[unisog] Safe remote access
andrew at andrew.triumf.ca
Sat Jul 16 01:11:35 GMT 2005
Following an incident where we believe a user had a password captured at
an Internet cafe in Bulgaria, I've been bouncing the question off a
couple of lists as "Are Internet cafes safe?"
To which the general consensus was "No!"
But of course our researchers still need access to their data, and
possibly hardware, while travelling. I wondered how this list's members
approached the problem.
Tidbits that emerged from previous discussion:
- you can buy a keystroke capture device, or keystroke-logging keyboard,
quite cheaply: http://www.keyghost.com/securekb.htm
- at least one cafe monitors the VGA signal in the back room
- one-time-passwords may work (OTP token or software on a PDA/cellphone)
to secure the initial login, as long as you don't shell in to anywhere
else from the initial session
- MITM attacks against SSH actually work; SSH1 should be disabled:
- Booting off e.g. Knoppix CD may be safer than using the
operating system off the hard drive
- SSH2 end-to-end from a clean laptop over open WiFi is better than
using an untrusted desktop
(ssh port tunneling and Squid at the far end can protect non-SSL Web
I've been concentrating on SSH to Linux; I guess similar concerns
arise using things like Remote Desktop/VNC/VPN to Windows.
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
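
The post's point that SSH1 should be disabled can be checked on the server side. The following is an added example, not part of the original post: it audits `sshd_config` text for the `Protocol` keyword used by older OpenSSH releases that still shipped SSH1. The sample configurations are constructed, and the first-match-wins parsing and the `default` value used when no `Protocol` line is present are assumptions to confirm against the installed version.

```python
import re

# Keyword matching is case-insensitive; keyword and argument are separated
# by whitespace, optionally with '='.
_PROTOCOL_RE = re.compile(r"(?i)^protocol(?:\s*=\s*|\s+)(\S+)")

# Constructed sample inputs (not taken from any real host).
HARDENED = "# constructed sample\nPort 22\nProtocol 2\n"
LEGACY = "Port 22\n#Protocol 2\nprotocol 2,1\nProtocol 2\n"
ABSENT = "Port 22\nPermitRootLogin no\n"


def effective_protocols(config_text, default=("2",)):
    """Return the set of SSH protocol versions the configuration enables.

    Assumption: the first Protocol line encountered is the one that takes
    effect, so a later 'Protocol 2' does not override an earlier
    'Protocol 2,1'. `default` is what to assume when the keyword is absent;
    it depends on the OpenSSH version and must be supplied by the caller.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        match = _PROTOCOL_RE.match(line)
        if match:
            return {v for v in match.group(1).split(",") if v}
    return set(default)


def ssh1_enabled(config_text, default=("2",)):
    """True if protocol version 1 would be offered by this configuration."""
    return "1" in effective_protocols(config_text, default)


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("legacy", LEGACY), ("absent", ABSENT)):
        print(name, "SSH1 enabled:", ssh1_enabled(text))
```
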