Slashdot Mirror
Protecting Your Personal Info While Traveling?
AdEbh asks: "I was just listening an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be what advice should I give them? Is this a real concern?"
"I'm just here to regulate funkiness."
Bring your own keyboard!
Don't type anything you wouldn't want anybody else to see when you using public terminals. Kind of obvious?
Meh.
If I am forced to use a public terminal I like to check the tasks that are running in the background, to see if there is anything suspicious. It has saved me a few times, of course not all kiosks will let you use that command.
[n8.r0n] http://petesweb.spymac.net/
If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.
Sensitive information should be transmitted separately, for example, credit numbers via email and expiry date via phone.
Rock that crushes, Paper & Scissors that don't matter.
I am becoming increasingly paranoid about typing passwords in public terminals... I am even reluctant to type my password in a friend's computer... Generally avoid typing your password for anything you don't need while at a public terminal, and if you're REALLY paranoid you could have it written in a file in a USB keychain and pasted (keyloggers don't log pasting, do they?).
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Browse the web: Yes
Check my Accounts: No
My other car is a Popemobile
You wouldnt give your credit card # to someone over the phone in a public place.
You dont throw away check stubs without shredding them.
You dont give strangers your home address.
I guess I dont understand how people can not connect the dots.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
If you want to keep in touch with friends and family during travel, create an email address with one of the many free webmail services available.
Then use only this adress while traveling, and only for casual messages, nothing important. Specify to your correspondants that this adress is temporary, and subject to be "stolen", so they should be suspicious regarding messages coming from it.
It also helps to have two or three sets of passwords:
- The least sensitive password should be used for "subscription required" sites, like the NYT.
- The medium sensitive password should be used to protect your web mail accounts, like Gmail
- The most sensitive password should be used for online banking
Dedicated Linux servers (root access) $45 p.M.
A good key logger will monitor anything coming and going from the clipboard. If you want to be paranoid, dont trust info on a machine you cant verify, assume whatever you do is going to end up on a billboard.
1. Get professional sweep gear.
2. Cordon off the area and do a thorough sweep of the Internet Cafe in question.
3. Make sure that and patrons and workers empty their nastly little pocketses.
4. Disassemble any electronic hardware that is shielded to make sure the keylogger isn't hidden in its nasty bowels.
5. Once the all clear is given, log in to AOL, download porn.
I'm just saying...
IANAL, but I've seen actors play them on TV
Take a laptop that you use for your communications. With the availability of WiFi, you can use your laptop most places where there are computers and many places where there aren't. You have to worry less about what someone else may have installed, and you don't have to wait for a terminal to open up. Don't forget to use secure protocols to speak to your server though.
When I went to DefCon a few years ago, I loaded a fresh laptop and set it up to VPN all traffic leaving it, plus I didn't access any private resources, I had my e-mail copied to a webmail account on another box I was running. It worked great.
Sean
1) Carry a laptop
2) ssh into your home server, or use HTTPS for webmail.
Using your own laptop means nobody is keylogging you, unless they get access to your machine, in which case you're screwed anyway. Sticking to SSH or HTTPS means you're not sending anything worthwhile unencrypted up the pipe.
Also, you'd be amazed at the number of compromised terminals at universities and colleges, too. Better warn your kids before they go off to college not to do any financial transactions, etc., from them, no matter if school policy is to run antivirus and spybot killers. Those are no match for good old fashioned hardware keyloggers, assuming they even use the latest updated programs to check.
If you want to access your email remotely, and you want to be sure it won't be hacked, bring your own computer. Otherwise, just accept the risk that your password will be sniffed, and change your password when you get home.
Ideally, you should change your password before you leave, and then change it back when you get home, because if you're like most people there are lots of things online for which you use the same password.
Oh, and if you need to do any kind of transactions _other_ than email while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.
I would advise them that spell checkers don't know nouns from verbs.
-Peter
When you are on a public terminal you can type in your username and/or password by typing in the last half of it then use your mouse and go the front of the text box and type in the 1st half. It's not full proof but at least someone won't have your password in plain view in front of them.
:wq
This threat is not any different than the threat that almost all wireless users at cafes have faced for years....
