Slashdot Mirror

← Back to Stories (view on slashdot.org)

Protecting Your Personal Info While Traveling?

Posted by Cliff on from the careful-where-you-browse dept.

AdEbh asks: "I was just listening an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be what advice should I give them? Is this a real concern?"

19 of 360 comments (clear)

  1. A tip by ylikone · · Score: 5, Insightful

    Don't type anything you wouldn't want anybody else to see when you using public terminals. Kind of obvious?

    --
    Meh.
    1. Re:A tip by cjellibebi · · Score: 4, Interesting

      But in order to log into your e-mail account, you would need to supply your password. One way to get round this is to type the first few letters of the password, switch to an other app, type some gibberish, and then switch back to your web-browser / telnet-session (doing more switching if you're feeling insecure). If this is one of those hardware devices that sit between the PC and the keyboard, it cannot know what belongs where, but there might be some software out there that can detect app-switching and record kepresses on a per-app basis.

    2. Re:A tip by mattspammail · · Score: 4, Informative

      Or go to a web page and copy and paste characters into the password blank. It might take awhile, but it's key-free.

      AND make sure you only log in to https sessions.

      --
      Now accepting PayPal donations!
    3. Re:A tip by Anonymous Coward · · Score: 5, Insightful

      You're kidding right? Have you ever seen keylogging software?
      They spyware varieties rarely log every key. Instead, they intercept web submission forms, or data from specific applications. Switching windows and typing gibberish won't do anything to prevent information loss.

      The best approach is one of:

      - Bring your own computer. Use SSH or other VPN software to access your home computer and then your email. Do not trust public systems. Do not trust public WiFi networks.

      - Setup a web interface for accessing email. The password should change automatically after every successful login.

      - Bring putty on a floppy disk and use it to SSH into your home computer for accessing email. But don't trust the local web browser to not be infected.

      - Knoppix. Boot off your own software, check email or surf, then reboot back to the (likely) infect operating system.

      Things you should not do:
      - Do not assume the computer is not infected. Even if it runs a virus scanner or you're told that it is clean. If it isn't yours, don't trust it.
      - Do not assume the wireless network is safe.
      - Do not assume the connection between the internet cafe and the internet is safe. (Who knows what is being tapped.)
      - Do not assume that if you "just login for a moment" that you won't compromise your information. It only takes one login and the bad guys don't miss.
      - Do not assume the risk is limited to public terminals. Hotels and coffee shops with "free" wireless are commonly monitored by 3rd-parties. Any place that isn't "home" should be considered a risk.

      If you want to have fun, run 'netstat' on the public terminal. See any open ports? You probably will...

      Infected public terminals is a much bigger problem than even most government cybercrime investigators believe.

  2. No financial activities by fembots · · Score: 5, Insightful

    If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.

    Sensitive information should be transmitted separately, for example, credit numbers via email and expiry date via phone.

    --
    Rock that crushes, Paper & Scissors that don't matter.
  3. Create a disposable webmail address by cactux · · Score: 5, Interesting

    If you want to keep in touch with friends and family during travel, create an email address with one of the many free webmail services available.

    Then use only this adress while traveling, and only for casual messages, nothing important. Specify to your correspondants that this adress is temporary, and subject to be "stolen", so they should be suspicious regarding messages coming from it.

  4. They caught on to this a long time ago by jeffmeden · · Score: 4, Informative

    A good key logger will monitor anything coming and going from the clipboard. If you want to be paranoid, dont trust info on a machine you cant verify, assume whatever you do is going to end up on a billboard.

  5. First do your homework... by feloneous+cat · · Score: 5, Funny

    1. Get professional sweep gear.
    2. Cordon off the area and do a thorough sweep of the Internet Cafe in question.
    3. Make sure that and patrons and workers empty their nastly little pocketses.
    4. Disassemble any electronic hardware that is shielded to make sure the keylogger isn't hidden in its nasty bowels.
    5. Once the all clear is given, log in to AOL, download porn.

    I'm just saying...

    --
    IANAL, but I've seen actors play them on TV
  6. Advice? by artifex2004 · · Score: 5, Informative

    1) Carry a laptop
    2) ssh into your home server, or use HTTPS for webmail.

    Using your own laptop means nobody is keylogging you, unless they get access to your machine, in which case you're screwed anyway. Sticking to SSH or HTTPS means you're not sending anything worthwhile unencrypted up the pipe.

    Also, you'd be amazed at the number of compromised terminals at universities and colleges, too. Better warn your kids before they go off to college not to do any financial transactions, etc., from them, no matter if school policy is to run antivirus and spybot killers. Those are no match for good old fashioned hardware keyloggers, assuming they even use the latest updated programs to check.

  7. Security vs. Obscurity... by mellon · · Score: 5, Interesting

    If you want to access your email remotely, and you want to be sure it won't be hacked, bring your own computer. Otherwise, just accept the risk that your password will be sniffed, and change your password when you get home.

    Ideally, you should change your password before you leave, and then change it back when you get home, because if you're like most people there are lots of things online for which you use the same password.

