I offer here some friendly advice about public kiosk systems. Now, I define a kiosk system as any system provided for public use. I realize that most of us, when we think of kiosks, think of those systems set up with a fixed interface to allow us to find a store in the mall, or check to see if a book at Barnes and Noble is in stock.

I’m being a bit more general when I talk about kiosk systems, however.  I am speaking of systems provided for public use to allow people to check email, browse the web, or update their Facebook page.  I am talking about systems found in libraries, hotel lobbies, and sometimes airport terminals. Sometimes you have to pay a fee to use them, but quite often they’re just sitting out there for anyone to use.

Seeing these systems I have to ask myself the following question: Who maintains them? Some are provided by a 3rd-party company as a service. Other systems are probably set up by roaming hotel or library personnel. Perhaps they get pre-configured at headquarters and sent out to all the “branches.” Regardless, as I see them sitting there all dusty and abused with coffee cup rings on the case, I have to wonder if these battered systems are ever again touched by the IT guys after their original setup. Oh sure, if a hard drive fails or coffee gets spilled into the keyboard someone will eventually come along and fix it. But these are not my concerns.

About three years ago I was waiting in a hotel lobby for my wife when I noticed one of these systems and, given my compulsive tendency to fiddle with things, I sat down at the keyboard and started looking around.   I noticed stuff almost immediately. Shortcuts to games–obviously not installed with the original software–filled the desktop. I checked the internet cache and was not terribly surprised. Porn and gaming sites were apparently often visited on this system.

The web browser seemed very slow to come up, and when it finally appeared on the screen I started seeing quite a number of pop-up ads. This system was riddled with ad-ware and probably various kinds of malware as well. I looked on the tray for some indication of anti-virus software. An expired version of Norton or something similar had been installed, but was never purchased.

However, the biggest surprise was still to come. A quick check of the Windows XP system settings revealed that the user account I was currently using, and that which dozens if not hundreds had used before me, had administrative rights on that system. This explained the seemingly endless list of software that others freely installed.  The system was a dangerous mess, and it seems to be the “norm” among those publicly available.  These systems should ALWAYS be avoided. What follows are my reasons…

First of all, giving an average user administrative rights is like giving a kid a baseball bat to play with in a glass shop. I don’t say this to be insulting, I’m just stating a fact. Malware can do irreparable damage to an operating system when it runs under an account with access to all the system files and the registry. It’s common sense, but many who set up such systems are too lazy or apathetic to care. It’s much easier just to give everyone administrative rights so that nobody bothers you to install something or change a setting. Let them do it. It’s easier.

A few years ago I did IT administrative work for a securities trading company. I stood firm with regards to administrative rights.  Normal user accounts were not members of the local administrative group on systems. I never took the position, however, of withholding these rights as some sort of personal power trip, nor did I tell people I thought they’d break their systems. I was always quick to explain about malware and how I was trying to protect them. Heck, I even created secondary administrative accounts they could use if they needed it. I bent over backwards, but it was never  enough for some.

One lady was in constant gripe mode about not having administrative rights. I explained, and still she complained. One day, she brought her home system in and asked if I could have a look. It had gotten slow. I took it home that evening and spent an entire weekend removing dozens…no..hundreds of instances of malware.  When I brought it back, I asked her “why did your home system have so much malware and your work system does not?” Her immediate answer was “Antivirus software is better on the work system” to which I replied “Nope.”   I explained that her system was such a mess because she ran this system normally with administrative rights, giving malware much more to work with. She thanked me, gave me a case of Guinness for my work, and continued to complain, but perhaps a little less vehemently.

The point is that any system where users regularly do their day-to-day activities with administrative rights is on borrowed time. It’s like silly putty or that toy slime you sometimes buy (ok sometimes “I” buy). Once you drop it on the carpet you might as well toss it as you’ll never get out all the nasty bits  that it picks up. A kiosk system sitting in a lobby with administrative rights will pick up every bit of digital nastiness out there.

If I were evil, I believe I’d infect kiosk systems with keylogging software, collecting all the user names and passwords for every person logging in to Paypal, Facebook, or even their bank accounts. Such logins are ripe for the harvest on kiosk systems. Keyloggers come in two varieties. Software keyloggers collect all the keystrokes through memory-resident software and then transmit this data to a 3rd party. Hardware keyloggers are devices installed between the keyboard and the system. While hardware keyloggers require the bad guy to retrieve the device at a later time, they are also nearly impossible to detect unless they are visibly noticed.

To further exacerbate the problem, often these kiosk systems are connected to the same network as everything else in the hotel. Imagine, if you will, a bit of nasty code running in memory on the kiosk system that scans the network looking for additional victims. A kiosk system could be a launching point for an attack on your laptop as you use the wireless network at the hotel, not to mention the hotel’s point of sale system and business related servers and databases. A clever virus could be written to constantly make reservations for all rooms or cancel such. Of course, I’m just thinking out loud here. :-)

If you run a hotel or library and have such systems, here’s a couple of excellent ideas. Hint: Read all three, but pay special attention to the first two.  There’s a pop quiz at the end. :-)

1. Use a live CD, not a hard drive. Boot the system to an Ubuntu or Knoppix Live CD and let people browse all they want. At the end of the day, reboot the system. Nothing will remain in memory, and you’ll provide a cleaner computing experience. It’s a little slower to operate from a live CD to be sure, but worth it.

2. Re-image the system daily. Create a basic system image and use this to restore the system every evening or when problems occur. This will put you back at square one every day. There really is no excuse for not at least doing this on kiosk systems. The process can even be automated to happen at night with very little effort.

3. If for some incredible reason points 1 and 2 are not available to you (which, if you’re honest, they ARE) then make sure that you have decent anti-virus software, keep the systems patched, and, above all, do NOT give the default account administrative rights. I do not recommend this point, however. It requires some ongoing “maintenance.” You may start off with good intentions, but eventually the cares and woes of your other responsibilities will distract you and before you know it the patches and virus signatures are out of date. Then there’s that time you make an “exception” and give someone admin rights for some strange reason and then forget to revoke them. Necessity may be the mother of invention, but laziness can be its favorite uncle. Make your life easier and do the smart thing: Use a Live CD or re-image the systems regularly.
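If you do end up on point 3, the "forgotten exception" is something you can check for mechanically. The script below is an added example, not something from the original post: it parses the English-locale output of `net localgroup Administrators` and reports any member that is not on an allowlist. The account names and the allowlist are assumptions, and the sample output is constructed.

```python
"""Audit local Administrators membership from `net localgroup Administrators` output."""

# Constructed sample of what `net localgroup Administrators` prints on a kiosk
# whose public account was given admin rights. Account names are hypothetical.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
HOTEL\\Domain Admins
kiosk
The command completed successfully.
"""

# Assumption: the only accounts that should hold admin rights on a kiosk.
ALLOWED_ADMINS = {"administrator", "hotel\\domain admins"}


def parse_members(output: str) -> list[str]:
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_list:
            # The member list starts after a line made only of dashes.
            in_list = len(stripped) >= 10 and set(stripped) == {"-"}
            continue
        if not stripped or stripped.startswith("The command completed"):
            break  # blank line or the trailing status line ends the list
        members.append(stripped)
    return members


def unexpected_admins(output: str, allowed: set[str] = ALLOWED_ADMINS) -> list[str]:
    """Members of Administrators that are not on the allowlist (case-insensitive)."""
    members = parse_members(output)
    if not members:
        # Empty or unparseable output must not be reported as a clean system.
        raise ValueError("no member list found in net localgroup output")
    return [m for m in members if m.lower() not in allowed]


if __name__ == "__main__":
    for account in unexpected_admins(SAMPLE_OUTPUT):
        print(f"FAIL: '{account}' has administrative rights on this kiosk")
```

Run it against the output collected from each kiosk on a schedule; an error on empty output is deliberate, so a failed collection is never mistaken for a clean result.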

There are other options as well. The use of thin clients such as Citrix may be available so that the OS is not really running on the system which you are using but instead a remote server. However, such solutions are usually costly and not within the budget of most.

So what if you’re a hotel customer or you want to use that library system? Don’t do it unless you know they are following one of my first two points above. But also don’t  be afraid to bring along your own live CD and ask if you can use it. You may get strange looks or be viewed suspiciously. This is a good opportunity to introduce that library IT guy to the wonders of a clean, bootable, non-persistent environment.

If you “have” to use a kiosk without proper protection (and you never have to) then use common sense. Don’t visit sites to which you log in. If you happen to visit any such site, even on a safe system, make certain you log out completely. My wife’s family visited once and one of her relatives often used her computer for his Facebook updates. Almost every time my wife sat down she found herself logged into his Facebook account. (I had some really good ideas but she wouldn’t let me do anything. :-) ) Imagine a stranger sitting down at that kiosk system in the hotel finding himself logged into your online bank account or email.

Finally, I just want to say that Kiosk systems “can” be safe if those in charge follow best practice, but they should never be completely trusted. Besides, you’re on vacation. Give Facebook a rest and go to the beach. :-)

Quiz: Which of the following is the least desirable option for keeping public systems “clean” in a hotel or library?

A) Use a live CD

B) Use a hard drive-based OS, but keep patches and anti-virus up to date.

C) Use a hard drive-based OS, but re-image or clone it daily.

The correct answer is B. :-)

David H.

Symbiosis is a term commonly used to describe the relationship between two unlike organisms who interact in such a way as to provide benefits to one or both organisms, but usually not at the cost of the survival of one, as in contrast to a predatory or competitive relationship. Symbiosis usually falls into one of three categories, Parasitism, Commensalism, and Mutualism. Let’s define these terms for now in relation to natural science.

1. Parasitism - A symbiotic relationship where one organism benefits and the other is harmed. This well-known type of relationship is exhibited in the way a tapeworm feeds off nutrients in the digestive tract or the way a mosquito feeds from the blood of the victim organism. Some parasitic relationships can be deadly and others more benign. But even if in a small way, one organism is adversely affected.

2. Commensalism - A symbiotic relationship where one organism benefits and the other is not significantly harmed or helped. A spider building a web on a plant is a good example. Some animals rely for their dwellings on the abandoned dens of others. Egrets are often seen walking around herds of cattle, eating insects stirred up by the activity.

3. Mutualism – This is perhaps the most interesting form of symbiosis. In this relationship, both organisms benefit from each other. Certain birds eat parasitic insects from the ears and mouths of larger animals. The clownfish and the anemone protect one another. Many examples could be given for this kind of symbiosis.

Now that we’ve defined our terms, we can now see how this applies to malware.

There has always been a symbiotic relationship between malware and the system which it infects. Historically, the symbiosis has taken a parasitic form. A computer is infected by a virus, and the results have been corrupted/destroyed files, pop-ups, or a system which no longer even boots. The authors of malware were motivated by notoriety. Having their customized “you’ve been pwned!” graphic appear on the screens of millions of now incapacitated systems was their lofty goal.

The malware trend has shifted toward a more commensalistic symbiosis as the motivations behind its creation have shifted. Malware is written more for the purpose of financial gain than it is for notoriety and infamy. The contrast is stark. Attackers want to do nothing that would draw attention to their presence in your system. They would rather you carry on as usual while they use your bandwidth and processor power for their purposes. Doing harm or displaying banners is completely out of the question and counter-productive for their purposes.

This relationship has no benefit for the victim. On the contrary, the victim’s resources are being used by the attacker. In this respect, malware fails to completely rise above the level of parasite. But for the average user, these liberties being taken by the malware largely go unnoticed. It is usually not the end-user who notices the malware but instead the network administrator who notices the strange amount of traffic traversing his perimeter. The user is adversely affected, but only slightly, and the less the attacker can affect your system and have attention drawn to his presence, the better. The attacker strives for a purely commensalistic symbiosis.

This brings up mutualism. Does Malware ever appear in this kind of symbiosis? To my knowledge, it does not. However, imagine, if you will, an end user carelessly clicking a link and being presented the following message:

“The software you are about to install will increase your system performance by at least 20 percent and protect you from many forms of malware.”

We see something similar to this with the fake malware removal websites. The victim is presented with progress bars and drive letters making him think that the software is cleaning malware, when instead it’s installing very bad stuff. But this is not mutualism, in which both organisms truly benefit.

What if, however, the Malware actually DID increase system performance? What if it did protect the system from other malware?

The real question is, if malware were installed on a system where it did add that system to a botnet and use resources, but it actually boosted performance or provided some other benefits to that user, would that user care?

In future, I will post more about this and the specific application for various kinds of malware.

David H.