Jump to content

Best Buy's surprisingly insecure approach to new PC setup


ShyWriter
 Share

Recommended Posts

.

screenhunter02may171411.jpg

Risk Assessment / Security & Hacktivism

Best Buy's surprisingly insecure approach to new PC setup

Somewhere in the march toward "easy," security got blindsided.

by Jon Brodkin - May 16, 2012 10:14 pm UTC

Screen-Shot-2012-05-15-at-11.46.13-AM-640x482.png

Enlarge / Want Geek Squad to set up your PC? Just write your e-mail and password in that box on the left

A basic rule of password-based security is "don't write down your password." A second rule might be "don't train people to write down passwords." And a third rule, which few follow, is "don't adopt password policies that lead to people writing their passwords down" (over-aggressive change requirements often have this effect, for instance).

Best Buy hasn't received the memo, apparently. This past Friday I came in contact with a surprisingly bad password policy in action as I shopped with my brother for his new computer in Scottsdale, Arizona. He had settled on an HP Windows 7 machine and was in the process of paying for it when a Best Buy employee handed him an 8.5” by 11” sheet of paper labeled “PC Recommendation Worksheet.”

Emblazoned with the familiar Best Buy and Geek Squad logos, one side contained a “new computer setup” form, where you can select antivirus software, Geek Squad tech support, data transfer services, Microsoft Office, and so forth. The other side had more of the same—along with a request for my brother’s e-mail and password, right below the fields for name, address, and phone number. Anyone reading this form would interpret it as a request for your e-mail address and e-mail password. And less-sophisticated users will fill it in, no questions asked. But we balked.

“So, why do you need my password?” my brother asked. The Best Buy employee quickly said, “you can just ignore that.” Intrigued, I asked the employee if I could have a clean copy of the sheet and he graciously complied. It’s good, because the sheet my brother filled in—without his password, of course—was taken by the Best Buy employee. You can see a scanned copy at the top of this post (click the image to get a larger view). Even though we were told to ignore it, my curiosity was piqued. Who and what is this meant for?

Best Buy's official spokespeople tell Ars that they collect the passwords so Geek Squad technicians can set up the user's preferred password for logging into their new PC. In other words, this field is where users put in a desired password for their new (Administrator-level) account. This strikes us as unwise, even if it is not a cardinal security sin. Best Buy also tells us that our inquiry has triggered a review of the form and that a revision is forthcoming. We don't know exactly how the forms will be changed, but we're glad Best Buy is working to fix the problem.

Given the placement of the password field underneath the e-mail address field, it certainly looks like Best Buy is asking for the password to a Yahoo Mail, Gmail, or similar account. More important, however, is the simple fact that asking users for their preferred password to set up their user account on the machine is bad security practice.

changepassword-300x298.jpg

The proper way to set up a new user in Windows 7

PC sellers helping customers set computers up isn’t unusual—but asking them to write their passwords down in plain text on a sheet of paper to be handed to the store employee is obviously questionable from a security standpoint. It's also unnecessary. Windows lets third parties set up a PC with a temporary password and provides a self-explanatory option titled "User must change password at next log on." This was a missed opportunity for Best Buy to help users become more responsible for their security. Instead, the big box retailer misses the mark and does nothing to boost the security consciousness of its customers.

(Note that the above process would not work exactly the same for Mac OS X, as the OS doesn't have an option for forcing users to reset the password. There is an option titled "Allow user to reset password using Apple ID," and of course, Geek Squad could set their own temporary password and give it to users along with instructions on how to change it. UPDATE: One reader helpfully notes that Mac OS X does have such an option—it's not in the graphical user interface, but it can be enabled in the command line.)

Screen-Shot-2012-05-15-at-1.43.22-PM-640x485.png

Also worrisome is the fact that Best Buy is handing these sheets to any old PC buyer, even individuals like my brother who had no intention of paying Best Buy extra cash to set up his computer. In case you're wondering: Geek Squad's basic PC setup runs $69.99, creation of recovery discs is $59.99 (or $100 for both PC setup and discs), while ongoing tech support starts at $99.99 for a single year. Transfer of "up to 9.4GB of data" from an old PC to a new one is $75. Yet they still gave him this form, and we absolutely contend that it appears to request e-mail passwords. It isn’t hard to imagine the less tech-savvy user filling in the e-mail and password fields without much thought.

