The lost property data dump

When Sophos decided to buy a stash of USB keys lost on Sydney trains, it was surprised at just how much people were willing to pay for the chance of discovering hidden data. In reality, malware was a much more likely find.

The prepositionless Rail Corporation New South Wales, more commonly known as RailCorp, is one of the oldest continuously-operating railways in the world.

Despite reshuffling, reorganisation, renaming and various fragmentations and privatisations over the years, passenger services in the Greater Sydney metro area (CityRail) and further afield (CountryLink) operate on a network which celebrated its 150th anniversary back in 2005.

The railway system serves a sprawling conurbation of some five million people in and around Sydney, plus a state bigger than Texas beyond that.

With travellers packed into crowded double-decker trains for the rush-hour commute, you can imagine how much personal property gets lost each year.

2011 was no exception. One commuter, who was never traced, even managed to leave behind a rare and valuable 1865 Franz Diener violin, causing wags to remark that it may actually have been lost when still brand new, but delayed for 146 years by trackwork on the North Shore line.

Unsurprisingly, USB keys are lost on RailCorp trains quite literally by the bucket-load.

With a current retail price in Sydney of less that AU$7 (about £4.50) for a 4GB device, replacing a USB key costs less than a pint of beer.

But what about the cost of losing a USB key's worth of data? Just as interestingly, what about the cost of finding a lost or discarded key?

We wanted to find out, so we attended this year's lost property auction and bought up a collection of pre-owned USB sticks.

Here's what happened.

We had $400 to spend, which we assumed would be enough to buy at least 100 keys to play with. But the auctioneer was in good form, and the mood on the floor was upbeat and competitive.

So our first surprise was the price.

We ended up with Lots 671, 672 and 674: bags containing a motley assortment of 20, 21 and 16 keys respectively. For this rag-tag collection of 57 USB sticks, we paid $409.96 once the auctioneer's 16.5 per cent fee was added in. We could have bought brand-new for slightly less than half that price.

Five of the keys were broken, including the two novelty items in the set (a car and a Lego-like block). Two of the rest were unreliable, so we excluded them, although one gave up just enough data to reveal an Autorun worm but little else.

That left a conveniently-round number of 50 devices in the test.

If you're precise and statistically minded, you'll be happy to know that the total capacity of the 50 devices was 137,454,133,760 bytes. The mean was 2,749,082,675 bytes and the median key capacity was 2,019,557,376 (2GBbytes). The keys ranged from 256MB to 8GB.

All the keys had been formatted to contain a single FAT volume. Six were formatted like old-school floppies, with the entire device given over to the FAT volume. The remaining 44 had a Master Boot Record, like a hard disk, with a single active partition for the data.

Our second surprise was the prevalence of malware.

Two-thirds of the keys (33) were infected. We found 62 infected files in total. The worst key contained six infected files, representing four separate items of malware. The malware counts were as follows:

We didn't find any OS X malware. But nine of the keys appeared to belong to Macintosh owners (or at least had been used extensively on Macs); seven of these were infected.

In other words, if you're a Windows user, don't assume that you can automatically trust everything that comes from your Apple-loving friends. And even if you're one of those Mac users who is opposed to the concept of anti-virus software, consider softening your stance as a service to the community as a whole.

Our third surprise was something of a mixed blessing.

The good part is that we didn't find any obvious "smoking guns" on any of the 50 keys. There were no visible plans for nuclear submarines, no insider trading tips, no credit card dumps, no criminal plots, and no US State Department cables dating back to the 1970s.

Of course, this was an experiment rather than an intelligence-gathering exercise. Since we didn't spot anything on the surface that was obviously in the public interest to expose, we decided to err on the side of caution and to avoid learning too much about the original owners of the keys.

So, we didn't dig anywhere near as deep as an unethical hacker or a serious investigator would have. In particular, we didn't analyse every byte of every file, or search systematically for keywords across slack space, or try to reconstruct deleted files.

The bad part of this is that even with the most cursory automated analysis, we were able to reveal a good deal of personal information about many of the people who had lost these keys, and about their families, friends and colleagues.

One person went to the trouble of writing his name on his key in indelible ink, which tied up nicely with the name recorded in the Document Properties metadata in his Word and Powerpoint files.

We identified 4443 directly-accessible files on the 50 devices, broken down as follows:


The files included:

* Lists of tax deductions.
* Minutes of an activists' meeting.
* School and university assignments.
* AutoCAD drawings of work projects.
* Photo albums of family and friends.
* A CV and job application.
* Software and web source code.

Our fourth surprise was that none of the keys was encrypted, or appeared to contain any encrypted files.

All the devices were openly readable at sector level without any decryption, were directly mountable as FAT volumes without a password, and consisted of plaintext files in a conventional directory structure.

Don't be lulled into thinking that your personal data is unimportant unless you're a high-flying executive or have pots of money. Information about you is worth money to cybercriminals.

And the crooks don't need to be directly involved in identity theft themselves - there's an underground market for selling on personally identifiable information of all sorts.

Paul Ducklin is the Asia Pacific Head of Technology for security software company Sophos. You can read his blog here.

Related Articles