Leon Fisk writes:

On Sat, 25 Apr 2009 07:19:45 -0700 (PDT), Jim Wilkins
wrote:

snip
My home system is one example, this PC is only used for the Internet,
the other ones are off line. I copy stuff onto them with virus-scanned
flash drives but don't bring it back out. I do all banking in person
and haven't ever visited their web site.

That doesn't really matter, if your bank provides (most do)
online access your info is vulnerable whether you choose to
participate or not (shrug).

I can't remember where I saw it, might have been here.
Someone dropped a few flash sticks/usb drives in the parking
lot of the place they wanted access to. Employees picked
them up and then inserted them into their work computer to
see what was on them. You can guess the rest...

I saw that report too.

You can create a custom U3 USB stick that executes exploits when
inserted. See the switchblade project.

Smart security experts disable autorun on ALL drives : CDROMS, DVDS
USB, and Net shares. That should help.

But in this case, the attack was even simpler. The USB drives had a
"install" icon, and the users installed the software to see what it does.