Screen-Shot-2012-05-15-at-11.59.11-AM-640x464.png

Bundle and save!

We've asked both Apple and Microsoft how their retail stores handle passwords during PC setup, but haven't heard back yet.

In response to our inquiry, Best Buy told us that the forms in question are "stored at a Best Buy store as protected customer information and destroyed after three years." We asked Best Buy if Geek Squad members are required to instruct PC buyers to change their passwords after their PCs are set up. It seems not to be a requirement, but Best Buy told us Geek Squad agents do "encourage customers to change their passwords after set-up."

Even if Best Buy employees are conscientious enough to tell PC buyers not to fill in the password field, it's a practice that should be abandoned entirely. These sheets should not be placed in front of customers during the PC purchase process, and those who opt for Geek Squad setup should not be asked to determine a preferred password for setup and to write it down. Best Buy can and should do more here to inform users of proper security practices, and that begins with not telling a complete stranger what you want your desktop computer password to be, or worse yet, writing it down for them.

SOURCE: http://arstechnica.c...email-passwords

Steve

Link to post
Share on other sites

I become more and more sorry for first time buyers or those with a limited knowledge of computers. Time after time i hear the most outrageous statements made by salespeople when i am shopping/browsing.

A few months ago i was deciding on a new laptop and was merely comparing prices, i said i wanted a Core i5 (even though i fully intended to buy direct from the OEM) then the sales person tried to sell me a Toshiba, very good deal he said, Core i5 and 4 gigs RAM.

I asked him what he knew about intel processors, i pointed out the three digit number and asked did he know he was trying to sell me a first gen out of date model, thus the price? He just looked blank :(

When we were looking at Macs the salesman quickly informed us that Apple/Macs do not get "viruses". When i informed him of the half million Macs recently infected he did not believe me.

Commerce thrives on ignorance and deviousness.

Link to post
Share on other sites

Guest Seagull

Well said goldhound.

About 4 years ago, I was at Best Buy looking for a computer to buy for my Dad, I was just browsing and a salesman came up to me and ask me if I need help and I said

I am just looking for a computer to buy my Dad and he said okay and my Dad was with me and he tried to play mind games with my dad to try and sucker him in to buying some

slow low end Gateway and I told the salesman I went to college for Information Technology and that computer is just too slow and not what were looking for, and he said

Oh you went to college for computers, well if you need anything just ask.

Isn't funny as soon as he found out I have some knowledge in the computer field he walks away, I guess he figured I am not your average sucker.

I ended up buying my Dad a nice Sony Vaio Desktop from Sony's website in the end, I really didn't care for Best buys selection.

Also, a salesman try to pull the "Macs Don't get viruses" to a friend of mine about a year ago and I had to explain to him that's not true.

Link to post
Share on other sites

When I'm bored and have nothing of any consequence to do, I like to hang out at the local BEST BUY and listen to the conversations surrounding me.. More fun than watching a barrel of Monkeys on crack with etch-a-sketches explaining E=MC2... What can I say; I'm easy to entertain. :P

Steve

Link to post
Share on other sites

I'll repeat it then and I challenge you to prove me wrong. Mac's don't get viruses!

screenhunter03may171917.png

Click on Image

Malware Descriptions

[updated 7th November 2011]

Added links to some further information from F-Secure about OSX/Devilrobber to the appropriate section below.

[updated 4th November 2011]

I’ve just been reminded of a threat descriptions database I should have added to this list: PC Tools’ iAntivirus page includes a threat descriptions page here. Brief descriptions, but plenty of them.

