Public Computer Users Beware !

[drag0nsfyre]

Hey All,

I came across this article I found interesting and I thought that some of you might too. Since i know some of you are attending college or taking courses etc.

taken from the full story here

BOSTON -- A college student was indicted on Thursday on charges he placed software on dozens of computers that allowed him to secretly monitor what people were typing, and then stole around $2,000 using information he gleaned.

In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online.
According to an indictment by a Middlesex County grand jury, Boudreau compiled a database of personal information on about 4,800 faculty, staff and students at Boston College.

I guess i was under the impression that I wouldnt think schools would permit you to install a program as easily I know when i was taking a few classes, that was one thing you deffinantly could NOT do and they were very strict in keeping an eye on such things. guess I thought wrong

[instronics]

Alas this news is nothing new, and is a major threat nowadays for many public computers. Not only at colleges, but also airports, web cafes, and many other public computers. One of the main reasons is that the people in charge (admins) think only about securing their networks, or their computers for damage, and not the responsibility that they have towards their users. Its really not that hard to configure a computer that does not have the capability of installing or running applications that you do not specifically allow. Ofcourse its also not a problem finding that sort of malicous software (keyloggers), anyone with a searchengine can find many links to that sort of software. I have not spent much time with the issue of securing public computers yet, but i will have to start doing this soon. I would be happy to hear YOUR thoughts about how to secure public computers as much as possible without taking away too much comfort or making it too confusing for the users. The ways i can think of going about this threat is:

On public computers:

windows :

1 - Only giving restricted user access (not being able to install software or run applications that do not need installation)

2 - Removing any floppy or cd drives

3 - Making sure that no applications can be downloaded (proxies or backweb software)

4 - With the help of image software, reformatting the public computers on a daily basis and reinstalling it cleanly (such as Norton Ghost over a lan) etc...

*nix :

1 - Only giving restricted user access (not being able to install software or run applications that do not need installation)

2 - Removing any floppy or cd drives

3 - Making sure that no applications can be downloaded (proxies or backweb software)

4 - Deleting user accounts at the end of the day and recreating public user accounts.

5 - Removing any compilers, and also making sure that downloads are limited to certain file types.

All these tasks can be automated by the admins, so it would not take admins time todo that.

I guess that these examples do take away comfort and fun, but its not very easy to have security and comfort at the same time. Choose your poison. How whould you go about securing a public computer, if the users were your customers? Would you let them be free and happy, or piss them off with restrictions. Please tell

Cheers drag0nsfyre for this important post.

Cheers to all the other AO members.

//edit//

Keep in mind that since its public computers, erasing the users at the end of the day is not wrong, since the computers or the data does not belong to the users.

cheers.

[avenger_jcc]

another amazing but true fact:
If someone is stupid enough to have a administrator account on a NT based machine with no password, well you know how bad that is. But with a little thought and design, a script can be written to install VNC software to the machine, silently. its creepy. I know because I wrote a script to perform this across a lan, to multiple machines. then it hit me, what if I knew the password/there was no password for machines on the internet? *whistles innocently* the script I wrote could be modified so that one could install it on some strangers PC and literally watch. Moral of the story? NUMBERS AND LETTERS in your passwords, and change the name of the administrator account!