Computing Support
Security

The security implications of working on remote computers

The first security problem appears when you use unencrypted communication channels such as telnet, ftp, and the un-kerberized IMAP and POP e-mail clients (Eudora, Netscape, Outlook, etc.). All of these applications authenticate the user by sending the user name and the password in the clear over the network.

Specialized programs called sniffers are used for network monitoring. These programs, which are publicly available on many ftp sites, can easily be configured by crackers to listen to the first few minutes of each newly opened connection and to pick out the username and password.

On most networks there are sniffers running on broken accounts. If your connection passes through such a network (and it probably does), your login name and password will be stored in the sniffer's log file and may be used later to compromise your account and/or to run a sniffer under your name and pick up more passwords on your local network. Sniffers are passive, so many of them cannot be detected from the network, and a user without special training will never realize that a sniffer is running under his own account. As a result, crackers have huge archives of broken accounts from most networks at their disposal. These accounts may be used at some undetermined moment to launch illegal activities or to destroy your data.

What can you do:

do not ever use ftp and telnet -- use ssh and scp instead;
find out if the connection is encrypted each time you have to send a password or any other important confidential information to a remote computer (as is the case with most e-mail services, subscriptions to financial services offered via the web, e-commerce, etc.);
if you are using telnet or ftp, you can minimize the exposure by changing your password a few minutes after the login. The sniffers listen only to the first few minutes of a newly opened connection. If you change the password after that, the new password will not be recorded, and the password already recorded by the sniffer will no longer work;
change your passwords at least twice a year, just in case;
report to Florin any suspicious activity inside your accounts.

Another important security problem appears when you try to send windows from one computer to another using telnet and X-Windows. A window can be exported only if the local X-server has been given permission to hand control of the display/keyboard/mouse to the remote computer. This is done with the command "xhost + remote_computer" issued on the local computer (see the xhost manual page). The xhost command opens a huge security hole because it gives any user of the remote computer the right to control the behavior of, and to monitor, the display, the keyboard, and the mouse of the local computer. The only secure setting of xhost is "xhost -", which denies any access except for the local user.

What can you do:

do not include any variation of the "xhost +" command in your login scripts; make sure that "xhost -" is the default;
use ssh instead of telnet; the whole communication will be encrypted and compressed/faster; windows can be exported without changing the xhost setting -- ssh tricks the X-server into believing that the remote display is a local one; do not change the DISPLAY environment variable from the value which was set by ssh, even if it looks like nonsense to you -- changing it will blow up the whole security.
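
As an added example (not part of the original page), the shell script below checks the two recommendations above: it scans login scripts for xhost commands that grant access, and tests whether a DISPLAY value has the form ssh sets. The list of script names and the DISPLAY pattern (default sshd settings) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit login scripts for xhost grants.

# Report non-comment xhost invocations that grant access. Per xhost(1), "+",
# "+name" and a bare "name" grant access; "-" and "-name" restrict it.
# Prints "file:line: text"; returns 1 if a grant is found, 0 otherwise.
audit_xhost_file() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        {
            line = $0; sub(/#.*/, "", line)        # drop comments
            n = split(line, w, /[ \t;&|()]+/)
            for (i = 1; i < n; i++) {
                cmd = w[i]; sub(/.*\//, "", cmd)    # strip any path prefix
                if (cmd == "xhost" && w[i+1] != "" && w[i+1] !~ /^(-|[0-9]*[<>])/) {
                    printf "%s:%d: %s\n", f, NR, $0; bad = 1; break
                }
            }
        }
        END { exit bad + 0 }' "$1"
}

# Audit the usual login and X start-up scripts under a home directory (the
# file list is an assumption). Returns the number of files with a grant.
audit_login_scripts() {
    home=${1:-$HOME}; hits=0
    for s in .profile .bash_profile .bashrc .login .cshrc .xinitrc .xsession; do
        audit_xhost_file "$home/$s" || hits=$((hits + 1))
    done
    return "$hits"
}

# With default sshd settings (X11UseLocalhost yes, X11DisplayOffset 10), a
# forwarded session has DISPLAY=localhost:10.0 or higher; other values inside
# an ssh login suggest DISPLAY was overridden. Heuristic, assumes defaults.
display_set_by_ssh() {
    case $1 in
        localhost:[1-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed home directory (file contents are made up).
d=$(mktemp -d)
printf '%s\n' 'PATH=$PATH:/usr/local/bin' 'xhost + remote_computer' > "$d/.profile"
printf '%s\n' '# xhost +   (disabled)' 'xhost -' > "$d/.xsession"
n=0; audit_login_scripts "$d" || n=$?
echo "login scripts granting X access: $n"
rm -rf "$d"
```

Run without arguments, audit_login_scripts checks your own home directory; inside an ssh login, display_set_by_ssh "$DISPLAY" should succeed.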