[updated 1st November 2011]

OSX/Devilrobber (a.k.a. OSX/Miner)

  • It opens ports and listens for C&C servers
  • It steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • It acts as spyware, forwarding usernames and passwords to a remote server
  • It noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
  • It may also be looking for files that contain child abuse materia

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Interestingly, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

OSX/Tsunami.A

A version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run on OS X. Low risk, but apparently a work in progress: a second version shows some “improvements”. More info:

[updated 28th October 2011]

Sophos Mac Malware Descriptions

You may notice that this page is nowhere near keeping up with the flood – ok, trickle – of Apple-targeting malware that we’ve seen this year. No, that doesn’t mean there wasn’t any: it means that this page is a low priority. I should, however, certainly have mentioned before Graham Cluley’s excellent article “The short history of Mac malware: 1982 – 2011” – in fact, I did mention it, but only in the main Mac Virus blog, not as a resource to check on for malware descriptions. It’s not encyclopaedic, but it’s certainly an excellent summary.

[updated 26th February 2011]

Blackhole RAT (darkComet, MusMinim):

Updated 1st April (no, I don’t think it’s a joke)

SecureMac describes a later variant it’s labelled BlackHole RAT 2.0a, which is said to be distinctly different to the variant described by Intego.

Updated 30th March (info on later variants)

RAT (Remote Access Tool) which targets both Windows and Mac users. Described as a beta version by its author, but already includes an interesting range of functions. The user interface includes some German words/command options. The author refers to it as Blackhole ( but Sophos analysis indicates that it’s a variant of the Windows malware commonly referred to as darkComet: however, the apparent author of darkComet has denied it and says he’s developing his own – oh joy…). Sophos detects it as OSX/MusMinim-A: other AV researchers have samples, so other products will detect it too (contact your vendor if in doubt).

[updated 22nd January 2011]

Symantec blog on the high proportion of Macs recruited into the Boonana botnet.

[updated 21st January 2011]

I can’t believe I forgot to mention that Graham had updated his blog post to include Autostart! But he did.

Meanwhile, I came across a description of the Top 5 malicious programs that affect OS X, according to malwarecity.com, which is a BitDefender initiative. It includes short but to-the-point descriptions of:

  • Jahlav
  • RSPlug
  • HellRTS
  • OpinionSpy
  • Boonana

[updated 24th November 2010]

No, this is not the week I get on with adding some more descriptions to this page. In the New Year, maybe. In the meantime, though, I notice that Graham Cluley has put up a blog including the highlights of Apple-targeted malware to date. While it’s not particularly detailed or comprehensive (surprisingly, it doesn’t mention 1998′s AutoStart worm), it’s accurate (as I’d expect), and you may find it of some interest.

Apple Mac malware: A short history

[updated 22nd September 2010]

Predictably, my virtual ear has just been bent by someone assuming that because there are only a couple of descriptions here, that’s all the OS X malware there is. Sorry, but it isn’t. I simply don’t have time to put into this project right now: going back over descriptions for earlier malware simply isn’t a priority, and right now I’m up to my ears in conferences and can’t find time even to detail more recent malware.

Perhaps Old Mac can find some time for this, but I wouldn’t bet on it. As I remarked in a comment below, ESET’s OS X sample collection is now well into the thousands. There’s some information on the most common malware types and families in the EICAR paper on Apple security on the resources page at http://macviruscom.wordpress.com/mac-malware-resources/papers/ though that paper is now quite a few months old.

Ryan Russell’s blog at http://ryanlrussell.blogspot.com/2006/10/os-x-malware.html is not up-to-date (he didn’t have time to update either) but includes more individual items than I’ve managed so far.

David Harley

[updated 14th June 2010]

This is an embryonic information resource with information (or links to information) about specific Mac threats. This may not be the biggest project in the world (Mac threats tend to be counted in hundreds, not tens of millions, as is the case with PC threats), but it will take a finite amount of time, which I’m a little short of, so in the first instance, at least, I’m likely to add descriptions as they’re asked for, rather than chronologically or in order of importance. Descriptions may also be modified as I find time to work on them, and the format is likely to become a little less rough-and-ready.

