When Remotely Accessing Company Networks;
In-room Hotel Access Among Risks
by Rodney Thayer, February 2004
In this study we examine the risk of unauthorized access to corporate networks due to password theft and related network security incidents that can occur when a business user is traveling and using the Internet from public access points. We constructed a scenario intended to represent a typical business user traveling to a conference. In this scenario we examine several situations where the traveler uses the Internet to access various forms of information through typical password-based authentication mechanisms. We examine this scenario for its security implications, specifically looking for conditions where passwords could be stolen and used for unauthorized access by an attacker.
Note: In this study, we used only our own equipment. No unauthorized access or network compromises were committed. There was no actual “hacking” of any third-party information.
We configured a conventional Windows-based laptop PC with Ethernet and wireless interfaces. We configured it with a normal user account, and installed a browser, email client, and word processing software.
The traveler was set up with an email account on a simulated corporate server, access to one of the free web services that includes email and Instant Messaging services, as well as a VPN client and file sharing services. We then took this machine through a simulated trip. We started at an Internet kiosk in an airport in the San Francisco area, then we moved on to a hotel near Moscone Convention Center in downtown San Francisco, and then we visited several coffee shops and Internet cafés in the vicinity of Moscone.
We performed several networking tasks using the PC and the Internet. These are meant to represent ways in which a typical business user would access the network while on the road away from their corporate environment:
The specific “threat model” we are looking for is the opportunity for unauthorized access to corporate information through password theft. We are not looking at other threats, and we are not looking at the security of either the computer itself or the networks it is using. We are accepting those as-is, with conventional standards of security applied (e.g. virus scanners, etc.).
Internet Access Scenarios
Access at an airport Internet kiosk
We started our simulated trip at one of the major airports in the Bay area. When in the airport, we wanted to make a quick stop to access the internet to check email through a web-based email server. We used a Kiosk — an appliance that has a keyboard and display, based on a conventional PC, with the addition of a credit card reader. Use of this device is charged by the minute.
In this scenario we are using an untrusted machine to enter authentication information — usernames and passwords — to access information. We used this to access the web mail interface of a corporate email server. We also used it to access one of the online services to manage sales leads, to look up a prospect’s telephone number. In any situation where we have to log in and enter a password, using a machine we do not control introduces the chance that a password can be captured.
An attacker could install software on the machine, called a keyboard sniffer, to capture all the keystrokes that we enter. One such program is called “kl_lite”. The “lite” version of this is available on the internet for free. This is a conventionally packaged Windows application. You download an executable, run it and a set-up program is executed, and it is installed on your machine. It doesn’t even require a reboot. A log of all your keystrokes is created and saved to a file, which can be later examined by the attacker. This file will contain everything you typed at the keyboard, including passwords used within SSL-protected web pages.
Access via broadband in a hotel room
After we leave the airport and arrive at the hotel, we want to check email. In this scenario we connect the PC to the broadband high speed internet connection provided in the room by the hotel. This is typically an ethernet jack that you simply plug into your computer. There may not even be any authorization required to use the service since it may be billed as part of the hotel room service.
After connecting to the network, we read email, send some email, and perform other common tasks as you would in an office. When traveling on business, the hotel room is in effect a temporary home office, so it is treated that way. We can connect to an Instant Messaging service to communicate with coworkers, or we might log on to a corporate web site to download a copy of the latest presentation to be delivered tomorrow. We might work late into the night, or perhaps go to sleep early because this is a different time zone. In all of these cases, we treat the environment like an office, and simply leave the computer running, attached to the network.
The network we are connecting to is a public network. We have no control over its topology, who else is using it, or what traffic is visible where. The Ethernet connection could go to a hub, in which case all traffic from all stations is visible to all other stations. This is sometimes the configuration of each floor or a section of a floor in a hotel. It could instead be connected to a switch, in which case you won’t see anyone else’s traffic, but you will still see broadcast messages, and you can therefore infer what IP addresses are valid. Someone in another room could be running a network sniffer, such as tcpdump or Ethereal, and capture the network traffic that they see on the port in their room. There might also be access to the network from function rooms or other public areas, so there could be devices connected that are totally unknown to the hotel operator.
These various network sniffing tools can capture enough information to obtain passwords from many protocols, such as POP-3, which is used to read email. Even if you use a VPN or encryption software such as SSH, the packets are still visible to some extent, and an attacker can in some cases even extract passwords. If we leave the machine connected to the network all night, an attacker would have plenty of time to attempt to compromise the machine, searching for any vulnerabilities that might get past the PC’s local security, such as open file shares, exploits in the networking software, or software that runs on the PC that automatically connects out to the internet and could therefore be spoofed into connecting to a man-in-the-middle device. Because an attacker can potentially access the same LAN segment, they can generate illegitimate network packets that fool the PC into sending information to the wrong machine.
This information is then forwarded on to the real destination, after being copied or modified. Such an attack is a man-in-the-middle (MITM) attack. It only works if the attacker has access to the network between you and your destination, but in some of these broadband scenarios they have just that.
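The LAN-level spoofing described above leaves a trace the victim can watch for: the gateway’s IP address suddenly being answered by a different MAC address. The script below is an added example, not part of the original article; it performs the kind of check a tool such as arpwatch does, and the ARP replies, MAC addresses and the 10.0.5.1 gateway address are constructed sample data.

```python
"""Flag the ARP symptoms of a man-in-the-middle on a shared hotel LAN segment.

Added example, not from the original article. It does what tools such as
arpwatch do: remember which MAC address claims each IP and alert when a known
IP (above all the default gateway) is suddenly claimed by a different MAC.
The ARP replies below are constructed sample data, not a real capture.
"""
from collections import defaultdict

# Constructed sample: (seconds since start, sender IP, sender MAC) taken from
# ARP replies seen on the segment. 10.0.5.1 is assumed to be the gateway.
SAMPLE_ARP_REPLIES = [
    (0.0,  "10.0.5.1",  "00:11:22:aa:bb:01"),  # gateway answers normally
    (1.2,  "10.0.5.37", "00:11:22:aa:bb:37"),  # another guest's laptop
    (30.5, "10.0.5.1",  "00:11:22:aa:bb:01"),  # gateway again, unchanged
    (61.0, "10.0.5.1",  "00:11:22:aa:bb:99"),  # gateway IP claimed by a new MAC
    (61.5, "10.0.5.1",  "00:11:22:aa:bb:99"),  # repeated unsolicited claims
    (62.0, "10.0.5.1",  "00:11:22:aa:bb:01"),  # real gateway reasserts itself
]

def detect_arp_anomalies(replies, gateway_ip):
    """Return alert strings for IP-to-MAC changes seen in a stream of ARP replies.

    A single change can be a legitimate NIC swap; an IP flip-flopping between
    two MACs within seconds is the classic poisoning signature, so the alert
    says which of the two it saw. Changes to the gateway are rated CRITICAL
    because that is the address an attacker must claim to sit in the path.
    """
    current = {}                 # ip -> MAC we currently believe owns it
    history = defaultdict(set)   # ip -> every MAC that has ever claimed it
    alerts = []
    for ts, ip, mac in replies:
        prev = current.get(ip)
        if prev is not None and prev != mac:
            kind = "flip-flop" if mac in history[ip] else "changed"
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{sev} t={ts:.1f}s {ip} {kind}: {prev} -> {mac}")
        history[ip].add(mac)
        current[ip] = mac
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, "10.0.5.1"):
        print(alert)
```

On a quiet segment the function returns nothing; the two alerts it raises on the sample are the gateway being claimed by a new MAC and then flipping back.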
Access via wireless in an Internet café
We leave the hotel room and head over to the convention center for the conference. But before going into the show, we want to check email one last time. So we stop into one of the numerous coffee shops, cafés, or fast food restaurants that offer wireless Internet access.
We walk into a coffee shop that has a commercial wireless service. We turn on the PC, and start a web browser. The commercial wireless access service has provided a “captive portal” through which we enter a username and password for the service. The captive portal has a web interface which uses SSL. The data is safe as it travels over the wireless network because it is encrypted by the browser. At that point we are connected to the internet. We use an email client to check mail (it uses the POP-3 protocol) and we also connect to a corporate intranet web site to grab contact details for someone we are meeting with. This all takes a while, so at one point a second cup of coffee is purchased.
While we were accessing the network, all the packets sent over the wireless card were visible to every other wireless card within radio range. Using Ethereal or tcpdump, an attacker could be sitting on the other side of the café, quietly capturing all the data, including the password just used to access email, because POP-3 is frequently not encrypted. Even worse, while we were away from the machine buying coffee, someone slipped a CD into the drive and took the 30 seconds required to install a keyboard sniffer, which is now logging all the keystrokes and sending them off to an attacker’s machine so they can identify the password used for corporate VPN access. This will also allow them to capture the wireless service login the next time this machine is used in one of these cafés. It is even possible for a skilled attacker to “shoulder surf” and watch as you enter your password on the keyboard, thus bypassing all the software controls you may have in place.
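The POP-3 exposure mentioned here and in the hotel section is something a traveler can check on their own laptop: reassemble the mail session from a capture of your own traffic and see whether the login went out before any encryption was negotiated. The script below is an added example, not part of the original article; the two sessions it inspects are constructed, and the handling of STLS assumes the server signals success with a “+OK” reply.

```python
"""Audit a reconstructed POP3 conversation for a login sent in the clear.

Added example, not from the original article. Given the client/server lines of a
POP3 session (as Ethereal would reassemble them from a capture of your own laptop)
it reports whether the credentials went out unprotected. Sessions are constructed.
"""
# Constructed sessions: (direction, line) with "C" = client, "S" = server.
PLAIN_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER jdoe"),
    ("S", "+OK"),
    ("C", "PASS constructed-sample-pw"),  # the password itself is on the LAN
    ("S", "+OK Logged in."),
    ("C", "STAT"),
]
STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "STLS"),                        # client asks to upgrade to TLS
    ("S", "+OK Begin TLS negotiation"),
    ("C", "<TLS application data>"),      # from here on, only ciphertext
    ("S", "<TLS application data>"),
]

def audit_pop3_session(lines):
    """Return findings for credentials sent before TLS was active.

    USER/PASS are plain text; AUTH PLAIN is base64, which is encoding, not
    encryption, so it is flagged too. Passwords are never copied into findings.
    """
    findings, tls_active, stls_pending, last_user = [], False, False, None
    for direction, line in lines:
        if tls_active:
            break                         # ciphertext: nothing more to read
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "STLS":
                stls_pending = True       # wait for the server's verdict
            elif verb == "USER":
                last_user = arg
                findings.append({"type": "username_cleartext", "user": arg})
            elif verb == "PASS":
                findings.append({"type": "password_cleartext", "user": last_user})
            elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
                findings.append({"type": "auth_plain_cleartext", "user": last_user})
        elif stls_pending:
            # Only +OK turns TLS on; after -ERR (or a downgrade by a MITM) the
            # session stays in the clear, so a following USER/PASS is flagged.
            tls_active = line.startswith("+OK")
            stls_pending = False
    return findings
```

An empty result for a session means the login never appeared in readable form; any finding means the password was available to every card within radio range or every port on the hub.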
In each of these scenarios, the possibility exists that an attacker could compromise password-based authentication schemes. This does not mean that the computer was configured wrong, or that the network operators have been negligent in providing their services, or even that the user was operating the equipment incorrectly. The nature of the technology we use is such that it provides widely available, easy-to-use access to the network services we have come to rely upon in our day-to-day business operations.
With both Ethernet and wireless, it is possible for other devices to receive network traffic you are sending to your corporate site. This means that you have to assume the data is not secured unless you secure it yourself, including your passwords. Encryption, VPNs, SSL-protected web sites and other security tools are only as good as the authentication mechanisms used to access them. A business traveler has to be careful when they are on the road. Leaving your PC alone for any length of time is not safe, even if nobody installs a keyboard sniffer. Allowing someone to be close enough to see your keyboard means they are close enough to see your screen, and that could cause leakage of confidential information even if there were no password theft involved.
The use of strong authentication mechanisms, such as two-factor devices, along with VPNs and other encryption tools, is always recommended for anyone who uses a computer on the public internet, especially a business traveler.