You Should Treat Public Computers Like Public Bathrooms: With a Little Fear

What's to come?
July 15 2014 5:46 PM

You Should Treat Public Computers Like Public Bathrooms

With a little fear.

Public Computer.
Sure, it looks like a harmless public computer. But be afraid—be very, very afraid.

Image courtesy of Shutterstock.

When I was in college, the main campus library had several computers set up on the first floor for public use, and invariably, whenever I used one, a previous user had not logged out of her Gmail account. So when I tried to load my account, I would instead find myself staring at the entire contents of someone else’s inbox. Of course, I would then log that person out and sign myself in—but those brief moments when I had complete access to another person’s email were terrifying nonetheless. How could people be so careless with something as valuable as their email account? And then, inevitably, after my own session, I would make it halfway across campus and suddenly begin worrying that I might have forgotten to log myself out—the same way you might worry you forgot to turn off the stove, or lock the door before leaving your house—and so I would trek back up to the library and check.

I still fear public computers, a terror that was only reinforced by the July 10 advisory that the Secret Service and the National Cybersecurity and Communications Integration Center issued about keyloggers on hotel business center machines. The advisory, first reported by security researcher Brian Krebs, was directed at the hospitality industry and warned of cases in which people who had registered at hotels with stolen credit cards downloaded keylogging software onto the computers in the hotels’ business centers. 

The software would then capture every keystroke entered on those public machines—including the usernames and passwords entered by unsuspecting hotel guests, as well as the content of any emails or documents they wrote on those machines. The log of these keystrokes would be emailed to the person who had installed the malicious program, providing the hacker with a wealth of data on the business center users. “The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers,” according to the advisory.

Advertisement

This, of course, is a far more serious—and nefarious—threat than college students who forget to log out of their Gmail accounts and thereby give strangers access to their email, but both risks stem from a common problem in computer security: our tendency to treat public computers like personal ones and, more broadly, to ignore the physical dimension of cybersecurity.

Krebs points out that while there are ways that hotels can try to make it more difficult for people to download keyloggers on their computers—by restricting users’ ability to install programs, for instance—there’s a limited amount that can be done to improve the security of public computers, especially if they’re to provide any valuable services to users. Or, as Krebs puts it, “if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer.”

Basic safeguards are still worth taking, if only to restrict the set of potential perpetrators to “skilled attackers.” The advisory noted:

The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low-cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guest’s [sic] information.

It doesn’t take much skill to find keylogging software online and install it on a public machine. You don’t need to know how computers work, you don’t need to be an expert coder, you just need to be dishonest—and have access to a computer that other people use. This is data theft at its easiest—and perhaps also at its easiest to overlook.

In cybersecurity research, we think a lot about the variety of threats that can flow over networks and the silent, nonphysical ways that computers can be accessed and penetrated and entered—via email, Web pages, and other means. These sorts of crimes present a whole host of new security problems that are worth studying and addressing in light of the fact that the principles and assumptions of physical security no longer apply. The very notion of “access,” in fact, changes radically in this context—and the language we use to talk about cybersecurity breaches, in which attackers successfully “penetrate” machines, or get “inside” computers, reinforces how thoroughly physical ideas have been co-opted and given virtual meanings in this space.

TODAY IN SLATE

Medical Examiner

The Most Terrifying Thing About Ebola 

The disease threatens humanity by preying on humanity.

I Bought the Huge iPhone. I’m Already Thinking of Returning It.

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

Students Aren’t Going to College Football Games as Much Anymore

And schools are getting worried.

Global Marches Demand Action on Climate Change

Politics

Blacks Don’t Have a Corporal Punishment Problem

Americans do. But when blacks exhibit the same behaviors as others, it becomes part of a greater black pathology. 

Why a Sketch of Chelsea Manning Is Stirring Up Controversy

How Worried Should Poland, the Baltic States, and Georgia Be About a Russian Invasion?

Moneybox
Sept. 19 2014 1:11 PM Americans' Inexplicable Aversion to the 1990s
  News & Politics
Weigel
Sept. 20 2014 11:13 AM -30-
  Business
Business Insider
Sept. 20 2014 6:30 AM The Man Making Bill Gates Richer
  Life
Quora
Sept. 20 2014 7:27 AM How Do Plants Grow Aboard the International Space Station?
  Double X
The XX Factor
Sept. 19 2014 11:33 AM Planned Parenthood Is About to Make It a Lot Easier to Get Birth Control
  Slate Plus
Tv Club
Sept. 21 2014 1:15 PM The Slate Doctor Who Podcast: Episode 5  A spoiler-filled discussion of "Time Heist."
  Arts
Brow Beat
Sept. 21 2014 2:00 PM Colin Farrell Will Star in True Detective’s Second Season
  Technology
Future Tense
Sept. 19 2014 5:03 PM White House Chief Information Officer Will Run U.S. Ebola Response
  Health & Science
Bad Astronomy
Sept. 21 2014 8:00 AM An Astronaut’s Guided Video Tour of Earth
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.