Best Way To Avoid Keyloggers On Public Terminals?
goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. Kyps.net offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true, (and I can't evaluate its security) it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecureID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"
Buy an iPhone and use that for net access (or blackberry, whatever). Problem solved...
I click around on icons until I can copy and paste a lot of letters into a single file. Then, with my alpha-palette, I cut and paste each letter as needed.
Avoid public terminals
Umm -- simple answer, don't access trusted information from an untrusted terminal? You can have no expectation of privacy while using that machine.
Copy and paste your password from random letters around the page. Unless they log everything that goes into the clipboard they can't tell what you put in. You can also copy/paste extra letters and paste over them for added security if you're really paranoid (or they log the clipboard).
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
One way to bypass it is to highlight the letters you want, then copy and paste them. But this is only for things such as small user names and passwords.
The least technical solution would be get a phone with internet capability and check mail through it.
You could type the letters out-of-order, then rearrange them using drag+drop. Someone with a keylogger probably wouldn't bother using the mouse input to figure it out.
I'm not trolling here. If you're being keylogged, then even if your password isn't stolen, every single thing you do on that computer must be treated as public. Emails would be keylogged too.
Once you suspect a terminal is owned, that's it, game over, don't trust it. Probably not what you want to hear, and definitely not convenient for you, but every other solution is a compromise in security.
The ONLY alternative I could think of that I can stomach is to have a separate email address that you use only from public terminals. Change the password often and consider anything you say via that account to be as public as if it were announced over a PA system at an airport.
These posts express my own personal views, not those of my employer
It's slow, but you could look for the letters/numbers/symbols you need on the web. ASCII tables could be a good place.
Any smart keylogger will look at the raw text behind any password field on a website. Cut and Paste etc would be useless.
Enter your password in a different order than it is spelled? Simplest example: given your pass is "password", first write "pasrd", click between 3rd and 4th asterisk, complete it by entering "swo". The more complicated, the better.
I'm using this when I absolutely need to use a web cafe, etc. It should fool most keyloggers, I guess. I still change my password afterwards as soon as possible.
One that hath name thou can not otter
Plastics.
Or a world-readable web page you control with an obfuscated list of passwords you can copy and paste as you need.
Or don't even obfuscate it. Let the public cloud help you remember passwords. See the OpenPassword project at Here.
Why would you be doing anything involving sensitive data on a public terminal?
I used a temporary account for email while on vacation. Stolen? No big deal. Throw away when done.
To get root access on my server, I use a one time password system(rfc 2289). I use a S/KEY calculator on a palm pilot, and PAM Opie on the server. The public terminal never sees a long term password, it never leaves the PDA.
Not much else to be said. Maybe you could also use a crypto token and asymmetric crypto, but considering that you need drivers, I'd say it's not practical. You might still use some sort of somewhat disposable private/public key. That should defeat keyloggers, but you risk getting your key compromised (that's why it's disposable).
GPG 0x1B479C78
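The RFC 2289 chain the post above relies on (S/KEY-style calculator on the PDA, OPIE on the server) is small enough to show end to end. The following is an added example, not code from the post or from the OPIE project: it implements the MD5 variant of the RFC 2289 hash chain (seed lower-cased and concatenated with the passphrase, each MD5 digest folded to 64 bits by XORing its two halves) and a minimal server that stores only the last accepted one-time password, so a keylogger on the terminal sees a value that is useless after one use. The class name `OpieServer` and the passphrase/seed values are assumptions chosen for the demonstration; compatibility with a specific OPIE build is not claimed.

```python
import hashlib


def _fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then fold the 16-byte digest to 8 bytes
    by XORing the first half with the second half."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count` in the chain, as 8 raw bytes.

    Step 0 hashes seed+passphrase (the seed is case-insensitive and is
    lower-cased first, per RFC 2289); every further step hashes the previous
    64-bit result. Hence otp(n) == _fold_md5(otp(n-1)), which is the only
    relation the server ever needs to check.
    """
    value = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = _fold_md5(value)
    return value


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form of the OTP, the way a calculator would display it."""
    return otp(passphrase, seed, count).hex().upper()


class OpieServer:
    """Server side (what an OPIE-style PAM module keeps per user): the
    sequence number and the last accepted OTP. The passphrase is never
    stored; the initial value is computed once on a trusted machine.
    Hypothetical class, written for this example."""

    def __init__(self, passphrase: str, seed: str, n: int = 99):
        self.seed = seed
        self.seq = n                          # number of the stored OTP
        self.last = otp(passphrase, seed, n)  # otp(n); passphrase discarded

    def challenge(self) -> str:
        """What the login prompt shows; the user types the challenge into
        the calculator along with the passphrase."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff one more hash step turns the offered OTP into the
        stored one. A replayed OTP fails because the stored value has
        already moved one link down the chain."""
        if _fold_md5(response) == self.last:
            self.last = response
            self.seq -= 1
            return True
        return False


if __name__ == "__main__":
    # Constructed demo values (not real credentials).
    passphrase, seed = "This is a test.", "TeSt"
    server = OpieServer(passphrase, seed, n=99)
    print(server.challenge())                     # otp-md5 98 TeSt
    reply = otp(passphrase, seed, 98)             # computed on the PDA
    print("first login :", server.verify(reply))  # True
    print("replayed    :", server.verify(reply))  # False: already consumed
```

What the public terminal sees is `reply` and nothing else; the passphrase exists only in the calculator. When the sequence number gets low, the user re-initialises with a fresh seed from a trusted machine, exactly as the post describes.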
When it comes to security, the best answer usually becomes the most unpopular and hard to swallow.
--- Grow a pair, liberals... stop letting the Republicans bully you!
What protection does that afford against a physical keylogger?
Not all keyloggers are software.
If I have nothing to hide, don't search me
You are on vacation? Don't read your email. Second, buy a wi-fi device or smartphone. Third, I have been away from slashdot for a long time so, um, what the hell is this thing I am typing into?
Set up your home computer as a proxy that automatically logs you into sites it knows your password for if you give the proxy the correct "master password". The master password should be changed every time you use the proxy, or alternatively, the correct master password is based on the date via some algorithm that can be calculated at any given time in your head, yet not too easily discernible as such an algorithm.
Just always run Firefox off of the stick (even while you're at home). Otherwise, the only thing I can suggest to you is to pull up the virtual keyboard and input using the mouse; you'd have to move the window around after every few characters to try to fend off programs that track mouse movements also. If the machine is Tempest-ed (or its local equivalent) or the screen is being recorded, you're out of luck anyway. If it's not your machine, you really can't do anything about this sort of thing.
One-time passwords are the best, since they require a real-time man-in-the-middle attack to be broken. This is very unlikely on a public terminal. As to implementation, carrying around a printout is probably enough for the available remote-login solutions for Unix.
For web stuff, and other servers you do not control, you are screwed, unless you can reboot the machine with your own system. There is basically no way around a keylogger without that. If the attacker invests a bit more, they can also directly listen to the keyboard via a hardware device.
The best option is still to have your own reasonably secure device (PDA, laptop or the like) and use wireless Internet. With the Eee PC this just got a lot more affordable.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
He uses only the mouse, so it is invulnerable to that method, actually. You need to capture the mouse actions and the screen simultaneously. This is something not easily done in separate hardware.
So, thinking about this a bit...the point is you need a password that can't be used later. The digital services are fine, but do we really need more than a 1-5 minute resolution here?
So a clever IT department could make passwords dependent on the time and date. Print out a code sheet, different for each employee, with words substituted for the date and time, a short word for the date and a short word for the ten minute time period you're in, something like that.
This way the password would be useless to a logger, you'd need a code sheet to log in, but it doesn't seem like it would be THAT much trouble (if your info is so important you're this paranoid...)...
I call the patent!
A hardware keylogger records what passes through it from the keyboard to the computer. With his method, all it's going to see is someone hitting 'ctrl+c' and 'ctrl+v' a bunch of times. Could take a while though. The other way to defeat most off-the-shelf hardware keyloggers is to check the connection between the keyboard and the computer...
(My mistake; I thought you were replying to dmomo.)
How about a BartPE bootable CD? ...
...then don't use a public terminal.
I'm really not being flippant here. The posters above have listed some ways around a basic keylogger, but there are other ways a system can be compromised. You could be dealing with a program that takes screenshots and/or reads the clipboard at random intervals. Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.
My policy on using public access computers is that I only use them when I have no other choice, and the more valuable the data I need to protect, the less likely I am to use one.
There are so many more attack vectors than a keylogger that, if I were you, I wouldn't just focus on that one thing. If your data really needs to be secure and accessed remotely, get yourself a laptop and a data card from one of the cell carriers. At least that way, you can keep physical control over your machine and avoid the risks of using a hotspot. Of course, if you think that someone will be able to tap into your wireless connection through a cell phone carrier, then you likely have more issues than we can address here.
If you're so concerned about security, either A) don't use public terminals at all or B) set up a proxy email account that you use ONLY while you're away. Use forwarding from your normal account to deliver mail, and turn it off when you return home. It's not totally secure, but if someone gets your password they will only get a few emails instead of your entire archive.
From what I've seen, there's a huge variety of internet-cafe machines out there. You can't count on being able to read data, much less execute a program, from a USB keychain or CD.
I always enter a few extra characters in a couple of places in my username and password then go back and select those letters with the mouse and delete them. You'll have to count the character positions in the password field, but the username is easy to see. I also do this when typing URLs like PayPal, etc. that I figure keyloggers might search on. This is fast enough that I do it every time I visit a sensitive site even on my home machine.
Create an account specifically for when you are at a public terminal, that has the following behavior: Whenever you log into the account, the password is automatically changed to a random temporary password right afterward. Then, at your convenience (when you are at a secure terminal) you log in as admin and reset it to something new. This is just off the top of my head so maybe there is some flaw, though.
"Remember, there never were pineapple-almond cookies here."
Consider photographic authentication. http://doi.ieeecomputersociety.org/10.1109/MPRV.2003.1186723
A LiveCD will not save you from a hardware-based key logger.
You could try running Portable Firefox with KeyScrambler from a thumb drive. https://addons.mozilla.org/en-US/firefox/addon/3383
Try using the OSK (on-screen keyboard); it's worked well for me.
If you've got to stay in touch on the road then take your own machine along - either a laptop or a portable device like an iPhone. You can find wireless access almost anywhere and while that wireless may be hacked, at least the machine you're using won't be.
The suggestions to use a Linux CD or Firefox from a USB memory stick aren't going to give you the safety you're looking for. Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.
Remember: do NOT enter any information into a public terminal that you wouldn't want to publish in the newspaper.
This is exactly what I came in here to say. When using a public terminal, always, always treat it as if it is actively trying to steal your data. Nothing can protect you from a hardware based keylogger, save for ripping the case open and removing it, but I doubt that would fly either.
What about the On Screen Keyboard?
Start> Accessories> Accessibility> On Screen Keyboard
Charming man. I wish I had a daughter so I could forbid her to marry one. -Arthur Dent
I once had to remote support a customer in another country and they sent us a little card-sized gadget that displayed a random code that changed every few minutes. It was synchronised (by the clock being pretty accurate I suppose, or possibly by radio signal) to an identical random code list at their site. So whenever we wanted to log in we just looked at the current code on the card, typed it in and at their end the code was checked against the current code.
This sort of set-up could be very useful for people who frequently use public terminals. Your code can still be compromised but the crooks would only have a few minutes to retrieve and use it. Maybe you could even have it so that when you use a code once, the central code verification server invalidates it, so no-one else can log in, even if they do get the code quickly.
I don't believe anything like this exists for the average person wanting to use normal email accounts, though. Anyway, none of this changes the possibility that there are screenshots being taken every few seconds, so that all of your private emails will be viewed later anyway.
I couldn't live on the net with out my IronKey.
A: Use two factor such as a token or SKEY.
B: Don't use public terminals.
RSA SecurID is pretty good, a bit pricey. Or look at Apache TripleSec; it looks pretty good, though it looks a bit young still.
I used to care about this subject a lot, and I spent a lot of time looking into one-time pads and other clever tricks. But then my company sprung for a Blackberry -- problem solved. I now access my important information via SSH. EDGE ain't the fastest thing, but it's fast enough. In fact, it's faster than the old PBX modems we used to use when I was in college (19.2), so I find that PINE is quite usable on the device. Only downside: no arrow keys (or, at least, I can't figure out how to make the terminal emulator do them). So no curses-based games. Oh, and the Opera Mini web browser is pretty sweet. I'm not a big fan of Opera on the desktop, but they've put together a very nice mobile version.
Another option is a PocketMail device, which just wins my geek heart over for bringing acoustically-coupled modems back into style. They were extremely popular about 5 years ago when I thru-hiked the Appalachian Trail. All you need is a payphone, which is often easier to find than an internet cafe when traveling abroad. I would have picked one up myself, but then the aforementioned Blackberry came into my life.
I often have to log into one of many unprotected semi-public terminals at work (in a hospital) to check my email. I type my username and password in a random order but use the mouse to reposition the cursor after each keystroke for the proper position. Sounds cumbersome, but my username and password are all typed with my left hand and I simultaneously reposition the cursor with the mouse in my right hand. The keylogger would presumably record only the scrambled order, which, although not perfect, seems a reasonable alternative.
I built a system in the late 90's where you had a web-page where you entered an account-name. That name was tied to a cellphone number which was sent a generated password as a text-message. The password was only valid for 5 minutes.
AFAIK it's still in use and has never been cracked.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
Software keyloggers can also read the copy/paste buffer. The only solution is to ignore public terminals and just use your own computer or portable.
...I carry my own means to do so. Whether that be a smartphone, iPod touch, PSP, laptop with wifi, wireless broadband or (a consideration when I am travelling in developing nations) a satellite modem...
IMO, the use of a public terminal for private purposes is the height of stupidity.
I'm usually a lurker, but here,
I found that Nero's SafeKeys work the best at public terminals. Granted, I don't do anything sensitive at them in the first place (I try to get my email on my phone when I'm on vacation). But I like Nero; it prevents (or so it says) keyloggers from reading what I type and I can keep it on a flash drive for use on any machine. This won't stop a hardware keylogger, but people should look before they use them anyway.
-BMJ out
This would require server-side scripting, but what if each account kept a phone number on file? If the person uses the correct password, keep them out but text message them a single-use password. They can now log-in with the single-use password.
Now the system requires something you know (your password) and something you have (your phone).
Best, realistic, idea I've heard yet.
Some drink at the fountain of knowledge. Others just gargle.
Don't use public terminals. Just say NO to public terminals. It really is that simple.
You'd use a condom when having sex with someone you just met wouldn't you? How is it any different than when you use your passwords on a public terminal? Your password needs privacy and you won't get that on a public terminal.
Copying and pasting your password won't work either, since the public terminal can have its OS hacked. If you're running off of a USB-booted OS of your own then copy and paste might work; however, you will likely get into trouble for using the USB device. They'd charge you with "hacking". Watch out.
One way that might work is to use one time passwords with a dongle such as Secure ID. Is there any open source device or software package that we can run on our phone or iPod?
I bring it with me - I have a macbookPro and I don't use public terminals. You can get cooties that way.
RS
Shoes for Industry. Shoes for the Dead.
I recommend a 2 pronged approach:
1) take along your own keyboard to avoid hardware key-loggers
2) use a live CD to avoid software key-loggers
I run PasswordSafe as well as the database file from my flash drive. Since I use the autotype feature, unless the keylogger also copies the database file, my passwords remain secure.
they gots emailz now yo
where u at dawg!
I don't need no instructions to know how to rock!!!!
They have vending machines that let you make purchases with your cell phone. Maybe web terminals, debit PIN terminals and ATMs could be made to work the same way. You can't trust somebody else's keyboard/keypad, but hopefully you can trust your own cell phone not to have a keylogger installed.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
Having set up several, and helped a company to standardize their installation of many, I gotta tell you that with rare exceptions* in-room internet access is the most dangerous network imaginable.
The "lowest bidder" effect will apply all through the chain of decisions with the end result of that little wire (or wifi) linking you to every possible attack vector known to man. Even in the hotels with firewalls (mostly to save address-space costs with the ISP, not for your safety) the inside will almost always feature some knucklehead with something on their laptop.
And all the above refers to the innocent sources. The malicious types, well, they have free rein for the most part.
For What It's Worth.
*the exceptions would be those hotels that employ some rudiments of network security, usually segregating sections of the hotel. Only one that I know of had per-room VLANs, which was certainly a good start.
That's right... just get a BlackBerry.
Yet another reason why I like OpenID so much. Once you push the actual mechanism for authentication away from the website itself, you have more flexibility. In other words, I could set up my own OpenID server to authenticate me based on either username/password, or from a list of acceptable one-time pads. When using a public terminal, authenticating to my OpenID server using a one-time pad would give me the ability to temporarily authenticate to any site I wanted, without having to give my passwords to a proxy service like KYPS. Oh, for want of more widespread OpenID adoption...
However, I think that the people who own the terminals are well-within their rights to run a keylogger/clicklogger to see who did what. If they damage the machine, they should pay the cost in my opinion. Usually at public terminals you put in your credit card first, that is where the repair cost should go if you break the machine. Dispute all you want, but if I owned a machine I would be trying to make money, and I do not appreciate people 'breaking into' the machine with whatever method they want to try. Yes, I would definitely run a keylogger but not for password 'farming', just to be able to find the perpetrator who breaks whatever with the machine (any serious damage that takes time to fix). Anyone who knowingly runs a keylogger on their terminal to collect passwords and uses them to hack accounts (especially bank accounts, etc) should be charged with identity theft. This is something I would NOT use the keylogger for.
OpenID was mainly done to protect users' credentials and to implement a global Single Sign-On process. VeriSign is an OpenID provider (https://pip.verisignlabs.com/), and they provide increased security by adding a two-factor sign-on (https://idprotect.verisign.com/learnmore.v). This way, if someone gets your long-term password on the VeriSign website, your account is still secured by the single-use key generated by the device.
We use RSA two-factor ID key fobs. My password is an 8+ digit standard chain of numbers which I set, to which you then add another 8 numbers generated by the key fob, which are changed every minute. Each fob is unique and about the length of a matchbox and one third of its width. http://www.rsa.com/node.aspx?id=1156
Forward your emails to a throwaway account, then immediately delete them after checking them on a public terminal.
This way, the danger is limited to a few current emails and your main account cannot be misused or compromised.
You could also prevent emails from particularly sensitive sources from being forwarded with filter rules, if you know you wouldn't need them over the holidays.
Check the back of the computer for a keycatcher, and then boot into linux off your USB key.
Which does you what good, exactly, when malicious software already has control of the OS and can see (and alter) everything that passes through memory?
I'm aghast at all the people suggesting nonsense like copying and pasting or making silly efforts to run trusted copies of applications. If the OS is compromised, there is absolutely nothing you can do at higher layers that will not be compromised.
As (terrifyingly few) people have already said, the answer to the original question is that you can't. If the machine itself is untrusted, any attempts to add security atop that are just building castles on quicksand.
One can purchase keyboards with the logger built in. See Amecisco's website
Windows XP: Start > Accessories > Accessibility > On-Screen Keyboard. I typed this on it.... Do keyloggers record clicks or screenshots? Because I really don't know.
Bring your own customized keyboard, and a virtual machine application (running Ubuntu (and Firefox) inside)?
I doubt any place would be upset about bringing your own keyboard and plugging it into their PC.
I could imagine a device that encrypts the data typed into your special keyboard. Then run a hacked up version of QEMU that knows how to decrypt your message.
Eventually someone would figure out how to watch the QEMU instance.
Have to do some spread spectrum shield modulation as a countermeasure against these devious Borg attacks. Seriously, the code could be made to dynamically alter itself and be hard to trace.
Sounds like a nice weekend project for an enterprising hacker...
-- John.
Setup VNC or something similar on your home desktop. Create a list of passwords you'll use for the duration of your trip.
Every time you stop by at a cybercafe, connect to your VNC, do your business with all your passwords pre-saved safely on your home desktop. Once done, execute a script which will change the password to the next password on the list, log out, and move on.
I haven't done this myself, but last time I went to Italy and had to use some really shady cybercafes, I really wished I had a system like this in place...
- shazow
The guy's using Knoppix. Unless he's installed the keylogger himself and remastered the CD, it ain't a problem.
"I've got more toys than Teruhisa Kitahara."
If my username and password are "username/password", I would type in the keys upsaesrsnwaomred, but click in the opposite input box after each letter. So I have spliced my 2 inputs together in terms of keystrokes, but they appear as they should in the form. By no means perfect, but good when you have nothing else to help out.
I use KeePass on a usb stick. After I select the username/password I want by highlighting it, I use the Ctrl-V function to autofill it into the login page. Simple, easy, elegant and free.
1. Get a foldable keyboard; this way at least you are certain the keyboard doesn't contain a hardware logger in it.
2. Most software keyloggers are removable with Ad-Aware/HijackThis or some other form of spyware checker (usually a free download).
3. Look up all data on all hardware keyloggers and use the key-codes/-words that disable them. I distinctly remember Norton Antivirus blocking all internet traffic upon receiving some activation code in any chat or text window containing the words keylogger and readout or something.
4. Dump that bf/gf that's so paranoid that (s)he would spy on you.
5. Use a Linux live CD with an IPsec tunnel with the keys burned onto the CD and of course the Mozilla password manager so as to not have to type the passwords, and hope the hardware keyloggers' manufacturers forgot to make it Linux compatible. And if they are using hardware keyloggers, at least the software partner of the hardware keylogger can't spy on your display activity.
6. Don't trust public hardware; use a mobile (smart)phone or laptop with an IPsec tunnel (XO or EEE anyone?) with a USB stick containing Mozilla Firefox and a password manager so you don't type any online passwords (smile, you're on candid spy-cam).
7. Whenever on vacation, live life to the max and don't use the internet.
Quite a lot of internet terminals in airports and around the place now use a network booted OS image. As soon as a user is finished and logs out, the system reboots and boots up off a read-only image on the network.
Stick to these types of internet cafes and there's less risk, as users aren't able to fiddle with the OS.
They are usually run by larger companies or are part of a franchise as well, and often coin operated, therefore don't have a flow of short-term staff coming through.
Also if the computer has a regular keyboard on a cable (not bolted into the desk) check the cable for hardware key logging devices...
http://images.google.com/images?hl=en&q=ps2+keylogger&btnG=Search+Images&gbv=2
Sometimes the smaller internet cafes and youth hostels simply just have unsecured Windows boxes, pretty dodgy. I remember a couple of years back I was in a hostel in Madrid and was using the computer to book my next hostel in the next city I was traveling to. I put the first digit of my Visa card in (they all start with 4) and the form auto-complete feature displayed every Visa card that had been entered in the past. As Garth would say, "that's not good, I'm not happy". I didn't book, obviously.
Your own machine (laptop, phone, etc), use their internet but send everything through your own secured proxy.
When it comes to security, everyone gets alarmed. The one thing everyone should understand is make sure you access your personal data at a more secure place. I don't even access important data on my girlfriend's computer.
First thing to do when you sit at a public terminal is access the Task Manager and end all the suspicious processes (hope you can differentiate between safe and suspicious processes). If you can't access Task Manager, the best thing is to check the Program Files in the OS drive. Most of the keyloggers are installed in there. If you still cannot find anything, the next simplest way is to search the computer with keywords related to keyloggers.
If you still think there should be some security for your passwords, carry your USB stick and store all the passwords in a file and just copy-paste it. Other ways can be like keeping a password manager handy.
The most lethargic and boring and time-consuming method is to visit a blog where you can find loads of content, copy letters of your password and paste them one by one.
Open Notepad and write all the letters and copy-paste the needed ones, one by one.
All these are secure as far as I know but really boring; instead use good and trusted public terminals.
An OLPC, a throwaway off of Craigslist that you throw Ubuntu on...it doesn't have to be fancy, so long as it has an 802.11* card. It'd cost maybe US$200, and it'd have a dozen uses. Hotspots are easier to find than public terminals anyway.
The US free market: two halves of a government-granted duopoly are free to set the market price.
Is the keylogger the worst thing you could think of?
Keylogging is evil, but theft and harm can be done in many other ways. If you cannot trust a terminal, use it anonymously.
What about carrying your own internet tablet (Nokia N800 or Ipod Touch) to use with public WiFi? Your transactions may not be secure but your logins should be safe. Plus, memorize or keep your passwords in a secured file in case the tablet is stolen.
Well, what you maybe can do is set up your normal account to boot a custom shell or something (like /bin/cstm-sh) that needs verification when you log in.
Then, make sure your root password is not the same as your user's (I don't think you're checking your mail as root, are you?).
Set up the questions bash (or your custom bash (/bin/cstm-sh)) needs to verify before you can enter commands.
PS: I don't know if this is possible, but I think it is. It's Linux, so pretty customizable.
PSS: Don't EVER change your root shell ;-)
PSSS: Take questions like "What is my favorite food?" or "Do I like dogs?", or even better!!!
"What is my favorite site?" WE ALL KNOW IT'S SLASHDOT!!!
I set up a second webmail system on a Linux box that uses password mapping on LDAP to my Exchange server. It pulls it up via IMAP. When I'm done from vacation I change that shell's password and all done. But there are not many times I cannot get my email and other public ones on my PDA phone, or laptop with a broadband card.
I feel safer if I'm able to get Terminal Services to work on the public computer. I tend to use the Terminal Services ActiveX control. For better security I wonder if you could get a SecurID so you don't have to type in a password on the machine being TS'ed into. If you do this, keep in mind that using the SecurID you can get into your private computer safely but any key presses will be logged, so you'll need to be careful when you type in passwords from the safe computer. To get around that, consider using RoboForm on your safe computer; this program will let you click a button causing the forms on the safe computer to be populated. You won't have to type in the passwords using the compromised keyboard.
http://www.pamusb.org/ & http://srp.stanford.edu/ndss.html Granted this can be manipulated in other ways but is safe from keyloggers.
For those of us using a live CD + Dvorak, wouldn't that defeat all keylogging?
Hardware and Software loggers are both a moot point in that case...
Probably get modded down for this, but I work for a company that provides primarily business center solutions for hotels. This kinda thing is a BIG deal to us. We are VERY careful with security policies and what have you on our units, and if a unit is ever left "unlocked" without one of us remoted in to it we re-image the unit and start from scratch.
Beyond software you just have to worry about hardware keyloggers. Luckily they are usually pretty easy to spot if you are looking for them, especially when there's very little spaghetti. Almost all hardware keyloggers attach at the end of the keyboard. Don't trust any USB to PS/2 "adapter" on a keyboard. If it isn't very obviously going straight into a unit (if the unit is in a locked kiosk, generally speaking you're okay unless the AV company the hotel uses to manage their network has been compromised), don't use that one.
Speaking of which, all these kiosks or business center computers should have some sort of logo or at least text on the screen of who is providing them (usually very small, with the hotel's logo prominent). Look them up before you do anything 'sensitive' on the unit. If you haven't heard of them, can't get through to their tech support, or can't bring up their stock information, then DO NOT USE THEM.
Oh and don't trust the hotel staff about it. 90% of the time they have no idea. Hell, we had an incident where an update exploded (bad wireless connection, hurray packet loss) and our main application wouldn't launch. If it doesn't launch, the computers are essentially free for use. The downside is, private information isn't shredded then.
The hotel staff were told explicitly that the private information of their guests was in danger unless they kept the guests off the computer and let us repair it (guests kept turning it off and back on when we locked out the keyboard). They flat out wouldn't do it.
Could have been major legal problems for both the hotel and our company.
So essentially: Be Paranoid. Trust No One.
If you can't verify it yourself, the station should be considered compromised.
And no, I won't say what company I work for.
The machine is completely untrustworthy; there's no way you can be sure that anything being done on the machine is not being reported back to its true master. Rebooting off a LiveCD is the only way to be sure that the software the box is running can be trusted.
I boot from a USB stick.
Of course it's running Windows because it has all the right drivers.
Have a friend waiting in a car outside. When you're done, grab the terminal and run to the car. Make sure you get the keyboard. Drive off, and throw the terminal into a woodchipper.
Note: this may be illegal in some areas!
Slax on a 2 GB USB pendrive? If you HAVE to use Windows then you're doomed, cut and paste or no cut and paste.
If you're this worried about keyloggers then the safest thing is to just NOT use a public terminal. The public terminal could have a packet sniffer or something worse. I would say if you absolutely had no alternative you could use the suggested RoboForm... but that doesn't solve the packet sniffer problem. Basically, don't do anything you wouldn't be comfortable with having compromised from a public terminal. The obvious stuff here... Do not access confidential work or sensitive material from a public terminal. Never use your credit card info from a public terminal, etc. Public terminals are not safe, and I would not use one for more than common surfing.
That's why God invented WiFi. Of course, someone could be sniffing the packets, so I use my ISP's web-based email that does everything over HTTPS. Or, you can use Gmail, which also uses SSL certificates. I wish more ISPs used SSL certificates in their email Internet connections instead of cleartext.
In fact, I'm surprised that they haven't incorporated SSL into the standard WiFi protocol. Why must standard WiFi be so insecure? Yes, I know you can use WPA2, but that requires me to give everyone a password, which kind of puts a damper on public access. The World Wide Web can do it, why not build the same mechanism into WiFi?
Create a throwaway free mail account, who cares if it gets compromised. Oh, but you might need to check work-related mail, etc...? You're on *vacation*!!!
Use tokens that provide half the password (the other half you memorize), which changes every minute and is used to create an SSL tunnel to some known destination (i.e. your work, or possibly home if you can afford the SSL gear on your end). Once you are tunneled into the remote destination you are surfing using that destination's Internet gateway, and since you are using an encrypted tunnel with a one-time password, problem somewhat solved.
Somewhat, because every keystroke you type still gets logged. So if you have the patience, get yourself a software keyboard installed on the remote workstation you are connected to. By this I mean a keyboard that shows up on the computer screen and you type by using the mouse to click the "keyboard" buttons.
By far the easiest thing is to get a laptop and "borrow" some WiFi, then zero keyboard loggers. I would still use the above method, since the WiFi is probably not encrypted.
Great for checking e-mail, worry-free.
Some quick thoughts: Perhaps this is my ignorance showing, but why wouldn't loading up charmap and a mouse work? Are keyloggers that good at tracking mice? The other thing I would consider doing is to open up multiple applications and switch between them. Type a letter of the password, switch between programs, type some junk, and go back. If it can't keep track of how many programs you have open, someone looking at a log shouldn't be able to follow how many alt-tabs you do.
Check out mypw.com. One-time password fob that won't break the bank and integrates with the services we all use.
Use ssh with public key authentication running from a (write protectable!) usb stick or sdcard. If you do it correctly, the user id is never typed and so not key logged. You type the passphrase (which will be key logged) in response to the challenge and it uses that to decrypt the private key from the usb stick.
To get in they need to have copied the usb stick.
You should likely configure a special USB-stick-only public/private key pair so that you can deauthorize it at the end of your trip.
It blows my mind when I see someone logged into their bank/email/etc from a public terminal.
I was once friends with a guy that carried around a PS/2 keylogger that he would plug into university terminals for a day or two then pick it up later. He just wanted to see what he could find. He found everything from people doing homework, cybersex, and even bank info. Now if he was actually out to do harm, he could have really made things bad for hundreds of people.
If it's not yours then just assume that it has a loudspeaker on it broadcasting everything you do to everyone around you.
And for those that think cut & paste, screen keyboards, etc. will protect them: I personally installed a keylogger on a friend's PC to catch her then 12-year-old son looking at porn. The log files had a play button which would replay every mouse movement, screen change, and keyboard input for up to 96 hours. This was about 7 years ago, so I'm sure they've gotten better.
Your live cd has your security certificate. You have your password. Intercepting your password keystrokes will do no good unless they also steal your liveCD.
They could still have a setup to catch you, but at that level of paranoia you should be equally worried that they will be snooping the electric field of the computer.
Seriously, if your data is THAT sensitive which is to say THAT VALUABLE $$$, simply buying your own laptop is probably a very economic thing to do.
Use the S/KEY authentication scheme to log in to your home machine via SSH. Then surf from there.
I keep a no-install copy of Firefox for Windows on a USB key, already logged into my Gmail account (cookies are kept on the USB key), and also with the password saved in case the cookie expires. However more sophisticated attacks are emerging such as cookie-stealing, so this is not as good an approach as it used to be.
With my HSBC Direct bank account, you only enter a few letters of your password at a time. Each time you login, the required password characters are changed. So you don't end up entering your entire password until you've made several successful logins.
As you think! I run Portable Firefox on my pendrive, with all my passwords. I just need to type my Firefox master password (completely different logic from any other) to automatically fill in my other passwords. No passwords typed.
A bad guy needs to keylog my master password AND get my pendrive to access my passwords.
From time to time (close to one trip) I just copy my desktop Firefox profile (in fact just 2 password files) to my pendrive to update.
- bad point: only covers web-form passwords
- think point. (I have no deep experience with TrueCrypt. All points here need checking.)
Adding some portable TrueCrypt layer to protect my pendrive access will not work against the first bad guy; he already logged my password. This only protects me from a new bad guy accessing my data. (brainstorm mode on) Maybe I can use a file as password, a web-based picture as password. Just delete the web-based picture if I lose my pendrive. Also protects against keylogging my TrueCrypt password. Bad point is you cannot open your TrueCrypt volume on an off-line station. (brainstorm mode off)
The best way to avoid keyloggers on public terminals is to not enter anything on any screen on a public terminal.
Forward all your email to a disposable Hotmail account while you're on vacation. Once you're back, throw the account away.
I avoid all these pesky security problems by ensuring that all information I transmit electronically is full of spelling and grammatical errors (so as to fly under the filters of spies) and is also full of nonsense, gobbledygook, wrongly interpreted statements and assumptions and is factually inaccurate to boot.
The sneaky would-be interceptors of my super important internet communications have yet to notice this clever defense. What fools!
There is no perfect solution to this problem: using a public terminal is fundamentally insecure, and nothing you can do will change that. However, when I am faced with this problem, I log in using SSH and S/KEY. This prevents a key logger from gathering useful password data. You still have to be careful that no sensitive information is input or returned; this will without fail go into the hands of your attackers.
Change your password as soon as you get to a safe terminal. Smart "keyloggers" record the screen, the copy paste tricks don't work anymore.
BUT!
Just get a laptop. There are lots more places that will provide you with a wifi link than that will provide you with a public terminal.
Even if you can somehow, using some kind of impossible magic, log in to a remote resource from a public terminal without it picking up your password, you've still given whoever runs this public terminal a certain amount of time in which they have access to your account.
They can have the terminal download all your email so they can look at it later or, as has happened with a few people's Gmail accounts, set up a filter that forwards all incoming mail to an address of their choosing.
If you are connecting to a remote shell, they could replace executable files in your home directory with their own malicious files, they could corrupt your data in unnoticeable ways, or change your config files to enable a setting that might be more remotely exploitable.
All of this is entirely unlikely. Most of the time nobody would go to this much effort, but also most of the time a public terminal will not be running a key logger.
Laptops are cheap, get one.
...and that is all I have to say about that.
However if you don't care about the content that you're sending after authentication (which I can see you might not) then why not use S/Key.
Get a cheap laptop running linux, and use it with public wifi instead. Don't use public terminals.
Ideally, you should use one time passwords when you're on untrusted terminals. Unfortunately, no web E-mail that I know of supports them (if you know of any, please post).
Some services use image-based logins, but some logging software captures images of the context of the mouse, so that doesn't really help.
If you access sensitive data you can't use public terminals. It's not only keylogging, it's also all the cameras in public spaces.
For the password: if this is your only concern, use rotating passwords. On Linux this would be easy to implement: every logout on your webmail triggers a new password set. If you want to avoid carrying around a password list, you can have the server generate random passwords and send them to you per SMS. This is not a big deal.
I've read a paper some time ago (think it was http://www.cise.ufl.edu/~nemo/papers/Carnahan2005.pdf, Carnahan 2005, or http://www.netaro.info/~zetaka/publications/papers/awasee-MobileHCI03.pdf).
You'll see an array of small images (e.g. 10x10), and you have in your memory the 'algorithm' on how to click: e.g.: 2 images above the image of a rose, the 3rd image left of the image of a frog, and 1 image below the image with the yellow background (add more for security)
As the images in the array are ordered in a different way each time, there's no easy way for any attacker to know on which images to click to gain access. From that point, I hope you have setup your ssh keys so you can login to other systems as well without having to enter passwords (as anything you type can still be logged with a keylogger)
You could even replace the 10x10 images with a 10x10 set of ascii characters, and just enter the character 3 characters left of the 'R', the character 2 below the 'f', (add a few more steps) as a password.
I still hope to find some way to connect this authentication method to my SSH server.
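The shuffled-grid login described in this post, as an added example that is not the poster's code or either paper's: the server shuffles a fixed symbol set into a new grid for every attempt, the only secret is the memorised rule, and the characters an attacker logs are tied to that one grid. The 8x8 symbol set, the RULE list and the wrap-around at the grid edges are my assumptions; note that every observed grid-and-response pair still narrows the rule down, so the rule is a secret that wears out with use.

```python
import hmac
import random
import string

# Constructed symbol set: 64 distinct characters, laid out as a fresh 8 x 8 grid per login.
SYMBOLS = string.ascii_letters + string.digits + "!?"
SIDE = 8
assert len(SYMBOLS) == SIDE * SIDE

# The memorised 'algorithm' is the only secret. Each step is (anchor symbol, rows down,
# columns right); negative values mean up or left. Constructed example rule.
RULE = [("R", 0, -3), ("f", 2, 0), ("7", -1, 1), ("!", 0, 2)]


def new_grid(rng: random.Random) -> list:
    """Server side: shuffle the symbols into a new grid for this login attempt."""
    cells = list(SYMBOLS)
    rng.shuffle(cells)
    return [cells[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]


def locate(grid: list, symbol: str) -> tuple:
    """Row and column of `symbol` in the grid shown on screen."""
    for r, row in enumerate(grid):
        if symbol in row:
            return r, row.index(symbol)
    raise KeyError(symbol)


def apply_rule(grid: list, rule: list) -> str:
    """Client side (done in the user's head): walk the rule over the displayed grid.

    Offsets wrap around the edges, an assumption the post leaves open, so a step
    never falls off the grid.
    """
    out = []
    for anchor, drow, dcol in rule:
        r, c = locate(grid, anchor)
        out.append(grid[(r + drow) % SIDE][(c + dcol) % SIDE])
    return "".join(out)


class GridServer:
    """Holds the user's rule, issues one grid per attempt and checks the derived response."""

    def __init__(self, rule: list, seed: int = None):
        self.rule = rule
        # A fixed seed makes tests reproducible; a real server uses the OS CSPRNG.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.grid = None                     # the outstanding challenge, if any

    def challenge(self) -> list:
        self.grid = new_grid(self.rng)
        return self.grid

    def verify(self, response: str) -> bool:
        """A challenge is answered at most once; the typed characters are useless against the next grid."""
        if self.grid is None:
            return False
        expected = apply_rule(self.grid, self.rule)
        self.grid = None
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    server = GridServer(RULE)
    for attempt in range(2):
        grid = server.challenge()
        print("\n".join(" ".join(row) for row in grid))
        response = apply_rule(grid, RULE)    # what the user would type at the terminal
        print("typed:", response, "accepted:", server.verify(response))
```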
A large fraction of Slashdot readers seem to have a fundamental misunderstanding of security. First of all, perfect security is neither possible nor desirable.
Any computer connected to the internet is in principle vulnerable, since no human being can guarantee that all the software on a modern computer is secure. The only way to get perfect security is to lock your computer away in a basement with no internet connection, or better yet, melt it down. This is obviously impractical. The prime question of security is how much convenience you're willing to sacrifice for security.
So, will a USB stick with preinstalled apps give perfect security? No. But it will avoid the majority of attacks with very little inconvenience.
Personally I like the suggestion above to use VNC with single session passwords, and all web passwords saved on the server, since this seems like a relatively low effort approach which will avoid the vast majority of security issues. That said, I think the USB stick idea is perfectly reasonable.
Personally I use my own server to login anywhere.
I created a PHP script a while back that, when visited, asks for a one-time password (I carry around a small list with some randomly generated passwords). Once you enter the correct password (there's also a master password to print the lists etc.) it lets me choose which site/sites I want to log in to and logs me in automatically. This way I only ever need to carry around one password at a time and I can still access my stuff anywhere without worry.
I doubt anyone is targeting me with man-in-the-middle attacks anyway.
And highly critical information? I just don't access that, sensitive emails, bank info, etc. This is something I just wouldn't do on a public terminal.
A standard part of Windows. I don't know about other OSes.
On Windows 2000 (prob same on XP etc) Start / Programs / Accessories / Accessibility / On Screen Keyboard.
Click in your Password field. Enter your password using the mouse on the on screen keyboard. Good enough.
"vacation" and "e-mail" are totally incompatible terms.
Assuming that http://kyps.net/ is legit, what is the problem? It is easy, does not require installation/execution of software, and does not leave any long-term secret (e.g. password) on the untrusted computer.
I do the same but use an open source Java midlet running on my mobile phone. Just google for rfc2289 and midlet. I also run sshd on 443/tcp as that port is usually open or can be reached by CONNECTing through a proxy :-)
Use a password string that is long enough to crash the keyl0ggers.
My only comment is that there are some (few) things that you can do reasonably securely on a completely untrusted machine with the appropriate accouterments.
Specifically, there are smartcard challenge-response devices out there that permit you to securely make purchases.
Basically, you get to the checkout, and you are prompted with the merchant ID and the cost. Enter those bad boys into your smartcard+calculator-looking device, and you get a response. Type in the response, and voila. No more than the given amount is debited, only the specified merchant (by ID) gets the money.
The only fraud possible here, is that the MIM gives you their merchant ID instead of your vendor's. Risky proposition for them at best (quite trackable)
However, from a security perspective, you're essentially communicating with low-bandwidth between two trusted machines (bank/merchant and your smartcard+calculator-looking device), and the untrusted machine is just a medium at that point.
Not useful for interactive control, and not a good plan for reasons specified above (capturing of data post-authentication, permitting impersonation post-authentication.)
or sniffer (if not using ssl)
I realize that I'm one of probably fifteen or twenty threads here, but it looks like people are still coming up with all kinds of inventive ways around the fact that it is an untrusted terminal. Untrusted means anything you do on that terminal is subject to being messed with.
Most of the smarter methods revolve around authentication -- one-time-pads, etc. That'll protect you from a keylogger, but what about a pwned web browser? And yes, you run yours off the USB device -- suppose the whole OS is pwned, and injects screen-scraping-logging into your USB web browser. Worse, suppose it mods the EXE to contain itself, so that even if you never get hit, you're a carrier -- the next time you open it at another internet cafe, you'll infect them.
Then there are the stupid methods -- copy/paste, drag characters around, character map, etc. That's an OK skill to have when your keyboard breaks -- just recently, Ubuntu decided my Apple USB keyboard is a Macbook keyboard, so numlock would kill half my keyboard until I restarted X. But this kind of only-use-the-mouse mentality is pointless on a public terminal -- fine, you've defeated most hardware keyloggers, and you've defeated the dumber software ones. The smarter one saw you click a button, or hit enter, and grabbed the value of the form element at that point.
The closest I can think of to something that might work is to boot from a livecd, AND use the mouse for everything. In which case, you're still vulnerable to screen capture (grab an image on every mouse click, say), and to things like the Blue Pill proof-of-concept -- what makes you think it's actually booting your livecd on bare metal, and not in some virtual machine?
For all the effort you would spend thinking up schemes like these, and slowly realizing how they can be defeated, it's probably easier just to buy an EEE PC. Control the endpoint, and problem solved, barring insanely difficult and unreliable schemes like tempest. (There was even one which could figure out your password by listening to your keystrokes.)
Don't use a public terminal for private work. Duh. Even at home you aren't guaranteed privacy, but when someone else controls the device, and anyone that wants to hack the device has physical access to the hardware, you're screwed.
Usually what I get are just suggestions not to go on sensitive sites [like banking] while out and about. That's the safest, I suppose.
Write a script, that, when run, will set your user password to the top one of a list, and delete that one from the top.
Keep a copy of the list with you, SSH in (or whatever), and run the script immediately.
Assuming no-one tries to log in from the time you enter your password in the Internet cafe to when you run the script, and change it, it's a perfectly safe method.
I use one-time passwords. In Debian GNU/Linux I can just aptitude install libpam-opie and configure services to use OPIE by editing /etc/pam.d. Then I have an OTP calculator in my mobile phone that I can use to calculate responses to OTP challenges. A low-tech solution would be to just print the passwords and keep the password list in your wallet.
For each vacation I create a hotmail/google account and forward my email to it.
If that account is hacked, only the emails I've received during that time are in jeopardy. Good risk/usability value.
To bypass a keylogger you can type in the password backwards at any field and use cut/paste to bring it back in order.
Then copy/paste it into the password box. Works even on Amiga.
*sigh*
I have also used S/KEY for the past... five years? ten? It's very robust when used as a PAM module.
I use the J2ME S/KEY calculator (google is your friend) which works great on all mobile phones I've tested it with. It's always with me so it's not much hassle. I use this instead of SSH public keys, as if someone owns my terminal in any way I doubt public keys are any safer than a password. As long as the OTP calculations are secure I should be safe.
The only better solution I can think of is smartcards. I actually used that for a while but it was too impractical since I had to keep a card reader for every computer I use. For other people that might be an option, as the secret key never enters the computer.
Today there are compromises between OTPs and smart cards such as Yubico. I haven't had the time to investigate, it looks promising but passing logins through a third party gives me an uneasy feeling.
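The S/KEY and OPIE scheme this post and several earlier ones rely on (libpam-opie, S/KEY over SSH, the printed list kept in a wallet) is RFC 2289; here is an added example of it, not code from any poster or from the OPIE project: the client side that computes a printable list of responses, and the server side that stores only the last accepted value and steps down the MD5 hash chain. The passphrase "correct horse battery" and seed "sd01" are constructed values.

```python
import hashlib
import hmac


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289, Appendix A)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_step(key: bytes) -> bytes:
    """One hash-chain step: MD5 the 64-bit value and fold the result back to 64 bits."""
    return _fold(hashlib.md5(key).digest())


def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Return one-time password number `count` (8 bytes) for this passphrase and seed.

    Step 0 hashes passphrase||seed (the seed is case-insensitive and canonicalised to
    lower case); each further step hashes the previous result, so OTP(n) = H(OTP(n-1)).
    Going forwards is cheap; going backwards means inverting MD5.
    """
    if count < 0:
        raise ValueError("count must be >= 0")
    key = _fold(hashlib.md5((passphrase + seed.lower()).encode()).digest())
    for _ in range(count):
        key = skey_step(key)
    return key


def wallet_list(passphrase: str, seed: str, start: int, how_many: int) -> list:
    """The 'print it and keep it in your wallet' form: the next responses, highest number first.

    Each entry is '<n> <hex>' where n is the sequence number the server will challenge with.
    """
    stop = max(start - how_many, -1)
    return [f"{n} {skey_otp(passphrase, seed, n).hex()}" for n in range(start, stop, -1)]


class OtpServer:
    """Per-user verifier state: only the sequence number and the last accepted OTP.

    The passphrase never reaches the server. A keylogger on the public terminal sees
    OTP(n-1) go by, but the next login demands OTP(n-2), which it cannot derive.
    """

    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed, self.seq, self.last_otp = seed.lower(), seq, last_otp

    @classmethod
    def initialize(cls, passphrase: str, seed: str, n: int) -> "OtpServer":
        """Run once on a trusted machine (what 'opiepasswd' does): store OTP(n) and n."""
        return cls(seed, n, skey_otp(passphrase, seed, n))

    def challenge(self) -> str:
        """Challenge in the RFC 2289 form, e.g. 'otp-md5 98 sd01'."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: str) -> bool:
        """Accept `response` iff H(response) equals the stored OTP, then step down the chain."""
        if self.seq < 1:
            return False                     # chain exhausted: re-initialise from a trusted host
        text = response.strip()
        if text.startswith("hex:"):          # RFC 2289 extended-response prefix
            text = text[4:]
        try:
            candidate = bytes.fromhex(text.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8 or not hmac.compare_digest(skey_step(candidate), self.last_otp):
            return False
        self.seq -= 1
        self.last_otp = candidate            # the value just used becomes the anchor: replays fail
        return True


if __name__ == "__main__":
    # Constructed passphrase and seed; the trusted-side setup happens before the trip.
    server = OtpServer.initialize("correct horse battery", "sd01", 99)
    wallet = wallet_list("correct horse battery", "sd01", 98, 3)
    print(server.challenge())                       # otp-md5 98 sd01
    print("\n".join(wallet))
    print(server.verify(wallet[0].split()[1]))      # True
    print(server.verify(wallet[0].split()[1]))      # False: already used
```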
Firefox portable with google browser sync that I use only for my pw.
It seems silly to rely on something secret stored on the USB stick. It would be trivial for the public terminal to make a copy of all the data on there.
Post all your passwords into a post on slashdot, replying to a comment that's sure to be modded into oblivion. That way they'll be lost in the noise and you can look at the post and copy & paste them into the password dialog :-D
Type some random text in a file and then drag-drop the letters to the password field.
It seems to me that a Blackdog http://www.projectblackdog.com/ might help get around at least some of this problem given the right setup. Think about this scenario: you walk up to the public terminal and plug the Blackdog into the USB port, and it boots up an X terminal session on the host, and from there you use ssh and port forwarding to proxy your web traffic to a trusted host at home/work through its ssh VPN. The authentication is done via a secret key stored on the Blackdog and unlocked via something like s/key or a keyring stored on the Blackdog, and subsequent passwords could be either injected into the session by the Blackdog processor environment, or stored in a Firefox browser running from the dongle itself. Keystrokes might be visible, but if the Blackdog can supply the authentication where needed then the crooks can't reconstruct enough of the session to do or learn anything. Sure, they might log a bunch of mouse movements and a few keystrokes, but they would not even know what application those keystrokes were going to, much less what sites you visited.
Yup. I wrote a virtual keyboard implementation in JavaScript for the Roundcube webmail client, although this can easily be used for other applications.
Take a look here: http://www.syn-ack.org/code/jsvk/jsvk.html
Here's the code: http://www.syn-ack.org/code/jsvk/jsvk.js
I don't trust a public machine at all. What I do is to plug my mac into the cybercafe's public terminal network cable, and use it instead of such crappy machines with dirty keyboards. Then, I establish a VPN tunnel through my home computer to the world. Works fine.
Hi, I have scripts to update my iPod's notes with the latest 100 passwords for OPIE (one password in everything) one-time passwords when I sync it. I then use Ajaxterm on my server and log in with an OPIE password, which then becomes useless. I then launch a screen session, so I can resume should I need to... I can then just use mutt to check my Gmail etc., irssi with the awesome bitlbee software for MSN/Gmail Jabber/Yahoo, whatever other chat I require... etc. etc. I make sure I don't log into anything else; I have SSH keys for hosts I may need to connect to, so no password required, and the untrusted terminal never sees that key anyway... I'm sure it's not a perfect solution for everyone, but it's certainly working for me... but I like the command line :D
How about calling a trusted person, having them change your password to a temporary one and then have them change it back once you are done. Alternatively, you could also have him/her read out your email to you :)
Perfect Paper Passwords (kind of OTP) : https://www.grc.com/ppp.htm
Using QEMU is a solution; I use a QEMU OpenBSD to log into my Kerberos realm from public terminals running Windows. Normally you can't boot a live CD, but you can run QEMU from a USB stick. I saw some terminals that don't allow you to run the starting script, but you can use the binary from the command line with arguments. If you need X and don't want to type your passwords I suggest using Damn Small Linux instead of OpenBSD (the X is much faster) and using Thunderbird's password saving. Without X and in OpenBSD you can script mail, or pine (if you need IMAP), to not type the passwords. To exchange files with the host (for printing, e.g.) you should configure your system in QEMU to run an ftpd; in user-mode networking (the QEMU default, doesn't need any privileges on the host machine) this will cause a warning and blocking by the host's firewall at startup, but you don't care about that: simply type ftp localhost in the Windows command line and you will see your served files.
Yes, these programs can and do record clicks and screen shots. In other words, every time you click, it makes a screen shot of either the whole screen or the area around where you clicked. They can also record the contents of the clipboard.
On a public system, you cannot know that the Firefox you are running does not have some unique modification. Such an approach is way easier than trying to use a keylogger. These days I am very suspicious of public systems that ONLY provide Firefox/other open source browsers. It's probably one of the rare situations where I prefer to use IE. That said, if you use anything other than a throwaway password from a public terminal, you are extremely foolish.
That's why I always bring my oqo with me when travelling.
0. Assuming you have OpenVPN installed on an always-on trusted gateway (home or office, Windows or Linux).
1. When needed, ask for/try to find just a network connection, not a public terminal.
2. Connect to your OpenVPN gateway PC. Don't do anything unsafe using the normal network. If OpenVPN says something suspicious, don't use the OpenVPN session and just use that network connection for absolutely safe, casual activity, e.g. viewing Slashdot anonymously. Beware spyware.
3. When OpenVPN has connected successfully, route all your internet traffic via your gateway PC using the OpenVPN session.
4. Done. Other VPN solutions also work, but OpenVPN is free, available for Windows and Linux, sniffing-free, man-in-the-middle-attack-free.
If you're on holiday, make a one-shot password or dump the information to some place that you won't be using again.
E.g.
OPTION 1
First password used once. Then the password goes to the next one. Then the next. If you run out of passwords, you can't access your system. Just make sure you have enough. Or, if you have a fairly long list, round-robin it.
OPTION 2
Have your email forwarded to a new account you made up for the vacation. If you're really paranoid, create a new one each time you want to send.
If you have control over the email server you can configure one-time passwords.
Am I the only one who thinks this is paranoid well beyond common reasoning?
-- Go to a public terminal in a respectable Internet café
-- Take a mobile device with you with which you can connect to the Internet
I just reset the computer and hope they have DeepFreeze or something similar installed, and that the terminal owner isn't him/herself running a keylogger.
I use a Java SSH applet that I load from my own website on the net, then use a combination of cutting and pasting for the password. If your applet is signed, you'll be able to access the local disks, so you can use a USB key that carries a private key, so then you don't need to worry about keyloggers at all. Once inside, you can use pine (or alpine) to check your mail.
-kid m.
it does not need drivers as they are on the keyboard cable before it goes in to the system.
My USB dongle has a copy of PuTTY and a private key that is separate from my usual. The key is password protected, but not with my login password. In .ssh/authorized_keys on my home machine is the public key for the dongle private key.
Someone with a keylogger will grab the password to my USB key, but they won't get the key itself. This is true two-factor authentication, and easy to do.
Half the answers in this thread are fucking ridiculous.
Copy & Paste? Are you fucking kidding me?
And half the other BS people have spouted off.
I'd rather wait a few hours to check my email from a safe place than dick around with shit that takes me 20 minutes to log into a site.
I have never heard of this service, and it seems really cool. They *do* say they do not store your passwords, they just use them to generate the OTP.
From http://www.kyps.net/overview.htm:
"If you also provided your password on the registration page, then the KYPS server computes your list of one-time codes by bitwise xoring (the appropriate number of bits of) each pad with your password. The codes are returned to you in the form of a nicely formatted PDF file (see this example). In order to make it easy for you to enter the codes using a possibly foreign keyboard, the codes are returned to you in a form that does not contain any special characters (base64 encoding). Note that the server immediately deletes the codes and your password as soon as your list of codes has been sent to you. The list of pads, however, is kept in the server's database. "
If you don't trust them, the above URL gives a good description of how the site works; you could easily duplicate it on your own site with a few lines of PHP or Perl.
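To make the quoted mechanism concrete, an added example (not kyps.net's code) models both sides of it: registration XORs each random pad with the password and hands back base64 codes to print, and redemption recovers the password from one code and then discards that pad. The password "s3cret-pw" is a constructed value; the thing to notice is that redeem() necessarily yields the plaintext password on the proxy, which is exactly the trust the original question worried about.

```python
import base64
import secrets
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class KypsStyleServer:
    """Toy model of the quoted scheme: the database keeps the random pads, never the password."""

    def __init__(self, how_many: int, password_len: int):
        # One fresh pad per one-time code, each exactly as long as the password it masks
        # (the 'appropriate number of bits of each pad' in the quoted text).
        self.pads = [secrets.token_bytes(password_len) for _ in range(how_many)]

    def issue_codes(self, password: str) -> list:
        """Registration: XOR each pad with the password and return base64 codes to print.

        The password is used here and then forgotten by the server; only the pads remain.
        """
        pw = password.encode()
        if any(len(pad) != len(pw) for pad in self.pads):
            raise ValueError("pads were sized for a different password length")
        return [base64.b64encode(xor_bytes(pad, pw)).decode() for pad in self.pads]

    def redeem(self, index: int, code: str) -> Optional[str]:
        """Login: recover the password from code number `index`, then burn that pad.

        Returns the plaintext password the proxy would now type into the real site,
        or None if the code is malformed or pad `index` was already spent.
        """
        if not 0 <= index < len(self.pads) or self.pads[index] is None:
            return None
        try:
            masked = base64.b64decode(code, validate=True)
        except ValueError:                   # binascii.Error is a ValueError subclass
            return None
        pad = self.pads[index]
        if len(masked) != len(pad):
            return None
        self.pads[index] = None              # one-time: this code can never be redeemed again
        return xor_bytes(pad, masked).decode(errors="replace")


if __name__ == "__main__":
    # Constructed password; a real list would be longer and carried on paper.
    server = KypsStyleServer(how_many=3, password_len=len("s3cret-pw"))
    printed_list = server.issue_codes("s3cret-pw")
    for i, code in enumerate(printed_list):
        print(f"{i:02d} {code}")              # what the user carries; useless without the pads
    print(server.redeem(1, printed_list[1]))  # s3cret-pw  (the proxy now holds the password)
    print(server.redeem(1, printed_list[1]))  # None       (pad 1 is spent)
```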
I use thunderbird on a mem stick, configured with usernames and passwords so I don't have to type.
Other than that, I use hotmail!!
Here is a tip: don't use a public terminal. Just use your own computer and use their free wifi. Then SSH/tunnel to your secured server and do your business.
I know it doesn't directly answer your question, but otherwise you would pretty much have to accept the security settings that the public terminal comes with, because the terms of use might prevent you from running your own software or taking over the machine outright.
Apart from the fact that you will _never_ be able to secure access from an unsecured machine, just change your passwords. Write down the passwords with the usual methods if need be. If you are really paranoid, have a cron change the passwords from your home machine on a daily basis using permutations of what you wrote down. Once you are back, you change the passwords to whatever they were before.
This is a classic public key/private key problem.
:)
Normal solution.
You have a device that when given a challenge code it responds with a response code that proves to the challenger that you have the key without actually responding with the key. Challenge codes are non-reusable so knowing one pair gets a cracker nothing.
Security researchers have beat this to death, and this is good.
Even better though,
One of the banks I worked with, gave out devices that would generate a new code every 60 seconds or so.
Users are asked to input the code on the device as part of their password set.
If you don't have this device, you cannot guess the magic code, you cannot get into the system, I don't care what you logged.
Of course, both of the above require a host that is compliant with, and concerned about, securing your credentials.
Changing your password more often.
on that note... I'm sleepy.
Results 1 - 10 of about 295,000 for macosx keylogger. (0.04 seconds)
While travelling I would make use of the mouse while typing in passwords: deliberately mistype your password, then use the mouse to select the incorrect text and type to correct it. I bet keyloggers don't record mouse strokes, yet.
Ironkey has the browser built into the USB key, and even if it gets horked by a virus a simple reformat will put it back where you started. You can carry your passwords in it too for fast and instant filling. It's awesome. A logger may get the password to the key, but you can change that next time you get home. ironkey dot com
DUH! Don't check emails or anything that requires a login on a public terminal. You do realize you said you were on vacation - right? If you are on vacation - enjoy it. Go out on the beach and look for babes, or at least for seashells that wash ashore. Don't waste your time staring at a dumb terminal that's full of tons of real, physical viruses that can get you sick, not just the electronic kind....
So just how common are keyloggers on public machines? Are some places more prone to having keyloggers installed?
I wouldn't quite go that far, but close. Obviously secure information can be transmitted through insecure networks. So it would definitely be possible to do things like exchange steganography images through an unsecured computer. Obviously you would have to have some security after the computer for your display/entry or interpretation of information. It is theoretically possible.
One possible solution would be to use the speaker/microphone as your route. From a Tom Clancy book, for example, they had the religious group (catholic church?) that developed their own language. Using that excessively around a determined code cracker would allow a break, but doubtful a single event would leave enough clues behind.
What about after you've logged in? The possible keylogger isn't just looking for your UNIX password. Any emails you type (or read; why do people worry about a keylogger, but not, say, a packet capture sitting in front of the Internet uplink?) for example.
The answer of course is that you cannot. It's a public terminal, controlled by somebody else; there's NOTHING you can do to make that secure.
All you'd be able to do is bring your own hardware, and encrypt everything you do over the public Internet, or somebody else's connection.
Vintage computer games and RPG books available. Email me if you're interested.
Why not predefine a list of x passwords (like 30 or so) you carry around on you. Every time you log into your pc, the current password is expired and it moves on to the next password in the list. This wouldn't work for public stuff like gmail but I see no reason you couldn't script it on your home computer. If you run out of passwords on your pad it could just start over or just lock the account entirely if you want to be really safe.
I'm sure someone must have said this already, but if you are that worried about keyloggers and such on public terminals, DON'T USE THEM!
I'd strongly recommend that you buy a laptop to take with you on vacation so you can check email, etc. from the road. If you're that paranoid about it then the simplest solution is to not use public terminals at all for tasks that require you to enter private data and make the investment in a cheap laptop.
Not necessarily. If the logger has access to applications, like say a web form that has the password hidden, but not encrypted, you're fubar. Now, if you remote desktop in to a trusted machine and use a java keyboard, that would do the trick.
Duplicating your whole message in the subject line will make it easier for the key loggers to find out what you are up to.
(Sorry, it was necessary.)
Naturally someone could still sniff packets but it stops keyloggers, password sniffers etc.
I had a go at developing a simple Windows app that would (temporarily) disable the keyboard hooks that the majority of keyloggers use to capture keystrokes. I had some success, but the program isn't particularly stable and it can cause other applications to crash, but if you only want to log in to a browser and fire off a quick email it might help you. You can download it (and the Delphi source code) from this URL: http://members.lycos.co.uk/wuul/logthis/readme.html Note that this is *used entirely at your own risk*, please read the instructions carefully. I have left various options configurable so people can play around with settings & see which combinations defeat particular keyloggers. If anyone fancies trying to debug this and help to create a more stable version please feel free.
Some tools like Password Safe have an auto-type feature that will populate user/password fields for you. I have no idea if keyloggers would intercept that kind of "typing".
You still have to type your master password to get into Password Safe, but of course that one is stored on a USB stick that you carry around with you.
Set up your own server and read all your mail through it. Have a secure authentication method on your server like one with a digipass or whatever physical authentication token you like.
Allow different levels of security. For example when you log in from an unknown machine or using a special password, you should only be able to perform simple operations like reading the mail, but not change any of the settings.
(of course, this is only for the really paranoid)
By the way, do any of you guys know if you can have a backdoor in the firmware of your network card, for example?
Before you go out of town, forward all emails you want to check to one email account... say your work account. Now, reset your work password (I'd say one not too hard to remember since it'll be temporary). Then limit your email checking to once or twice a day and call your friend back home and have him/her reset your password to a new one after each time you expose your current password. That way if you got keylogged, the password they have will be useless. Would work great for my limited travel needs. If you travel a lot, time to get that PDA or laptop maybe.
USB+VM+SSH/VPN
http://yro.slashdot.org/article.pl?sid=04/10/21/176235
Don't reply w/o trying it.
Depends on what you build into it. Tinfoil Hat Linux has some interesting ideas:
http://tinfoilhat.shmoo.com/readme.txt
Instead of a floppy, one might use a multisession LiveCD.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Problem solved :)
Oh wait...
When I'm traveling and expect to have to use public terminals, I change my passwords before leaving. Then, anything that gets logged will get them into my email for as long as my trip. I don't do business on public terminals. If I'm expected to do business, I'll have my work laptop with me and will pay for (and get reimbursed for) anything I spend doing work. And, as others have said, expect that everything you do will be monitored, so don't be explicit when sending out private emails you wouldn't want revealed.
Learn to love Alaska
Get yourself a 1 to 4 gig usb key and load it up with software from portable apps. They have firefox, thunderbird, pidgin, etc. Everything is kept on the thumb-drive, you don't have to type passwords, it can contain your documents, etc.
You could also use a thumb drive with DSL, or Slax and boot into it using Qemu for windows.
... of an excellent acronym opportunity. Personal Identification by Mobile Phone. PIMP.
Yo, my g-mail is totally PIMP.
If where you are going has hot-spots (and who doesn't nowadays?), a Nokia 810 is perfect, I have one.
Search for this program. It has 3 different styles of keyboard that appear in different places on the screen to prevent coordinate logging. To defeat keylogging, you click buttons to spell your PW into a masked field, then drag/drop onto the form field.
It's only Windows as far as I know, but it works pretty well.
That leads to the classic look-at-the-back-of-the-computer method. If there's something suspicious, unhook it and take it home with you; you now have a free $50 toy.
Of course not all hardware keyloggers are of the type that are sold at thinkgeek. There have been instances of keyloggers actually built into keyboards. In that case the ideas posted about entering the password in the wrong order or with gibberish that you selected and delete with the mouse would be sufficient.
In general if the bad guy has access to the hardware, you've already lost. There could be a logger attached to the computer's network cable under the floor in which case the only solution is some kind of one-time password.
and if you buy it now you get added to the Carnivore tracking list for free!
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Start > Programs > Accessories > System Tools > Character Map. But a software clipboard hook will still get you.
If a key logger just traps key presses, you could conceivably type out your password by clicking on letters in the Character Map mini-app under Accessories, then copy and paste it into the password field (which most will allow pasting.)
If the key logger is a little more robust and smart enough to copy the clipboard changes and the like, this method wouldn't work.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
concerned about security? never use a public terminal.
A UMPC like Asus' eeepc is a perfect small and secure device for dealing with email on your vacation, and they are cheap too. There are wi-fi hotspots in many places, and you could also use a bluetooth dongle so you could surf by using the mobile phone as a modem.
--
Regards
Put a virtual image, with the basic applications you need, on a USB stick, together with its player; 2Gb should be enough. If possible, install the player on the public PC and then run your own OS from the USB stick. This should provide enough isolation from the host.
Someone needs to make an opensource onscreen keyboard that generates the keys in random sequence. That's a lot of hunt and peck, but how long is the average person's password anyway...8 characters? This way, no keyloggers or clipboard copiers will work. So until they get screencapture loggers that work well...I think it may work. So, someone get on it.
Bring your own laptop. There is no other way.
Of course, that won't protect you from keyloggers on your own laptop, which may be even more damaging, but still...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Why not use the on-screen keyboard. It's quick, simple and short of macro recording is pretty safe.
-=LaptopZZ=-
This is the kind of problem the FreeAuth Project was created to solve. You use a one-time pad program on your phone or PDA that can run Java MIDlets. However, you have to use a site that supports FreeAuth or have control of your own webserver to support this.
http://www.freeauth.org/
get an eee or similar cheap, portable machine and use it instead of the public terminal.
Good trick. +1
Using a mouse does not necessarily make you invulnerable to hardware (or software) attacks. If the mouse actions are being logged (whether in addition to or rather than keystrokes, whether via hardware logging or via software logging), a replay attack using your exact mouse sequence is still possible.
the JoshMeister on Security
Just open Notepad and type the alphabet in upper and lower case. Then when it comes time to enter sensitive passwords, copy each letter from Notepad and paste it into place. That may fake out the keyloggers.
Please read this article about CSIRO's TED, a solution meant to solve this exact security problem:
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339286124-130061744t-110000005c
While at vacation set up a program at your home computer that automatically changes your password when you send an email to it. That way you can use one time passwords and screw anyone trying to screw you. ;)
+1 Agree -1 Disagree
The best possible way that I see to avoid problems such as potential keyloggers is simple enough: Avoid using public terminals.
Carry your own laptop. Take advantage of Lord only knows how many free WiFi points are available. If you're self-hosted (as in retrieving from your own mail server), set up an encrypted VPN link.
Public terminals consistently trade security risks for convenience. Remember that the first line of computing security is the computer user. That being the case, ask yourself if it's really that wise to use a potentially insecure terminal for anything that you feel is sensitive.
Happy travels.
Bruce Lane, KC7GR,
Blue Feather Technologies
The easiest way is to carry a copy of Dasher (http://www.inference.phy.cam.ac.uk/djw30/dasher/) on a USB stick. Use the mouse to enter a password at any time, and it will be hard for a key logger to capture your input.
The keyloggers I have seen did not track the mouse, so you can enter extra characters into your username and password fields, then use the mouse to select the ones that shouldn't be there and press delete. This way the keylogger gets lots of extra chars, but doesn't know what is supposed to be there and what is junk.
We build castles on quicksand every single day we use the Internet.
They ARE out to get you simply because They are in it for themselves and they don't care about you.
say, a password and an RSA dongle -- the number on the token changes every 30 seconds.
Also, use SSL to log into your webmail, and verify that the presented certificate is signed by a reputable CA, to avoid the possibility of a man-in-the-middle attack.
Or, use your own data-enabled phone, and avoid the public terminal.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
Bring a laptop or other Internet-capable portable device with you, and don't use public terminals. This seems the only surefire way to avoid keylogging and other security issues. If you're so worried about someone stealing your information through what is probably a pretty rare method, don't use the damn things.
Thanks a million. Push Start to replay.
Yes, but a LiveCD configured to provide an onscreen keyboard, or simply using cut and paste of letters and characters to enter information, is a pretty good combination. The LiveCD generally protects from software logging (the keyword is generally; there are some exotic techniques it won't protect against, such as software logging occurring at the BIOS level) and using the cut and paste or onscreen keyboard generally protects from the most common hardware keyloggers.
Of course, this still isn't perfect and there are other more exotic ways to snoop, but this combination will provide pretty good protection against the most common keylogging methods. IMO, if you need more defense than this, then you probably shouldn't be using public terminals at all.
You're screwed. The premise is that you are using a machine that serves someone else's interests, and you want it to serve your own, instead. You can't become the sole master of the machine non-invasively.
I get why you want it; I want free money. But neither of us can have that. If it's really important to you, to have peace-of-mind in knowing that your email and the access credentials are not intercepted, then you must bring your own machine.
No matter what you do to the other person's computer to try to subvert it to serve you, you'll never be sure you've done enough, unless you've really done enough. And if you've really done enough, then the owner is going to be pissed, because now it's your computer and not his.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
USB with U3 or something similar may be ideal.
Some apps you can run from a USB stick before using a public terminal:
Avast! AV
Spybot S&D
These will attempt to detect the presence of keyloggers.
And don't forget to check the keyboard port for a physical keylogger sitting inline with the cord.
No sig here...
Bring a laptop you lazy idiot.
Start, programs, Accessories, accessibility, on-screen keyboard.
If security is *that* critical, then regardless, stay away from public terminals.
If checking on a personal account is *that* critical, then it should be important enough to plan ahead so that you do not have to resort to a public terminal. Take a laptop and look for hotspots (and pay, if no free ones can be found). Or plan on going back to the hotel room during the day and check from your laptop there.
I can't imagine a scenario where I would be desperate enough to resort to a public terminal.
If on vacation and I just want to check in...hey, I'm on vacation. I'll check personal email when I get back to the hotel at night, if at all. (When *I'm* on vacation, that includes computers & cell phones as much as possible, and friends and families should understand that I will be out having fun and may not get back to them quickly)
If worried about contact in case of an emergency, you probably shouldn't get out of cell phone range to begin with...rent one if in a foreign country.
Forgot to pay a bill before leaving? Either go back immediately to the hotel and do it or if you are already late, what's the harm in waiting until you get back later?
One way might be to make your website randomly generate a "fake" keyboard layout and display it as an image. You then touch-type in your real password by looking at the randomly generated layout image it gave you. The server would remap your password entry based on the random keyboard layout it generated for that one login.
Thus a hardware logger would only log the remapped version of your password, which would be essentially random keys.
A software keylogger would have to record the login image from the website and manually remap the logged keys based on that image.
For extra credit you could make the key remapping image appear as a captcha to further frustrate automated techniques.
It might be more user friendly to generate the keyboard layout as an image that has buttons you can click on with the mouse, but that'd be more vulnerable to shoulder-surfing and mouse-click recording than the previous scheme.
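The randomised-layout login described in the post above, as an added example written by me (hypothetical class and function names; not any site's real login code). The server draws a fresh permutation of the keys for each attempt, the user types the password through that permutation, and the server inverts it. What a keystroke logger records is the remapped string, and the last block of the demo shows that replaying those logged keystrokes against the next attempt's layout fails. The `shifted_layout` helper is a fixed, non-random permutation used only so the demo is reproducible.

```python
import secrets
import string
from typing import Dict, Optional

KEYS = string.ascii_lowercase + string.digits  # constructed: the keys the image shows


def random_layout() -> Dict[str, str]:
    """Map each real character to the key the user must press instead."""
    shuffled = list(KEYS)
    secrets.SystemRandom().shuffle(shuffled)
    return dict(zip(KEYS, shuffled))


def remap(layout: Dict[str, str], real: str) -> str:
    """What the user actually types, and therefore what a keylogger records."""
    return "".join(layout.get(ch, ch) for ch in real)


def unmap(layout: Dict[str, str], typed: str) -> str:
    """Server side: invert the layout to get the real characters back."""
    inverse = {pressed: real for real, pressed in layout.items()}
    return "".join(inverse.get(ch, ch) for ch in typed)


class RemapLogin:
    """Hypothetical login endpoint: one fresh layout per attempt."""

    def __init__(self, password: str) -> None:
        self._password = password
        self._pending: Optional[Dict[str, str]] = None

    def new_challenge(self, layout: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        # `layout` can be injected for a reproducible demo; normally it is random
        self._pending = layout if layout is not None else random_layout()
        return self._pending  # in the real scheme this is rendered as an image

    def verify(self, typed: str) -> bool:
        layout, self._pending = self._pending, None  # one attempt per layout
        if layout is None:
            return False
        return unmap(layout, typed) == self._password


def shifted_layout(k: int) -> Dict[str, str]:
    """Deterministic permutation for the demo only (not random, so not for real use)."""
    return {ch: KEYS[(i + k) % len(KEYS)] for i, ch in enumerate(KEYS)}


if __name__ == "__main__":
    site = RemapLogin("hunter2")  # constructed sample password
    layout = site.new_challenge()
    logged = remap(layout, "hunter2")  # the keylogger sees this
    print("keylogger recorded:", logged)
    print("login ok:", site.verify(logged))
    site.new_challenge()  # next visit, new layout
    print("replay ok:", site.verify(logged))
```

The single-use rule in `verify` matters as much as the randomness: if the same layout were reused, the logged string would be valid again.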
120 characters isn't enough to explain it.
It is not impossible to use a public terminal securely -- it's just another example of tunneling secure data over an insecure link. One thing that some responses neglect is that for many applications, the data coming back is just as critical to keep secure as the data (passwords etc.) going in. Unless you want everyone reading your email and seeing your bank account balances and pictures of your cute naked children.
Of course, to tunnel over an insecure link, you need secure endpoints. The remote endpoint is easy; it can be your server or proxy or whatever. It sounds like the Blackdog is an example of something that can provide the local endpoint. All that is needed is something that encrypts outgoing data and decrypts incoming.
I suggest Pig Latin. You use your laptop/PDA/whatever normally, except you convert your password to pig latin and your home proxy server transforms all incoming text in the same way. Sure, that only works for text, but I have a brilliant idea for an image transformation that works on the same principle: you take every image, move the first column of pixels to the end, and add 13 to each of the RGB values in that column (modulo 256). I think it should be pretty much invulnerable to decryption by unwanted snoopers, because it combines the full security of pig latin with that of ROT13.
I plan to file for a patent and start up a company based on this technique. Anyone who would like to get in on this incredible opportunity now is encouraged to send me their seed investments in small unmarked bills. No need to put on your return address; I have another algorithm that I plan to use to infer the sender's contact info based purely on the rest of the packaging. So far it only accurately estimates the sender's intelligence level, but I'm sure that by the time you send me the cash, I'll have it working well enough that I'll be able to tell everything I need to know about you.
I don't believe it's possible to trust a public terminal. I'm planning on getting the 9" eee so it's at least more portable.
MojoPac is a clever piece of software which will bypass any software keyloggers on a Windows system and give you your own (Windows) environment with all your files and programs. It also presents only a black screen to the system (not to you), so any screenshots taken by keyloggers see only black. I have the results of a bunch of testing I've done with MojoPac and keyloggers on my blog: http://ryrw.blogspot.com/2007/05/how-to-travel-invisibly.html
One time password, based on the time of day. :)
Memorize a simple algorithm, and keep your watch synced well.
Says jarlod
just use a usb drive with a pop3 client, the password will be already in the client config... if your drive gets stolen, just change the passwd in a trusted terminal.
You never can have perfect security ... refer to my comments above on an RSA widget that changes the code every minute ... I think etrade provides this widget if you have more than 50g in the account ... ... the only way out is to use the most defensive weapon out there - your brain. .. libraries with good univs, a good public library in a nice locality has less chance of having such people than an overcrowded bar or at special places in airports ... look who all are around ... no suspicious people, use some common sense and then go ahead ... .. that way you will know in case something has been done .. increase this frequency, like once every week, in the event you use public terminals ... it is more of a matter of policy than any one single process.
But the point is, no matter what, your security can at any time be overcome - howsoever secure you claim to be.
In public places - you need to look around for terminals just like you would for your personal physical security.
If at all you need to access in public terminals - then first see what kind of public place it is.
Finally, periodically check your account.
- the good nerd.
Just the fact that this thread is so popular means that if there doesn't already exist a major (cheap or free) webmail provider where one can set up temporary travel accounts with one-time-passwords plus transparent forwarding, this certainly sounds like an interesting dot-com business opportunity.
you can do it yourself
http://www.keelog.com/diy.html
Got 3 tips for you:
1) Use cut & paste (as stated in more comments), but store your passwords in an NTFS stream. This works only on NTFS-formatted devices. It's simple: create a dummy text file like music.txt and put some silly information into it. Then open it using the command "notepad music.txt:pass". This 'pass' will be an NTFS stream which is attached to this file, but the contents are not visible in the original text file, nor will the file size increase if you fill the stream with information. Besides that, it's relatively hard to detect whether a file has streams or not and what the names of the streams are, so if you lose your memory stick the information will probably not even fall into the wrong hands. But be aware, copying the file to a non-NTFS-formatted device will erase the stream, so store a copy at home in a safe place!
2) If you do not trust publicly installed applications, build and use your own using virtualisation software like "Thinstall"! It results in 1 single executable which can be run from any device you like!
3) If possible, check all wiring of the keyboard. Many keyloggers are simply a small piece of hardware no larger than a plug, connected between the PC and the keyboard, and many of these can be accessed wirelessly to extract the collected information.
1. Create a throwaway free email account.
2. Set your real email to forward to it.
3. ???
4. PROFIT!!!
As found on https://www.grc.com/ppp.htm: you use the list that you generate, scratch off item #1, and only the next attempt to log in will accept item #2 (rinse/repeat). Very easy to use ONE TIME PAD; truly, it cannot get any easier. CAH
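The scratch-off list just described, and the pre-generated password list a few posts up (the one that either starts over or locks the account when the list runs out), both come down to the same server-side rule: accept only the next unused item, and never accept one again. Here is that rule as an added example of my own (hypothetical names; not GRC's PPP implementation, which additionally derives its codes from a key rather than storing a list). The server keeps SHA-256 digests of the codes instead of the codes, so a copy of its database is not a copy of the sheet, and it locks after a few consecutive wrong guesses.

```python
import hashlib
import hmac
import secrets
import string
from typing import List

ALPHABET = string.ascii_letters + string.digits  # constructed: nothing awkward to type


def generate_sheet(n: int, length: int = 8) -> List[str]:
    """The list the user prints and carries; each code is used exactly once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class OneTimeList:
    """Server side: accepts only the next unused code, in order.

    on_exhaust="lock" freezes the account after the last code (the safe choice);
    on_exhaust="wrap" starts over from item #1, which reintroduces replay.
    """

    def __init__(self, codes: List[str], on_exhaust: str = "lock", max_failures: int = 3) -> None:
        self._digests = [_digest(c) for c in codes]
        self._next = 0
        self._failures = 0
        self._on_exhaust = on_exhaust
        self._max_failures = max_failures
        self.locked = False

    @property
    def position(self) -> int:
        """Index of the code the server expects next."""
        return self._next

    def check(self, code: str) -> bool:
        if self.locked:
            return False
        expected = self._digests[self._next]
        if hmac.compare_digest(_digest(code), expected):  # constant-time compare
            self._failures = 0
            self._next += 1  # scratch it off: never accepted again
            if self._next == len(self._digests):
                if self._on_exhaust == "wrap":
                    self._next = 0
                else:
                    self.locked = True
            return True
        self._failures += 1
        if self._failures >= self._max_failures:
            self.locked = True  # stop online guessing of the next item
        return False


if __name__ == "__main__":
    sheet = generate_sheet(5)
    server = OneTimeList(sheet)
    print("sheet:", sheet)
    print("login with #1:", server.check(sheet[0]))
    print("replay of #1 (what a keylogger captured):", server.check(sheet[0]))
    print("login with #2:", server.check(sheet[1]))
```

A captured code is worthless to the logger because the server has already moved past it; the only thing the logger learns is which sheet position you are on.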
The on-screen keyboard is designed for accessibility, not security. It can be easily defeated not only by a screenshot-taking keylogger, but by any keylogger; the article explains why.
A false sense of security can be dangerous.
The saddest poem
It isn't cheap but it stores your password based on the biometrics of how you type. No one can duplicate!
Not good at all.
and I know I can't use my PDA to get my email (because there is no connection or the cost is too high), I create a dummy email address such as: going2Reno2008@hotmail.com and I forward a copy of all my email to that account for the duration of my trip. I use a simple password and read what I need to and once I'm done for that session, I delete the emails I don't want anyone to see (empty the trash as well). When I get back home, I turn off auto-forwarding and forget about the email address. Who cares if someone hacks it - they will find nothing in it and no links back to me. Enjoy! HyperHyper
Before someone leaves for vacation, they can create a list of twenty or so personal questions (like who is your 7th grade teacher?). The account can somehow store the information so that each time someone tries to log into a username, they have to know the answer to a personal question. Each time someone tries to log on, the displayed question can be the next one on the list. Keyloggers may know your password, but they do not know the name of your first pet. And they have only one chance to guess right to each question. This feature shouldn't be too hard to make if you have your own server. ...
Or, if you're especially good on those IQ tests, you can just make one of those your password and only let people with IQ's higher than a certain number (ie 200) in. xd There are plenty of ways to recognize someone without seeing if they know a secret series of letters.
http://www.HUGEurl.com/
copy-paste a couple of -ahem- DEgenerated URLs from it, et Voila!
The sane answer, of course, is to boot into Knoppix, and don't touch the HD.
Gotta find somewhere where that is allowed, tho...
From the supposedly insecure terminal, log on to a secure machine, so that you can exchange text data with it, by using some kind of one time password.
Associated with every one-time password is a set of one-time parameters for an encoding/decoding algorithm. The association should be purely random, so that the parameters cannot be inferred from the password. Then if you want to exchange text data with the secure machine, you will have to encode or decode the text data by using the algorithm with the given parameters. By this, the knowledge of the password alone is of no use.
Of course, this solution leaves the question on the implementation open, and the implementation might not even be very handy, but it surely defeats keyloggers and screen recorders.
Yeah, yeah, like that is a threat assessment on keyloggers and the black-market where such tools are SOLD to merchant operations such as large-scale phishing.
Moron.
Making laws based on opinions that stem from false information leads to witch hunts.
For email set up forwarding on your main account(s) to a disposable account to be used for the duration of the trip. If possible, change the password via your cellphone after each public terminal use, and delete any emails after reading them. This will at least ensure your main accounts are never compromised. A similar strategy can be used with most blogs, by assigning posting rights to a new, disposable user account. All banking should be done via cell phone or at the bank in person if possible.