O2 sends infected USBs to customers
Victoria Prewer looks at the danger of freebies – and the importance of supply chain security
We’ve all heard about the dangers of opening an email we don’t recognise, or just clicking on links and attachments without stopping to check that they’re actually safe.
Doing so can easily infect our computers with viruses and malware, but it’s not the only risk: even using a free USB stick can pose a threat, as some O2 customers recently found out.
USB drives, commonly referred to as flash drives or memory sticks, are reusable memory storage devices no more than a few inches long that plug into a computer’s USB port. O2 distributed promotional USB-embedded pens to some of its customers, including Amethyst, and shortly afterwards followed up with an email titled “Urgent: Information about potential virus.”
In the message, the mobile network provider revealed that some of the USB-embedded pens contained a virus which infects program files and web files on computers running Windows 2000, Windows 95, Windows 98, Windows ME, Windows NT, Windows Server 2003, Windows Vista and Windows XP.
It also stated: “If your computer is also a web server, the virus can also attack anyone who visits your website. The virus has the ability to install new programs onto your system including updated versions of itself and programs that might grant the virus’s author remote control over your computer.”
O2 has advised customers not to use the USB pens. Those who have already used one, and whose anti-virus software flagged a risk, should follow the instructions given by the anti-virus software and then remove and dispose of the USB. Obviously, Amethyst had chosen not to use the USB pen, but it is not yet known how many other customers did or were affected.
USB drives have become so small and inexpensive to produce that nowadays they are often given out as promotional ‘freebies.’ According to Norton.com, they are popular because they can store so much data; some models can now store up to 20 gigabytes. The more ubiquitous they become, the greater the chances they’ll get lost or stolen or be used to spread malicious programs.
If someone plugs an infected USB drive into their home computer they could inadvertently upload malware and potentially cripple the machine. If they connect to their office network, then the virus can upload and replicate itself on the network.
The anti-virus software on your computer should always be kept up to date, so that if you end up using a device that attempts to load a virus onto your computer, you will be protected. In its email to customers, O2 warned that its infected USB pens contained a Windows-specific virus that may not be picked up by out-of-date anti-virus software.
The best advice seems to be that if you don’t know or trust where a free USB stick has come from, don’t use it. O2 is a well-known and seemingly trusted organisation, but even it is not immune. In its email to customers, O2 blamed the problem on “a supplier issue”, adding that it had “notified the relevant organisations.”
A supply chain is a system of supplier organisations involved in handling, distributing, manufacturing and processing goods in order to move resources from a vendor into the hands of the final consumer. In cyber-security, a supply chain attack can involve physically tampering with electronics (computers, ATMs, power systems, factory data networks etc.) in order, for example, to install malware for the purpose of bringing harm to a player further down the supply chain network.
O2’s blunder highlights the importance of supply chain security: the measures undertaken to improve the security of a supply chain at every stage. Knowing who is in your supply chain is vital, because not knowing makes it impossible to assess and manage the security risks.
In an investigative feature published last year, ComputerWeekly.com revealed that a growing number of cyber breaches involve the exploitation of security weaknesses in supply chains.
It argued that most organisations find it hard to know where to start, but the best place for businesses to begin is with themselves, before looking to extend those good practices into the supply chain.
The article also stressed that although businesses are increasingly recognising the importance of information security, security within supply chains is still widely overlooked. In 2016, this still seems to be the case.