I’d heard the story years ago of a group that ran an infection test to prove a point. They put their benign virus on a bunch of branded USB sticks, put them in a fishbowl, walked into the target company and asked the receptionist if they could leave it there for people “as part of a promotional campaign.” They got over three-quarters of the computers in the office.
If a company wants to ratchet up security, it’s not as simple as banning all thumb drives. To be extra careful, you’d have to ban iPods, cameras, and every other USB-based doohickey—all of those devices are capable of carrying Stuxnet-like viruses, too. I asked Sean Sullivan, of F-Secure, if he could imagine any failsafe IT policy that would have worked to thwart Stuxnet. “Well, in our malware test machines, sometimes we put glue in the USB ports,” he joked.