Happy New Year everyone. We begin this year’s HIPAA training with why the USB port is so dangerous for practices.

The USB port is extremely useful. In fact, the U in USB stands for Universal. It was designed to allow a wide variety of devices to be plugged into a computer using a single port. However, security was never a concern when designing the port and there is no built-in security for it. When something is plugged in, the computer will immediately attempt to make use of the device. For cameras, headsets, printers, scanners, etc., this isn’t a bad thing. The issue comes in when it is USB flash drives or other devices specially created to do harm.

Let’s tackle USB flash drives first. Windows is set to automatically run anything that is on a flash drive. This setting can be disabled, but often it isn’t as users want the convenience of plug-and-play. This means that when you plug a flash drive into a computer, it will run the software that is installed. If this is malware, then the computer will run the malware and it will infect your computer.

A common tactic of attackers targeting a specific company is to drop flash drives around the parking lot with enticing labels such as salary reports, company finance, private, etc. This increases the chances that if someone finds the drive, they will want to see what is on it. It piques the curiosity.

If you find a flash drive somewhere and you don’t know what’s on it, DO NOT PLUG IT INTO YOUR COMPUTER. Nothing that is on there is worth the risk you take.

The second area of concern is special devices that are made for attacks. These look just like normal flash drives but they fool the computer into thinking they are keyboards. Once inserted into a computer, they will execute commands stored on the device at speeds far faster than a human could ever type. These commands could install malicious software onto a computer in just a few seconds and steal documents and passwords. It only takes about 3-4 seconds for this to work. Because of this, unattended computers that aren’t locked are especially dangerous. It seems like a lot of adolescents are into “hacking” these days and want to play with what they are learning. They could plug this device into a practice computer and within 5 seconds, the computer would be compromised.

To make things worse, these devices, known as Rubber Duckies, aren’t hard to buy. They can be purchased from Amazon.

There are far more complex, albeit expensive, devices available. These are capable of a lot more attacks.

The point is that USB is equally dangerous for practices as it is useful. The best defense is to disable USB ports for flash drives. This will prevent the first type of attack we discussed. But for the second type, since Rubber Duckies pretend to be keyboards, it doesn’t help. The only defense there is to make sure all unattended computers are locked and/or USB ports are physically covered.

A final point I’d like to share is charging cables. There are cables called OMG cables that look just like a charging cord used for Android or Apple devices but they actually have tiny computers inside them. When you use them to charge your phone, the hacker can begin to attack your device. On top of that, these cables have built in WiFi so the attacker doesn’t have to be sitting next to you. This attack has been used at airports where travelers often need to share charging cables. NEVER USE SOMEONE ELSE’S CHARGING CABLE.

Stay safe out there and be very cautious with USB cables and devices.