That silent sucking sound could be your data departing
In the same vein as spammers who depend on your clicking on or replying to their messages to feed their voracious appetites for valid email addresses and traffic, you should be aware of a fast-growing, yet less obvious risk.
With the growth in small, low-cost, high capacity Mobile Storage Devices (e.g. USB Drives, MP3 Players, Cameras, PDAs), it is inevitable that the things will get lost. So, when you see one abandoned at a phone booth, on a bench or in a hallway, the scenario may seem harmless enough — a memory stick fell out of a pocket, or was left there by accident. But at the risk of sounding paranoid, don’t do the obvious.
Don’t pick it up and put it into your laptop or work computer. That may be just what its owner wants you to do. Here’s what the scenario might really be.
Hackers have learned that certain types of USB memory drives can be configured to fool your computer into launching a program the moment the drive is inserted, WITHOUT NOTIFYING YOU ABOUT IT.
In fact, they can start keyloggers or trojan horse programs resident on the device itself. There is a good article on the technical aspects of these devices HERE.
It is a good policy to make sure all office users are aware that they should only insert authorized hardware devices into your organization’s computers. The above scenario is just one of the risks that can arise.
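Policy only works if someone checks that the machines actually enforce it. The script below is an added example (not from the original post or the Honey Stick Project): it audits the two Windows settings that govern whether a plugged-in drive can auto-launch anything, and lists the USB storage devices the machine has already seen, which is what you want when following up on an unauthorised stick. It assumes a Windows host, runs as Administrator, and uses the documented policy locations `NoDriveTypeAutoRun` (0xFF suppresses AutoRun on every drive type) and the `USBSTOR` service `Start` value (4 disables the USB mass-storage driver); the function names are my own.

```powershell
# Added example: audit AutoRun / USB storage hardening on a Windows host.
# Assumes Windows with PowerShell, run from an elevated prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: Windows then applies its built-in default
    }
}

function Test-AutorunHardening {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # suppressed; 0xFF covers all of them, including removable drives.
    $autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    # USBSTOR Start: 3 = driver loads on demand (sticks work), 4 = driver disabled.
    $usbstor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    [pscustomobject]@{
        NoDriveTypeAutoRun   = if ($null -eq $autorun) { 'not set (default)' } else { '0x{0:X2}' -f $autorun }
        AutorunFullyDisabled = ($autorun -eq 0xFF)
        UsbStorageStart      = $usbstor
        UsbStorageBlocked    = ($usbstor -eq 4)
    }
}

function Get-SeenUsbStorage {
    # Every USB mass-storage device Windows has enumerated leaves a key under
    # Enum\USBSTOR, so this is a quick inventory of what has been plugged in.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        }
    }
}

$state = Test-AutorunHardening
$state | Format-List

if (-not $state.AutorunFullyDisabled) {
    Write-Warning 'AutoRun is not suppressed for all drive types. Hardened setting:'
    Write-Host '  New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force'
}

Write-Host "`nUSB storage devices previously connected to this machine:"
Get-SeenUsbStorage | Format-Table -AutoSize
```

Disabling the USBSTOR driver outright is the blunt instrument; most organisations will prefer to keep AutoRun fully suppressed and control storage devices through Group Policy or an endpoint device-control product, and use the USBSTOR inventory above as an audit trail rather than a block.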
In an effort to better understand the awareness of the general public, and the tendency for people’s curiosity to get the better of them, I’ve started a little experiment called the Honey Stick Project (click HERE).
The idea is to plant unmarked Mobile Storage Devices (USB drives) in publicly accessible locations and see if the people who find them will plug them into a computer on their network and use them.
Don’t worry, the devices I use do not contain any executable programs at all… only data files that cause the computer to launch natively installed programs, such as the default browser, MS Word or Adobe Acrobat. If the links in the files are loaded, my website detects it in the logs. For those who do use the devices, they get a little note that advises them of what the experiment is about. No private data is collected, only the fact that certain files or links were followed.
The goal is to generate some statistics about the risky computing habits of people in the general public. I can also use the same techniques to run targeted tests within an organization’s facility to see how aware they are of this type of risk.
For more information, you can visit the Honey Stick Project — or HSP — website (at http://www.honeystickproject.com) where I have posted the latest stats, as well as some articles on the risks of Mobile Storage Devices. I have been getting a lot of help from security colleagues around the world. Recently, Michael Santarcangelo (The Security Catalyst) allowed me some space to write a 3 part series about the HSP on his blog (click HERE), and Mike Sues of Rigel Kent Security (click HERE) supplied me with a whack of new USB drives to use in the HSP experiment.
So, when you see a lonely USB device sitting abandoned in a public place, don’t plug it in. The best thing to do is turn it in to the nearest lost and found. The last thing you need is to have it suck all your important data off your hard drive and ship it off without you knowing about it.