When Security Companies Fail

SAN FRANCISCO: Security Fix has long pontificated on the necessity of Microsoft Windows users setting up their machines to run under "limited user" accounts. It is considered a fairly effective method for warding off spyware and virus infections on your average Windows PC.
Irony knows no bounds ... less-than-secure kiosks at the RSA Security Conference. (Brian Krebs)
The advice is not some "secret sauce" that Security Fix dreamed up. It is well known that running Windows under a user account that does not have the right to install software by default is a key safeguard for fortifying Windows machines.
So it came as a great surprise to me to discover a security gaffe at the RSA Security conference here -- one of the premier computer security conferences in the industry. The kiosks of Microsoft Windows XP machines set up as a way for attendees to freely access e-mail from the conference floor were running under the all-powerful "administrator" account. In short, anyone could have used the terminals to download a free software program that records every keystroke typed on the terminals. That record would be extremely useful for spying on the Internet communications of executives at some of the most recognizable computer security firms in the industry.
I spent about 20 minutes watching the activity at these booths, as executives checked their e-mail messages there or logged on to their PCs remotely. Had I spent a bit more than 10 seconds at the terminals, I could have downloaded software that would let me steal user names and passwords from some of the more important companies in the information security community.
It certainly is somewhat crazy that these security practices occur at a respected security conference. But it is also revealing that so many security professionals find it acceptable to access their personal data on unfamiliar public terminals without conducting even rudimentary checks on the host system's integrity. [Security Fix]
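The two practical points in the post are the "limited user" safeguard and the "rudimentary checks on the host system's integrity" that conference-goers skipped. The following PowerShell script is an added example, not code from the Security Fix post or from the conference organisers: it reports whether the current session holds administrator rights (the condition the kiosks were found in) and lists who sits in the local Administrators group, so a shared or public PC can be checked in a few seconds before anyone types a password into it. It assumes it is run on the local machine and uses the ADSI WinNT provider, which is available on old and new Windows versions alike; the function names are the example's own.

```powershell
# Added example (not part of the original post): audit a Windows session for
# the administrator-rights condition described in the article.

function Test-IsAdministrator {
    # True when the current logon token carries the built-in Administrator role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    # Enumerate members of the local Administrators group via the WinNT ADSI
    # provider (assumption: run against the local machine, $env:COMPUTERNAME).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

if (Test-IsAdministrator) {
    Write-Warning ("This session runs with administrator rights: any program " +
                   "started here can install software system-wide. Do not " +
                   "enter credentials on this machine.")
} else {
    Write-Output "Session runs as a limited user: installs are blocked by default."
}

Write-Output "Interactive user: $env:USERNAME"
Write-Output "Members of the local Administrators group:"
Get-LocalAdministrators | ForEach-Object { "  $_" }
```

The first check is the one that matters for a kiosk: an account that is not in Administrators cannot, by default, install the kind of program the post describes, which is exactly why the "limited user" advice works. The group listing is the follow-up a defender wants when the answer is "yes", since it shows whether the kiosk account itself was placed in the group or merely inherited the rights from a shared administrator logon.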
1:35:08 PM