Slashdot Mirror
Best Way To Avoid Keyloggers On Public Terminals?
goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. Kyps.net offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true, (and I can't evaluate its security) it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecureID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"
I click around on icons until I can copy and paste a lot of letters into a single file. Then, with my Alpha-pallette, I cut and paste each letter as needed.
Umm -- simple answer, don't access trusted information from an untrusted terminal? You can have no expectation of privacy while using that machine.
You could type the letters out-of-order, then rearrange them using drag+drop. Someone with a keylogger probably wouldn't bother using the mouse input to figure it out.
I'm not trolling here. If you're being keylogged, then even if your password isn't stolen, every single thing you do on that computer must be treated as public. Emails would be keylogged too.
Once you suspect a terminal is owned, that's it, game over, don't trust it. Probably not what you want to hear, and definitely not convenient for you, but every other solution is a compromise in security.
The ONLY alternative I could think of that I can stomach is to have a separate email address that you use only from public terminals. Change the password often and consider anything you say via that account to be as public as if it were announced over a PA system at an airport.
These posts express my own personal views, not those of my employer
Any smart keylogger will look at the raw text behind any password field on a website. Cut and Paste etc would be useless.
Enter your password in a different order than it is spelled? Simplest example: given your pass is "password", first write "pasrd", click between 3rd and 4th asterisk, complete it by entering "swo". The more complicated, the better.
I'm using this when I absolutelly need to use web cafe/etc....should fool most keyloggers, I guess. I still change my password afterwards as soon as possible.
One that hath name thou can not otter
To get root access on my server, I use a one time password system(rfc 2289). I use a S/KEY calculator on a palm pilot, and PAM Opie on the server. The public terminal never sees a long term password, it never leaves the PDA.
Not much else to be said. Maybe you could also use a crypto token and asymetric crypto, but considering that you need drivers, I'd say it's not practical. You might still use some sort of somewhat disposable private/public key. That should defeat keyloggers, but you risk getting your key compromised (that's why it's disposable).
GPG 0x1B479C78
When it comes to security, the best answer usually becomes the most unpopular and hard to swallow.
--- Grow a pair, liberals... stop letting the Republicans bully you!
What protection does that afford against a physical keylogger?
Not all keyloggers are software.
If I have nothing to hide, don't search me
He uses only the mouse, so it is invulnerable to that method, actually. You need to capture the mouse actions and the screen simultaneously. This is something not easily done in separate hardware.
Setup a Knoppix or other (Ubuntu?) livecd using the available tools. Don't worry about anything except setting up an IPSEC tunnel, with preset keys to a machine at home. Presumably this machine should be pulling down your email and other data that you need to access. Since the boot is fresh from a trusted CD it defeats software keyloggers, and using the secure keys also sets it up so you don't have to worry about hardware keyloggers getting your passwords.
Frankly, you ARE better off with some form of wireless PDA or PDA Phone... but if you want to be cheap, it will still cost you time.
" What luck for rulers that men do not think" - Adolf Hitler
So, thinking about this a bit...the point is you need a password that can't be used later. The digital services are fine, but do we really need more than a 1-5 minute resolution here?
So a clever IT department could make passwords dependant on the time and date. Print out a code sheet, different for each employee, with words substituted for the date and time, a short word for the date and a short word for the ten minute time period you're in, something like that.
This way the password would be useless to a logger, you'd need a code sheet to log in, but it doesn't seem like it would be THAT much trouble (if your info is so important you're this paranoid...)...
I call the patent!
...then don't use a public terminal.
I'm really not being flippant here. The posters above have listed some ways around a basic keylogger, but there are other ways a system can be compromised. You could be dealing with a program that takes screenshots and/or reads the clipboard at random intervals. Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.
My policy on using public access computers is that I only use them when I have no other choice, and the more valuable the data I need to protect, the less likely I am to use one.
There are so many more attack vectors than a keylogger that, if I were you, I wouldn't just focus on that one thing. If your data really needs to be secure and accessed remotely, get yourself a laptop and a data card from one of the cell carriers. At least that way, you can keep physical control over your machine and avoid the risks of using a hotspot. Of course, if you think that someone will be able to tap into your wireless connection through a cell phone carrier, than you likely have more issues than we can address here.
A LiveCD will not save you from a hardware based key logger
You could try running Portable Firefox with KeyScrambler from a thumb drive. https://addons.mozilla.org/en-US/firefox/addon/3383
If you've got to stay in touch on the road then take your own machine along - either a laptop or a portable device like an iPhone. You can find wireless access almost anywhere and while that wireless may be hacked, at least the machine you're using won't be.
The suggestions to use a Linux CD or Firefox from a USB memory stick aren't going to give you the safety you're looking for. Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.
Remember: do NOT enter any information into a public terminal that you wouldn't want to publish in the newspaper.
