DESCRIPTION
Many organizations have implemented VDI as a solution to desktop manageability and security concerns, believing that running desktops on a central server will improve security. However, VDI encourages end users to access their secure desktops from uncontrolled and unsecured clients. In this session, we will demonstrate an actual attack that works on all major VDI products whereby an infected endpoint can remotely compromise a VDI instance upon initial authentication, completely unbeknownst to the user. We will also discuss techniques to guard against these types of attacks.
Topics include:
• The security properties of VDI offerings from major VDI vendors
• Real and theoretical attacks against VDI
• A methodology for evaluating the security of a VDI solution
• Best practices for securing VDI
Virtual Datacenter Infection: Attacking VDI from the Endpoint
John Whaley, Geoffrey Thomas
@joewhaley, @geofft
7/20/2014
Not business information:
NOTHING IS LEAVING THE DATA CENTER
DEMO
The Hoff Says...
https://github.com/joewhaley/VirtualRubberDucky
Virtual Rubber Ducky
Rubber Ducky Attacks
Input Injection / Logging
Pasty Attacks
Stealing Data via QR code
DEMO
Secret Channel via Image Steganography
Secret Channel via Audio
pwn the browser
Side-Channel Attacks
Keystroke timings are predictable
…and easy to extract with a packet trace
DEMO
Side-channel attacks on the server
Defending Against Rubber Ducky Attacks
Securing the Client
Doesn’t help:
• Password policies
• Multifactor authentication
Defense in Depth
Security vs Usability
Host Assessment Check (Malware Scan)
Dumb Terminal (a.k.a. “thin client”)
Locked-Down Environment
Weak Defenses
Run Local, Not Remote
VDI Security
Implementation Challenges
• PCoIP input issues
  – Drops/reorders keystrokes
  – Key repeat issues
  – Happens even with fast typing ☹
• VMware: no accessibility support
• QR code not optimized for screenshots
• RDP sound cuts out too much for modem
Conclusions
1. There is no defense against a sophisticated, malicious user.
2. There are fundamental architectural limitations to hosted desktops.
3. There are some good reasons to do VDI. Security is not one of them.