Unattended PC is a security risk

Discussion in 'other security issues & news' started by Smokey, Oct 16, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    If you leave your car running with the doors unlocked, somebody can take off with it. If you leave your PC while it is still turned on and you're still logged in, somebody could sit down at your desk and mess with it.

    That seems obvious to me, but apparently it isn't that obvious to everybody. The technology researchers at Gartner felt the need to call out "the risks of insider attacks associated with employees leaving their PCs unattended with active sessions running."

    According to Gartner, a significant number of unauthorised access events occur when someone sits down at another user's computer. The analysts suggest businesses use "timeouts" for all PCs to ensure that users are automatically logged out or that PCs are locked, to minimize the risk of insider attacks.

    "Someone else must have sat at my PC" is a typical defense to accusations of improper online behavior, according to Gartner. This excuse won't fly if companies take measures, it said.


    Story by Joris Evers, News.Com
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I notice some people at work use screensavers w/password - is this considered pretty safe? In these cases, the person is away for a little break or other short period of time.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Windows + L ;)
     
  4. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    It's not safe.

    The password can be bypassed by restarting the computer :eek:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    ??

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I hadn't thought about that. But if the user has a password to permit booting, no one else can (easily) get in... I think...

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Locking Windows
     
  8. Well if the guy has physical access, and they are determined they can do all kinds of ****. Even if it is not on!
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Exactly... I don't get all this talk about what people in your office can do to your PC while you're not there... protecting a computer with a logon password, no matter how strong, is just utterly worthless if the attacker has physical access. Physical access means that he can WITH NO PROBLEM WHATSOEVER read and modify the data on the computer, he just needs to take the disk and attach it to another PC. You would need at least to have a whole-disk encryption protection and to physically check that everything is in the right place every time to provide some kind of protection against people who can physically access your PC.
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    It's all about making it more trouble than it's worth for the backstabbing coworker or curious janitor (in an office situation). Make them really have to work for it.
    A lockable case, security cable attached to the desk, and a BIOS boot and setup password are not super high security. But they will cause enough trouble for malcontents with physical access as to make them look for an easier target.
    At the very least it will slow them down.
    If the data is sensitive, definitely encrypt it.
    You can also put the hard drive in a mobile rack and take it with you.
    These measures are cheap to implement and cause little inconvenience in day to day operations.
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    While I can not disagree with the physical access comments....I would have no problem at all answering your question that a screensaver in the work environment I am in is more than adequate and I would gander a guess that it is more than adequate for most work environments.
     