John Strand is the author of this week’s article. John is the owner of Black Hills Information Security and a member of PaulDotCom Security Weekly. He is also a SANS Instructor and a regular presenter at various security conferences.
Last week I was plucking around at my local Verizon Wireless store looking for a power adapter for my i760. Apparently, this task is far harder than I thought it would be. The gentleman behind the counter said, “Whoa! That is a very old phone.”
I bought it last year.
Anyway, he disappeared into the back like he was hunting for the store’s last mogwai and left me, alone, in the store with their demo EVDO computer terminal.
So I started playing around with the Windows XP system they let their customers use to test the EVDO speed, which I think is a great idea. However, there was a sign that said, “Please, check your email here!!” I don’t think so.
So I got curious as to what kind of security they put on these systems. I was hoping for at least a partially locked down terminal. At the very least, I was sure they would not leave an open system logged in with Administrator privileges for the whole world to use.
As you can see, the system is logged in with an account that has Administrator privileges. There is no “hacking” this box… You just walk up to it.
When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?”, which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my driver’s license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over, and I quickly left the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.
To my horror, all of the Verizon stores in my area were set up the exact same way.
There are two issues here. First, these terminals are insecure by design and replicated. Second, they encourage their potential customers to use these insecure systems to do potentially sensitive activities.
Why should Verizon care? The single biggest thing I can think of is liability. If you’re an attacker, why would you keep your illegal files on your own system? It seems so much better to store them on a random Verizon demo system. Next, think about the consistency across stores. It is trivial to dump the password hashes from a system when you have Administrator access to the box. Where else are those passwords used?
The point is that we need to start securing things even if we don’t think there is a need. There are liability issues that come with leaving systems this open and insecure. Further, it is just these types of things that can be catastrophic for an organization. The sad part is that many organizations would say they never saw it coming.
We can say it again and again: organizations need to be a bit more protective of their customers’ data. Also, I think it would be a step in the right direction to not openly suggest that customers should check their email.
Until then… Buyer beware.
Philosecurity contributor John Strand
PGP-signed text: 2009-06-10 (current)