This threat is completely different from wireless cafes. At a wireless cafe if you're using your own machine, all you have to do is be sure to use the SSL protected https site when checking mail, doing bank transactions (which should be SSL only anyway). If you're using a public terminal, there's basically nothing you can do to protect any sensitive information.
My advice is buy a portable PDA with wireless capability if you need to do anything involving sensitive information while away on vacation.
AccountKiller
While in Hawaii on vacation last September I prepaid for an hour of web cafe time. After answering all my emails and checking what news I felt like reading, I still had a good chunk of time left over and my GF was still in the same strip mall shopping. I decided it might be interesting to download and install ad-aware. (They were old windows 98 machines, so there was absolutely NO security.) In the 15 minutes or so I hung around watching and chatting with the clerk running the place, ad-aware ticked off over 2,000 spyware items found, and it wasn't anywhere near done!
I do very little 'sensitive' work while I'm visiting my folks, or the in-laws too. I just finished reinstalling the in-laws' machine and patching/updating it due to a huge spyware/virus problem. They could have had keylogging crap installed there unknowingly too.
The only machines I trust are those that I own and have direct, constant control of. Period.
My mother-in-law on the other hand decided that she'd keep doing her online banking/shopping, etc even after I advised her not to (it was going to be 2 weeks before I could do the wipe/reinstall). My father-in-law is a cop and well aware of how much identity theft is growing these days. Despite that, we couldn't convince her to sit tight for a few days.
That's why I get so annoyed when she asks for help!
-Ben
I thought Cryptonomicon was required reading here. I guess times have changed. Use Morse Code.
Speak truth to power.
Right now in existing operating systems, some sort of keyboard driver will translate the keystrokes coming down the wire into characters and pass it where it needs to be. Of course, anywhere between the driver and the keryboard can be compromised. You can tamper with the physical cable, between the cable and the keyboard port, or directly in the software.
Now imagine this scenerio to fight this:
The keyboard and OS are NGSCB (Microsoft's Next-Generation Secure Computing Base (NGSCB)) -aware.
They have been configured to work together. (Leave the discussion for HOW that happens another day)
The keyboard will ENCRYPT all keystrokes and ensure the integrity of the data with a message digest and send the secure payload to the OS.
The OS kernel driver for the keyboard receives the data. The keyboard driver is untrusted, and can do nothing with the data except drop it. Ok. Denial of service if this is a rogue driver. But nothing else can happen. No information disclosure. It can't read the information. A proper keyboard driver would see this special payload and transfer it to the trusted environment through the use of a secure conduit transport. (Microsoft calls their particular environment Nexus, and have easy to use API to accomplish this)
Here the trusted computing base can pass the payload to the proper secure driver, in this case a secure keyboard driver that can verify the integrity of the data and unencrypt it. It can then determine what information can be passed back to the untrusted kernel. Microsoft calls these drivers agents, or more commonly NCA. In the case of password management, they can verify passwords securely on the trusted side, and just pass back particular results to the untrusted side.
At this point... both software and hardware keystroke loggers become useless. They can do very little but record the encrypted payload. (Of course they could try to brute crack this.. but a good design would account for this). It's actually quite a neat design... except that you have to trust the "trusted code base". Of course, you don't HAVE to. You could replace Microsoft's Nexus with your own. And from my understanding they are making provisions for that in Longhorn. But should I trust you any more than Microsoft?
I am over simplifing this, but my point is that Trustworthy Computing is actually a good thing.
Don't worry about hardware keyloggers. They cost more than software loggers, so they won't be there. Cops and spooks break in to install them on dissidents' machines; they are probably very rare otherwise. Just bring along an Ubuntu LiveCD, and boot from it. If you can't do that, and you can arrange to produce your own web site, have web-page javascript password-entry scheme that uses just the mouse, unrepeatably. (That is, each time the page is (re-)loaded the buttons appear in different places on the screen.) Or, bring along a USB key with a pile of temporary-use private keys in it, and a copy of ssh configured to use only those key files. Be sure to delete the corresponding public key after each use. Even if they log keystrokes they won't copy the entire contents of every USB key plugged in; and it doesn't matter so much if they do, anyway.
