrives into their systems, they were directed to a web page that was a known web page that distributed malware, which allowed criminals full access to their system. The flashdrives were manufactured in China.
That was two years ago, and the same distribution methods are being used to dupe people into putting infected USBs into their laptops.
Tip for the week: beware of all USB drives. Especially when you are in Singapore with North Koreans, who are notorious for hacking and cyber fraud.