Protecting Your Personal Info While Traveling?
AdEbh asks: "I was just listening to an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be, what advice should I give them? Is this a real concern?"
I'm just sayin'....
"I'm just here to regulate funkiness."
Bring your own keyboard!
Don't type anything you wouldn't want anybody else to see when you're using public terminals. Kind of obvious?
Meh.
If I am forced to use a public terminal I like to check the tasks that are running in the background, to see if there is anything suspicious. It has saved me a few times, of course not all kiosks will let you use that command.
[n8.r0n] http://petesweb.spymac.net/
Don't put information that requires trust on an untrusted device. Period. No exceptions. Ever.
This even needs discussion??!??
Help save the critically endangered Blue Iguana
Send postcards....it's worked for a long time. Or....develop a one-time pad to use before they leave to communicate how Aunt Bebe's bunions are doing.
People who bite the hand that feeds them usually lick the boot that kicks them
If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.
Sensitive information should be transmitted separately, for example, credit numbers via email and expiry date via phone.
Rock that crushes, Paper & Scissors that don't matter.
I am becoming increasingly paranoid about typing passwords in public terminals... I am even reluctant to type my password in a friend's computer... Generally avoid typing your password for anything you don't need while at a public terminal, and if you're REALLY paranoid you could have it written in a file in a USB keychain and pasted (keyloggers don't log pasting, do they?).
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Man, do I hate those terminals. So many of them are like they are designed to avoid use. Many of them have the trackball on the right side (instead of the middle), which is a way of telling left-handed users to buzz off. I've even seen them with space bars only as wide as the enter key. Yes, I typed a message on one once, but there were no spaces in it.
Don't blame Durga. I voted for Centauri.
Afaik there are two types of keyloggers, software or hardware. Both are easy to hide. But if you are able to look behind the computer case, you could see some sort of extension between the keyboard cable and the computer. If there is one, it could be a logger (your boss could do this too :-P).
Do what my wife does: open a new free Yahoo mail account for each trip and don't do anything confidential (i.e. stick with trip updates and pics).
PS: these slashdot confirmation things are a pain in the ass. i have trouble distinguishing the letters.
Browse the web: Yes
Check my Accounts: No
My other car is a Popemobile
just tell them not to do anything that is personally identifiable; i.e. check your favorite news site, not your email. This threat is not any different than the threat that almost all wireless users at cafes have faced for years....
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
You wouldn't give your credit card # to someone over the phone in a public place.
You don't throw away check stubs without shredding them.
You don't give strangers your home address.
I guess I don't understand how people can not connect the dots.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
Stick Knoppix (or your favourite live CD) on a CD/USB/SD and use that. Of course it won't stop hardware keyloggers, but those are a lot rarer than the plethora of Windows keylogging software widely available.
If you want to keep in touch with friends and family during travel, create an email address with one of the many free webmail services available.
Then use only this address while traveling, and only for casual messages, nothing important. Specify to your correspondents that this address is temporary, and subject to be "stolen", so they should be suspicious regarding messages coming from it.
All public computers (as well as friends computers) are suspect. Never use them for anything requiring user ID and password access myself. Along the same lines, all public wireless access points are suspect as well.
I've seen web pages with a checkbox allowing you to indicate that you are on a public computer, presumably to avoid caching personal information. That would not protect against a keylogger program, however.
The NSA: The only part of the US government that actually listens.
Always assume that any hardware you don't own and isn't in your control is insecure.
It's just a good rule of thumb. And to be even more paranoid, you should assume the same about any hardware that isn't in a locked room 100% of the time.
If you're really concerned about this, make sure the passwords on things you do access aren't the same as other passwords you use and make sure you change it when you're done from a "secure" location.
I just wasted your mod points! HA!
Oh... you meant data on computers other than my own.
Realistically speaking, it's unlikely that your accounts are going to get p0wn3d by anyone.
However, if you're using public machines that have keyloggers on them, then someone put those keyloggers there for a reason. That reason probably isn't to monitor the effectiveness of internet filtering at that particular location.
The best advice would be to make sure their hotmail (or whatever webmail they're using) password isn't the same as the password on their other accounts. Delete all the mail after it's read, or else someone will read them.
Don't log into any secure websites, etc. Just read (and delete) your email.
Besides that, there's not a lot you can do.
http://dewasoft.com/privacy/kldetector.htm
Speak truth to power.
It also helps to have two or three sets of passwords:
- The least sensitive password should be used for "subscription required" sites, like the NYT.
- The medium sensitive password should be used to protect your web mail accounts, like Gmail
- The most sensitive password should be used for online banking
I can just see you on vacation, pacing back and forth in the cyber cafe, waiting for your wife to finish sending her 6,000 "W1MDOWS XP SOFTWARE $14" and "MULTI-ORGA5M" and "COLLEGE DIGRE3" email messages.
Don't blame Durga. I voted for Centauri.
Tell them to buy a laptop >.> Or a pda... or something >.>
Show this to your friends and family that don't know what a real hacker is
A good key logger will monitor anything coming and going from the clipboard. If you want to be paranoid, don't trust info on a machine you can't verify; assume whatever you do is going to end up on a billboard.
1. Get professional sweep gear.
2. Cordon off the area and do a thorough sweep of the Internet Cafe in question.
3. Make sure that all patrons and workers empty their nasty little pocketses.
4. Disassemble any electronic hardware that is shielded to make sure the keylogger isn't hidden in its nasty bowels.
5. Once the all clear is given, log in to AOL, download porn.
I'm just saying...
IANAL, but I've seen actors play them on TV
Don't trust anyone.
Even if they have a policy in place to keep terminals "clean" they don't necessarily follow it.
I'd personally recommend that they use a throwaway email account while abroad if they plan on accessing it often.
The usual things too... user name and password unrelated to others etc.
If they're really paranoid, and have someone that they trust back home, they can get that person to change the passwords on the accounts during their trip.
Take a laptop that you use for your communications. With the availability of WiFi, you can use your laptop most places where there are computers and many places where there aren't. You have to worry less about what someone else may have installed, and you don't have to wait for a terminal to open up. Don't forget to use secure protocols to speak to your server though.
When I went to DefCon a few years ago, I loaded a fresh laptop and set it up to VPN all traffic leaving it, plus I didn't access any private resources, I had my e-mail copied to a webmail account on another box I was running. It worked great.
Sean
Only a cheap or poorly managed Cyber cafe would allow users to install software.
I have seen setups that will let you install, or even format the C drive. But upon turning the computer off and then back on it restores itself to the correct settings. Most likely comparing the disk image to one stored on a server.
It makes it nice to be able to install a game or some other software, and when you leave the workstation you know that no one else will see what you had installed or had running.
The bonus was that the cache and history files were wiped out with each log off.
My Sig indicates the end of the comment I posted.
1) Carry a laptop
2) ssh into your home server, or use HTTPS for webmail.
Using your own laptop means nobody is keylogging you, unless they get access to your machine, in which case you're screwed anyway. Sticking to SSH or HTTPS means you're not sending anything worthwhile unencrypted up the pipe.
Also, you'd be amazed at the number of compromised terminals at universities and colleges, too. Better warn your kids before they go off to college not to do any financial transactions, etc., from them, no matter if school policy is to run antivirus and spybot killers. Those are no match for good old fashioned hardware keyloggers, assuming they even use the latest updated programs to check.
If you want to access your email remotely, and you want to be sure it won't be hacked, bring your own computer. Otherwise, just accept the risk that your password will be sniffed, and change your password when you get home.
Ideally, you should change your password before you leave, and then change it back when you get home, because if you're like most people there are lots of things online for which you use the same password.
Oh, and if you need to do any kind of transactions _other_ than email while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.
I would advise them that spell checkers don't know nouns from verbs.
-Peter
If I were to make a site into which I would need to log in remotely, I would have it use a disposable password list: a list of passwords that will only work once. No worry about key loggers (though session hijacking would be another matter); as an added bonus, if you log your password entries you can also use your list to figure out where the more nefarious spots are.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
One of my users, a west coast sales rep, uses internet cafes. I have warned him about the possibility of his wireless connection being hijacked, among other things. I would avoid using unsecured connections if possible... Use a vpn client if possible. But a keylogger would/could catch that too...
Personally, if you are going to use an unsecured connection, then don't access your bank account or anything of that nature while doing it.
Stick to a basic email account you don't care about, like a yahoo account.
Email things like, "The Germans never take showers!" or "Why are they showing another Harry Potter movie on the plane?"
We play the game with the bravery of being out of range
Getting ready for Step 2, illustrated:
Don't blame Durga. I voted for Centauri.
If you have no idea what's installed in the computer you are using, everything you do with it may no longer be exclusively yours. I am not just talking about software; hardware is also included (think the Key Katcher ThinkGeek sells). If I wanted security, I would bring my own computer, use SSL on all communication channels, and even that may not be completely safe in a public location (hidden cameras, etc...). I guess hiding in the basement and keeping the windows shut, because who knows if they (http://news.com.com/2100-1001-912785.html) can actually see what you do.
Oh, travelling? I guess the short answer is mostly no if public terminals are used.
Please direct all bug reports to
Fear and consumption. That's kinda the MO of the local news, ain't it?
bring a Knoppix CD with you! :)
Just open a separate email account for the trip, i.e. Hotmail, Operamail, Gmail. Any will do; have them use this account while on the trip. Then when the trip's over, throw the account away. Use common sense and don't put in passwords to other accounts or CC info and you're fine.
When you are on a public terminal you can type in your username and/or password by typing in the last half of it, then use your mouse and go to the front of the text box and type in the first half. It's not foolproof, but at least someone won't have your password in plain view in front of them.
:wq
Internet cafes have had lousy security for a long time. Especially the ones that can't afford the license fees for a new set of WinXP so carry on using Win98/IE5.
The first thing I do is call up the task manager and disable/kill any processes I don't like the look of.
If the cafe gives me access to the process manager, then they probably don't have a clue about security.
If possible, try to find a cafe that uses Linux... there are a growing number of them around.
.sig available on 'Need To Know' basis only!
Really. Why in the world, with all the crap that is probably on your computer at the house, would you use a computer that the public uses? You can relate this to using a public bathroom.
Personally I would just pick up the phone and call whoever you want to talk to. Want to send pictures? How about you wait until the trip is over and then you can show them when you visit.
People nowadays think that just because all this technology is around that keeps us all in touch all of the time, you have to keep in touch all the time. People seem to forget the freedom of not having an electronic leash around their neck.
On a vacation to San Francisco my son accessed a web based online game at an internet cafe on the Wharf. When he later used the hotel's internet his character started at a different location. A sign his account had been compromised (and more telling than a "you last logged in at XX:XX" message!)
Later that day, or rather earlier the next morning, 4am to be precise, I suddenly woke up and realised my hotmail account might have been compromised in the same way (as I'd used a different PC in the internet cafe). Strange how your brain works when you sleep. I had to go down to the lobby to reset my password. Strange looks from the night porter!
When I typed the password in I assumed that the hotel machine was also compromised and changed window focus between each character and mixed in delete keys to try and confuse any key-logger log file. Not sure I'd rely on that but it seemed a reasonable precaution to my tired brain. Typing the same new password twice was a challenge this way though!
For the rest of my stay I watched other guests access their banking services from the same PC. I have no reason to believe the hotel's PC was key-logged. But it would have been an extremely juicy target.
While in Hawaii on vacation last September I prepaid for an hour of web cafe time. After answering all my emails and checking what news I felt like reading, I still had a good chunk of time left over and my GF was still in the same strip mall shopping. I decided it might be interesting to download and install ad-aware. (They were old windows 98 machines, so there was absolutely NO security.) In the 15 minutes or so I hung around watching and chatting with the clerk running the place, ad-aware ticked off over 2,000 spyware items found, and it wasn't anywhere near done!
I do very little 'sensitive' work while I'm visiting my folks, or the in-laws too. I just finished reinstalling the in-laws' machine and patching/updating it due to a huge spyware/virus problem. They could have had keylogging crap installed there unknowingly too.
The only machines I trust are those that I own and have direct, constant control of. Period.
My mother-in-law on the other hand decided that she'd keep doing her online banking/shopping, etc even after I advised her not to (it was going to be 2 weeks before I could do the wipe/reinstall). My father-in-law is a cop and well aware of how much identity theft is growing these days. Despite that, we couldn't convince her to sit tight for a few days.
That's why I get so annoyed when she asks for help!
-Ben
Wait are you saying that there are ways to have your personal information stolen simply by using the internets? I had NO IDEA! Why didn't someone (such as the mainstream media every 12 seconds in a new article) tell me???
I thought Cryptonomicon was required reading here. I guess times have changed. Use Morse Code.
Speak truth to power.
Hell, I don't even like touching pay-phones, much less a keyboard.
I wonder if people who really use public terminals would be the same people who would worry about information being observed, or copied. I think if you have this question to ask, then you won't get an answer that will suit you.
...it won't suit you because you're a fregin id10t
Or a laptop?
There is a large number of interesting travel sources that travelers will want to use. The modern vacation now includes a lot of information resources along with the recreational and scenic resources.
Being forced into living a state of fear by cyber thugs is really not that great of an option. The fact that we are essentially asking travelers to ignore an intriguing new aspect of travel is quite sad.
I am also disappointed to see our technological elite offering little more than a prohibition against using the technology.
Two things: you don't need to compromise a machine to monitor it. Example: does the place have ethernet ports? 10 bucks says they're on the same subnet as everything else, and this wonderful little program called Cain does this wonderful little thing called ARP poisoning, and it can even hijack HTTPS traffic with no issues at all. Secondly, why not just bring a Knoppix CD around? That cures the software side of things; hardware keyloggers are a simple glance behind the machine.
Just carry any good live CD and boot that. Only a hardware keylogger is going to work then - and you can usually check the back to see if one is attached.
I don't trust them there computers.
Dodgy double crossers.
All of 'em.
I see their beady little lights blinkin' away at me.
Keep away! Get back!
I have hammer! Keep away I tell ya!
Now run! Get away before they git you too!!!
(boss walks by and asks what's going on in here)
Right now in existing operating systems, some sort of keyboard driver will translate the keystrokes coming down the wire into characters and pass them where they need to be. Of course, anywhere between the driver and the keyboard can be compromised. You can tamper with the physical cable, between the cable and the keyboard port, or directly in the software.
Now imagine this scenario to fight this:
The keyboard and OS are NGSCB (Microsoft's Next-Generation Secure Computing Base (NGSCB)) -aware.
They have been configured to work together. (Leave the discussion for HOW that happens another day)
The keyboard will ENCRYPT all keystrokes and ensure the integrity of the data with a message digest and send the secure payload to the OS.
The OS kernel driver for the keyboard receives the data. The keyboard driver is untrusted, and can do nothing with the data except drop it. Ok. Denial of service if this is a rogue driver. But nothing else can happen. No information disclosure. It can't read the information. A proper keyboard driver would see this special payload and transfer it to the trusted environment through the use of a secure conduit transport. (Microsoft calls their particular environment Nexus, and have an easy-to-use API to accomplish this.)
Here the trusted computing base can pass the payload to the proper secure driver, in this case a secure keyboard driver that can verify the integrity of the data and unencrypt it. It can then determine what information can be passed back to the untrusted kernel. Microsoft calls these drivers agents, or more commonly NCA. In the case of password management, they can verify passwords securely on the trusted side, and just pass back particular results to the untrusted side.
At this point... both software and hardware keystroke loggers become useless. They can do very little but record the encrypted payload. (Of course they could try to brute crack this.. but a good design would account for this). It's actually quite a neat design... except that you have to trust the "trusted code base". Of course, you don't HAVE to. You could replace Microsoft's Nexus with your own. And from my understanding they are making provisions for that in Longhorn. But should I trust you any more than Microsoft?
I am over-simplifying this, but my point is that Trustworthy Computing is actually a good thing.
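A simulation of the encrypted keyboard path this post describes, as an added example that is not Microsoft's NGSCB or Nexus code: the keyboard encrypts and tags each keystroke, the untrusted driver can only forward, log or corrupt the opaque payload, and the trusted agent hands back nothing but a pass/fail. The pairing key, the password, and all class and function names are this example's own assumptions, and HMAC-SHA256 stands in for a real AEAD cipher.

```python
"""NGSCB-style keystroke protection, simulated (added example, not Microsoft's code).

Keyboard and trusted agent share a pairing key; each keystroke travels as
counter || ciphertext || tag.  The untrusted kernel driver, and any logger on
the cable or inside it, sees only that payload.  HMAC-SHA256 is used once as
a keystream generator and once as the integrity tag, in place of a real AEAD.
"""
import hashlib
import hmac

CTR_LEN, TAG_LEN = 8, 32


def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def _pad(key: bytes, ctr: bytes) -> bytes:
    return hmac.new(key, b"enc" + ctr, hashlib.sha256).digest()


def _tag(key: bytes, ctr: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"mac" + ctr + ct, hashlib.sha256).digest()


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class SecureKeyboard:
    """Encrypts and authenticates every keystroke under a per-press counter."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, ch: str) -> bytes:
        ctr = self.counter.to_bytes(CTR_LEN, "big")
        self.counter += 1
        ct = _xor(ch.encode("utf-8"), _pad(self.key, ctr))
        return ctr + ct + _tag(self.key, ctr, ct)


class UntrustedDriver:
    """Kernel-side driver: sees every payload and may log or corrupt it."""

    def __init__(self, tamper: bool = False):
        self.captured, self.tamper = [], tamper

    def forward(self, payload: bytes, agent) -> bool:
        self.captured.append(payload)                 # what a keylogger gets
        if self.tamper:                               # flip one ciphertext bit
            payload = payload[:CTR_LEN] + bytes([payload[CTR_LEN] ^ 1]) + payload[CTR_LEN + 1:]
        return agent.receive(payload)


class TrustedKeyboardAgent:
    """Nexus-side agent: verifies, decrypts, and answers only yes or no."""

    def __init__(self, key: bytes, pw_hash: bytes):
        self.key, self.pw_hash = key, pw_hash
        self.last, self.buffer = -1, []               # highest counter accepted

    def receive(self, payload: bytes) -> bool:
        ctr, ct = payload[:CTR_LEN], payload[CTR_LEN:-TAG_LEN]
        if not hmac.compare_digest(payload[-TAG_LEN:], _tag(self.key, ctr, ct)):
            return False                              # corrupted: just dropped
        n = int.from_bytes(ctr, "big")
        if n <= self.last:
            return False                              # replayed or reordered
        self.last = n
        self.buffer.append(_xor(ct, _pad(self.key, ctr)).decode("utf-8"))
        return True

    def check_password(self) -> bool:
        typed = "".join(self.buffer)
        self.buffer = []
        return hmac.compare_digest(password_hash(typed), self.pw_hash)


def type_password(keyboard, driver, agent, text: str) -> bool:
    """Send every character, then ask the agent for its one-bit verdict."""
    results = [driver.forward(keyboard.press(c), agent) for c in text]
    matched = agent.check_password()                  # always clears the buffer
    return all(results) and matched


def scenario() -> dict:
    """Constructed run: honest login, logged payloads, tampering driver, replay."""
    key = b"pairing-key-constructed-for-demo"         # stands in for NGSCB pairing
    password = "hunter2"
    agent = TrustedKeyboardAgent(key, password_hash(password))
    keyboard, logger = SecureKeyboard(key), UntrustedDriver()
    honest = type_password(keyboard, logger, agent, password)
    leaked = password.encode() in b"".join(logger.captured)
    tampered = type_password(keyboard, UntrustedDriver(tamper=True), agent, password)
    replayed = all([agent.receive(p) for p in logger.captured])
    return {"honest": honest, "leaked": leaked, "tampered": tampered, "replayed": replayed}
```

The tampering driver only causes the login to fail, which is the denial-of-service outcome the post accepts; the logged payloads neither contain the password nor replay.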
I am working on a project called Cartman, which is a PAM Challenge-and-Response authentication module for linux.
It's not as "good" as something like SSH, but has the benefit that you have to type the "challenge" into a PDA (Blackberry, Palm, etc) in order to get a response, so capturing keystrokes doesn't help.
The page isn't up yet, but will be at:
http://www.bradgoodman.com/cartman
Don't worry about hardware keyloggers. They cost more than software loggers, so they won't be there. Cops and spooks break in to install them on dissidents' machines; they are probably very rare otherwise. Just bring along an Ubuntu LiveCD, and boot from it. If you can't do that, and you can arrange to produce your own web site, have web-page javascript password-entry scheme that uses just the mouse, unrepeatably. (That is, each time the page is (re-)loaded the buttons appear in different places on the screen.) Or, bring along a USB key with a pile of temporary-use private keys in it, and a copy of ssh configured to use only those key files. Be sure to delete the corresponding public key after each use. Even if they log keystrokes they won't copy the entire contents of every USB key plugged in; and it doesn't matter so much if they do, anyway.
You know what I say? Stop worrying about things. Live life. Life is dangerous. You might be killed tomorrow. Disease, car crash, something like that. And there are lots of people in the world. What are the chances it will happen to you. Set your root password to password. Run an open SMTP server. Do whatever you want. It's better to regret the things you have done than the things you haven't.
The answer is of course TINFOIL.
Tinfoil money belt
Tinfoil passport cover
Tinfoil shaving kit
If I could get tinfoil condoms in case I get a date, I'd be in heaven!
I limit my on-line activities on kiosks to anonymous surfing, though if I am travelling, I usually have my tablet PC and my cell phone with me, the combination of which can be used to browse the web.
But I admit to being more paranoid than the average bear. :)
I'm proud of my Northern Tibetan Heritage
Say it's YOUR internet café. What are the ethics of installing keyloggers? It seems quite clear that these public stations would have keyloggers--barring an evil SysAdmin--to protect their computers (their property). Should the public be informed if they are paying to use the system (or not)?
Sort of offtopic, but I'm curious.
I don't check email when I am on vacation. Things are supposed to be a change of pace. Isn't that why you are on vacation?
This issue is a bit more complicated than you think.
I once worked at a computer lab where I was able to test some software (iOpus, I believe) that had some keylogging software. This software was incredibly ingenious, and would very accurately tell me what was typed where, when, and by whom. I also had the option to take screenshots every once in a while (I could set how often the screenshots were taken). These files (log and screenies) could then be saved in a location where the current user would not be able to access due to user restrictions.
Be wary of this, since I was able to catch the logins of several users. (My purpose of installing this was to catch someone who was using our network traffic downloading porn and illegal filesharing. Needless to say, with the screenshots and logs, I caught him rather red-handed.)
But these days, such precautions are to be expected with terrorism on the rise and such. My only advice: Be very careful when doing this on a public location where spying and keylogging is easy to implement. Not all people were as nice as I was and let the small info go. A small slip of the Credit Card number, and away goes several thousand dollars!
Start > Run > osk.exe
The onscreen keyboard doesn't get picked up by any keylogger I know of.
Someone out there must have a list of the default passwords for all the keyloggers... Just fire up notepad and type these passwords in. If nothing happens, you're probably in the clear.
[o]_O
As long as the machine in question is connected to a lan with dhcp (almost all public terminals) then you can usually get by with just rebooting the computer with a Knoppix CD in the drive to guarantee you have a clean computer to work from. Then just use whatever techniques others have suggested to fool hardware keyloggers or check the cables to the computer. This worked fine for me at the local coffee house, just might have to deal with pissy management if they are confused at what you are doing.
We've secretly replaced the Enterprise's dilithium crystals with Folgers crystals. Let's see if they notice.
Under windows, shouldn't you be able to use the character map application to "type" in your password using the mouse, thus circumventing any hardware keyloggers? Of course, if I was going to capture passwords, I'd modify the browser itself to record all POST data, so it doesn't matter how you input your password.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
If it's keylogger software you are worried about, it sounds like a single use password (tear sheet style) would be ideal.
If it's one of those little PS/2 keyboard devices that sits between your PC and keyboard, try this: Log in normally, use your password, do whatever, then logout. Before you walk away from the kiosk, tape down the left-arrow key. The auto-repeat will fill the buffer (might be a few Kb) and eventually overwrite your PW.
Can anyone recommend a one-time-pad (OTP) implementation for use with openssh under linux? I looked into this some time ago and was only able to come up with a couple of hits, most of which were suffering from bit-rot... The most promising candidate was libpam-opie (though I seem to recall it had its own problems.) However the URL I had for it is now dead too. As an aside, can anyone with a clue comment on 'S/Key'. It appears to be a method of generating OTP passwords -- is this a ubiquitous standard? A generalized algorithm that can be implemented in mutually incompatible ways (i.e. different hash functions)? Some proprietary, patent-encumbered thing?
- Set up a temporary gmail account with a dumb password I don't use anywhere else. Also set a signature reminding everyone I'm on vacation and that they should still only email my normal account. Set the reply-to accordingly.
- Set my normal gmail account to forward (but keep copies of my mail) to the temp account
- Turn off forwarding when I return, change password to something else on my temp account
This meant I didn't have to have friends email a temporary account and I could still receive any important emails I'd normally get. Even if the account did get compromised there's no chance anybody could sift through all the email I have stored in gmail. Good enough for me...
Since my laptop is my office machine, it goes where I go. I take the appropriate measures to secure my laptop at all times. As far as physical security goes, since I'm a field employee, my backpack is my office. I always keep the backpack in my presence.
Tell them to assume that anything they do on the public terminal is public information.
What kind of information is that sensitive, though? Personal e-mails? Instant messaging? They are typically not encrypted from a private terminal, and therefore not exactly private information as it bounces around the Internet.
Yes, *that* Bob Vila.
If the public internet cafe you are using allows external computers to connect to their LAN, such as bringing in your laptop, then try ssh tunneling to protect your content. Google defines ssh tunneling as "The process of taking any networkable connection between two hosts and channeling the information through the SSH session by encapsulating the private data inside of ordinary (usually encrypted) TCP/IP SSH packets. These connections may be arbitrary TCP/IP ports, X11 connections, or even email, allowing for features like encryption and compression for normally unsecure communication." To set up your own ssh server, install OpenBSD (http://www.openbsd.org/) or get OpenSSH for Windows (http://sshwindows.sourceforge.net/). A good ssh client is PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/).
Another, easier alternative is to use an encrypted VNC connection, such as RealVNC (http://www.realvnc.com/), and just use your home computer from on the go. This would allow you to use your home computer from another computer to get past a packet logger on the internet cafe's LAN.
If the internet cafe doesn't allow external computers on their lan, the only way to keep your data secure for sure is to not access any sensitive material when using their computers, such as everyone else has already said.
http://83p.unitedti.org/
I posted to slashdot from an Internet Cafe, and nobody stole my password.
The reality is that people have to use untrusted machines every once in a while, and even if you then change your password from the next trusted machine you have access to there is still a window of opportunity. If I must use credentials at a public terminal I make extensive use of cutting, copying and pasting, and typing over selected text so a key logger would see a password like 'secret' as a string like 'fsdjn392e9c3sD$r@90ejfndt'. This won't protect you from things like browser helper objects (BHOs), but it's better than nothing, and you can be sure there's plenty of other low hanging fruit for your adversary to pursue.
Now if only banks would stop seeing fraud as a cost centre and actually start doing something serious about curtailing it then we wouldn't need to be having this discussion. In Ireland for example rabodirect equip users with a digipass (http://www.rabodirect.ie/security/digipass/digipass.asp) which is used for two factor authentication and signing of transactions. There's other mechanisms being considered, like text message challenges, sequence based tokens, etc. but in the mean time plenty will suffer - fortunately the more clueful will manage to be reimbursed but you can bet there will be plenty of expense borne by the others.
It doesn't help that you usually won't be able to change the password backends, but for things like mail you can, if you run your own servers. I'd like to think there were a challenge response token that's affordable for single user installations - I've seen something like this before but if anyone has any suggestions...
Incidentally, there's a fair bit of work being done in the area of endpoint analysis, which is usually in the form of an agent which scans the machine for suspect registry entries, processes, files, etc. and applies corporate policies like OS and patch level, virus scanner health, firewall status, etc. before allowing access to a trusted resource (eg a VPN). There will be interesting things to come in this area but I suspect it will be an arms race for some time (think virus scanners, anti spyware, etc.) and there's always the question of how much trust you can attribute to code running on an untrusted platform. If it weren't for the potential for abuse (think digital restrictions management) this is where technologies like Trusted Computing Base are useful.
Suggestions have been given how to avoid getting your passwords stolen, but sometimes it happens despite one's best efforts. Here are two very useful tips to limit the damage that can be done if any passwords are stolen.
Wow, hadn't thought of that. That's cool!
How well would it work to make a point of entering your username and password wrong a few times before actually logging in? I've never seen the output of a keylogger before. Would that make it enough of a pain that they'd move on to the next poor schmuck?
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
Once in an internet cafe in Lima, Peru, I saw a dialog on another computer pop up saying "Your free trial of KeyLoggerPro expires in 3 days. Click here to buy!". Terrifying.
I don't know what these things really log, but one idea that may be worthwhile is to type characters out of order and to use the mouse to reposition the cursor. E.g. to enter "password", type "word" then mouse back to the start and type "pass". That ought to be a bit harder to pick up than using the cursor keys to achieve the same thing, depending on what level they listen at.
Otherwise, make sure you have different passwords for low-importance vs. high-importance accounts. If you have a server account of your own, consider using one-time passwords (e.g. the OPIE PAM module). Take a Windows version of Putty on a flash stick. Or a VNC viewer. Or use Anyterm http://anyterm.org/; it should be possible to set it up to use OPIE one-time passwords, and it's quick enough for something like pine, if the terminal emulation works.
Cut-n-paste your sensitive logins and passwords one character at a time. You need to type in the alphabet (upper and lowercase) and numbers into a different window. This is all the keylogger sees (that and cut-n-paste commands).
Hopefully nobody is looking at your screen remotely (and seeing the mouse movements)... anyone have a technique around that?
It isn't even necessary for customer privacy to be your top priority in order to implement measures that will result in greater privacy and peace of mind for your users.
How about network booting your public terminals? Configure terminals to reboot after (short) periods of inactivity and make an explicit statement asking users to reset the machines after (or before) they use them. Clean slate after every reboot.
Benefits? For the admin, no more malware troubles, single point to install updates to, use your imagination. For the users, somewhat increased privacy, depending on how seriously admins take such matters.
That can help alleviate software keyloggers. Dealing with the HW variety would require securing the physical terminal. Would USB keyboards thwart at least some HW keyloggers? Is it cost-effective? I'm not sure, but you get the idea.
Let's not forget strong security profiles, limited rights on Windows-based terminals, etc.
Oh, and admins? SSH clients would help a lot of people.
Push the envelope. Watch it bend. -Tool
Hardware based keyloggers are a little easier to spot, though. You could show them pictures of hardware loggers so they'd know what to look out for. A quick Google found this one and this one, which are pretty much the only two types I've seen so far.
It should be noted though, that finding these things on an Internet kiosk would be near impossible as most of the hardware is hidden from the user's view.
I'm not tense. I'm just terribly, terribly, alert.
Lame, very lame. Any decent keylogger will be installed as a (hidden) kernel driver. You won't be able to see it even with a kernel object dumper, let alone the lousy task manager.
Seems like the best thing would be a random layout that changes each time it's accessed, so the mouse positions alone are not meaningful.
It could still be defeated with either complete page contents logging (in addition to mouse logging) or screen video capture.
Duh.
Has anyone seen a good implementation of challenge/response? And is there one where the plaintext password does not need to be stored?
www.swivelsecure.com
You can even put a cellphone in the loop which uses SMS to put one-time passwords in place. Of course, few banks are using this yet (and yet they say they are worried; pretending I reckon).
K.
anyone can snoop them with a device that fits inside a laptop case or purse within range, just by walking near you.
In other words, get it now before they add the RFID broadcast/interrogate chip, cause once they query you they have all the time in the world to crack it.
-- Tigger warning: This post may contain tiggers! --
I just got back from vacation and experienced this problem. I could only check my bank balance via the internet, and in order to make hotel reservations I would have had to give my credit card number over a (very) public telephone or in full view of 50 people in an internet cafe.
What I ended up doing with the bank balance was having a family member I trusted look the information that I needed. I will have them do this with reservations in the future.
There really has to be some system where you can secretly pay for things via internet cafes and verify your identity, maybe through an attached thumb print device.
Simple advice, same as I give to anyone - Don't use Windoze. Getting admin access to install a keylogger is trivial on Windoze, but nearly impossible to do on Linux.
None of my Gentoo Linux boxen have ever been hacked, and I intend to keep it that way. I've run three Windows machines in the past, all of which have been hacked in some way.
If you need to do any kind of transactions ... while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.
If that is really so for you, you should change your bank immediately!
Do you seriously mean that you can do bank transactions with nothing more than a username and a password?
I have never seen something like that, but I guess it does exist, or I wouldn't get all these silly phishing emails.
On the bank sites that I know, one still uses the first system I had seen: you need a contract number (different from your bank account number) and a password, and a number that can only be used once, taken from a printed list sent by registered mail. (And it does have to be the next number in the list, not just any unused number).
With the other, you also need a contract number, and then a card which you put into some sort of calculator/card-reader. You don't give your password to the bank site, but to the card reader with your card in it. The web page then gives you a number, which you enter into the card reader, which displays a one-time password which you enter into the site. Does it sound annoying? Well, it is. But you get used to doing the operation quickly, and it definitely defeats key-loggers.
Anyway, if you need to design strategies to keep your bank account safe, then it's hopeless. Either cancel your online banking contract or get another bank.
A one-time-pad (one-time use random 'key' data, sizeof(key) == sizeof(message), xor) and a one-time-password system (OPIE, S/Key) are two different things.
At a wireless Access Point, anybody can presumably crack whatever WEP is in use and eavesdrop, or the AP uses no WEP at all, which is no big deal if you are using an SSL browser or better yet some secure tunnel to somewhere.
They are talking about hardware keyloggers, which are not necessarily easy to spot. I could wire one INSIDE a box where no one would see it in about 15 minutes.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
I've got kind of a weird system brewing in the back of my head. I have RDP set up on my home computer (think VNC, only faster, and Windows). Ideally I want to log in to that. But I don't want it open 24/7, so I have the port completely closed. What I *will* have (don't have it yet) is a few ports open to a virtual private server I own. I connect to the virtual private, type in a one-time password, and it sends an instruction to my home computer to open a port to a certain IP for a minute. During which time I connect to it via Remote Desktop and use my home computer.
:)
Since my home computer has passwords saved, of course, I wouldn't need to type in passwords from here. This assumes the connection is secure from being hijacked (I don't honestly know if it is) and there's a little vulnerability where someone could immediately RDP into my computer again, from the same IP, with the password that they've presumably just logged, since *that's* not a one-time password. (I suppose I could try to set it up to only allow one connection in.) But they'd only have a minute to do it in.
Of course, the point is entirely moot since I haven't set any of this stuff up - it turned out I needed a laptop for work, so they gave me a laptop, and I've just been using that with ssh and cygwin. Heh.
But that's the plan.
Breaking Into the Industry - A development log about starting a game studio.
First off, as a rule of thumb, I do not use public terminals for anything that needs to be secure. It's too easy to carry a laptop around and jack in using ssh.
That being said, an interesting approach to addressing this problem could be via the use of a signal system using a CGI script to temporarily set a particular password. For example, you write a CGI script that is called with certain parameters that "seed" a password that only you know. You call the cgi script, it changes the password of a particular account (I like using additional variables like time-of-day numbers to seed the password), then you log in and when you're done, you call the cgi script again with a code to reset the password. It wouldn't be difficult to integrate this into a web server or some other listener. The keylogger would be useless. Even if it captured everything, there would be a formula that only you know, integrated into the cgi script, that would never be revealed during the transaction.
Instead of typing anything, cut and paste your password using characters copied from a website. You could even paste the characters in a random order if you think the keylogger is tracking the clipboard.
How important *is* your Slashdot nick? We won't hold those 419 appeals against you when you get home. Promise.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
Media release: Microsoft Partners with Australian Law Enforcement Agencies to Combat Cyber Crime
Does this seem hypocritical to anyone? Aren't botnets and insecure OSes the main areas for cyber crime to take place? And do you think Microsoft would help secure Linux? Hell no, they'd want to leave it insecure to make them look better. And the Feds are the ones that are meant to protect us from terrorism... I might as well move to Gaza!
"I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
Print out all your email before you leave. Bring a typewriter along and type out your replies while you're away, then OCR it back into your computer when you're at home. I'd like to see a hacker break that!
Generate a public/private keypair for them using a computer at home. Make sure to use relatively small prime numbers. Now, read them the public key over the telephone, and have them generate a shared key, encrypt it with your public key, and read the result back to you (in binary, of course).
From now on you don't need the public/private keypair, have them burn any note paper that they might have used while calculating the message. Make sure they put the ashes in at least 4 different trash cans in different parts of town. From now on you will communicate with them using the shared key. This will be much easier to do by hand, and you can use a slightly larger key size. In fact, maybe it's best if you use some shared source for a one-time pad. For instance, they can probably get a copy of the NIV bible, and you can get one too. Pick a particular passage to start at, and there you go, you have a one-time pad. But don't use the NIV bible, because someone reading this post will have a much easier time cracking the message. Instead, pick a source and send that in the encrypted message. Keep the messages short. You can communicate most of the information over the phone unencrypted, just make sure the sensitive data is encrypted.
Now, have them send you all their current passwords (these would be encrypted, of course). You should now log in and change all those passwords to random ones which you generate. From now on, if they need to access something, they should call you up (or email you using a newly created email account) and tell you what they need to access. You will then change their password, and send the new one encrypted to them. They will decrypt the password by hand, possibly using a calculator if they can ensure that there is no keylogger installed on it (obviously don't use a calculator on the possibly compromised machine). Once they are done using the site, they should contact you and you'll change the password again, to something new and random.
Obviously all of this would have been a lot easier if they had set things up before leaving. For instance, when I'm at work I only connect to my home computer via https using a password which automatically changes every single time I connect. My home computer contains the actual passwords to the sites and thus it logs in for me and relays the information. I carry around the next 15 passwords every time I go, though they are obviously encrypted using a special scheme which I have memorized and can perform in my head. Yes, it's possible the browser itself is compromised, but that's a lot less likely than that a keystroke logger is installed. I used to use a secureID device which automatically changed the password every 5 seconds, but then someone told me that the NSA installed a backdoor into those devices.
Oh yeah, I'm just kidding about all this... Or am I?
If needed (happened twice) to enter a password, I usually go to some webpage, copy and paste each character. I assume that the keylogger is not smart enough to log the clipboard. There are workarounds for that too.
Okay, help me out if it's so simple.
I got back Friday night from travelling in Eastern Europe since early May. It was a sometimes-working holiday, so I actually had my laptop WITH ME, but publicly available wireless access was basically non-existent, so most places I had to deal with internet cafe-style public terminals as my only internet access.
Since I was doing work, I *needed* to access at least email occasionally.
I used tricks like alternating typing in the username and password chars (and chars in the browser bar), and changed my passwords periodically as well, but I STILL suddenly started getting a flood of bounces and virus-filter alerts, mostly from Austrian domains, so I'm guessing it was the internet cafe in Vienna that trapped my password somehow.
Weird, in a way, because they seemed to have a much more professional setup (versus, for example, the internet cafe on Vis island in Croatia that had no special software or limitations whatsoever, just a few old computers with dialup internet access).
Anyway -- what else should I have done?
Reformat the public terminal before using it.
Take the laptop with you, and just jump aboard any internet café, I'm sure they'll understand and assist you in maintaining security for your data ... the customer is always right ... even in Timbuktu
Question Authority before IT questions You
Just bring a Knoppix CD and one of those USB flash memory "drives". Boot Knoppix so you do not have to worry about the spyware on the computer.
Religion is the main cause of atheism.
Use a mom-and-pop run internet cafe and boot Knoppix. Use the machine at the back.
http://www.knoppix.org/
Ludwig Wittgenstein
As such, his personal AIM screen name and password are never typed in, so the only thing key-loggers will catch is his conversations, which are mostly uninteresting.
If he wants to do any financial transactions or login to secure systems, he carries a Knoppix CD with him. He reboots the system and lets it load the OS from CD. No changes to the hard drive are performed, and he can be sure that there are no software-based processes watching what he types in. He can browse and use ssh without worry.
In my opinion, very clever.
splunge (n) -- A good idea.. but it could be lousy... and I'm not being indecisive!
Is there any utility program out there that interfaces with a SSH server that will generate a list of, say, 500 one time use passwords which you can print on paper and carry with you (on trips)? Then each time you ssh home, you type in one of these passwords (say 10 chars long) to do whatever (VNC, email etc). Then the server deletes the password from being used again. I guess if the server is willing to accept any of 500 passwords, this makes it easier to attack, but not by much.
If you need another list of passwords, go to a trusted computer and get the server to generate and send you another 500 one time use passwords that you can print off.
Why do various web-based email sites not offer this service??
So it should be ADVICE not advise.
Where he had had "had", I had had "had had". "Had had" had had the teacher's approval.
Do not correct my grammar again.
1. Check the PS/2 or USB port for a hardware keylogger
2. Boot off a Knoppix CD
3. Make sure your data is encrypted.
Do this, and you will be protected (unless the bad guys put the keylogger on the MOTHERBOARD somehow, but I doubt that.)
SIGSEGV caught, terminating
wait... not that kind of sig.
Maybe it is possible to carry a Linux Live CD distribution on a CD or a credit-card-sized CD, or perhaps boot Linux from a USB memory stick if that is possible on the computer.
But nobody really needs to check their email when they travel or do banking things; when you travel and you get to be at a computer then you just go to slashdot and read the latest news.
If you use SSL that doesn't matter; the whole POINT of SSL is that it treats the network as basically untrusted, and that includes the wireless part.
To do a MITM on SSL you need a root cert that's installed in the user's browser, which means you either need to compromise the user's system or compromise a root CA (which won't be easy).
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
If you boot Knoppix, and use cut & paste to enter your password you should be almost 100% safe. Very good idea!
I travelled some pretty dodgy places in the last 12 months, and I was more worried about catching bad stuff from water or food. How about you tell your friends to enjoy themselves, be smart, but don't worry too much about anything, they are on vacation right? That's what I did, and I had a great time, and no-one keylogged my keystrokes (or if they did they haven't used it yet :-))
Create a new account on your favorite free email server, like Yahoo! or Hotmail! or whoever just for the vacation and give that to people in advance. Tell people not to send sensitive stuff, but if something important comes up to have messages like "Please call Elsa. It's important." You can even leave a .vacation.msg that gives proper instructions on the use of the throw-away account.
This doesn't work for every use, but I could definitely understand the need to have some means of communication when one is on the go. This is especially true when going from country to country, say, in Europe, where I live.
In fact it was important for a friend who was bouncing between Germany and Switzerland who was having trouble connecting with a host. If you're going to be away so long that you need to do more extensive (and sensitive) stuff then I agree with the other posters that you should either bring a laptop or use smart technology. In fact, see my article about a proposed solution here.
I've heard that some European banks do one-time passwords - you just print out a sheet and bring it with you. This would be the ideal solution if you don't care about privacy, but of course if, like me, you live in the U.S., you probably don't have this option.
Nobody has mentioned the simple way to limit your losses. Open a travel account at another bank. Set up automatic weekly transfers. Use it for gas and such. My travel account gets $200/week. If it gets hit, I contact my bank. My potential loss is very limited. The checking account is not backed up with overdraft protection. Keep track of your balance and use the bank ATM whenever possible. The rest of the bills are set up from the primary account at another bank with auto payments. If the electric is a little off one month, it can be adjusted upon my return. They are happy to receive a regular payment even if it is a little over or under. Let them know what's up. They are very good working with you to get paid.
The truth shall set you free!
I type out all the letters (and numbers) of my password in notepad - not in order and with a few others thrown in.
Then cut and paste them one by one into the appropriate box.
Slow, but pretty secure.
As an alternative approach you can use SecurID (http://www.rsasecurity.com/node.asp?id=1156). It generates a unique password for you that is valid for ONLY 20 seconds! So even if someone sees that pass he can use it for less than 20 seconds
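Two of the schemes in this thread, the card reader that turns a number from the web page into a one-time response (described earlier) and the SecurID-style code that is only valid for a short window (the post just above), share one property: the code a keylogger captures is derived from a secret that never passes through the keyboard, and it stops being accepted almost immediately. The block below is an added illustration of that property and is not code from the thread or from any token vendor. It uses the public HOTP/TOTP computations (RFC 4226/6238, HMAC-SHA1 with dynamic truncation) as stand-ins for the proprietary algorithms inside real tokens; the `ChallengeServer` class, `card_reader_response` helper and the key values are assumptions constructed for the demo.

```python
"""Added illustration: why a captured one-time code is useless afterwards.

  * time-based codes (SecurID-style): one code per 30-second window, computed
    with the RFC 6238 TOTP algorithm;
  * challenge/response (card-reader style): the server issues a random
    challenge and accepts exactly one response to it.
Both are stand-ins for the vendors' algorithms, built on HMAC-SHA1 with the
RFC 4226 truncation. Key material below is constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct


def dynamic_truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(key, counter): HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of `step`-second windows elapsed."""
    return hotp(key, unix_time // step, digits)


def replay_succeeds(key: bytes, logged_at: int, replayed_at: int, step: int = 30) -> bool:
    """Would a code logged at `logged_at` still be accepted at `replayed_at`?"""
    return totp(key, replayed_at, step) == totp(key, logged_at, step)


class ChallengeServer:
    """Card-reader style verification (assumed design, not a bank's code).
    The server holds the card's key and the set of outstanding challenges;
    each challenge is consumed on first use, so a logged response cannot be
    replayed and a logged challenge reveals nothing reusable."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.pending = set()

    def issue_challenge(self) -> int:
        challenge = secrets.randbelow(10 ** 8)    # the number the web page displays
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: int, response: str) -> bool:
        if challenge not in self.pending:
            return False                           # unknown, expired or already used
        self.pending.discard(challenge)            # consumed even if the answer is wrong
        return hmac.compare_digest(hotp(self.card_key, challenge), response)


def card_reader_response(card_key: bytes, challenge: int) -> str:
    """What the offline card reader computes; the key never leaves the card."""
    return hotp(card_key, challenge)


if __name__ == "__main__":
    KEY = b"12345678901234567890"                 # RFC 4226 test-vector key (demo value)
    print("code at t=59:", totp(KEY, 59))         # 287082
    print("same code accepted at t=120?", replay_succeeds(KEY, 59, 120))   # False
    srv = ChallengeServer(b"constructed-card-key")
    c = srv.issue_challenge()
    r = card_reader_response(b"constructed-card-key", c)
    print("first use:", srv.verify(c, r), "replay:", srv.verify(c, r))   # True False
```

The time-based variant shows the "less than 20 seconds" argument from the post in concrete terms: the attacker has until the current window ends, and the code then fails on its own. The challenge/response variant is stricter still, since the server decides when a challenge dies; it also answers the earlier question in the thread about not storing a plaintext password on the server, because what the server keeps is a per-card key that is never typed anywhere.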
It's not too hard to enter a password without the key logger being able to know what you are doing.
Open a text editor, type all the alphabet and numeric keys. Then use cut and paste, character by character, to enter the password in the dialog.
The only flaw: nobody shall be able to see your screen when you do that.
I think your idea of switching apps, though simple, is brilliant.
It would work even better if the pass is not some common word, but some garbage like "ryt67skjh". In that case the split-up will work real good!
Thanks.
Why does yahoo do this
That works as long as the KL is software based?
Duh!
That's if you know the process name of every keylogger in this world for sure!
Sure you can make out suspicious names. But most device driver names look suspicious - anyone who has tried C_A_L on a win 2k/XP knows this.
Why does yahoo do this
If you don't trust the client, the obvious thing to do is to use a one-time password scheme on the server, like opie or s/key. Print out a list of passwords and take that with you before you go travelling. That way, even if someone intercepts the password, it won't be of any use to them.
OpenBSD s/key has been ported to Linux, btw.
OpenBSD has an s/key implementation, which has been ported to Linux: It used to be available here: www.sparc.spb.bu/solaris/skey (That's down at the moment, though - strange). Gentoo, for example, has an skey ebuild, and has the sources available here: http://mirror.gentoo.no/distfiles/skey-1.1.5.tar.bz2
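The printed-list scheme asked about earlier in the thread (500 one-time passwords for ssh home) and the OPIE/s/key answer above are the same idea: a hash chain. The block below is an added illustration of that idea and is not code from the thread, from OPIE or from the OpenBSD s/key port; it uses SHA-256 folded to 64 bits and hex output as a compact stand-in for the real S/Key word encoding, and the `OtpServer`, `enroll` and `demo` names are assumptions made for the demo. It shows why the poster's worry that "the server is willing to accept any of 500 passwords" does not apply: only the next entry on the sheet is accepted.

```python
"""Added illustration: an S/Key-style list of printable one-time passwords.

A secret is hashed repeatedly on a trusted machine. The server keeps only the
last link of the chain and the number of passwords left; the printed sheet
carries the earlier links in the order they are to be used. Each password
works once, must be the next one on the sheet, and reveals nothing about the
ones after it (that would require inverting the hash). Stand-in for the real
S/Key and OPIE formats, not their code.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple


def fold_hash(value: bytes) -> bytes:
    """One chain step: hash and fold to 64 bits (as S/Key does), so every
    printed password is a fixed 16 hex characters."""
    return hashlib.sha256(value).digest()[:8]


def build_chain(secret: bytes, length: int) -> List[bytes]:
    """Return [h^1(s), h^2(s), ..., h^length(s)]."""
    chain, value = [], secret
    for _ in range(length):
        value = fold_hash(value)
        chain.append(value)
    return chain


class OtpServer:
    """Server-side state: the most recently accepted value and the count left.
    Neither the secret nor any unused password is stored, so a stolen copy of
    this state does not let anyone log in."""

    def __init__(self, anchor: bytes, remaining: int):
        self.anchor = anchor
        self.remaining = remaining

    def verify(self, otp_hex: str) -> bool:
        if self.remaining <= 0:
            return False                  # sheet exhausted; re-enroll from a trusted machine
        try:
            candidate = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        # Accept only the value that hashes to the current anchor, i.e. the
        # immediate predecessor on the chain: replays and skipped entries fail.
        if hmac.compare_digest(fold_hash(candidate), self.anchor):
            self.anchor = candidate       # move the anchor one link down
            self.remaining -= 1
            return True
        return False


def enroll(secret: bytes, count: int) -> Tuple[OtpServer, List[str]]:
    """Run on a trusted machine before travelling. Returns the server state and
    the sheet to print, first line to be used first."""
    chain = build_chain(secret, count + 1)
    server = OtpServer(anchor=chain[-1], remaining=count)
    sheet = [link.hex() for link in reversed(chain[:-1])]   # h^count ... h^1
    return server, sheet


def demo() -> List[bool]:
    """Use the sheet in order, then try a replay and a skipped entry."""
    secret = secrets.token_bytes(16)      # constructed; discarded after enrollment
    server, sheet = enroll(secret, 5)
    return [
        server.verify(sheet[0]),   # True: first password on the sheet
        server.verify(sheet[0]),   # False: replay of a used password
        server.verify(sheet[2]),   # False: not the next one on the sheet
        server.verify(sheet[1]),   # True: the next one
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, False, True]
```

For the 500-entry sheet from the question, `enroll(secret, 500)` produces the list to print and the tiny piece of state the ssh server needs; the secret itself can be thrown away as soon as the sheet exists. Because the server only ever compares one hash against one stored value, a copy of its state is no more useful to an attacker than the list of already-used passwords, which is the property that makes this safe to run on the very machine a keylogger is trying to get into.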
Hopefully you are joking, but I am not convinced.
Here is a post of someone talking about why they switched, though don't follow their advice about blindly clicking on certificate warnings.
http://www.phenix.bnl.gov/phenix/WWW/lists/phenix-comp-l/msg03017.html
Unable to navigate and/or enter data for a visa to the U.S. from the U.S. Embassy Tokyo site with FireFox on Mac and Konqueror on FreeBSD, I printed out the hand written form (which the State Department says to do if the site doesn't work) and brought that in to the embassy. (To enter an appointment required turning off JavaScript after viewing the calendar of available days since Microsoft's JScript screws up Date.getYear() and the site creators don't know that!)
Anyway, once arriving at the embassy with everything, I was given the below paper and told to make another appointment:
(Bold is theirs.)
Am I the only one to find this official advice to use Internet cafes to enter my personal information for a visa application a bit scary?
With a combination of looking at page source code to get to next pages, and enabling and disabling JavaScript, I was finally able to get their EVAF barcode. (I found it interesting that Konqueror can handle VBScript - treating it like JavaScript, which it looked like.) So with just a little bit of effort, this whole process can be made cross-browser friendly. Why won't the State Department do that? And stop recommending using Internet cafes to enter personal information?