The Lurking Threats in Free Services
It is a common trend that public institutions such as universities, libraries or similar offices offer free facilities to the public such as providing public computers with internet connection. Generally a USB port is recognized as a standard feature on any computer and public computers are no different. The difference lies in the security implemented on these USB ports.
I recall an incident which happened a few years ago in a photocopy shop in Germany which was well frequented by students from a nearby university.
The shop offered public computers with free internet connection; however, the main reason for having these computers was to offer a cheap print out service for any common electronic file on the printer machines that were owned by the shop owner.
The USB port was essential on these public computers because it allowed customer to plug in the USB stick which would contain the document that they wished to print out; however, none of these public computers had any security protection in place such as Antivirus and/or Endpoint Security software.
Commonly students would print out legitimate documents such as their assignments or thesis. So when someone brought a Trojan on a USB stick and deployed this malware on one of the public computers by inserting his USB stick into the USB port, nobody noticed the incident.
The Trojan quickly spread on all the public computers that were connected via a shared network. Furthermore, it copied itself on every USB stick connected through a USB port.
Legitimate documents on the USB stick had been duplicated and sent to the email addresses of different recipients. This all happened because of the Trojan however students blamed the security leak on the photocopy shop owner.
Which leads to the question: who is ultimately responsible for the damage caused by the Trojan?
As a result of this a dispute occurred between the victims and the photocopy shop owner over the issue of security.
One must remember that sometimes free services can be risky, especially when no security prevention measurements have been implemented. And if you want to offer free services to your customers it’s important to offer secure services – security software does not cost much and will help to prevent situations such as the one described above which could have easily been avoided.
I completely agree with what you’re saying, and I think the title is a bit misleading in that the problem here is not restricted to only free services. The same issue can just as easily exist if such as service was paid for.
Whenever a business offers computer usage to customers, be it for printing or other uses, one has to be extra careful to ensure that the system is secure not just for the business itself but also for the customers. This includes logical security but also physical security. Such systems require protection not just against malicious software but also against hardware-based keyloggers as well as Rouge Access points.
I thought that Antivirus software and whatever preferred Endpoint Security Point software would be mandatory for public use PCs by now. Unfortunately, this doesn’t seem to be the case at all. As for me, I just tend to work straight off my laptop in times of emergency and simply hook my system up to the shop’s remote internet cables. Saves me the paranoia of compromising any of my own data.
I managed to follow this article back from another one posted on “how to safely secure a public PC”. Interesting anecdote about the German internet shop. Although it isn’t a unique occurrence, the frightening thing to note is how often it happens to public computer centers clear across the world. With the proliferation of hundreds of thousands of malware over years, you would’ve thought that these business center had wizened up and implemented better security.
It just goes to show that nothing’s free: even a PC that’s slated for public use. I’ve fallen into the trap of getting my own hardware infected after a short stint at the local computer shop. You really can’t be too careful about these things. If internet shop owners were to implement better security on their systems, they’d best well advertise it to their potential customers. I think the additional security would definitely be a worthy advantage over the competition.
To aid with security, I’ve seen publicly used computer stations implement a sort of “closed system” that manages, monitors and evaluates incoming and outgoing files. It sounds a bit complicated, but the heart of the system is actual quite simple. Users aren’t allowed to use flash or USB drives, downloading isn’t allowed and only a key set of files are allowed to be opened. Flash and USB drives are opened on a remote station accessed only by the system admin, whose content can be moved to the unit of the user. The files can then be accessed from there. That way, all outside data devices is monitored through a single hub to minimize threats and system vulnerabilities.
@freddie melanon
I have learned my lesson by completely avoiding free use public PCs altogether. Nowadays, I simply bring my laptop with me everywhere I go (most especially abroad) for work. I’ve also worked out a plan with my mobile service that I’m connected everywhere I go. When working with public PCs, you can never be sure of the security system they use. Might as well be safe and use your own.
@JP Adler
I guess, the fact of the matter is that not all individuals may have access (or even own) their own laptops or mobile workstations. It’s true that netbooks and laptops have dropped in cost over the last three or four years, but average end-users that include students in that demographic still rely heavily on public use computers. It’s these audiences that need to be educated on the safe practices of public PC use, for their own protection.
As an additional (or even primary) form of security, would it be possible for a system to simply remove any possibility of writing, modifying or installing any new files into the hard drive. It would be much like administrative jurisdiction, but in this case, it’s not just applied to protected, administrative and/or system folders. If the purpose of public PC users is simply to go online, browse and check their mail, then I wouldn’t see any problems with implementing a system such as this one.