OSX/OpinionSpy

Also Known As:

Associated with software calling itself PermissionResearch or PremierOpinion

First reported

1st June 2010

Discussion on Mac Virus:

Information from Intego, including initial alert:

Discussion on the ESET blog:

Analysis by Methusela Cebrian Ferrer: http://ithreats.net/2010/06/02/premieropinion-spyware-now-in-mac-os-x/

Discussion by Paul Ducklin: http://www.sophos.com/blogs/duck/g/2010/06/02/mac-osx-monitorware/

Description by McAfee: http://vil.nai.com/vil/content/v_267638.htm

OSX/MacSweep

Also Known As

Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper

First reported

January, 2008

Description

The first OSX scareware (or fake security application), or at any rate the first widely-recognized as such. Published by “KiVVi Software”, who covered themselves with glory by stealing most of the text from their self-description from Symantec’s web site, changing only the company name.

Most of the descriptive material applying to OSX/iMunizator also applies to MacSweep: in fact, some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC” The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies (Down, Cookie! Down, boy! Naughty Cookie!), compromising files and so on , and anyone trying to remove them is told they need to buy the MacSweep software.

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware.

Further information

http://www.f-secure.com/weblog/archives/00001362.html

http://blog.intego.com/2008/01/15/scareware-tries-to-trick-mac-users-into-buying-worthless-software/

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmacswpa.html

http://vil.nai.com/vil/content/v_143952.htm

http://en.wikipedia.org/wiki/MacSweeper

OSX/Imunizator

Also Known As

OSX/iMunizator, OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan

First reported

Late March, 2008

Description

As the fact that some vendors call it MacSweep.B indicators, Imunizator was essentially a retread of OSX/MacSweep (MacSweeper), the first OSX scareware (or fake security application), or at any rate the first widely-recognized as such.

The “call to action” in this case was a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC” (that’s the capitalization offered by the product’s screen, not mine: I know the difference between a raincoat, an Apple computer, and a Media Access Control address…).

Wouldn’t it be nice if you could get an application to clean the Internet?

The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the Imunizator software. Amusingly (in a black sort of way), Imunizator tries to tell you that the apps it flags may compromise the victim’s credit card.

Pot, kettle….

Perhaps the most interesting thing about these early Mac-specific ventures into the rogue application market is that they were also early examples of rogue security software that presents itself as something other than straightforward fake anti-virus or fake anti-spyware. Presumably the authors were taking into account that most Apple-users don’t believe that there is any Apple malware. (Yes, I said that about MacSweep, too.)

Further information

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmacswpb.html

http://vil.nai.com/vil/content/v_144297.htm

http://blog.trendmicro.com/scareware-software-makes-its-second-round-on-mac-os/

http://www.h-online.com/…/More-fake-anti-spyware-for-the-Mac-734693.html

http://www.intego.com/news/ism0801.asp

http://blog.intego.com/2008/03/28/new-scareware-targets-mac/

David Harley CITP FBCS CISSP

Mac Virus Administrator

Steve

Link to post
Share on other sites

Goldhound is right, but for a change I wasn't being contrary for it's own sake. I have been criticised on this forum for failing to make distinction between viruses and malware and I maintain that it's largely pedantic and generally unimportant. However, in the context of the discussion of Mac security I think it illustrates a core issue.

Eugene Kaspersky said 'Mac OS is no more secure by design than Windows'. Carefully chosen words. The system upon which Mac is based wasn't designed to be more secure than Windows it just is. Mac users have grown smug and complacent over the years and that is partly down to being ignored by malware writers, but for good reason. Experts here and elsewhere will testify as to how hard it is to construct an effective virus for the Mac platform, the same could never be said for Windows.

Link to post
Share on other sites

Mac is BSD/Unix based. Like Linux it's relatively hard to build malware that gains root access and most malware would be confined to the home directory. Root infection is normally the result of the user installing something they should not have through social engineering. I believe I saw a video a while back from Sophos that showed the Bannan Trojan on a Ubuntu system where the user willingly installed the infected program by imputing their root password.

Link to post
Share on other sites

  • 3 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.