It is safer to use your own laptop with SSH, even over open
wireless, than it is to use someone else's computer. Failing that,
boot your own operating system from CD.
Do not share passwords between institutions (e.g. TRIUMF and CERN),
or between different
security regimes (email and shell, banking and webzine). Use
for better control of where shell logins are allowed from.
Users need to log in to TRIUMF or Grid computers to check on
analysis or data acquisition. And of course, they want to log in from
home, and from a whole range of possible locations such as
friends' or family members' computers, airport kiosks, Internet cafes
and so on.
The problem is that many of these computers have an unknown security status,
and may have trojan keystroke loggers installed. (Normal viruses,
propagated via email or via file sharing protocols, are not usually an issue,
since these computers are not part of the TRIUMF network and file sharing is
An incident in May 2005 resulted in accounts at TRIUMF and CERN being
compromised through, we believe, keystroke capture at an Internet cafe
in Eastern Europe.
TRIUMF Managed Computers
TRIUMF desktops and laptops should be protected by
Symantec Antivirus (under AntiVirus Support -
will in future include anti-spyware), should subscribe to the Microsoft Update
service, and probably should be running some service such as
Microsoft AntiSpyware (under Application and Utilities).
TRIUMF Linux PCs should be subscribed to the yum-based TRIUMF Linux update
service, included in TRIUMF Kickstart CDs and described at e.g.
Internal Linux page - Local Guides to Installing Redhat.
(There is still a finite risk of compromise even though these precautions
have been taken - stolen passwords, or new exploits, may be used to gain access.
Keystroke or password logging may then be installed, often protected by a "rootkit"
- software designed to hide illicit activity from e.g. task monitors and
directory listings. Incidents around Christmas 2003 at CERN and TRIUMF
resulted in the compromise of several system passwords.
are better than passwords in this regard.)
Non-TRIUMF managed Computers
Employee-owned personal computers used to access TRIUMF should
be protected by regular updates and anti-spyware. These are in many cases
free and readily available over the Internet from e.g.
TRIUMF will not generally provide support or antivirus software for
home PCs, with the exception of TRIUMF-owned laptops that are also
used at work.
This category includes computers that are actually unmanaged, plus all others
where the management status is unknown and the user has no
responsibility or permission to manage them - basically, other people's computers.
The diagram below shows a range of possible ways that regular unencrypted Web use can
be monitored or tampered with.
"Shoulder Surfing" refers to someone simply watching you enter a bank
PIN or computer password.
Video Recording: In one reported case, a video feed from the monitor
VGA was recorded on a VCR, possibly to check for "unacceptable usage".
A Key Logging Device is a piece of hardware
that is capable of recording keystrokes. Such devices have been found attached to credit card readers
as part of a card skimming operation. (TRIUMF Computing Services has
a keyghost device available for computer forensic work).
Root Kits may be installed manually, by a virus or
by a hostile website using a browser vulnerability. They are probably the most common threat
on Windows, Unix/Linux and Mac alike.
A trojan client is a common piece of software (SSH client, Web browser, etc.)
that has been deliberately modified to log keystrokes, passwords, credit card numbers etc. It is
possible that this might be installed on a public machine that allows users to install software,
such as some Internet cafes.
Surveillance Camera: A regular, or clandestine, video surveillance camera might record keystrokes. Such devices are used in bank ATM card cloning.
EMI: Stray electromagnetic radiation from monitors, computers etc. may be intercepted
and screen contents recreated. This technique requires sophisticated equipment, but it
is real, and may be used for industrial or government espionage. See e.g.
Traffic on a wireless LAN (WLAN) may be easily intercepted, particularly if no encryption
is used. Basic WEP encryption can be broken with moderate effort.
Most (non-SSL) Web passwords (webmail etc.) may be captured, along with
ftp, telnet and email logins (POP3, IMAP).
is a technique where a nameserver is loaded with false information. This could cause a connection
to a service such as PayPal or eBay to be diverted to a rogue site, which might be able to
record account information while forwarding the connection to the real site.
Hosts files may be rewritten manually, or by trojan or virus programs, to achieve the same
effect. The hosts file is often consulted first before nameservers on the Internet.
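One defensive check for the hosts-file rewriting described above is to scan the file for entries that name domains which should never be resolved locally. The script below is an added example, not from the page or from TRIUMF; the sample hosts text and the watched-domain list are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file resembling one altered by a trojan:
# the PayPal entries have been pointed at an outside address.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Legitimate local alias
192.168.1.10  build.lab.example

# Suspicious override (constructed for this example)
203.0.113.45  www.paypal.com paypal.com
0.0.0.0       ads.example.net
"""

# Domains that have no business appearing in a hosts file (assumed list).
WATCHED_DOMAINS = {"paypal.com", "ebay.com", "cern.ch", "triumf.ca"}


def parse_hosts(text):
    """Return (address, [hostnames]) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an IP
        entries.append((addr, parts[1:]))
    return entries


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return (hostname, address) pairs that override a watched domain."""
    return [(name, str(addr))
            for addr, names in parse_hosts(text)
            for name in names if is_watched(name)]


if __name__ == "__main__":
    for name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is mapped to {addr} in the hosts file")
```

To check a real machine, read the contents of /etc/hosts (or the Windows equivalent) and pass the text to suspicious_entries.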
Man in the Middle attack
is one where an attacker takes over the identity of a server in order to intercept traffic, then
forwards the traffic to the original server so that the user is unaware of any problem. In
some circumstances this may thwart encryption used by the client.
The sound of typing can be analysed to determine what is being
typed, including passwords:
Rogue Access Points put out a stronger wireless signal than
the legitimate one; they may then operate their own DNS service so that
all traffic is sent to sites of their choice, or subject to a man-in-the-middle
attack. A laptop with a wireless card is sufficient to run one.
(The wireless LAN at the CanSecWest security conference was virtually
unusable due to the number of people trying this.)