Educause Security Discussion mailing list archives
Re: Computer Lab Security Risk Notification
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Mon, 12 Apr 2004 14:46:52 -0700
Hi Gary,

#Do those of you who run labs allowing people
#to install software post warnings that the
#computers should not be trusted with sensitive
#information unless they're refreshed? If users
#can't refresh the image, do you post notices
#along the lines of "use at own risk"?

The issue of keystroke grabbers is a real one, but I'll share an alternative example of a lab-related privacy/authentication risk that I view as being more of an issue:

-- IF you have a lab that uses Macs, AND

-- You have users who (try to) "get out" of applications by closing application windows (rather than logging out properly and then fully closing their browser)

THEN follow-on users going onto that machine before session timeouts occur can typically create a new browser window and be live with the former user's session cookies intact.

This is particularly a pain for common applications like institutional web email, where this is usually manifested as "I clicked on web email to log in, and it brought up someone else's mailbox without making me log in!"

At least in that sort of case you can take steps to locally minimize the impact of this vulnerability by routinely doing a forced logout whenever someone comes in to your web email site the "normal" way (whatever that may practically mean in your particular site's context), and user education also helps, but the problem is tougher in the context of popular web sites you don't control. (Testing will confirm this is an issue for a number of popular commercial web email sites, as well as other sites that do cookie-based auth.)

The solution (I believe) is for the Mac to clean up/terminate the parent process if/when the last child browser window is closed. That is, there should be no "lingering live parent process" when the last browser window is closed IMHO.

[And yes, I have mentioned this issue to Apple, some time ago]

Regards,

Joe

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
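The lingering-cookie scenario and the server-side forced-logout mitigation described in the post, as an added Python example that is not part of the original message or of any EDUCAUSE or Apple code. The session store, the `IDLE_TIMEOUT` value, the `entry_point` handler and the two lab users are constructed assumptions standing in for a real web email site.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; hypothetical site policy, not from the post


class WebmailSessions:
    """Server-side session store for a hypothetical institutional web email site."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def login(self, username):
        """Issue a fresh, unguessable session id; the browser stores it as a cookie."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def whoami(self, cookie_sid):
        """Resolve a presented cookie to a user, expiring idle sessions on the way."""
        s = self.sessions.get(cookie_sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[cookie_sid]  # idle too long: treat as logged out
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def entry_point(self, cookie_sid):
        """The site's 'normal' front door (e.g. the web email link on the portal).
        Revokes whatever session the browser presents, so a cookie left behind
        by the previous lab user cannot silently resume that user's mailbox."""
        self.sessions.pop(cookie_sid, None)
        return "login page"


def shared_lab_scenario(force_logout_on_entry):
    """Two users share one lab browser whose process (and cookie jar) lingers.
    Returns the user whose mailbox the second user's browser would resume."""
    store = WebmailSessions()
    cookie_jar = {"sid": store.login("alice")}  # alice logs in (constructed)
    # alice closes her windows, but the parent process keeps the cookie jar alive
    if force_logout_on_entry:
        store.entry_point(cookie_jar["sid"])  # bob clicks the web email link
    return store.whoami(cookie_jar["sid"])  # None means bob sees the login page
```

Without the forced logout at the entry point, the second user resumes the first user's session; with it, the lingering cookie is dead on arrival and only the idle timeout remains as a backstop for users who bypass the front door.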
Current thread:
- Computer Lab Security Risk Notification Gary Flynn (Apr 12)
- <Possible follow-ups>
- Re: Computer Lab Security Risk Notification Joe St Sauver (Apr 12)