Post on 27-Aug-2014
Virtual Datacenter Infection: Attacking VDI from the Endpoint
John Whaley, Geoffrey Thomas
@joewhaley, @geofft
7/20/2014
Not business information:
NOTHING IS LEAVING THE DATA CENTER
DEMO
The Hoff Says...
https://github.com/joewhaley/VirtualRubberDucky
Virtual Rubber Ducky
Rubber Ducky Attacks
Input Injection / Logging
Pasty Attacks
Stealing Data via QR code
DEMO
Secret Channel via Image Steganography
Secret Channel via Audio
pwn the browser
Side-Channel Attacks
Keystroke timings are predictable
…and easy to extract with a packet trace
DEMO
Side-channel attacks on the server
Defending Against Rubber Ducky Attacks
Securing the Client
Doesn’t help:
• Password policies
• Multifactor authentication
Defense in Depth
Security vs Usability
Host Assessment Check (Malware Scan)
Dumb Terminal (a.k.a. “thin client”)
Locked-Down Environment
Weak Defenses
Run Local, Not Remote
VDI Security
Implementation Challenges
• PCoIP input issues
  – Drops/reorders keystrokes
  – Key repeat issues
  – Happens even with fast typing ☹
• VMware: no accessibility support
• QR code not optimized for screenshots
• RDP sound cuts out too much for modem
Conclusions
1. There is no defense against a sophisticated, malicious user.
2. There are fundamental architectural limitations to hosted desktops.
3. There are some good reasons to do VDI. Security is not one of them.