Educause Security Discussion mailing list archives

Re: Computer Lab Security Risk Notification


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Mon, 12 Apr 2004 14:46:52 -0700

Hi Gary,

#Do those of you who run labs allowing people
#to install software post warnings that the
#computers should not be trusted with sensitive
#information unless they're refreshed? If users
#can't refresh the image, do you post notices
#along the lines of "use at own risk"?

The issue of keystroke grabbers is a real one, but I'll share an alternative
example of a lab-related privacy/authentication risk that I view as being
more of an issue:

-- IF you have a lab that uses Macs, AND
-- You have users who (try to) "get out" of applications by closing
   application windows (rather than logging out properly and then fully
   closing their browser)

THEN follow-on users going onto that machine before session timeouts occur
can typically create a new browser window and be live with the former user's
session cookies intact.

This is particularly a pain for common applications like institutional web
email, where this is usually manifested as "I clicked on web email to login,
and it brought up someone else's mailbox without making me login!"

At least in that sort of case you can take steps to locally minimize the
impact of this vulnerability by routinely doing a forced logout whenever
someone comes in to your web email site the "normal" way (whatever that may
practically mean in your particular site's context), and user education
also helps, but the problem is tougher in the context of popular web sites
you don't control. (Testing will confirm this is an issue for a number of
popular commercial web email sites, as well as other sites that do cookie
based auth.)

The solution (I believe) is for the Mac to clean up/terminate the parent
process if/when the last child browser window is closed. That is, there
should be no "lingering live parent process" when the last browser window
is closed IMHO.

[And yes, I have mentioned this issue to Apple, some time ago]

Regards,

Joe

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
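The hand-off Joe describes, as an added example that is not part of the original post or of any real web-mail product: a toy web-mail server and a browser whose cookie jar survives "closing all windows" (the lingering parent process on the Mac). The cookie name, URLs, usernames and mailbox contents are constructed for illustration, and the credential check is stubbed out. The same code runs the naive server, where a live cookie skips the login step and the next lab user lands in the previous user's mailbox, and the hardened server, which forcibly terminates whatever session the browser is carrying whenever someone arrives at the entry point the "normal" way.

```python
import secrets

SESSION_COOKIE = "WEBMAIL_SID"   # assumed cookie name (illustrative)
ENTRY_URL = "/login"             # assumed "normal" way in to web mail
MAIL_URL = "/mail"


class WebMail:
    """Toy server-side session logic for an institutional web-mail site."""

    def __init__(self, force_logout_on_entry):
        self.force_logout_on_entry = force_logout_on_entry
        self.sessions = {}  # sid -> username
        # Constructed mailbox content for the demonstration.
        self.mailboxes = {"alice": ["Re: lab schedule", "Advising appointment"]}

    def _current_user(self, cookies):
        return self.sessions.get(cookies.get(SESSION_COOKIE))

    def handle(self, method, path, cookies, form=None):
        """Process one request; return (status, body, cookies_to_set)."""
        if path == ENTRY_URL and method == "GET":
            user = self._current_user(cookies)
            if user and self.force_logout_on_entry:
                # Mitigation: arriving at the entry point ends whatever
                # session the browser still carries and clears the cookie.
                del self.sessions[cookies[SESSION_COOKIE]]
                return 200, "login form", {SESSION_COOKIE: ""}
            if user:
                # Naive behaviour: a live cookie skips the login step.
                return 302, MAIL_URL, {}
            return 200, "login form", {}

        if path == ENTRY_URL and method == "POST":
            # Credential check is out of scope here; any username logs in.
            sid = secrets.token_hex(16)
            self.sessions[sid] = form["username"]
            return 302, MAIL_URL, {SESSION_COOKIE: sid}

        if path == MAIL_URL:
            user = self._current_user(cookies)
            if user is None:
                return 302, ENTRY_URL, {}
            return 200, f"mailbox of {user}: {self.mailboxes[user]}", {}

        return 404, "not found", {}


class LingeringBrowser:
    """Cookie jar that outlives the last window, as on the Mac described."""

    def __init__(self, server):
        self.server = server
        self.cookies = {}

    def request(self, method, path, form=None):
        status, body, set_cookies = self.server.handle(
            method, path, self.cookies, form)
        for name, value in set_cookies.items():
            if value == "":
                self.cookies.pop(name, None)  # cookie cleared by the server
            else:
                self.cookies[name] = value
        if status == 302:
            return self.request("GET", body)  # follow one redirect
        return status, body


def lab_handoff(force_logout_on_entry):
    """Alice logs in, closes her windows without logging out, then Bob
    opens a new window and clicks the web-mail link.

    Returns what Bob sees and whether Alice's old session id still works.
    """
    server = WebMail(force_logout_on_entry)
    browser = LingeringBrowser(server)
    browser.request("GET", ENTRY_URL)
    browser.request("POST", ENTRY_URL,
                    form={"username": "alice", "password": "constructed"})
    alice_sid = browser.cookies[SESSION_COOKIE]
    # Alice closes every window; the browser process and its cookie jar
    # keep running. Bob sits down and goes in the "normal" way.
    _, bob_sees = browser.request("GET", ENTRY_URL)
    status, _, _ = server.handle("GET", MAIL_URL, {SESSION_COOKIE: alice_sid})
    return {"bob_sees": bob_sees, "old_sid_still_valid": status == 200}


if __name__ == "__main__":
    print("naive:   ", lab_handoff(False))
    print("hardened:", lab_handoff(True))
```

The forced logout only helps for the entry path you control; a follow-on user who types the mailbox URL directly, or who reaches a third-party site that does cookie-based auth, still inherits the session until it times out, which is why the post treats the browser-side fix as the real one.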
