[unisog] Safe remote access
bob89 at eng.ufl.edu
Tue Jul 26 23:34:49 GMT 2005
On Friday 15 July 2005 09:11 pm, Andrew Daviel wrote:
> Following an incident where we believe a user had a password captured at
> an Internet cafe in Bulgaria, I've been bouncing the question off a
> couple of lists as "Are Internet cafes safe?"
> To which the general consensus was "No!"
> But of course our researchers still need access to their data, and
> possibly hardware, while travelling. I wondered how this list's members
> approached the problem.
> tidbits that emerged from previous discussion:
> - you can buy a keystroke capture device, or keystroke-logging keyboard,
> quite cheaply: http://www.keyghost.com/securekb.htm
> - at least one cafe monitors the VGA signal in the back room
> - one-time-passwords may work (OTP token or software on a PDA/cellphone)
> to secure the initial login, as long as you don't shell in to anywhere
> else from the initial session
This is mandatory. Put S/KEY or OPIE on any login session your users are
likely to want to open, so even if they su, they get a one-time password.
You must assume that someone will get your password, most likely by keystroke
capture. OTP devices are available (but of course I don't have the names of
any products handy right now), and you can get OPIE or S/KEY for PDAs. BUT
your users must understand that OTP alone doesn't provide encryption, it just
protects their login password.
> - MITM attacks against SSH actually work; SSH1 should be disabled:
Yes, SSH1 is no longer considered secure for multiple reasons.
> - Booting off e.g. Knoppix CD may be safer than using the
> operating system off the hard drive
Not "may be". Definitely "is", at least from a statistical point of view.
But you must still assume they are capturing your keystrokes with a hardware
device. Never trust anything that you didn't bring with you.
> - SSH2 end-to-end from a clean laptop over open WiFi is better than
> using an untrusted desktop
Definitely. Always try to control both the hardware and the software if that
is an option. As soon as someone else controls either, you must assume that
at the very least they can see everything you type at the keyboard, and
probably all of the responses, also.
> (ssh port tunneling and Squid at the far end can protect non-SSL Web
> I've been concentrating on SSH to Linux; I guess similar concerns
> arise using things like Remote Desktop/VNC/VPN to Windows.
Aside from the lack of security, the biggest problem I've encountered is
places that, to protect their own security, have their public access systems
locked down so that the only thing you can do is run a web browser.
Make sure you can get to your email via some form of webmail over ssl
(although I've seen even SSL blocked) and if you need login sessions, have a
always using such an applet rather than an ssh client you find on a public
machine. There is no reason to assume that anything you find on a public
system has not been hacked to reveal its secrets to someone. Make as much of
the communication system as you can manage out of things you bring to the
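The S/KEY/OPIE one-time-password scheme recommended in the reply, as an added example that is not part of the original post: a minimal RFC 2289 (MD5 variant) implementation showing both the computation a PDA or token would do from the server's challenge and the server-side check that accepts a response once and rejects the copy a keylogger captured. The names OtpVerifier, client_response and demo, the passphrase, the seed and the starting sequence number are assumed sample values; responses are in hex rather than the six-word encoding, and the chain values can be checked against the reference vectors in RFC 2289 Appendix C.

```python
"""S/KEY-style one-time passwords (RFC 2289, MD5 variant) for a login prompt.

Added example, not code from the original post.  OtpVerifier, client_response
and demo are illustrative names; the passphrase, seed and sequence numbers
below are constructed sample values.
"""
import hashlib
import secrets


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 step: MD5 the input, then XOR the two 8-byte halves to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_value(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password number `seq` in the chain (the seed is case-insensitive)."""
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        h = fold_md5(h)
    return h


def client_response(passphrase: str, challenge: str) -> str:
    """What the user's own device computes from an 'otp-md5 <seq> <seed>' prompt."""
    algo, seq, seed = challenge.split()
    if algo != "otp-md5":
        raise ValueError("unsupported challenge: " + challenge)
    return otp_value(passphrase, seed, int(seq)).hex().upper()


class OtpVerifier:
    """Server side: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, passphrase: str, seed: str, initial_seq: int = 99):
        # Enrolment: keep OTP #initial_seq, then challenge with one number lower.
        self.seed = seed
        self.last = otp_value(passphrase, seed, initial_seq)
        self.seq = initial_seq - 1

    def challenge(self) -> str:
        return f"otp-md5 {self.seq} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept iff hashing the response once yields the stored value, then advance."""
        if self.seq < 0:
            return False                    # chain exhausted: user must re-enrol
        try:
            resp = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(resp) != 8 or not secrets.compare_digest(fold_md5(resp), self.last):
            return False
        self.last = resp                    # the same response can never match again
        self.seq -= 1
        return True


def demo(passphrase: str = "correct horse battery", seed: str = "tr4v3l") -> dict:
    """Two logins from a keylogged cafe: first works, the replay fails, the next works."""
    server = OtpVerifier(passphrase, seed, initial_seq=99)
    first = client_response(passphrase, server.challenge())     # answers seq 98
    ok1 = server.verify(first)
    replay = server.verify(first)                               # keylogger's copy
    second = client_response(passphrase, server.challenge())    # answers seq 97
    ok2 = server.verify(second)
    return {"first": ok1, "replay": replay, "second": ok2, "seq_left": server.seq}


if __name__ == "__main__":
    print(demo())
```

Note what the server keeps: only the last accepted hash and the sequence number, so even the server side never holds the passphrase, and a captured response is worthless once it has been used. The passphrase itself must only ever be typed into the device you brought with you, and, as the reply says, none of this encrypts the session that follows the login.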