[unisog] Safe remote access

H. Morrow Long morrow.long at yale.edu
Wed Jul 27 01:02:38 GMT 2005


If your school uses an SSO for all apps (LOTR ref: one password to control
them all, one password to find them and in the darkness bind them...) and
the researcher doesn't want to lug a notebook PC or PDA around with them
then recommend that they forward all of their email for the duration to an
email account they've set up at Hotmail or Gmail or Yahoomail and have
a throwaway password set on.  They can then check, read and respond to
their email using this from Internet cafes all over the world -- and then
when they get home they can disable the forwarding and either change
the password on the throwaway free webmail account or shut it down.

You'd probably want to make sure nothing important ever got sent
(unencrypted) to the throwaway email account though...

And I'd still provide faculty with the advice about h/w keystroke loggers
(e.g. never trust the keyboards in Internet cafes) so that they then don't
type in their credit card # or do their online banking -- to pay some bills,
etc. -- in an Internet cafe and then find out that they have somehow run up
big charges or ACH transactions from Bulgaria.

There is a really cool semi-two-factor secure authentication scheme I've
seen sold and implemented for web-based authentication which uses a
cellphone (you type in your account/name and possibly other credentials
and your cellphone is called and given a one-time passcode (via SMS?)).

It probably wouldn't work for many going abroad since most North American
cellphones won't work in Europe nor most parts of the world.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

On Jul 15, 2005, at 9:11 PM, Andrew Daviel wrote:
> Following an incident where we believe a user had a password captured at
> an Internet cafe in Bulgaria, I've been bouncing the question off a
> couple of lists as "Are Internet cafes safe?"
>
> To which the general consensus was "No!"
>
> But of course our researchers still need access to their data, and
> possibly hardware, while travelling. I wondered how this list's members
> approached the problem.
>
> Tidbits that emerged from previous discussion:
> - you can buy a keystroke capture device, or keystroke-logging keyboard,
>   quite cheaply: http://www.keyghost.com/securekb.htm
> - at least one cafe monitors the VGA signal in the back room
> - one-time-passwords may work (OTP token or software on a PDA/cellphone)
>   to secure the initial login, as long as you don't shell in to anywhere
>   else from the initial session
> - MITM attacks against SSH actually work; SSH1 should be disabled:
>   http://www.itworld.com/nl/lnx_sec/04302002/pf_index.html
> - Booting off e.g. Knoppix CD may be safer than using the
>   operating system off the hard drive
> - SSH2 end-to-end from a clean laptop over open WiFi is better than
>   using an untrusted desktop
>
> (ssh port tunneling and Squid at the far end can protect non-SSL Web
> traffic)
>
> I've been concentrating on SSH to Linux; I guess similar concerns
> arise using things like Remote Desktop/VNC/VPN to Windows.
>
> -- 
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> security at triumf.ca
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
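The out-of-band passcode scheme Morrow describes above (type your username, a one-time code is sent to your phone), as an added example that is not code from the thread or from any product mentioned in it: a minimal server-side issuer/verifier in Python that enforces the two properties that make a keylogged or shoulder-surfed code worthless, single use and a short lifetime. The SMS gateway, clock and phone number are assumptions, stubbed so the example runs offline.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed lifetime of an issued code
OTP_DIGITS = 6


class OtpService:
    """Issues one-time passcodes out of band and accepts each at most once."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, message); gateway is stubbed
        self._clock = clock         # injectable so expiry can be tested
        self._pending = {}          # username -> (code, issued_at)

    def issue(self, username, phone_number):
        # Fresh random code per login; any earlier unused code is superseded.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = (code, self._clock())
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username, submitted):
        # Pop first: one attempt per issued code, whether it matches or not,
        # so a code captured at the cafe cannot be replayed and wrong guesses
        # cannot be retried against the same code.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        code, issued_at = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            return False
        return hmac.compare_digest(code, submitted)


def demo():
    """Walk the scheme through first use, replay, expiry and a wrong guess."""
    outbox = []                     # constructed in-memory SMS sink
    now = [1_000_000.0]             # constructed fake clock
    svc = OtpService(send_sms=lambda num, msg: outbox.append(msg),
                     clock=lambda: now[0])
    results = {}
    svc.issue("alice", "+1-555-0100")          # constructed sample number
    code = outbox[-1].split()[-1]
    results["first_use"] = svc.verify("alice", code)      # accepted once
    results["replay"] = svc.verify("alice", code)         # same code again: rejected
    svc.issue("alice", "+1-555-0100")
    code = outbox[-1].split()[-1]
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", code)        # too late: rejected
    svc.issue("alice", "+1-555-0100")
    code = outbox[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_guess"] = svc.verify("alice", wrong)   # rejected, code consumed
    return results
```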


