Yet another reason to be skeptical of found USB devices: Researchers from the security firm Sophos found that two-thirds of them may contain dangerous malware.
With his colleagues from Sophos' Sydney office, head of technology Paul Ducklin purchased 57 USB drives from the Rail Corporation New South Wales (RailCorp) Lost Property auction. After discarding seven of the USB drives for being either broken or malfunctioning, Ducklin and his crew were left with 50. They examined the contents of the lost USB drives, and found that 33 of them were infected with corrupted, malicious software.
Although Ducklin said the test was not as detailed as it could've been, "even with the most cursory automated analysis, we were able to reveal a good deal of personal information about many of the people who had lost these keys, and about their families, friends and colleagues."
Among the personal information the experts were able to retrieve off the lost USB keys were photo albums, minutes of an activist meeting, lists of tax deductions and software and Web source code.
Shockingly, not one of the USB drives tested was encrypted or appeared to contain any encrypted files, and all of the information stored on them could be read without any decryption.
A take-home lesson, Ducklin wrote, is to encrypt personal data you keep on a USB drive, and more importantly, try not to lose the device.
"Don't be lulled into thinking that your personal data is unimportant unless you're a high-flying executive or have pots of money," he wrote. "Information about you is worth money to cybercriminals. And the crooks don't need to be directly involved in identity theft themselves — there's an underground market for selling personally identifiable information of all sorts."