IT Security: Why Do We Bother?

IT Security is hard work. You need to be careful, diligent and just a little paranoid. Then along comes something that makes you wonder why you bother.


I humbly present for your consideration:

The Kiosk Machine From Hell™

3/2/2003: The Discovery

Walking home, a colleague and I came across a travel terminal attached to a bus station in Guildford. This is a dedicated kiosk machine whose sole purpose in life is to run some software which enables confused travellers to discover, through its touch sensitive screen, that there is no meaningful bus service in Guildford. This seemed to have crashed and our eyes were drawn to a nice empty Windows desktop.

Now there is only so much you can do without a keyboard, particularly when the touch screen is slightly misaligned and your fingers are getting cold, but we were able to discover the following:

  • It ran Windows 2000 Professional.
  • It was logged on as Administrator!
  • The Start menu contained all the usual stuff you get with W2K plus some extras which we did not recognise. It certainly did not look like a minimal install, never mind a hardened one.
  • It seemed to be running MS SQL Server in the System Tray! We did not check whether it was patched.
  • Attempting to start IE brought up a dial-up connection dialogue with settings filled in and a password saved. This was for an ordinary retail ISP. Mindful of the Computer Misuse Act, we did not actually try connecting so we don’t know whether it would actually have connected to the internet. I would hate to think what it might have done if it had.

At this point we decided to do the owners of this abomination a favour they probably did not deserve and reboot the damn thing. On rebooting (past a Compaq BIOS) it logged in automatically, presumably as Administrator, without a password and then started the “There are no buses in Guildford” program.

We moved on, uncertain whether to laugh or cry.

20/2/2003: The Relapse

The Kiosk Machine From Hell™ had crashed its application again. This time the screen was not so nice and empty and it was clear that someone else had been playing with it. They had left MS 3D Pinball running. They could have done a lot worse if they had wanted to.

This gave me an opportunity to check out something that it had not occurred to me to try the first time. Remember I said that “there is only so much you can do without a keyboard”? Well, that isn’t quite true. You see, Windows comes with an optional Screen Keyboard application so that disabled users can type using their mouse (or whatever pointing device they can use). This is all very laudable but it opens up immense scope for abuse on a kiosk machine. Of course, nobody would be stupid enough to install it on a kiosk machine. Would they?

Yep. They would.

Suggestions For A Cure

Setting up a kiosk machine is not rocket science. The first trick is to replace the graphical shell of the operating system with the kiosk application. This means that there is no desktop to break into. Should the kiosk application crash then the machine will either restart it or reboot. Either way, you are OK. Even so, you should not be running the kiosk software as Administrator or root. If anybody manages to find an exploitable buffer overflow you want them to get as little control as possible. You should also remove all unnecessary software from the machine. Windows is not the ideal OS for hardening (as this is called) but it is possible to get rid of stupid risks like the screen keyboard and MS SQL Server.
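The three points above (shell replacement, no administrator logon, no stray software) are easy to audit. The following is an added example written for this post, not part of the original, and it targets a current Windows with Windows PowerShell 5.1 or later rather than the Windows 2000 box described here; the Winlogon registry values and osk.exe path are the standard ones, while the `MSSQL*` service filter is an assumption about how the database engine registers itself.

```powershell
# Added example: audit a Windows machine for the kiosk mistakes described in the post.
# Returns a list of findings; an empty list means the three checks passed.
function Test-KioskHardening {
    $findings = @()
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogonKey

    # 1. The graphical shell should be the kiosk application, not Explorer.
    #    With Explorer as the shell, a crash of the kiosk program leaves a full desktop.
    if (-not $wl.Shell -or $wl.Shell -match 'explorer\.exe') {
        $findings += "Shell is '$($wl.Shell)': a crash drops the user onto a full desktop."
    }

    # 2. Automatic logon is acceptable for a kiosk, but not as an administrator
    #    and not with the password stored in clear text under Winlogon.
    if ($wl.AutoAdminLogon -eq '1') {
        $user = $wl.DefaultUserName
        if ($wl.DefaultPassword) {
            $findings += "DefaultPassword is stored in plain text under Winlogon."
        }
        # Strip the machine/domain prefix so names compare with DefaultUserName.
        $admins = Get-LocalGroupMember -Group 'Administrators' |
                  ForEach-Object { ($_.Name -split '\\')[-1] }
        if ($user -and $admins -contains $user) {
            $findings += "Auto-logon account '$user' is a local administrator."
        }
    }

    # 3. Unnecessary software: the On-Screen Keyboard turns a touch screen into a
    #    full keyboard, and a database engine is a large attack surface on a kiosk.
    if (Test-Path (Join-Path $env:windir 'System32\osk.exe')) {
        $findings += "On-Screen Keyboard (osk.exe) is present."
    }
    $sql = Get-Service | Where-Object { $_.Name -like 'MSSQL*' }   # assumed service naming
    if ($sql) {
        $findings += "SQL Server service(s) installed: $($sql.Name -join ', ')"
    }

    return $findings
}

Test-KioskHardening | ForEach-Object { Write-Warning $_ }
```

The remedy for the first finding is to point the Winlogon `Shell` value at the kiosk executable for a dedicated, unprivileged auto-logon account; the remaining findings are fixed by removing the listed components.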

If you want the machine to phone in for data updates, don’t do this with a retail ISP where an attacker could get full internet access and wreak havoc in your name. Set up a dial-up server on a DMZ (DeMilitarised Zone) on your network. Set up your firewall so that your main network can push updated data in to the DMZ but nobody in the DMZ can do anything except read the data already there. Bingo! The worst that anybody can do now is dial in and steal your bus timetables, as if you’d care about that.

14/5/2003: Third Time Unlucky

Oh dear. It has crashed again and the Windows desktop is showing. This time the touch-screen alignment is so far off that it is impossible to access anything on the leftmost 5 cm of the screen. This obviously prevents a therapeutic reboot via the Start menu. It is running an application called “Kiosk Manager” in the system tray although what this actually does is not clear. It certainly doesn’t seem to be managing the kiosk in any meaningful way.

Originally written: 21/05/2003.


May 21, 2003. IT, Migrated, Security, Silly.

One Comment

  1. danielrigal replied:

    If you like this sort of thing then I recommend http://thedailywtf.com/. This covers all sorts of IT related ineptitude. It is both entertaining and educational.
