One of my responsibilities is security awareness training, and I am currently in the process of establishing a baseline. This will allow me to evaluate the effectiveness of any future efforts that I am going to develop. Whenever you embark on something like implementing a new program, make sure that you establish baselines. Without them, you will have no way to evaluate the effectiveness of your efforts. But, I digress.
Today, I re-confirmed that most attacks against IT infrastructure are just too simple to pull off when the attacker targets the users, rather than the technology. Today, I did an experiment using low-tech methods.
I went down to some public terminals, typically used by students when they have some time to kill. Whenever someone left their terminal, I walked over to see what I could find. Most were smart enough to close their browsers before they left, but very few went so far as to clear their browser's cache, or even actually log out of the application they were using.
Most web applications use a session cookie to authenticate a user and to establish a context. The browser discards that session cookie automatically when its last window closes. A well-written web application will then require the user to re-authenticate. Note that many web applications are friendly enough that they will cache the user's identity, even across sessions. The login field is typically already populated, providing an attacker with useful information.
These particular kiosks are iMacs. Macs are interesting things in that windows completely disappear when they are minimized, except of course when you know where to look. I initiated my attack by starting an instance of Safari and an instance of Firefox, and I minimized both.
Next, I walked away from the browser and let students use the kiosk. Those students did their thing (usually browsing Facebook or MySpace) and then closed their window, but not their browser. As a result, the session states were maintained and I had full access to accounts logged in to these social networking sites, and even the occasional Google Checkout or eBay account.
Of course, I immediately logged the user out when I established that she was logged in and after I had taken a photo of the screen. I also made sure not to capture (or even look at) any personally identifiable information.
Please note that our policies allowed me to do this. My job function requires me to monitor the use of IT resources and to establish an information security program, and establishing a baseline is part of that process. While connected to our network, or while using equipment that we own, no user has a "reasonable expectation of privacy."
How do you defend against this? Clear "private data" when you leave a browser in a public space. This will not defend against key loggers, but it will make it a lot harder for people to hijack your session.
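The server side of that defense, as an added example that is not code from the original post: the session cookie above is issued without Expires/Max-Age so the browser drops it on exit, but a browser left running in a minimized window keeps it, so the application also enforces idle and absolute timeouts and re-authenticates once they pass. The `SessionStore` class, the `sessionid` cookie name, the timeout values and the injectable clock are assumptions of this example.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, regardless of activity


class SessionStore:
    """Server-side session table; clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def cookie_header(self, sid):
        c = SimpleCookie()
        c["sessionid"] = sid
        c["sessionid"]["httponly"] = True   # keep it away from page scripts
        c["sessionid"]["secure"] = True     # only over TLS
        c["sessionid"]["path"] = "/"
        # Deliberately no Expires/Max-Age: a session cookie, discarded when the browser exits.
        return c.output(header="Set-Cookie:")

    def user_for(self, cookie_header):
        """Return the user bound to the presented cookie, or None if re-authentication is needed."""
        c = SimpleCookie()
        c.load(cookie_header)
        morsel = c.get("sessionid")
        if morsel is None:
            return None
        s = self._sessions.get(morsel.value)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(morsel.value, None)   # a kiosk left idle loses its session
            return None
        s["last_seen"] = now   # sliding idle window for an active user
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)   # explicit logout invalidates server-side state
```

With an idle timeout in place, a browser that was merely closed (not quit) on a shared terminal stops granting access after fifteen minutes instead of indefinitely.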
Another thing that I found interesting is that nobody approached me to find out what I was doing there. I was very open about the fact that I would walk over immediately after someone left, play with their browser, and even take photos of their screen using the camera built into my cell phone.