[unisog] Safe remote access

Bob Johnson bob89 at eng.ufl.edu
Tue Jul 26 23:34:49 GMT 2005


On Friday 15 July 2005 09:11 pm, Andrew Daviel wrote:
> Following an incident where we believe a user had a password captured at
> an Internet cafe in Bulgaria, I've been bouncing the question off a
> couple of lists as "Are Internet cafes safe?"
>
> To which the general consensus was "No!"
>
> But of course our researchers still need access to their data, and
> possibly hardware, while travelling. I wondered how this list's members
> approached the problem.
>
> Tidbits that emerged from previous discussion:
> - you can buy a keystroke capture device, or keystroke-logging keyboard,
>   quite cheaply: http://www.keyghost.com/securekb.htm
> - at least one cafe monitors the VGA signal in the back room
> - one-time-passwords may work (OTP token or software on a PDA/cellphone)
>   to secure the initial login, as long as you don't shell in to anywhere
>   else from the initial session

This is mandatory.  Put S/KEY or OPIE on any login session your users are 
likely to want to open, so even if they su, they get a one-time password 
prompt.  

You must assume that someone will get your password, most likely by keystroke 
capture.  OTP devices are available (but of course I don't have the names of 
any products handy right now), and you can get OPIE or S/KEY for PDAs.  BUT 
your users must understand that OTP alone doesn't provide encryption; it just 
protects their login password.

> - MITM attacks against SSH actually work; SSH1 should be disabled:

Yes, SSH1 is no longer considered secure for multiple reasons.

>   http://www.itworld.com/nl/lnx_sec/04302002/pf_index.html
> - Booting off e.g. Knoppix CD may be safer than using the
>   operating system off the hard drive

Not "may be".  Definitely "is", at least from a statistical point of view.  
But you must still assume they are capturing your keystrokes with a hardware 
device.  Never trust anything that you didn't bring with you.

> - SSH2 end-to-end from a clean laptop over open WiFi is better than
>   using an untrusted desktop
>

Definitely.  Always try to control both the hardware and the software if that 
is an option.  As soon as someone else controls either, you must assume that 
at the very least they can see everything you type at the keyboard, and 
probably all of the responses, also.

> (ssh port tunneling and Squid at the far end can protect non-SSL Web
> traffic)
>
> I've been concentrating on SSH  to Linux; I guess similar concerns
> arise using things like Remote Desktop/VNC/VPN to Windows.

Aside from the lack of security, the biggest problem I've encountered is 
places that, to protect their own security, have their public access systems 
locked down so that the only thing you can do is run a web browser.  

Make sure you can get to your email via some form of webmail over SSL 
(although I've seen even SSL blocked) and if you need login sessions, have a 
javascript ssh client applet on your webserver.  In fact, you should consider 
always using such an applet rather than an ssh client you find on a public 
machine.  There is no reason to assume that anything you find on a public 
system has not been hacked to reveal its secrets to someone.  Make as much of 
the communication system as you can manage out of things you bring to the 
party.

- Bob
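
[Added example, not part of the original post or of the S/KEY or OPIE code.] The sketch below shows the hash-chain idea behind S/KEY-style one-time passwords and why a password captured by a keystroke logger is useless on the next login. It is a simplification: SHA-256 stands in for the real hash, the 64-bit folding and word encoding of actual S/KEY/OPIE are omitted, and the names `otp`, `Server` and `demo` and the sample secret and seed are constructed for illustration.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the one-way function (SHA-256 is an assumption)."""
    return hashlib.sha256(value).digest()


def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Password number n: the hash applied n times to seed + secret."""
    value = seed + secret
    for _ in range(n):
        value = step(value)
    return value


class Server:
    """Stores only the last accepted password, never the secret itself."""

    def __init__(self, secret: bytes, seed: bytes, count: int):
        self.seed = seed
        self.count = count
        self.stored = otp(secret, seed, count)

    def challenge(self):
        """Sequence number and seed the user needs for the next login."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:          # chain used up: must be re-initialised
            return False
        # Hashing the response once must give the previously stored value.
        if not hmac.compare_digest(step(response), self.stored):
            return False
        self.stored = response       # next login needs the preimage of this
        self.count -= 1
        return True


def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"   # constructed values
    server = Server(secret, seed, 100)
    n, s = server.challenge()
    typed = otp(secret, s, n)        # computed on the user's own token or PDA
    first = server.verify(typed)     # accepted once
    replay = server.verify(typed)    # same value replayed from a key log
    n2, _ = server.challenge()
    second = server.verify(otp(secret, s, n2))
    return first, replay, second, server.count
```

The replayed value fails because the server now expects its preimage, which the one-way function keeps an observer from computing. Everything typed after the login is still visible to whoever controls the machine.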


