Slashdot Mirror


Best Way To Avoid Keyloggers On Public Terminals?

goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. A Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. Kyps.net offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true (and I can't evaluate its security), it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecurID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"

34 of 701 comments

  1. Phone? by Anonymous Coward · · Score: 1, Insightful

    Buy an iPhone and use that for net access (or blackberry, whatever). Problem solved...

    1. Re:Phone? by maglor_83 · · Score: 4, Insightful

      What kind of place doesn't allow phones and also has publicly available computers to use?

    2. Re:Phone? by DaedalusHKX · · Score: 3, Insightful

      I actually have flash disabled in all my browsers, mostly because I can only use a fraction of my pipe for surfing.

      All the sites I patronize have, thus far, operated perfectly fine without flash. Once they begin to demand flash or other such crap, I'll find alternatives or do without. Flash has FAR too much risk of being abused (and has been) in the past. Same with javascript and especially Java. I surf for information, not flashy buttons and popups.

      Speaking of funny, I checked out "classmates.com" recently, and I must say DEAR GOD... (my personal profile is full of bullshit per my specification) ye gods, those people have put up everything but their online banking password on those entries. But that isn't the worst part. The worst part is loading that website, and receiving twenty different batches of advertising tracking cookies, three batches of tracking cookies from the site, and watching it load and move around slower than molasses.

      Is that truly necessary? Hell, they charge these people for memberships. I actually test drove a membership some years back just to see, and even then, even for "paying members" they still didn't remove the adverts and other sluggish bloat on their site.

      I restate my question. Is that kind of bloat TRULY necessary?

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    3. Re:Phone? by Gewalt · · Score: 2, Insightful

      If I'm staying in a hotel at nights, then I'm bringing my own laptop and thus, STILL don't need to use a public terminal.

      --
      Modding Trolls +1 inciteful since 1999
    4. Re:Phone? by nahdude812 · · Score: 2, Insightful

      I don't know whether keyloggers like this exist, but unless you physically toggled the power, you may have only thought you rebooted the system. Even still it's possible a false BIOS was installed which lies about the boot order, with a hypervisor booted off a small partition which runs your live CD inside a VM.

      But anyway: Hardware-based keyloggers. Even if you check the keyboard cable, it could still be installed inside the case - a lot of USB ports aren't soldered to the mainboard. Or it could even be installed in the keyboard itself.

      In short, if you want to be super paranoid, you have to assume that any keystroke you make will be captured.

      Maybe a system involving single-use SSH keys would be feasible. I'm surprised there isn't some sort of RSA token solution for personal use.

    5. Re:Phone? by ceswiedler · · Score: 2, Insightful

      Well, you could type a massive amount of random letters into a text document, with your password buried somewhere in the middle. Then copy and paste the password into the password field of the form. If the OS doesn't let you paste into password fields, then you could just have the text doc and web page open side-by-side, type in random stuff, switch to the web page (via the mouse) and type your password, switch back to the text doc, and type more random stuff.

      Depending on how much random stuff you're willing to type in, how long your passwords are, and how many times the site lets an attacker try a password, this is at least an annoyance to keyloggers. If you're being specifically targeted I'm sure they could get your password, but it would be enough to prevent 'casual' keyloggers from getting your password, and presumably that's the sort that would install a keylogger on a public terminal.

  2. Simple Answer -- by barbam · · Score: 5, Insightful

    Umm -- simple answer, don't access trusted information from an untrusted terminal? You can have no expectation of privacy while using that machine.

    1. Re:Simple Answer -- by bogado · · Score: 2, Insightful

      Because that's the correct answer. If you ask me how can I fix a broken egg I would say don't break it in the first place.

      Seriously, when a terminal is not trusted, everything you do on it can be watched. The attacker could plug into any application in the same way your debugger does and watch the bits directly from within the application, even if the executable is pristine and on your read-only USB dongle.

      Don't put your password in a public computer. That's a way to be safe. The only possible solution for this would be to have a one-time password solution, but this would require changing the server, which is not possible for most people.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

  3. Don't use public terminals by syousef · · Score: 5, Insightful

    I'm not trolling here. If you're being keylogged, then even if your password isn't stolen, every single thing you do on that computer must be treated as public. Emails would be keylogged too.

    Once you suspect a terminal is owned, that's it, game over, don't trust it. Probably not what you want to hear, and definitely not convenient for you, but every other solution is a compromise in security.

    The ONLY alternative I could think of that I can stomach is to have a separate email address that you use only from public terminals. Change the password often and consider anything you say via that account to be as public as if it were announced over a PA system at an airport.

    --
    These posts express my own personal views, not those of my employer
  4. I don't think you truly can by JazzXP · · Score: 5, Insightful

    Any smart keylogger will look at the raw text behind any password field on a website. Cut and Paste etc would be useless.

  5. Obfuscate password entering process by sznupi · · Score: 4, Insightful

    Enter your password in a different order than it is spelled? Simplest example: given your pass is "password", first write "pasrd", click between 3rd and 4th asterisk, complete it by entering "swo". The more complicated, the better.

    I'm using this when I absolutely need to use a web cafe/etc.... should fool most keyloggers, I guess. I still change my password afterwards as soon as possible.

    --
    One that hath name thou can not otter
  6. use a temp account by Anonymous Coward · · Score: 2, Insightful

    I used a temporary account for email while on vacation. Stolen? No big deal. Throw away when done.

  7. someone mod parent up please by Travoltus · · Score: 5, Insightful

    When it comes to security, the best answer usually becomes the most unpopular and hard to swallow.

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  8. Why bother keeping it up to date? by bluemonq · · Score: 2, Insightful

    Just always run Firefox off of the stick (even while you're at home). Otherwise, the only thing I can suggest to you is to pull up the virtual keyboard and input using the mouse; you'd have to move the window around after every few characters to try to fend off programs that track mouse movements also. If the machine's Tempest-ed (or its local equivalent) or the screen is being recorded, you're out of luck anyways. If it's not your machine, you really can't do anything about this sort of thing.

  9. If you're that worried... by ISurfTooMuch · · Score: 5, Insightful

    ...then don't use a public terminal.

    I'm really not being flippant here. The posters above have listed some ways around a basic keylogger, but there are other ways a system can be compromised. You could be dealing with a program that takes screenshots and/or reads the clipboard at random intervals. Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.

    My policy on using public access computers is that I only use them when I have no other choice, and the more valuable the data I need to protect, the less likely I am to use one.

    There are so many more attack vectors than a keylogger that, if I were you, I wouldn't just focus on that one thing. If your data really needs to be secure and accessed remotely, get yourself a laptop and a data card from one of the cell carriers. At least that way, you can keep physical control over your machine and avoid the risks of using a hotspot. Of course, if you think that someone will be able to tap into your wireless connection through a cell phone carrier, then you likely have more issues than we can address here.

    1. Re:If you're that worried... by jamesh · · Score: 3, Insightful

      Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.

      That would be dead easy to do on the part of the public terminal provider... Figure out the top (say) 10 banks that visitors normally use. Set up local DNS records that point to your phishing site, or just use IP DNAT to redirect them. Install certificates for each of your phishing sites on the public terminal so that they are trusted.

      Unless you knew the fingerprint for your bank's certificate you'd never know the difference, and even that could be spoofed if they had complete control. If they were using IP DNAT then even the IP address would appear correct.

      In short, there is no solution if you don't have complete control over your terminal!

      In the above example, if the phishing site was acting as a 'man in the middle' then even 2 factor authentication on logon wouldn't help you. Once you'd logged on the phishing site could just report 'Connection error - please try again later' and then go off and do stuff on its own. If you had it set up so that any funds transfers required another authentication with your 2nd factor device then that simple hack wouldn't work but it wouldn't be too hard to come up with something that did.
  10. Think about it for a minute by Whuffo · · Score: 4, Insightful

    When you're talking about a public terminal - a machine that everyone and his dog has had access to - then you have to assume that it's totally compromised. You can't take countermeasures against exploits that you don't know and can't identify.

    If you've got to stay in touch on the road then take your own machine along - either a laptop or a portable device like an iPhone. You can find wireless access almost anywhere and while that wireless may be hacked, at least the machine you're using won't be.

    The suggestions to use a Linux CD or Firefox from a USB memory stick aren't going to give you the safety you're looking for. Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.

    Remember: do NOT enter any information into a public terminal that you wouldn't want to publish in the newspaper.

    1. Re:Think about it for a minute by jdowland · · Score: 2, Insightful

      Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.

      Can you confirm this? I could accept that BIOSes might scan each device for the presence of an MBR, but I highly doubt they execute any of them.

  11. Re:Two things... by Anonymous Coward · · Score: 1, Insightful

    Third, I have been away from slashdot for a long time so, um, what the hell is this thing I am typing into? Good question. I think it has something to do with Web 2.0.
  12. Re:I don't type by g0at · · Score: 2, Insightful

    Why not simply type the alphabet into the file, and save yourself ten minutes at the outset?

    -b

  13. If I NEED access to the internet... by riprjak · · Score: 5, Insightful

    ...I carry my own means to do so. Whether that be a smartphone, iPod touch, PSP, laptop with wifi, wireless broadband or (a consideration when I am travelling in developing nations) a satellite modem...

    IMO, the use of a public terminal for private purposes is the height of stupidity.

    1. Re:If I NEED access to the internet... by maxume · · Score: 2, Insightful

      How many people encrypt their email?

      People use public servers for private purposes all the time. I'm not saying that it is a good thing, just pointing out the disconnect between the way most people use the internet and the level of privacy that you are talking about maintaining. Trusting a public terminal is at a different level than trusting Google not to show your email to a person, but it's in the same category.

      --
      Nerd rage is the funniest rage.
  14. Re:I don't type by Anonymous Coward · · Score: 3, Insightful

    The only problem with this, is that you have input the domain into the computer with the key logger. So even if you do clear all private data from the browser cache, the domain is still logged.

  15. Re:Hardware encrypted USB key with preinstalled ap by Onan · · Score: 4, Insightful

    Which does you what good, exactly, when malicious software already has control of the OS and can see (and alter) everything that passes through memory?

    I'm aghast at all the people suggesting nonsense like copying and pasting or making silly efforts to run trusted copies of applications. If the OS is compromised, there is absolutely nothing you can do at higher layers that will not be compromised.

    As (terrifyingly few) people have already said, the answer to the original question is that you can't. If the machine itself is untrusted, any attempts to add security atop that are just building castles on quicksand.

  16. Re:I don't type by porl · · Score: 2, Insightful

    it is odd that this question came up today, as (for some unknown reason, just my mind wandering i think) i was thinking of how to do this just last night. my thought was almost the same as yours, but i was thinking more randomly building the password with clicks and keys, eg if the password is 'dogfood' then maybe type 'g', then click to the left, type 'd', click to the right and another 'd', then click between first d and g and type 'o' etc. would be a real pain, but more of a pain to decipher, especially if you are moving windows around a lot etc. also maybe typing into 'nothingness' in between the real keystrokes may help (clicking other places that aren't the password box and typing characters there as well)

    just some thoughts. i don't expect them to be foolproof though :)

    porl

  17. Re:I don't type by mcpkaaos · · Score: 2, Insightful

    That still gives the person logging keystrokes a valid password, even if it's scrambled (unless I misunderstand your approach). It would be trivial for them to try all possible combinations when they realize what you entered doesn't work as-is. An automated attack program probably already does this unless it's trying to keep a very low profile.

    This type of attack might also include a packet sniffer on the machine, rendering any clever input techniques useless. The only real way to avoid loggers/sniffers on a public terminal is to never use one. It isn't even a good idea to use public networks with your own device unless you use something like SSH to tunnel into your home and use a local (to your home network) proxy (IMO).

    --
    It goes from God, to Jerry, to me.
  18. Re:KeyScrambler by Sancho · · Score: 2, Insightful

    Honestly, that seems pretty suspicious. Also, if it's a kernel driver, it's going to require admin access to the public terminal--highly unlikely.

  19. Re:I don't type by Anonymous Coward · · Score: 1, Insightful

    This does not work, as many "keyloggers" have transformed to read POST data to websites, not just password fields. Particularly effective when the website has anything saying :)

  20. Simple answer, don't bother by AsmordeanX · · Score: 5, Insightful

    It blows my mind when I see someone logged into their bank/email/etc from a public terminal.

    I was once friends with a guy that carried around a PS/2 keylogger that he would plug into university terminals for a day or two then pick it up later. He just wanted to see what he could find. He found everything from people doing homework, cybersex, and even bank info. Now if he was actually out to do harm, he could have really made things bad for hundreds of people.

    If it's not yours then just assume that it has a loudspeaker on it broadcasting everything you do to everyone around you.

    And for those that think cut&paste, screen keyboards, etc. will protect them: I personally installed a keylogger on a friend's PC to catch her then 12-year-old son looking at porn. The log files had a play button which would replay every mouse movement, screen change, and keyboard input for up to 96 hours. This was about 7 years ago so I'm sure they've gotten better.

  21. Sure it will! by explodingspleen · · Score: 2, Insightful

    It's called a security certificate.

    Your live cd has your security certificate. You have your password. Intercepting your password keystrokes will do no good unless they also steal your liveCD.

    They could still have a setup to catch you, but at that level of paranoia you should be equally worried that they will be snooping the electric field of the computer.

    Seriously, if your data is THAT sensitive, which is to say THAT VALUABLE $$$, then simply buying your own laptop is probably a very economic thing to do.

  22. Re:Simple solution by Curien · · Score: 3, Insightful

    When I was in charge of government laptops, we disabled booting off of anything but the hard drive and locked the BIOS with a password. Sure, the user could reset it, but we'd know that they did so.

    The point isn't whether you think that what you're doing is OK. The point is that you aren't authorized to make that decision.

    --
    It's always a long day... 86400 doesn't fit into a short.
  23. No perfect solution, S/KEY works for some problems by Anonymous+brave+dude · · Score: 2, Insightful

    There is no perfect solution to this problem: using a public terminal is fundamentally insecure, and nothing you can do will change that. However, when I am faced with this problem, I log in using SSH and S/KEY. This prevents a key logger from gathering useful password data. You still have to be careful that no sensitive information is input or returned, as this will without fail go into the hands of your attackers.

  24. Re:I don't type by Kadin2048 · · Score: 5, Insightful

    Ah yes, under that assumption, what did he do about the password needed to log on to ssh? This is a solved problem. You use a one-time password system, like s/key, or one of its many variants.

    The only caveat with s/key is that you can't run the generator program (which takes your secret passphrase and tosses out a bunch of new one-time passwords) on an untrusted system. If you do, you've just blown the whole business.

    So if you're going to be traveling and won't have access to any computer that you can trust, even a disconnected one, you need to generate a lot of passwords and write them down, and then cross each one off the list as you use it. (But hey, I think this lends a very nice cloak-and-dagger feel to computing that you just don't get very often.) Although I see that now somebody has whipped up a Java version of the s/key generator that will run on your cellphone, so it's not terribly likely that you wouldn't be able to run it.

    I think SSH+skey is probably the most secure way of working from untrusted systems. The only downside is that it restricts you to working in a text shell, and you still have issues with websites, but at least you can do email and IM without worrying too much.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
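The S/KEY mechanism that comments 23 and 24 rely on, shown as an added example (this is not code from either poster): a hash-chain one-time-password generator, the printed list a traveller would carry, and the server-side check that makes a keylogged password worthless after its single use. Seed and passphrase are constructed values, and SHA-256 stands in for S/KEY's folded MD4/MD5 output.

```python
import hashlib
import hmac


def skey_hash(data: bytes) -> bytes:
    # Real S/KEY folds an MD4/MD5 digest down to 64 bits so it can be typed as
    # six short words; this example keeps the full SHA-256 digest instead.
    return hashlib.sha256(data).digest()


def hash_chain(passphrase: str, seed: str, n: int) -> list:
    """Return [h_0, h_1, ..., h_n] with h_0 = H(seed || passphrase), h_i = H(h_{i-1}).

    This is the generator step that must only run on a trusted machine: the
    secret passphrase is typed here, never on the public terminal.
    """
    chain = [skey_hash((seed + passphrase).encode())]
    for _ in range(n):
        chain.append(skey_hash(chain[-1]))
    return chain


def password_list(passphrase: str, seed: str, n: int) -> list:
    """The list to print and carry: h_{n-1} is used first, h_0 last."""
    chain = hash_chain(passphrase, seed, n)
    return [h.hex() for h in reversed(chain[:-1])]


class SkeyServer:
    """Holds only the public seed, the sequence number and the last accepted hash."""

    def __init__(self, seed: str, n: int, h_n: bytes):
        self.seed, self.n, self.current = seed, n, h_n

    def challenge(self):
        # What the server tells the client so it can pick the right line of its list.
        return (self.n - 1, self.seed)

    def verify(self, candidate_hex: str) -> bool:
        if self.n < 1:  # chain exhausted; the user must re-enrol with a new seed
            return False
        try:
            candidate = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        # Accept iff hashing the offered value once reproduces the stored one.
        if not hmac.compare_digest(skey_hash(candidate), self.current):
            return False
        self.current, self.n = candidate, self.n - 1  # move one link down the chain
        return True


def demo() -> dict:
    """Enrol with a 5-entry chain and show what a keylogged password buys an attacker."""
    seed, passphrase, n = "vacation01", "correct horse battery staple", 5  # constructed values
    server = SkeyServer(seed, n, hash_chain(passphrase, seed, n)[-1])  # enrolment on a trusted PC
    printed = password_list(passphrase, seed, n)                        # carried on paper
    return {
        "first_login": server.verify(printed[0]),       # True
        "replay_of_logged": server.verify(printed[0]),  # False: the logged value is now useless
        "second_login": server.verify(printed[1]),      # True
        "skip_ahead": server.verify(printed[3]),        # False: H(h_1) is h_2, not h_3
        "remaining": server.n,                          # 3 logins left before re-enrolment
    }
```

The server never stores the passphrase or any unused password, so compromising it (or the terminal) yields only values that have already been spent.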
  25. Re:Texting 1 time password by Anonymous Coward · · Score: 1, Insightful

    I built a system in the late 90's where you had a web-page where you entered an account-name. That name was tied to a cellphone number which was sent a generated password as a text-message. The password was only valid for 5 minutes.

    AFAIK it's still in use and has never been cracked.

    Best of all, if the phone rings and gives you a password message, you know someone's at least been peeking.