The American Dental Association (ADA) has inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide.

The organization sent out 37,000 of the devices to its members before a discussion on a security forum revealed that malware was present on at least some of the drives.

The drives contained a PDF file of dental procedure codes, but some of them, which were sourced from China, also had malicious code embedded that redirects recipients to a malware-serving website. The ultimate payload is used to gain control of a user's Windows computer.

The ADA told independent security researcher Brian Krebs that the supply chain is to blame, and that only a fraction of the drives are actually infected.

“Of note it is speculated that one of several duplicating machines in use at the manufacturer had become infected during a production run for another customer,” the ADA said. “That infected machine infected our clean image during one of our three production runs. Our random quality assurance testing did not catch any infected devices. Since this incident, the ADA has begun to review whether to continue to use physical media to distribute products.”

And review it they should. Despite our common assumption that a hard copy of anything is preferable to a download (and amid concerns as to the security of the cloud), it should be remembered that distributing malware by physical media was the first vector for computer viruses way back in the 1980s.

“Mailing physical media—no matter how official-looking it may appear—is no substitute for offering a secure download of any material,” said Tod Beardsley, security research manager at Rapid7, via email. “If you get a USB drive in the mail, it should not be trusted at all. There is no way to reliably determine a mailed USB drive's origin or contents before inserting it into a computer. This strategy continues to be popular today, since direct access to an end user machine bypasses all the network-based intrusion and malware detection systems IT organizations have put in place to protect their assets.”

Bob Ertl, senior director of product management at Accellion, echoed the sentiment: “There is very little excuse for using USB drives as a means of storing and sharing information. With industry-compliant cloud technologies readily available and affordable, organizations should abandon the USB drive once and for all.”

Krebs reported that most ADA members received instructions for a downloadable version of the PDF. The ADA shared a mail that it sent to members:

“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away. To give you access to an electronic version of the 2016 CDT manual, we are offering you the ability to download the PDF version of the 2016 CDT manual that was included on the flash drive.”

Ertl told Infosecurity that the whole situation violates best practices.

“Like sharing passwords, connecting untested thumb drives to information systems containing sensitive data like personal health information (PHI) violates the most fundamental rules of InfoSec,” he said. “The healthcare industry—which includes dentistry—is fraught with data breaches and the reason why is crystal clear: stolen PHI is worth as much as 50 times the value of a stolen credit card on the black market.”

Photo © Kotomiti Okuma