Recently ESET held a partner’s conference in Cyprus. As I was walking down the street in Cyprus I saw the following sign:
Hey, what a deal!!! Free internet access AND a laptop to use while you are there!!!
So, I did the respectable thing. I ordered a beer in addition to asking if I could use the laptop. If you try this, remember not to spill the beer on the laptop.
I started looking around on the laptop and discovered that it was running Windows XP with Internet Explorer 6.0. That’s not good, but it gets worse…
I ran the ESET free online scanner and found no threats, so I decided to run Malwarebytes on it as well. This is where it starts to get a bit interesting.
Malwarebytes didn’t actually find any malware, despite the appearances, but it did find three registry entries of concern. The first is that notification of missing antivirus software is disabled. The second is that notification that the firewall is disabled has been turned off, and the third is that notification that automatic updates are disabled has been turned off as well. Yes, the loaner laptop had no antivirus, no firewall, and was not receiving any security updates at all. I believe that was a deliberate configuration decision by the owners of the laptops at the sports bar.
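As an added example (not part of the original post), here is one way to check a kiosk or loaner image for the three suppressed Security Center alerts described above, by parsing saved `reg query` output. The post does not name the registry values; the names used here are the standard Windows Security Center values for those alerts and are an assumption about what the scanner flagged, and the sample output is constructed.

```python
import re

# Assumption: the post does not name the values. These are the Windows
# Security Center DWORDs that suppress the three alerts it describes.
SUPPRESSION_VALUES = {
    "AntiVirusDisableNotify": "missing-antivirus alert suppressed",
    "FirewallDisableNotify": "firewall-off alert suppressed",
    "UpdatesDisableNotify": "automatic-updates-off alert suppressed",
}

# Constructed sample of
#   reg query "HKLM\SOFTWARE\Microsoft\Security Center"
# for a machine in the state described above (not captured from a real host).
SAMPLE_KIOSK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x1
    UpdatesDisableNotify    REG_DWORD    0x1
    UnrelatedExampleValue    REG_DWORD    0x1
"""

# One value per line: name, type, data (spaces or tabs between fields).
LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_dwords(reg_output):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in reg_output.splitlines():
        m = LINE.match(line)
        if m:
            raw = m.group(2)
            number = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
            values[m.group(1).lower()] = number  # registry names are case-insensitive
    return values


def suppressed_alerts(reg_output):
    """List (value name, meaning) for each alert that is switched off."""
    values = parse_dwords(reg_output)
    return [(name, meaning) for name, meaning in SUPPRESSION_VALUES.items()
            if values.get(name.lower(), 0) != 0]


if __name__ == "__main__":
    for name, meaning in suppressed_alerts(SAMPLE_KIOSK):
        print(f"[!] {name}: {meaning}")
```

A clean result only means the alerts are not suppressed; whether antivirus, a firewall and updates are actually present still has to be checked separately.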
So, I did some more poking around and I found that I had full administrative access to the laptop. I could add myself as an administrator and change the password for the built-in administrator account if I wanted to.
Now, as bad as this looks, there is a mitigating factor. It is likely that the laptop is reimaged frequently, perhaps each day. I believe this to be the case due to the lack of current history and temporary internet files. Still, if I were a bad guy, I could come into the sports bar in the morning, install spyware, and obtain user names and passwords for the accounts that other users log into during the day. The real point here is that when using a public computer, you don’t know what is installed on it, so never access your email, social networking accounts, or anything that requires a password unless you plan to share that information with the world.
Note: I did not change the administrator password, the administrator account I added was deleted, and the laptop was returned configured exactly as I borrowed it.
Director of Technical Education