Possibly Historical Document - Last Updated Wed Oct 12 18:14:47 2005

Secure Access - The "Internet Cafe" Problem

Next: SSH Threats

Precis

It is safer to use your own laptop with SSH, even over open wireless, than it is to use someone else's computer. Failing that, boot your own operating system from CD. Do not share passwords between institutions (e.g. TRIUMF and CERN), or between different security regimes (email and shell, banking and webzine). Use SSH keys for better control of where shell logins are allowed from.

Introduction

Users need to log in to TRIUMF or Grid computers to check on analysis or data acquisition. And of course, they want to log in from home, and from a whole range of other locations such as friends' or family members' computers, airport kiosks, Internet cafes and so on.

The problem is that many of these computers have an unknown security status, and may have trojan keystroke loggers installed. (Normal viruses, propagated via email or via file sharing protocols, are not usually an issue, since these computers are not part of the TRIUMF network and file sharing is blocked.)

An incident in May 2005 resulted in accounts at TRIUMF and CERN being compromised through, we believe, keystroke capture at an Internet cafe in Eastern Europe.

TRIUMF Managed Computers

TRIUMF desktops and laptops should be protected by Symantec Antivirus (under AntiVirus Support - will in future include anti-spyware), should subscribe to the Microsoft Update service, and probably should be running some service such as Microsoft AntiSpyware (under Application and Utilities).

TRIUMF Linux PCs should be subscribed to the yum-based TRIUMF Linux update service, included in TRIUMF Kickstart CDs and described at e.g. Securing Linux, Internal Linux page - Local Guides to Installing Redhat.

(There is still a finite risk of compromise even though these precautions have been taken - stolen passwords, or new exploits, may be used to gain access. Keystroke or password logging may then be installed, often protected by a "rootkit" - software designed to hide illicit activity from e.g. task monitors and directory listings. Incidents around Christmas 2003 at CERN and TRIUMF resulted in the compromise of several system passwords. SSH keys are better than passwords in this regard.)
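As an added example (not part of the original page), a small Python audit of an OpenSSH authorized_keys file that flags keys lacking a from= restriction, the option that limits which source hosts or networks a key may log in from. The key material, host names and comments in the sample are constructed.

```python
import re

# Constructed sample authorized_keys content; key data is fake and truncated.
SAMPLE_AUTHORIZED_KEYS = """\
# alice: unrestricted, so a copy of her private key works from any Internet cafe
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA1 alice@laptop
# bob: may only log in from the lab subnet or his home host
from="192.0.2.0/24,bob-home.example.org",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEYDATA2 bob@laptop
# backup: forced command (with a space in it), but still no from= restriction
command="/usr/local/bin/backup --quiet" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEYDATA3 backup@nas
"""

# The key-type token separates the optional options field from the key itself.
KEY_TYPE_RE = re.compile(
    r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)'
    r'|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+[A-Za-z0-9+/=]+'
)

def parse_entry(line):
    """Return (options, key_type, comment) or None for blank/comment/unrecognised lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = KEY_TYPE_RE.search(line)
    if not m:
        return None
    options = line[:m.start()].strip()   # everything before the key type
    comment = line[m.end():].strip()     # everything after the key data
    return options, m.group(1), comment

def from_patterns(options):
    """Host/network patterns in the from= option, or [] if the key is unrestricted."""
    m = re.search(r'(?:^|,)from="([^"]*)"', options)
    return m.group(1).split(',') if m else []

def unrestricted_keys(text):
    """Comments of keys that carry no from= option, i.e. usable from any source address."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        options, _key_type, comment = entry
        # Caveat: a forced command whose text contains ,from=" would fool this simple check.
        if not from_patterns(options):
            flagged.append(comment or '<no comment>')
    return flagged

if __name__ == '__main__':
    for comment in unrestricted_keys(SAMPLE_AUTHORIZED_KEYS):
        print('no from= restriction:', comment)
```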

Non-TRIUMF managed Computers

Employee-owned personal computers used to access TRIUMF should be protected by regular updates and anti-spyware. These are in many cases free and readily available over the Internet from e.g. update.microsoft.com.

TRIUMF will not generally provide support or antivirus software for home PCs, with the exception of TRIUMF-owned laptops that are also used at work.

Unmanaged Computers

This includes actually unmanaged computers, plus all others where the management status is unknown and the user has no responsibility or permission to manage them - basically, other people's computers.

The diagram below shows a range of possible ways that regular unencrypted Web use can be monitored or tampered with.



"Shoulder Surfing" refers to someone simply watching you enter a bank PIN number or computer password.
Video Recording: In one reported case, a video feed from the monitor VGA was recorded on a VCR, possibly to check for "unacceptable usage".
A Key Logging Device is a piece of hardware that is capable of recording keystrokes. Such devices have been found attached to credit card readers as part of a card skimming operation. (TRIUMF Computing Services has a keyghost device available for computer forensic work.)
Root Kits may be installed manually, by a virus or by a hostile website using a browser vulnerability. They are probably the most common threat on any of Windows, Unix/Linux or Mac.
A trojan client is a common piece of software (SSH client, Web browser, etc.) that has been deliberately modified to log keystrokes, passwords, credit card numbers etc. It is possible that this might be installed on a public machine that allows users to install software, such as some Internet cafes.
Surveillance Camera: A regular, or clandestine, video surveillance camera might record keystrokes. Such devices are used in bank ATM card cloning schemes.
EMI: Stray electromagnetic radiation from monitors, computers etc. may be intercepted and screen contents recreated. This technique requires sophisticated equipment, but it is real, and may be used for industrial or government espionage. See e.g. TEMPEST.
Traffic on a wireless LAN (WLAN) may be easily intercepted, particularly if no encryption is used. Basic WEP encryption can be broken with moderate effort. Most (non-SSL) Web passwords (webmail etc.) may be captured, along with ftp, telnet and email logins (POP3, IMAP).
DNS Spoofing is a technique where a nameserver is loaded with false information. This could cause a connection to a service such as PayPal or eBay to be diverted to a rogue site, which might be able to record account information while forwarding the connection to the real site.
Hosts files may be rewritten manually, or by trojan or virus programs, to achieve the same effect. The hosts file is often consulted first before nameservers on the Internet.
A Man in the Middle attack is one where an attacker takes over the identity of a server in order to intercept traffic, then forwards the traffic to the original server so that the user is unaware of any problem. In some circumstances this may thwart encryption used by the client.
Keyclick Recording: The sound of typing can be analysed to determine what is being typed, including passwords: keyclick analysis, story.
Rogue Access Points put out a stronger wireless signal than the legitimate one; they may then operate their own DNS service so that all traffic is sent to sites of their choice, or subject to a man-in-the-middle attack. A laptop with wireless card is sufficient to run one. (The wireless LAN at the CanSecWest security conference was virtually unusable due to the number of people trying this.)

Related Information: FDIC Best Practices on Spyware Prevention and Detection (US Banking organization)



A.Daviel