    Oh, and if you need to do any kind of transactions _other_ than email while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.

  8. Use the mouse by BenjiTheGreat98 · · Score: 4, Interesting

    When you are on a public terminal you can type in your username and/or password by typing in the last half of it then use your mouse and go the front of the text box and type in the 1st half. It's not full proof but at least someone won't have your password in plain view in front of them.

    --
    :wq
  9. Re:medium threat by Vellmont · · Score: 4, Insightful


    This threat is not any different than the threat that almost all wireless users at cafes have faced for years....

    This threat is completely different from wireless cafes. At a wireless cafe if you're using your own machine, all you have to do is be sure to use the SSL protected https site when checking mail, doing bank transactions (which should be SSL only anyway). If you're using a public terminal, there's basically nothing you can do to protect any sensitive information.

    My advice is buy a portable PDA with wireless capability if you need to do anything involving sensitive information while away on vacation.

    --
    AccountKiller
  10. Morse Code by spoonyfork · · Score: 4, Funny

    I thought Cryptonomicon was required reading here. I guess times have changed. Use Morse Code.

    --
    Speak truth to power.
  11. Practical by Markus+Registrada · · Score: 4, Interesting

    Don't worry about hardware keyloggers. They cost more than software loggers, so they won't be there. Cops and spooks break in to install them on dissidents' machines; they are probably very rare otherwise. Just bring along an Ubuntu LiveCD, and boot from it. If you can't do that, and you can arrange to produce your own web site, have web-page javascript password-entry scheme that uses just the mouse, unrepeatably. (That is, each time the page is (re-)loaded the buttons appear in different places on the screen.) Or, bring along a USB key with a pile of temporary-use private keys in it, and a copy of ssh configured to use only those key files. Be sure to delete the corresponding public key after each use. Even if they log keystrokes they won't copy the entire contents of every USB key plugged in; and it doesn't matter so much if they do, anyway.

    1. Re:Practical by Locke2005 · · Score: 4, Informative

      Uh, those methods do nothing for you if the software is designed to simply record HTTP POST and SMTP operations, in which case it doesn't really matter how the data was entered into the machine. Yes, one-time-use keys would work, except that none of the mail readers support them, do they? Hmm... bringing your own copy of ssh might work... do public access terminals let you run your own software? Seems to me that I would disable floppy, CD, and USB file system.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  12. Re:Something to consider... by fuzzybunny · · Score: 5, Insightful

    (My purpose of installing this was to catch someone was using our network traffic downloading porn and illegal filesharing

    What you did is strongly illegal in many countries, including parts of the US (look up state & federal wiretapping laws) especially if done without informing users. Aside from that, it pushes the ethical boundaries of what's acceptable (I think it's filthy, personally, but I'm giving the benefit of the doubt and being diplomatic.)

    Not all people were as nice as I was and let the small info go

    If you can't tell what's wrong with this statement, you shouldn't be administering systems used by other people. You're perfectly correct about being wary of using boxes beyond your exclusive control; however, we're talking about crime and not exercising control over your own computers.

    --
    Cole's Law: Thinly sliced cabbage
  13. I didn't have a problem by Cro+Magnon · · Score: 4, Funny

    I posted to slashdot from an Internet Cafe, and nobody stole my password.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    1. Re:I didn't have a problem by Cro+Magnon · · Score: 5, Funny

      Shows how much he knows. I've been using Cro Magnon's ID since he did that.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  14. Re:Tell them by antarctican · · Score: 5, Interesting

    not to use the public machines for any financial or private communications.

    Agreed. When I travel what I do is change my password on all my accounts to one which I will throw away when I return home. Yes, there's still a risk of abuse, but the window is hopefully small enough if you're only gone for a few weeks that it won't be a problem.

    What I also do is forward all my email accounts to a throw-away Gmail account. Again, so I can read and respond to email but not be concerned someone could try and break into my box. It also means I'll avoid at all costs trying to ssh into my machine.

    The final really geeky thing I sometimes do is setup an almost honeypot box. A machine that I can ssh into with a throw-away password that is on an isolated network. I then place an ssh key somewhere on this box and use it to ssh to one of my other boxes if needed. This way the only password I will type will be to this honeypot box, not to the actual machine I need access to (being a sysadmin, sometimes you need to pop in to a machine while away, but I'll never 'su' - I'll ask whoever is covering for me to actually do that 'work'). Again one great advantage of this is you can then just erase the key from that honeypot box, so even if the keylogging person is somewhat techno-savvy, they can't get access to that key. If you hide about 3 keys on the machine, you can do this use/erase method 3 times over your trip.

    And I know others will probably suggest an ssh-key on a usb key, another very good idea - as long as you're going somewhere that has a high enough level of computing to be able to use this method. Most of my trips have been to the developing world, where machines are still running win98. USB keys don't exactly work too well on those machines, if they even have USB slots. ;)

    The key takeaway message is - use a one-time password and create a throw-away email account for communication. And I agree, no banking! Leave your online banking info with someone at home and email them to do it for you. Nothing wrong with being a little paranoid. :)