The Lurking Threats In Free Services

Public institutions such as universities, libraries and similar offices commonly offer free facilities to the public, such as computers with an internet connection. A USB port is a standard feature on any computer, and public computers are no different. The difference lies in the security implemented on these USB ports.

I recall an incident which happened a few years ago in a photocopy shop in Germany which was well frequented by students from a nearby university.

The shop offered public computers with a free internet connection; however, the main reason for having these computers was to offer a cheap printout service for any common electronic file, using the printers owned by the shop owner.

The USB port was essential on these public computers because it allowed customers to plug in a USB stick containing the document they wished to print out; however, none of these public computers had any security protection in place, such as antivirus and/or endpoint security software.

Students would commonly print out legitimate documents such as their assignments or theses. So when someone brought a Trojan on a USB stick and deployed this malware on one of the public computers by inserting his USB stick into the USB port, nobody noticed the incident.

The Trojan quickly spread to all the public computers that were connected via a shared network. Furthermore, it copied itself onto every USB stick connected through a USB port.

Legitimate documents on the USB sticks had been duplicated and sent to the email addresses of different recipients. This all happened because of the Trojan; however, students blamed the security leak on the photocopy shop owner.

Which leads to the question: who is ultimately responsible for the damage caused by the Trojan?

As a result, a dispute occurred between the victims and the photocopy shop owner over the issue of security.

One must remember that free services can sometimes be risky, especially when no preventive security measures have been implemented. If you want to offer free services to your customers, it's important to offer secure services. Security software does not cost much and will help to prevent situations such as the one described above, which could easily have been avoided.

Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years' experience in the security field and is a regular contributor to several websites and blogs.