Comments on The Invisible Things Lab's blog: On Thin Clients Security (Joanna Rutkowska)

Anonymous (signed -Rob), 2010-11-28 04:41:

@David: I suggest that thin clients increase the damage done by compromise by a factor equal to the number of thin clients that replace a regular desktop system.

If a desktop gets infected, it may be isolated to that one machine; however, should a thin client be "infected", it is in fact the server that gets infected, and thus the damage is greatly enhanced.

Thin clients are easier to manage, but more secure? I'd argue the exact opposite.
-Rob

Joanna Rutkowska, 2010-09-14 16:59:

@mokum: And how often would you like to "clean them out"? Every day? Every hour? Every minute? Because you never know when the system was compromised...

SILLY!

mokum von Amsterdam, 2010-09-14 16:57:

More secure or not, I leave that to the language interpretation experts, but I know I'd rather "clean out" 1000 virtual desktops [click!] than 10 physical desktops...

Max Tiktin, 2010-09-14 15:56:

@joanna

First of all, thanks for the quick reply.

I was glad to see some opinions too.

I think we should consider (dumb) thin clients with no external devices except keyboard and mouse, no USBs, no built-in OS (network boot), a NIC with hardware encryption, a direct encrypted connection to the primary server, and a token if you want.
IF the environment is properly built and strongly encrypted, the probability of an OS attack on the primary server can be significantly reduced even when we talk about insiders (consider HSMs etc.), also and especially if the perimeter defence is built well (IPS, NAC, filtering). I thought that with all this, things don't look so bad.
Frankly, I was thinking (maybe naively) that the era of the personal OS is nearly ended, with all the CLOUD things going on...
What do you think?
(I believe you've seen some cool implementations of hardened thin clients... maybe even tested some of them :))

Keith Drone, 2010-09-14 15:34:

I do security audits for hospitals, and often enough we are asked to 'steal' a laptop to show physical security weaknesses. Often enough, we are also told that the thin clients are useless if 'stolen' and are oh-so-very-secure.

Every time we 'steal' one, we glean all sorts of useful data off of it (network information and keys, user credentials, etc.) and it is never reported gone, so we can load anything we want along with the OS or in the background. Place it back, and BAM, we have even more access.

If you are going to argue that 'locking down' an OS is the answer, then you have to get rid of the browser, PDF reader, Java, ActiveX, and all those other things. Hell, let's just prevent the user from getting online at ALL (actually I'm for that most of the time).

Unfortunately, a secure end-user system is only as secure as the end user. Plus, a keylogger attached to a physical keyboard is easy enough too.

Joanna Rutkowska, 2010-09-14 12:11:

@Anonymous: Thin clients cannot prevent data theft -- if your laptop is compromised, it can still steal all the data that is being displayed on it.

Anonymous, 2010-09-14 11:50:

Does data theft count? Steal as many thin clients as you want, it's all on the server, swap and all.

Joanna Rutkowska, 2010-09-14 10:51:

@David: so, can you actually explain why you think that thin clients can improve the security of our desktops? Please provide some *concrete* thoughts/examples.

David STSHM1, 2010-09-14 04:01:

I believe the sentence "Thin Clients do not improve your desktop security in any way" lacks profundity and technical analysis. OK, before I'm being lambasted, let me explain.

Btw, I don't represent any companies who sell thin solutions for a living. However, having been around long enough, I have seen most if not all the thin solutions around the world. I strongly believe there is true value in thin clients. The hype protection; memory reservation technique; video prioritization mode; and so on.

Yes, it does not take away the problem entirely. But it is just another defense-in-depth strategy any organization should consider. Just like in the mainframe days, the dumb terminal (aka TN3270) equates to today's thin solution. TN3270 also has microcode; let's not forget that.

Let's open up our minds to accept things in perspective. We should brush the technology aside simply because it is not "yet" perfect.

Cheers.

Joanna Rutkowska, 2010-09-13 22:48:

@Larry:

"Locking down" an OS like Windows by keeping it "up to date" is all one big bullshit, let's admit it. You can apply all those "security best practices", yet your system will still be vulnerable to all those PDF or browser 0-days that come out *every* month. It really doesn't matter that your system will be owned by "just a few" botnets each month, instead of a few hundred...

Also, local malware doesn't need to sniff anything on the network to mess with your data -- it can sniff much earlier, e.g. by hooking into your keyboard driver. The choice of the network protocol (e.g. RDP vs. VNS vs. X vs. something-else-proprietary-and-super-secure) is totally irrelevant.

Larry Seltzer, 2010-09-13 21:19:

I'll disagree with you a little on these grounds: thin clients are easier to manage and lock down than fat clients, so I would ass-u-me that they will tend to be kept more up to date and less vulnerable.

And yes, local malware could sniff your network traffic even before it's encrypted, but with a protocol like RDP it will be hard to do anything useful with it. Not impossible, but a lot of work.

You are right that the architecture of thin clients is that you are running a virtual fat client on the server, so all the same software compromises should be possible.