Steve Lamb's Blog

Security Matters

Kiosk PCs are not secure - Blimey, that was close!


As James mentioned in his excellent post detailing his travel misery, we're at an internal ("TechReady 5") conference in Seattle.

The network in our hotel is cr*p suboptimal. Browsing the web generally works OK. Accessing anything else is a disaster. Sometimes I can connect Outlook via RPC over HTTP but generally I can't. It's soooo frustrating.

The conference facility is pretty nice. Microsoft have provided kiosk PCs for the purpose of submitting session evaluations and many people are using them for general Internet access too. Earlier today I was asked to contribute a couple of paragraphs to an upcoming magazine publication. I picked up the request via my Windows Mobile phone in between sessions this morning. I headed back to the hotel at lunchtime to write my prose. It's a really short-notice piece so you can imagine my frustration when I couldn't get my message to sync to the server...

I returned to the conference centre in time to listen to the next session on my schedule. As I left the session I walked past a row of kiosk PCs. A browser session was open on screen inviting me to enter my corporate credentials to submit my session evaluation. I was about to browse to Outlook Web Access (or whatever it's called today!) to access my email when I realised what I was about to do - commit a security sin! I HAVE NO REASON TO TRUST the security of the kiosk machine OR the network it's connected to. The conference centre is large and has many points of access hence I don't trust that everyone there is actually a Microsoft employee. The physical security staff seem pretty attentive though I can think of a number of ways someone with enough enthusiasm could wander past them unchallenged.

My biggest concern was that a miscreant could have fitted a hardware keylogger to the machine and I didn't have physical access to the back of the machine to find out. Equally well there could have been a software keylogger on there.

STEP AWAY FROM THE MACHINE!

At my next opportunity I returned to the hotel, picked up my laptop and headed to a wonderful coffee shop that provided free Internet access and delightful coffee. In such an environment I COULD TRUST the client machine and without being REALLY PARANOID could accept that I DIDN'T NEED TO TRUST the network.
