Slashdot Mirror
Best Way To Avoid Keyloggers On Public Terminals?
goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. Kyps.net offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true, (and I can't evaluate its security) it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecureID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"
Umm -- simple answer, don't access trusted information from an untrusted terminal? You can have no expectation of privacy while using that machine.
I'm not trolling here. If you're being keylogged, then even if your password isn't stolen, every single thing you do on that computer must be treated as public. Emails would be keylogged too.
Once you suspect a terminal is owned, that's it, game over, don't trust it. Probably not what you want to hear, and definitely not convenient for you, but every other solution is a compromise in security.
The ONLY alternative I could think of that I can stomach is to have a separate email address that you use only from public terminals. Change the password often and consider anything you say via that account to be as public as if it were announced over a PA system at an airport.
These posts express my own personal views, not those of my employer
Any smart keylogger will look at the raw text behind any password field on a website. Cut and Paste etc would be useless.
Enter your password in a different order than it is spelled? Simplest example: given your pass is "password", first write "pasrd", click between 3rd and 4th asterisk, complete it by entering "swo". The more complicated, the better.
I'm using this when I absolutelly need to use web cafe/etc....should fool most keyloggers, I guess. I still change my password afterwards as soon as possible.
One that hath name thou can not otter
When it comes to security, the best answer usually becomes the most unpopular and hard to swallow.
--- Grow a pair, liberals... stop letting the Republicans bully you!
...then don't use a public terminal.
I'm really not being flippant here. The posters above have listed some ways around a basic keylogger, but there are other ways a system can be compromised. You could be dealing with a program that takes screenshots and/or reads the clipboard at random intervals. Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.
My policy on using public access computers is that I only use them when I have no other choice, and the more valuable the data I need to protect, the less likely I am to use one.
There are so many more attack vectors than a keylogger that, if I were you, I wouldn't just focus on that one thing. If your data really needs to be secure and accessed remotely, get yourself a laptop and a data card from one of the cell carriers. At least that way, you can keep physical control over your machine and avoid the risks of using a hotspot. Of course, if you think that someone will be able to tap into your wireless connection through a cell phone carrier, than you likely have more issues than we can address here.
If you've got to stay in touch on the road then take your own machine along - either a laptop or a portable device like an iPhone. You can find wireless access almost anywhere and while that wireless may be hacked, at least the machine you're using won't be.
The suggestions to use a Linux CD or Firefox from a USB memory stick aren't going to give you the safety you're looking for. Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.
Remember: do NOT enter any information into a public terminal that you wouldn't want to publish in the newspaper.
What kind of place doesn't allow phones and also has publicly available computers to use?
...I carry my own means to do so. Wether that be a smartphone, iPod touch, PSP, laptop with wifi, wireless broadband or (a consideration when I am travelling in developing nations) a satellite modem...
IMO, the use of a public terminal for private purposes is the height of stupidity.
The only problem with this, is that you have input the domain into the computer with the key logger. So even if you do clear all private data from the browser cache, the domain is still logged.
I actually have flash disabled in all my browsers, mostly because I can only use a fraction of my pipe for surfing.
All the sites I patronize have, thus far, operated perfectly fine without flash. Once they begin to demand flash or other such crap, I'll find alternatives or do without. Flash has FAR too much risk of being abused (and has been) in the past. Same with javascript and especially Java. I surf for information, not flashy buttons and popups.
Speaking of funny, I checked out "classmates.com" recently, and I must say DEAR GOD... (my personal profile is full of bullshit per my specification) ye gods those people have put up everything but their online banking password on those entries. But that isn't the worst part. The worst part is loading that website, and receiving twenty different batches of advertising tracking cookies, three batches of tracking cookies from the site, and watching it load and move around slower than mollases.
Is that truly necessary? Hell, they charge these people for memberships. I actually test drove a membership some years back just to see, and even then, even for "paying members" they still didn't remove the adverts and other sluggish bloat on their site.
I restate my question. Is that kind of bloat TRULY necessary?
" What luck for rulers that men do not think" - Adolf Hitler
Which does you what good, exactly, when malicious software already has control of the OS and can see (and alter) everything that passes through memory?
I'm aghast at all the people suggesting nonsense like copying and pasting or making silly efforts to run trusted copies of applications. If the OS is compromised, absolutely nothing you can do at higher layers that will not be compromised.
As (terrifyingly few) people have already said, the answer to the original question is that you can't. If the machine itself is untrusted, any attempts to add security atop that is just building castles on quicksand.
It blows my mind when I see someone logged into their bank/email/etc from a public terminal.
I was once friends with a guy that carried around a PS/2 keylogger that he would plug into university terminals for a day or two then pick it up later. He just wanted to see what he could find. He found everything from people doing homework, cybersex, and even bank info. Now if he was actually out to do harm, he could have really made things bad for hundreds of people.
If it's not yours then just assume that it has a loudspeaker on it broadcasting everything you do to everyone around you.
And for those that think cut&paste, screen keyboards, etc will protect them. I personally installed a keylogger on a friend's PC to catch her then, 12 year old son, looking at porn. The log files had a play button which would replay every mouse movement, screen change, and keyboard input for up to 96 hours. This was about 7 years ago so I'm sure they've gotten better.
When I was in charge of government laptops, we disabled booting off of anything but the hard drive and locked the BIOS with a password. Sure, the user could reset it, but we'd know that they did so.
The point isn't whether you think that what you're doing is OK. The point is that you aren't authorized to make that decision.
It's always a long day... 86400 doesn't fit into a short.
The only caveat with s/key is that you can't run the generator program (which takes your secret passphrase and tosses out a bunch of new one-time passwords) on an untrusted system. If you do, you've just blown the whole business.
So if you're going to be traveling and won't have access to any computer that you can trust, even a disconnected one, you need to generate a lot of passwords and write them down, and then cross each one off the list as you use it. (But hey, I think this lends a very nice cloak-and-dagger feel to computing that you just don't get very often.) Although I see that now somebody has whipped up a Java version of the s/key generator that will run on your cellphone, so it's not terribly likely that you wouldn't be able to run it.
I think SSH+skey is probably the most secure way of working from untrusted systems. The only downside is that it restricts you to working in a text shell, and you still have issues with websites, but at least you can do email and IM without worrying too much.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."