Protecting Your Personal Info While Traveling?

AdEbh asks: "I was just listening an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be what advice should I give them? Is this a real concern?"

A tip

[ylikone]

Don't type anything you wouldn't want anybody else to see when you using public terminals. Kind of obvious?

Re:A tip

[japhmi]

Just type all possible letters, numbers, and whatever else is in your password into one file, and use copy-paste to bring over what you need.

Yeah, it's a pain, but you could shorten it by just making sure everything's out of order and with some gibberish.

Of course, nothing's 100% secure, especially while traveling...

Re:A tip

You're kidding right? Have you ever seen keylogging software?
They spyware varieties rarely log every key. Instead, they intercept web submission forms, or data from specific applications. Switching windows and typing gibberish won't do anything to prevent information loss.

The best approach is one of:

- Bring your own computer. Use SSH or other VPN software to access your home computer and then your email. Do not trust public systems. Do not trust public WiFi networks.

- Setup a web interface for accessing email. The password should change automatically after every successful login.

- Bring putty on a floppy disk and use it to SSH into your home computer for accessing email. But don't trust the local web browser to not be infected.

- Knoppix. Boot off your own software, check email or surf, then reboot back to the (likely) infect operating system.

Things you should not do:
- Do not assume the computer is not infected. Even if it runs a virus scanner or you're told that it is clean. If it isn't yours, don't trust it.
- Do not assume the wireless network is safe.
- Do not assume the connection between the internet cafe and the internet is safe. (Who knows what is being tapped.)
- Do not assume that if you "just login for a moment" that you won't compromise your information. It only takes one login and the bad guys don't miss.
- Do not assume the risk is limited to public terminals. Hotels and coffee shops with "free" wireless are commonly monitored by 3rd-parties. Any place that isn't "home" should be considered a risk.

If you want to have fun, run 'netstat' on the public terminal. See any open ports? You probably will...

Infected public terminals is a much bigger problem than even most government cybercrime investigators believe.

No financial activities

[fembots]

If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.

Sensitive information should be transmitted separately, for example, credit numbers via email and expiry date via phone.

Don't trust an unknown computer

[BlogPope]

I would never trust an unknown computer like that. I even clean my parents computer up before I use it for anything.

Browse the web: Yes
Check my Accounts: No

Re:ctl+alt+del

[dcfix]

There are plenty of keyboard sniffers that are not interrupted by the Ctl+Alt+Del. Of course, hiding a process from taskmanager is a pretty easy thing to do too. If it's not your computer, it's not safe.

Re:Keylogger

[MarkGriz]

"Bring your own keyboard!"

and boot CD

Re:medium threat

[Vellmont]

This threat is not any different than the threat that almost all wireless users at cafes have faced for years....


This threat is completely different from wireless cafes. At a wireless cafe if you're using your own machine, all you have to do is be sure to use the SSL protected https site when checking mail, doing bank transactions (which should be SSL only anyway). If you're using a public terminal, there's basically nothing you can do to protect any sensitive information.

My advice is buy a portable PDA with wireless capability if you need to do anything involving sensitive information while away on vacation.

Re:Something to consider...

[fuzzybunny]

(My purpose of installing this was to catch someone was using our network traffic downloading porn and illegal filesharing

What you did is strongly illegal in many countries, including parts of the US (look up state & federal wiretapping laws) especially if done without informing users. Aside from that, it pushes the ethical boundaries of what's acceptable (I think it's filthy, personally, but I'm giving the benefit of the doubt and being diplomatic.)

Not all people were as nice as I was and let the small info go

If you can't tell what's wrong with this statement, you shouldn't be administering systems used by other people. You're perfectly correct about being wary of using boxes beyond your exclusive control; however, we're talking about crime and not exercising control over your own computers.

Re:Tell them

[frodo+from+middle+ea]

that would be like 0.00001 % of the Netizens

Re:A new aspect of travel

[yintercept]

Unfortunately, you will never be able to trust the routers or connections that you come across when traveling.

Carry a laptop.

Judging from the large number of people who've had their laptops, PDAs and cell phones stolen, I suspect that the chance of your getting your laptop stolen on vacation is greater than the chance of losing your email password at a local library.

Radom layout (but still far from unbreakable)

[Kagami001]

Seems like the best thing would be a random layout that changes each time it's accessed, so the mouse positions alone are not meaningful.

It could still be defeated with either complete page contents logging (in addition to mouse logging) or screen video capture.

Re:Something to consider...

[tweek]

And in our company, the AUP says that we can and will do these things.

Flat out the machine is not yours to use as you will. As long as you're doing work on it and not fucking around, we won't care but if performance slips and there is reason to suspect that you are fucking around instead of working then we'll do what is needed to determine what you ARE doing as part of the dismisal package.

Look, I fucking HATE playing big brother. We log all traffic on our network and keep the last three months. I don't have information emailed to me and only a few trusted people have access to that system but when management comes to me and says "We have a possible liablity here. Susan says she saw Timmy looking at adult material, can you verify?" I will pull up what logs we have and if they do point to something, I turn the information over.

I have a feeling if you check that nice stack of documents you signed when you took the job, you'll see similar language to that effect.

Re:They caught on to this a long time ago

[darkith]

Heck, good theftware will hook into the web browser, and look for certain fields (e.g. login, username, password, pin, etc) in HTML forms, and just save that data.

This counteracts copy&paste, type-edit-type, etc.

If the OS can be modified (software attacks, physical attacks, boot disks, etc)...you cannot trust the system at all.

And of course, even if the OS isn't modified, hardware keyloggers and/or spy cameras could also be a risk.

I suspect multifactor authentication is going to quickly become more popular...

Re:Practical

[NeoSkandranon]

How many net cafes really let you boot an unknown operating system on their computers from a CD? Damned if I would, that's a huge security risk in itself