Originally uploaded by amphybian
It’s that time of year again, the Toronto Autoshow! For the past few years, I haven’t been able to go to the show due to school work or just sheer laziness. But this year I was able to go and see two very sexy cars: the Mercedes-Benz SL65 Black series (the picture above doesn’t do it justice) and the 2009 BMW z4. Make sure you check out those cars if you go this year! I think they’re both located in the south hall.
Aside for the nice cars, I’ve also noticed an increase of computer terminals at the show booths. They’re usually used to showcase some fancy Flash animation or to let people look at the manufacturer’s website. Being the complete geek that I am, I decided to fiddle around with some of the terminals.
The first one that I played with was at the Rogers Centre hall; I forgot which booth. The security on those terminals was horrible. First, you could alt+tab to the desktop. Then, if you open the Start menu, you’ll see that the name of the user account is Admin. They didn’t even create a restricted user account for the terminal! Hell, I was even able to play a round of Solitaire!! They also had some pretty interesting programs, stuff mostly to do with Apache and ODB. However, I was pleasantly surprised when I looked down at the task bar, the system used Firefox as its browser!
The second terminal was a bit fancier. It used a custom keyboard that had a lot of the shortcut keys removed: windows button, alt, and f-keys. Although its not completely secure, at least it served as stronger deterrent to would-be alt-tabbers. However, some Windows fan boy out there probably knows some awesome shortcut that will open up another window.
So what’s the moral of the story? Secure your public terminals! It might not sound like a big deal, but someone could very quickly and very easily install some nasty software. In the best case, someone puts up an embarrassing picture and you can sit back and watch as the sales team runs around like headless chickens. In the worst case, someone loads up a key logger or even remote access software to gain access to the terminal. With admin privileges, an attacker could hide this software pretty deep. Plus, I’d be willing to bet that they don’t do deep cleaning or system restores on these terminals. If the attacker is really lucky, then the terminal is actually rented, and you’ll be able to get even more info from different users. Anyways, you guys get the idea.
James Ma