
When Security Companies Fail

SAN FRANCISCO: Security Fix has long pontificated on the necessity of Microsoft Windows users setting up their machines to run under "limited user" accounts. It is considered a fairly effective method for warding off spyware and virus infections on your average Windows PC.


Irony knows no bounds ... less-than-secure kiosks at the RSA Security Conference. (Brian Krebs)

The advice is not some "secret sauce" that Security Fix dreamed up. It is well known that running Windows under a user account that does not have the right to install software by default is a key safeguard for fortifying Windows machines.

So it came as a great surprise to me to discover a security gaffe at the RSA Security conference here -- one of the premier computer security conferences in the industry. The kiosks of Microsoft Windows XP machines set up as a way for attendees to freely access e-mail from the conference floor were running under the all-powerful "administrator" account. In short, anyone could have used the terminals to download a free software program that records every keystroke typed on the terminals. That record would be extremely useful for spying on the Internet communications of executives at some of the most recognizable computer security firms in the industry.

I spent about 20 minutes watching the activity at these booths, as executives checked their e-mail messages there or logged on to their PCs remotely. Had I spent a bit more than 10 seconds at the terminals, I could have downloaded software that would let me steal user names and passwords from some of the more important companies in the information security community.

It certainly is somewhat crazy that these security practices occur at a respected security conference. But it is also revealing that so many security professionals find it acceptable to access their personal data on unfamiliar public terminals without conducting even rudimentary checks on the host system's integrity.
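A defender's check for the configuration described above, added here as an example (it is not code from the original post): it reports whether the current Windows session runs with administrator rights and lists the members of the local Administrators group, which is the first thing to audit on a kiosk before it is opened to the public. It assumes PowerShell 2.0 or later is present on the host (it was not bundled with Windows XP and would have to be installed).

```powershell
# Added example: audit a public terminal's session for administrator rights.
# Assumes PowerShell 2.0+ on Windows; the ADSI WinNT provider used below
# exists on XP and on current Windows releases.

function Test-SessionIsAdmin {
    # True when the account running this session holds the Administrator role.
    # Under UAC this reflects the elevated token; on XP it reflects group membership.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    return $principal.IsInRole($adminRole)
}

function Get-LocalAdministrators {
    # Enumerate members of the local Administrators group; "." is the local machine.
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
}

$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-SessionIsAdmin) {
    Write-Output "FAIL: '$user' has administrator rights; a kiosk session should run as a limited user."
} else {
    Write-Output "OK: '$user' is a limited user."
}
Write-Output "Local Administrators group members:"
Get-LocalAdministrators | ForEach-Object { Write-Output "  $_" }
```

A passing result only shows that the current session is unprivileged; it says nothing about what was installed on the machine earlier, which is why a kiosk still should not be trusted with credentials.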

By Brian Krebs  |  February 7, 2007; 7:28 AM ET
Categories:  From the Bunker  

Comments

I am not surprised at all. First, many executives may not be all that tech-savvy with their personal use of computers -- regardless of the industry. People at that level rely on their support staff to keep them and their information assets secure. Second, the level of perceived trust and 'safe community' at the aforementioned security conference was likely high.

Social engineering 101: when a perceived level of trust is high, the risk of abuse of that trust is also high.

Until each one of those individuals is burned by information theft or loss, I sincerely doubt that their behaviors will change all that much.

Posted by: C.B. | February 7, 2007 9:48 AM | Report abuse

Yes, that's bad, although there are any number of ways to spy on such systems if you are so inclined.

All traffic can be read (and interpreted and stored) from the wire at any point along the way.

Hardware key loggers can be installed between the keyboard and the machine.

If the system or the network has already been configured to snoop on users, it doesn't make any difference who you log on as.

Posted by: stefan caunter | February 7, 2007 9:51 AM | Report abuse

Apologies for the spam, but I'd like to comment on how those executives are trained and supported by their own organizations: it is difficult to comprehend how they could be let loose in the wild without secure options for communicating back to their organizations.

Each one of those execs could have a secured laptop or other portable device that connects back to their own network via encrypted VPN. If carrying a laptop into the public is too much of a risk or too burdensome, why not provide these execs with a customized OS-bootable optical disk/flash drive and get rid of the risk of HD-based key-stroke loggers?

Additionally, those execs should be trained to recognize the risks of using public Internet access points.

Lastly, if the executives' respective IT departments and/or the executives are that cavalier about their own private/confidential information, it makes a person wonder how effectively their clients' information is guarded.

Posted by: C.B. | February 7, 2007 10:58 AM | Report abuse

I am also not feeling surprised that kiosk security is ignored even by a security giant in the market after the CardSystems case.

First of all, the reason is that the policy and standard are there but no one is forced to follow them. The hardening of kiosks is not a kind of compliance or regulation.

Secondly, the setup/installation/configuration is outsourced to another external party. We cannot imagine there will be staff from RSA taking a security assessment of those kiosks (just kidding) or, for baseline control, that there will be a secure configuration/installation guideline given to the third-party vendor. Meanwhile, the focus is on convening the conference, not the security of the workstations, people and environment. This is always the management point of view. However, if we consider it carefully, if my corp. is in the security industry, the provision of facilities should be examined carefully. It is related to the corporate image indeed.

However, I do appreciate the response and notification framework in the US; if there is an incident, it is much more transparent compared with that in Hong Kong.

I have enclosed my publications in ISC2 about Kiosk security and PISA (Professional Information Security Association)(www.pisa.org.hk) in the reference section.

References:

1. Security Risk and Defense for Internet Access Kiosks, Dec 2004. URL: https://www.isc2.org/newsletter/Archives/200405_anthony_lai.html

2. Public PC Security: A User Behavior Approach, 4th Issue of PISA Journal. URL: http://www.pisa.org.hk/publication/journal/index.htm

Posted by: Anthony Lai, CISSP | February 7, 2007 11:28 AM | Report abuse

Great article, but where is the quote from the RSA Security Conference organizers, Brian?

Isn't anyone that was laid vulnerable at the conference outraged? Aren't the organizers of the conference mortified? Where are the quotes, even if it is a terse, "no comment?"

This is a big story. Someone should be fired over this in the conference organizer's office.

Maybe you should have lunch with one of the Post's investigative reporters, just to get your reporter's skills back in shape.

On second thought, I will give you the benefit of the doubt: you're doing a follow up story, right?!?

Posted by: T. Kawles | February 7, 2007 12:05 PM | Report abuse

C.B:
My experience is that most folks hate hauling around laptops, bulky PDAs, and other gadgets just to check email or do simple document reading/editing. It's quite frankly a pain; you must now haul that thing wherever you go, bars, restaurants, and other social outings (until you get back to your room, or your car, to drop it off). Once you drop it off, now you worry if it'll be stolen, lost, whatever... If you decide to carry a laptop around, now you have that usually 5+lb gadget bag cutting into your shoulder, and/or giving you lower-back pain.

I'm a gadget geek, and hate the idea of hauling such crap around (even though I am guilty of doing it from time to time)... Trying to force your execs to...well...good luck with that.

As for bootable media, do you want to point out where that CD-ROM drive was in the picture, as I sure don't see one. In fact, even the smallest amount of experience with traveling will reveal that most kiosk equipment is locked up. For the very reason that folks do stupid things like boot from their own OS, or physically break the hardware (ohh, imagine what a hacker could do to the machine if they could boot their own OS to bypass XP/Vista's disk/access restrictions...).

Posted by: G.B. | February 7, 2007 12:39 PM | Report abuse

To G.B.: I hear you with the inconvenience and risk of carrying a fully-featured laptop from room-to-room and post-event social gatherings. That can add up to 10+ lbs when cables, peripherals and a carrying case are included.

And points conceded on kiosks being physically locked down and the potential for destructive actions via bootable OS media. Yet, I could not discern from the photo above where the workstation's CPU was located or if it was physically locked-down. [Mr. Krebs, Do you have more detail?]

The question still remains: at what point are the execs putting themselves and their respective organizations at risk and where is the compromise made? Most executives are held accountable (or so I have heard/read) for other aspects of their company operations, why not the integrity of their orgs' security?

#####

Addressing the actual kiosk security issue, locking those things down via OS and software mechanisms is the right thing to do. The challenge is assuring a security-aware user that the workstation in front of them is secure enough to use web-based mail systems (that hopefully use some level of encryption).

Posted by: C.B. | February 7, 2007 2:46 PM | Report abuse

Of course, maybe the vulnerability is really just a plot by the RSA company to demonstrate exactly why token based two-factor security is so much more effective than username - password based authentication. If everyone was using their tokens the keyloggers wouldn't be an issue of defeating access controls, they would capture the emails typed which is typically not going to be critical data.

Posted by: Kis | February 7, 2007 2:50 PM | Report abuse

Did you happen to see any of the executives using a solution to avoid the security hole? Say, an ultra-thin client on a USB stick?

I would hope that some of them were taking steps to safeguard their information.

It could be rather illuminating to have a short session at the end of the show to demonstrate just how easily their information could have been captured.

Posted by: Erik | February 7, 2007 3:16 PM | Report abuse

to C.B. -- the kiosks keep the actual computer locked away beneath, I believe, so that really wasn't an issue.

Posted by: Bk | February 7, 2007 3:30 PM | Report abuse

One can google lots of "work-at-home" (if you have a PC) opportunities. Some I have come across have to do with cash for taking surveys online. What site would you recommend to check the legitimacy of work-at-home and other online opportunities such as surveys?

Posted by: honeysug | February 7, 2007 3:45 PM | Report abuse

What's interesting is that back in the 80's we exchanged some of the most sensitive technical information known to mankind without any real threat to security, based on a mutual respect and trust for each other. Users were primarily well educated and conducted themselves accordingly with a certain amount of civility. Unfortunately, since the emergence of government intervention and commercial exploitation of this valuable resource, computer security risks have become a significant threat to our personal individual freedom and liberty which can no longer be ignored. We need to be both vigilant and concerned when government agencies hack into private citizens' computer systems with warrantless cause & without provocation simply to alter or distort the nature or purpose of such personal sensitive information in an attempt to gain political (financial) gain and/or complete dominance & control over society.
William TTaul Coleman

Posted by: WmTT | February 7, 2007 4:53 PM | Report abuse

C.B.:
Are we even sure a Microsoft platform can be sufficiently secured, or should execs be trained to use only kiosk platforms that have a proven track record of far better security (i.e., Linux or Mac OS X)?

WmTT:
What? You have a lot more to worry about from script kiddies and organized crime, than some black-agency government agents going after your "private" information.

Posted by: G.B. | February 7, 2007 5:23 PM | Report abuse

It is dangerous to assume that just because a public computer is *currently* logged in as a limited user, that it is somehow safe to use.

Frankly, I wouldn't use public terminals for anything more than casual Web surfing, even when currently locked down via a limited user account, because you have no idea who has had control of that computer at any time in the past and what they may have done.

Posted by: Sandi Hardmeier | February 7, 2007 6:02 PM | Report abuse

The matter regarding the Knowledge Center kiosks was brought to our attention and we fixed it immediately. Obviously we take security very seriously and were able to bring this matter to a speedy resolution.

Sandra Toms LaPedis
AVP/GM RSA Conferences

Posted by: Sandra Toms LaPedis | February 7, 2007 8:15 PM | Report abuse

"you have no idea who has had control of that computer at any time in the past and what they may have done."

Amen

Posted by: Dean | February 7, 2007 10:47 PM | Report abuse

Talk about security at RSA? Ten years ago, purely by accident, I crashed the conference one morning by taking a wrong turn in a hotel corridor. Finding a fine breakfast spread, telecomm services and swag freely available, I made RSA a morning habit for the rest of the conference. But here's the punchline: At the end of the conference, now a frequent visage, I was asked to complete an evaluation form about whether I liked the conference and the hospitality. I happily gave the conference a terrific review.

Posted by: Benjamin Bache | February 8, 2007 12:30 AM | Report abuse

I find myself in the same situation as those conference attendees several times a year.

What sort of checks could be or should be done? And if I find the security isn't all that secure, what do you recommend doing (other than not logging in to my bank account)?

Thanks.

Posted by: Roger Sperberg | February 8, 2007 9:04 AM | Report abuse

"All traffic can be read (and interpreted and stored) from the wire at any point along the way."

Not a very high probability issue, from a risk standpoint.

Posted by: Alex | February 8, 2007 2:27 PM | Report abuse

If you are going to flame the settings of the machines, you should at least get it right. The machines were running Solaris, not Windows XP. They are probably mis-configured as well, but it sort of shoots your reliability if you get the OS wrong.

Posted by: MSS | February 8, 2007 6:51 PM | Report abuse

The public kiosks on the show floor and near the press room were running Windows XP SP2 and AVG 7.5, logged in with full administrator privs. These kiosks were clusters of 3 machines scattered in different parts of the conf hall. More here: http://blog.wired.com/27bstroke6/2007/02/rsa_conference_.html

Posted by: Eric S | February 8, 2007 7:24 PM | Report abuse

To Roger Sperberg:

That is just the problem. In almost every case like this, the only thing you can do to avoid exposing your use on that kiosk is to not use that kiosk.

Posted by: BG | February 9, 2007 2:17 PM | Report abuse

What kind of security expert finds what could be a significant security risk and then doesn't have the ethics to at least report it to the show organizers or the vendor whose name is on the sign?

Posted by: WhiteHat | February 9, 2007 8:01 PM | Report abuse