You know what I say? Stop worrying about things. Live life. Life is dangerous. You might be killed tomorrow. Disease, car crash, something like that. And there are lots of people in the world. What are the chances it will happen to you. Set your root password to password. Run an open SMTP server. Do whatever you want. It's better to regret the things you have done than the things you haven't.
Get your own free personal location tracker
I once worked at a computer lab where I was able to test some software (iOpus, I believe) that had some keylogging software. This software was incredibly ingenius, and would very accurately tell me what was typed where, when, and by whom. I also had the option to take screenshots every once in a while (I could set how often the screenshots were taken). These files (log and screenies) could then be saved on a location where the current user would not be able to access due to user restrictions.
Be wary of this, since I was able to catch the logins of several users. (My purpose of installing this was to catch someone was using our network traffic downloading porn and illegal filesharing. Needless to say, with the screenshots and logs, I caught him rather red-handed.)
But these days, such precautions are to be expected with terrorism on the rise and such. My only advice: Be very careful when doing this on a public location where spying and keylogging is easy to implement. Not all people were as nice as I was and let the small info go. A small slip of the Credit Card number, and away goes several thousand dollars!
Start > Run > osk.exe
The onscreen keyboard doesnt get picked up by any keylogger i know of.
If it's keylogger software you are worried about, it sounds like a single use password (tear sheet style) would be ideal.
If it's one of those little PS/2 keyboard devices that sits between your PC and keyboard, try this: Log in normally, use your password, do whatever, then logout. Before you walk away from the kiosk, tape down the left-arrow key. The auto-repeat will fill the buffer (might be a few Kb) and eventually overwrite your PW.
I posted to slashdot from an Internet Cafe, and nobody stole my password.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Cut-n-paste your sensitive logins and passwords one character at a time. You need to type-in the alphabet (upper and lowercase) and numbers into a different window. This is all the keylogger sees (that and cut-n-paste commands).
Hopefully nobody is looking at your screen remotely (and see the mouse movements)... anyone have a technique around that?
Unfortunately, you will never be able to trust the routers or connections that you come across when traveling.
Judging from the large number of people who've had their laptops, PDAs and cell phones stolen, I suspect that the chance of your getting your laptop stolen on vacation is greater than the chance of losing your email password at a local library.
Seems like the best thing would be a random layout that changes each time it's accessed, so the mouse positions alone are not meaningful.
It could still be defeated with either complete page contents logging (in addition to mouse logging) or screen video capture.
I've got kind of a weird system brewing in the back of my head. I have RDP set up on my home computer (think VNC, only faster, and Windows). Ideally I want to log in to that. But I don't want it open 24/7, so I have the port completely closed. What I *will* have (don't have it yet) is a few ports open to a virtual private server I own. I connect to the virtual private, type in a one-time password, and it sends an instruction to my home computer to open a port to a certain IP for a minute. During which time I connect to it via Remote Desktop and use my home computer.
:)
Since my home computer has passwords saved, of course, I wouldn't need to type in passwords from here. This assumes the connection is secure from being hijacked (I don't honestly know if it is) and there's a little vulnerability where someone could immediately RDP into my computer again, from the same IP, with the password that they've presumably just logged, since *that's* not a one-time password. (I suppose I could try to set it up to only allow one connection in.) But they'd only have a minute to do it in.
Of course, the point is entirely moot since I haven't set any of this stuff up - it turned out I needed a laptop for work, so they gave me a laptop, and I've just been using that with ssh and cygwin. Heh.
But that's the plan.
Breaking Into the Industry - A development log about starting a game studio.
I've heard that some European banks do one-time passwords - you just print out a sheet and bring it with you. This would be the ideal solution if you don't care about privacy, but of course if, like me, you live in the U.S., you probably don't have this option.
Nobody has mentioned the simple way to limit your losses. Open a travel account at another bank. Set up automatic weekly transfers. Use it for gas and such. My travel account gets $200/week. If it gets hit, I contact my bank. My potential loss is very limited. The checking account is not backed up with overdraft protection. Keep track of your balance and use the bank ATM whenever possible. The rest of the bills are set up from the primary account at another bank with auto payments. If the electric is a little off one month, it can be adjsted upon my return. They are happy to receive a regular payment even if it is a little over or under. Let them know what's up. They are very good working with you to get paid.
The truth shall set you free!