John Strand on Verizon store customer terminals:
As you can see the system is logged in with an account that has Administrator Privileges. There is no “hacking” this box… You just walk up to it.
When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?”, which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my driver’s license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over, and I quickly left the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.
To my horror, all of the Verizon stores in my area were set up the exact same way.
The moral of this story: do not use public terminals, wherever you may find them, because the people who set them up may not know what they are doing. (Read back through this year’s Philosecurity posts for more examples.)