Log Out, Log Out - I repeat, LOG OUT!

Friday, October 08, 2010

Robert Siciliano


One of the most common yet under-reported causes of data breaches is users’ failure to properly log out of public PCs.

Is your work computer accessible to others, perhaps after business hours? How about your home computer? Does its use extend beyond your immediate family, to your kids’ friends or babysitters, for example?

Do you ever log in to a hotel’s business center PC, or take advantage of free Internet at a bank of sponsored PCs at a conference? Or pay per minute at an Internet café?

Maybe you’re you a college student; do you use the PCs in the computer lab, or friends’ PCs?

Any shared PC is at an increased risk for spyware, viruses, and other malicious activities of a criminal hacker, the PCs administrator, or just the dude that happened to use the computer before you. But many people increase their vulnerability simply by failing to log out.

A few months ago, my sister-in-law used my family’s PC, logging in to her Facebook account. After she left, I checked Facebook myself, and quickly realized I was still logged in to her account.

To teach her a lesson, I changed her profile picture to something she didn’t appreciate. (Being my sister-in-law, she forgave me.)

This past weekend at a conference, a colleague borrowed my laptop to check his email. Four days later, after having turned the laptop on and off a half dozen times, I attempted to check my own email and found myself still logged in to his Gmail account.

In this instance, I quickly logged out, since Gmail notifies users when their accounts are open at multiple IP addresses, and I wasn’t about to hack a colleague.

Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or, “Save password,” and will do so indefinitely.

This feature often works with cookies, or codes stored in temp files. Some operating systems also include an “auto-complete” feature, which remembers usernames and passwords.

I’m not entirely sure if my colleague left Gmail’s “Stay signed in” box checked, if Gmail left a cookie on my laptop, or if my operating system remembered him. Either way, he was hackable.

Protect Yourself

I may log in to a PC that is not mine once or twice a year. And when I do, I make sure I log out of any program I logged in to.

On the rare occasion that I use someone else’s computer to log in to an account containing sensitive data, I make an effort to change the password. Generally, though, I lug around my own laptop wherever I go, and I use an iPhone.

Never check a “Remember me” box, and if it’s selected by default, remember to uncheck it.

If you get an auto-complete pop-up while logging in, read it carefully and be sure to click the “no” option.

Some PC administrators install password managers that prompt the user to save login credentials. If you are on someone else’s PC and get this kind of pop-up, read it carefully before just clicking buttons to dismiss the pop-up.

Most importantly, PLEASE, for heaven’s sake, LOG OUT. Do I need to repeat myself?

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another data breach on Fox News. Disclosures

Possibly Related Articles:
Security Awareness
Security Awareness
Post Rating I Like this!
Jamie Adams Excellent!!! This drives me crazy! I saw a case where a sysadmin left himself logged in as root and something got thrown on his keyboard and "bad" things happened. Rare, yes but nonetheless dangerous. This is why so many operating system/application security guidelines have session management rules such as timeouts and screen locks.

What about classified systems, human resources (Privacy Act 1974), and health care systems which people leave information up on their screen and walk away?

Raymond Cassick @Jamie,

I can't tell you how many times I have remoted into a machine and found that someone had already logged in and left their session open. Or how many places simply allow all admins to log in using the generic root or administrator accounts. It seems that so many people today just have no view of security.

I have always been a fan of smart cards with tethers but they do get in the way when you have to move between multiple racks or terminals, that can get messy. I would almost think that some type of desk proximity sensor might be a good idea... Just sit at the desk and have a sensor built into the front edge picks up an RFID tag in your badge and ask for your second mode of auth. Walk away and as soon as you are out of range your screen locks.

BUT, it always comes down to the USER really. Unless people are aware and willing to be a participant in security and compliance then no matter how good the system is you are always going to have opportunity for breaches and leaks.
Raymond Cassick Actually, I have an additional question here... What is your feeling about allowing the Windows log-on box to remember the last log-on name and pre-populate that. I have to admit that I understand the security reason for it, but I have SEEN it used by shoulder surfers before as a way to get passwords. I can't count the number of times that I have seen folks walk up to a machine and expect to just have to enter their password but are sitting at the user-name box instead and are entering their password as plain text now instead of masked by stars.
Jamie Adams @Raymond... I like your quote "Unless people are aware and willing to be a participant in security and compliance then no matter how good the system..."

This is so true. There are so many brilliant people working in information security and on some very complicated issues -- worms, bots, anti-virus, social engineering, etc... BUT ALL OF THAT is useless when users (or untrained/undisciplined) SysAdmins leave the front door open.

Perhaps I am a bit of a "simpleton", but I write a lot about those fundamentals which are often overshadowed by the glitz and glam of the idea of foreign nations waging war in cyberspace. I like articles like this one because it reminds us of the fundamentals... of the role everyday users and SysAdmins can assume.
Bryan Miller Raymond, as a pen tester I love it when organizations allow the last login name to be displayed. It gives me 50% of what I need to get into at least one system. If I guess the password I'll start looking for Citrix or other remote access programs.
Anthonie Ruighaver I have seen at least one paper on the use of a mobile phone with bluetooth as a proximity sensor. Would work well with laptops as most of them have bluetooth.
The real problem is, however, the use of passwords and the lack of detective controls for compromised passwords. It is high time that this traditional authentication method is augmented by other authentication methods and security mechanisms. My phone could be used as a supplementary authentication (using bluetooth). When no connection can be established to my phone for this extra authentication, a simple sms message to me warning me that someone logged into my account using my password would do wonders.
Anthonie Ruighaver And here is a link to my paper on ubiquitous security, that details a variant on this authentication scheme using USB sticks.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.