Evil geniuses and world domination are 2 of our goals... we also like Dr Who

Creta marine : Internet Access Kiosk

no comment

So – I bit the bullet and decided that I would invest some money in some internet access.  I stumped up the 2 Euros to access the machine – and I started thinking about how you make such a machine secure and usable.

First of all it looked like windows 7 – but was it actually windows 7?  Well luckily they had left access to the file manager open and available – and I was able to locate winver and run it…

Windows 7 Home Premium









So – that’s a copy of windows 7 home Premium running service pack 1.  I’ll need to check this out but I’m not sure that home premium is a suitable licence for a commercial setting such as providing an internet kiosk.


According to the Windows 7 Home Premium Licence section 8 :

SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the features included in the software edition you licensed. The manufacturer or installer and Microsoft reserve all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
· work around any technical limitations in the software;
· reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
· use components of the software to run applications not running on the software;
· make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
· publish the software for others to copy;
· rent, lease or lend the software; or
· use the software for commercial software hosting services.



In addition the CMD command line was also accessible –

Access to command line







and what’s that the title bar is saying?  I’m an administrator?

Interestingly issuing the whoami command gives marine-4\station7, and the hostname of this machine is marine-4.  This suggests that the user base is locally stored.

I managed to get quite a lot of information about this machine :

  • I know its name
  • I know its mac address
  • I know how the accounts appear to be stored (locally stored)
  • I know that there are restrictions placed on accessing things from the browser bar (can’t type in c:\ for example – but can still browse to it)\
  • I know that it has service pack 1 installed
  • I know all the service packs and hot fixes that are installed on the machine (I ran SystemInfo)
  • I know what version of the software is installed : Webbar 2012 – it’s emblazened across the top of the screen
  • I can’t access task manager (good)
  • I can’t access control panel (good)

I think I might submit this as a talk to OWASP.


Why could this be a problem?

I believe that the administrator intended to lock this system down so that only basic web browsing could be performed from this device.  I believe that they secured the system by preventing explorer from loading files (hence the issue when trying to browse to named paths) – but that this was incomplete.  I believe that the administrator took a decision to allow maximum usability to the user, but made the public user an administrator by default.

This means there there is no access control to this machine : anyone guest or otherwise could walk up to it, deposit 2 euros and have administrator privileges on the device.  It also means that we need to be aware of the potential fall out from using such devices – using the incognito mode (which for some reason was not the default mode for Google Chrome) and potentially changing passwords after use.

I certainly would not recommend using such devices for internet banking.



Also found that the windows security essentials that is installed is flagging as “potentially unprotected”… scary



Comments are closed.