
No, Spotify, you shouldn’t have sent mysterious USB drives to journalists

Last week, Spotify sent out a number of USB drives to reporters with a note: “Play me.”

It’s not uncommon for reporters to receive USB drives in the post. Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos, that would otherwise be difficult to get into as many hands as possible.

But anyone with basic security training under their hat — which here at TechCrunch we do — will know to never plug in a USB drive without taking some precautions first.

Concerned but undeterred, we safely examined the contents of the drive using a disposable version of Ubuntu Linux (using a live CD) on a spare computer. We examined the drive and found it was benign.

On the drive was a single audio file. “This is Alex Goldman, and you’ve just been hacked,” the file played.

The drive was just a promotion for a new Spotify podcast. Because of course it was.

The USB drive that Spotify sent journalists. (Image: TechCrunch)

Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move to encourage reporters to plug the drives into their computers “amazingly tone deaf.”

USB drives are not inherently malicious, but they are known to be used in hacking campaigns against targets like power plants and nuclear enrichment plants, which are typically not connected to the internet. USB drives can harbor malware that can open and install backdoors on a victim’s computer, Williams said.

“The files on the USB itself may contain active content,” he said, which when opened can exploit a bug on an affected device.

A spokesperson for Spotify did not comment. Instead, it passed our request to Sunshine Sachs, a public relations firm that works for Spotify, which would not comment on the record beyond that “all reporters received an email stating this was on the way.”

Plugging in random USB drives is a bigger problem than you might think. Elie Bursztein, a Google security researcher, found in his own research that about half of all people will plug random USB drives into their computers.

John Deere earlier this year caused a ruckus after it distributed a promotional drive that actively hijacked the computer’s keyboard. The drive contained code which, when plugged in, ran a script, opened the browser, and automatically typed in the company’s website. Even though the drive was not inherently malicious, the move was highly criticized because malware often acts in the same automated, scripted way.
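A drive that types into the browser has to present itself to the host as a keyboard as well as a storage device. As an added example (not from the article, TechCrunch or any company it names), this POSIX shell check reads Linux sysfs and flags any USB device exposing both a mass-storage interface (class 08) and a HID interface (class 03); the sysfs path is the real one, while the demo tree's vendor/product ids and port names are constructed placeholders.

```shell
#!/bin/sh
# Flag USB devices that combine mass storage with a HID (keyboard) interface.
# Reads the Linux sysfs layout: <root>/<bus-port>/{idVendor,idProduct} and
# <root>/<bus-port>:<config>.<iface>/bInterfaceClass (08 = storage, 03 = HID).
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
# scan_usb_composite [root]: one line per device; returns 1 if any is storage+HID.
scan_usb_composite() {
    root="${1:-$SYSFS_USB}"
    status=0
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue     # interface entries have no idVendor
        name=$(basename "$dev")
        has_storage=0; has_hid=0; classes=""
        for iface in "$root/$name":*; do       # this device's interfaces: <name>:<cfg>.<n>
            [ -f "$iface/bInterfaceClass" ] || continue
            cls=$(cat "$iface/bInterfaceClass")
            classes="$classes $cls"
            case "$cls" in
                08) has_storage=1 ;;
                03) has_hid=1 ;;
            esac
        done
        vid=$(cat "$dev/idVendor"); pid=$(cat "$dev/idProduct")
        if [ "$has_storage" = 1 ] && [ "$has_hid" = 1 ]; then
            echo "SUSPECT $name $vid:$pid classes:$classes (storage and HID on one device)"
            status=1
        else
            echo "ok      $name $vid:$pid classes:$classes"
        fi
    done
    return "$status"
}
# make_demo_tree: constructed sysfs-like tree (fake ids) with a plain storage stick (1-2)
# and a storage+HID composite device (1-1); prints the tree's path.
make_demo_tree() {
    t=$(mktemp -d)
    for d in 1-1 1-1:1.0 1-1:1.1 1-2 1-2:1.0; do mkdir -p "$t/$d"; done
    echo 0000 > "$t/1-1/idVendor"; echo 0001 > "$t/1-1/idProduct"
    echo 08 > "$t/1-1:1.0/bInterfaceClass"; echo 03 > "$t/1-1:1.1/bInterfaceClass"
    echo 0000 > "$t/1-2/idVendor"; echo 0002 > "$t/1-2/idProduct"
    echo 08 > "$t/1-2:1.0/bInterfaceClass"
    echo "$t"
}
# "--live" scans the running system (exit status 1 = composite device found); "--demo" scans the constructed tree.
case "${1:-}" in
    --live) scan_usb_composite ;;
    --demo) scan_usb_composite "$(make_demo_tree)" ;;
esac
```

A non-zero exit from the live scan is a signal to investigate before mounting anything, not proof of malice; some legitimate devices (card readers with a keypad, for instance) are composite too.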

Given the threats that USB drives can pose, Homeland Security’s cybersecurity division CISA last month updated its guidance on USB drive security. Journalists are among those frequently targeted by some governments, including with targeted cyberattacks.

Remember: always take precautions when handling USB drives. And never plug one in unless you trust it.



from TechCrunch https://ift.tt/35RQ826
via IFTTT
