When you use a shared PC, sometimes you get to share other people’s passwords. Especially when people are kind of led to believe they’re safe.
I was wandering around the security landscape last week and was at a client’s business which is quite large and has kiosk PCs for employees and visitors to use to access the open Internet (they lock social networking and other stuff down pretty tight on the business network, so usually you see lines of people tapping away at the rows of kiosk PCs).
I visit this client regularly, so I’ve used these PCs several times in the past. The browser is fairly well locked down (unlike the library I’ve visited out-of-state twice and wrote about in Always Attack the Lone Reed and then again in the Comments under that post here).
Are Passwords/Cookies Saved?
Because I’m curious, a couple of times I’ve logged into an email account of mine (a throw-away account) and other websites from these kiosk PCs, clicked the SAVE PASSWORD box, and then closed the browser without logging off and so on. I then tried to access the email account and websites again without logging in, but could not. Evidently, the cookie was being discarded or never saved in the first place. While I never like to use public networks, especially on a “foreign” PC, I felt a little better. Sometimes, you have no choice when you need to contact someone or check something personal on the Internet.
Two brief notes…First, sorry that I haven’t been around lately. Way too busy, so thanks for all of you who dropped by during my hiatus. Second, by “kiosk PC”, I’m just referring to a shared desktop or laptop that is available to anyone who walks up. Nothing fancy.
However, one day last week I sat down at one of these PCs and found myself logged into someone’s LinkedIn account. Very interesting. Since the browser is locked down and I was in a VERY public place, I couldn’t be nosing around and trying my usual tricks because 1) I was on business and couldn’t risk it, and 2) I know those kiosks are heavily logged and monitored, and 3) I didn’t have permission or a GOOJ card, and I do honor the code of ethics required by the certifications I hold (for those of you who noticed I didn’t list the code of ethics first, nice catch).
One other thing…the reason I felt the company leads people to believe they are safe using the shared PCs is because of the company’s reputation for information security (remember, “reputation” can be different than reality) and that the browser is so locked down and “appears” to not save passwords.
Anyway, I checked to see if the lucky person was an IT person (I hold them to a higher standard even though many of them–including most IT auditors–don’t know any better), and it was a financial analyst. I thought about linking them to some undesirable people, changing their password, and hundreds of other mean tricks. I wanted to call them from a conference room phone and warn them, but I’ve learned that can get you in more trouble than not (some conference rooms have hidden cameras, much like the ones spammers mention in blog comments).
While I pondered my dilemma, I recalled that most clueless people (those of you who have done tech support know what I mean) will stay clueless regardless of the warnings and education you give them. Those are the people who think that no one cares about their data and accounts and that the world is full of such nice people (I describe this kind of thinking and how to counter it in What’s the Fuss?).
So instead of playing tricks on this user, I played the good Samaritan and logged them out. Unfortunately, they will make the mistake again and the next time, an evil genie might take advantage of them.
What Probably Happened
I think what happened is that the user didn’t close the browser and simply returned to the initial splash (home) page. Since the browser wasn’t closed, the cookies were not auto-deleted. If you configure the browser to deny all cookies, some websites will not allow you to log in. At the very least, the company should put a banner on the home page saying, CLOSE BROWSER WHEN DONE, but you know most people wouldn’t do it anyway.
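To make the cookie behaviour concrete, here is an added example (not code from the original post) that simulates a browser's cookie jar with Python's standard `http.cookiejar` module. It feeds the jar two constructed `Set-Cookie` headers: a session cookie with no `Expires`/`Max-Age` (the kind most login sessions use) and a persistent "remember me" cookie with a `Max-Age`. `clear_session_cookies()` stands in for what a browser does on exit; leaving the browser open on the kiosk, as the user above did, corresponds to never calling it, so the login cookie stays valid for whoever sits down next. The URL `https://example.com/login` and the cookie names and values are constructed for the demonstration.

```python
"""Session vs persistent cookies, and what 'closing the browser' actually does.

A Set-Cookie header without Expires/Max-Age yields a session cookie: held in
memory only and dropped when the browser process exits. A cookie with an
expiry is written to disk and survives a restart. The kiosk case in the post
is the one where the browser is never closed, so the session cookie is never
discarded and the next person at the PC inherits the login.
"""
import email.message
import http.cookiejar
import urllib.request

# Constructed sample headers, as a site might send them after a login.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",                 # no expiry -> session cookie
    "remember=tok456; Path=/; Max-Age=2592000; Secure",     # 30 days  -> persistent cookie
]


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies() only
    needs .info() to return something with a get_all('Set-Cookie') method."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def load_cookies(set_cookie_headers, url="https://example.com/login"):
    """Return a CookieJar populated from the given Set-Cookie headers, as if a
    browser had just received them in the response to a login at `url`."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)
    return jar


def cookie_names(jar):
    """Sorted names of the cookies currently held in the jar."""
    return sorted(cookie.name for cookie in jar)


def session_cookie_names(jar):
    """Names of cookies that only live as long as the browser process.
    http.cookiejar marks these with discard=True (no Expires/Max-Age given)."""
    return sorted(cookie.name for cookie in jar if cookie.discard)


def simulate_browser_close(jar):
    """Do what a browser does on exit: drop session cookies, keep persistent
    ones. Returns the names that survive. If the browser is never closed
    (the kiosk scenario), this step never runs and the login cookie lingers."""
    jar.clear_session_cookies()
    return cookie_names(jar)


if __name__ == "__main__":
    jar = load_cookies(SAMPLE_HEADERS)
    print("after login, still open:   ", cookie_names(jar))           # ['remember', 'sid']
    print("of which session cookies:  ", session_cookie_names(jar))   # ['sid']
    print("after closing the browser: ", simulate_browser_close(jar)) # ['remember']
```

Two things worth noticing when running it: the login cookie `sid` is the one that disappears on close, which is exactly the protection the user lost by walking away with the browser still open; and the persistent `remember` cookie survives a close regardless, which is why "remember me" should never be ticked on a shared PC even when the browser is closed properly.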
So always log off websites and close your browser on shared PCs, and offer your prayers regularly (what, you don’t think God cares about computer security?).
Can You Do Better?
What would you have done in my situation or a similar situation? Or have you done?