I once had to remote support a customer in another country and they sent us a little card-sized gadget that displayed a random code that changed every few minutes. It was synchronised (by the clock being pretty accurate I suppose, or possibly by radio signal) to an identical random code list at their site. So whenever we wanted to log in we just looked at the current code on the card, typed it in and at their end the code was checked against the current code.
This sort of set-up could be very useful for people who frequently use public terminals. Your code can still be compromised but the crooks would only have a few minutes to retrieve and use it. Maybe you could even have it so that when you use a code once, the central code verification server invalidates it, so no-one else can log in, even if they do get the code quickly.
I don't believe anything like this exists for the average person wanting to use normal email accounts though. Anyway, none of this changes the possibility that there are screenshots being taken every few seconds so that all of your private emails will be viewed later anyway.
Certain sectors of the defense industry, for one. Mostly it stems from fear of camera phones, so they ban all phones from the facility period, camera or not. But there are also other concerns that they have, rightly or not.
Touch everywhere, even when inappropriate.
I built a system in the late 90's where you had a web-page where you entered an account-name. That name was tied to a cellphone number which was sent a generated password as a text-message. The password was only valid for 5 minutes.
AFAIK it's still in use and have never been cracked.
--- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
What kind of place doesn't allow phones and also has publicly available computers to use?
...I carry my own means to do so. Wether that be a smartphone, iPod touch, PSP, laptop with wifi, wireless broadband or (a consideration when I am travelling in developing nations) a satellite modem...
IMO, the use of a public terminal for private purposes is the height of stupidity.
This would require server-side scripting, but what if each account kept a phone number on file? If the person uses the correct password, keep them out but text message them a single-use password. They can now log-in with the single-use password.
Now the system requires something you know (your password) and something you have (your phone).
The ______ Agenda
I bring it with me - I have a macbookPro and I don't use public terminals. You can get cooties that way.
RS
Shoes for Industry. Shoes for the Dead.
Identity Theft International bans phones but offers free internet access in most cities. Don't worry about that funny message about site certificates not matching, it's just our https proxy. Click OK! Click OK!
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I actually have flash disabled in all my browsers, mostly because I can only use a fraction of my pipe for surfing.
All the sites I patronize have, thus far, operated perfectly fine without flash. Once they begin to demand flash or other such crap, I'll find alternatives or do without. Flash has FAR too much risk of being abused (and has been) in the past. Same with javascript and especially Java. I surf for information, not flashy buttons and popups.
Speaking of funny, I checked out "classmates.com" recently, and I must say DEAR GOD... (my personal profile is full of bullshit per my specification) ye gods those people have put up everything but their online banking password on those entries. But that isn't the worst part. The worst part is loading that website, and receiving twenty different batches of advertising tracking cookies, three batches of tracking cookies from the site, and watching it load and move around slower than mollases.
Is that truly necessary? Hell, they charge these people for memberships. I actually test drove a membership some years back just to see, and even then, even for "paying members" they still didn't remove the adverts and other sluggish bloat on their site.
I restate my question. Is that kind of bloat TRULY necessary?
" What luck for rulers that men do not think" - Adolf Hitler
Which does you what good, exactly, when malicious software already has control of the OS and can see (and alter) everything that passes through memory?
I'm aghast at all the people suggesting nonsense like copying and pasting or making silly efforts to run trusted copies of applications. If the OS is compromised, absolutely nothing you can do at higher layers that will not be compromised.
As (terrifyingly few) people have already said, the answer to the original question is that you can't. If the machine itself is untrusted, any attempts to add security atop that is just building castles on quicksand.
Setup VNC or something similar on your home desktop. Create a list of passwords you'll use for the duration of your trip.
Every time you stop by at a cybercafe, connect to your VNC, do your business with all your passwords pre-saved safely on your home desktop. Once done, execute a script which will change the password to the next password on the list, log out, and move on.
I haven't done this myself, but last time I went to Italy and had to use some really shady cybercafes, I really wished I had a system like this in place...
- shazow
>Is that truly necessary?
The LAST thing I want is contact with anybody from my High School.
So
-fb Everything not expressly forbidden is now mandatory.
Many areas are accurately classified as "secure." Rent-a-cop manning a checkpoint at a facility surrounded by a scalable fence? Secure. Unguarded arms room? Secure. Building with armed guards, roving K9 patrols, and access controlled by multifactor authentication? (Probably) secure. The restrictions in effect depend on the nature of what is being safeguarded; comparing two situations is like apples and oranges. What I can tell you is how data/equipment of different classifications are treated.
FOUO/Unclassified-Pretty much the catch-all for government owned IT-equipment. Could have just a OEM copy of WinXP (standalone systems), or our enterprise's standard image. IT BBP applies: no end-user admin rights, but no restrictions on networking, only "approved" hardware/software. If lost/stolen/compromised, investigation is launched to determine possible risk (in aggregate, even unclassified data can yield vital information on operations) as well as verify that data was in fact only FOUO. Standard WPA/WPA2 is not considered acceptable for work-related activities, but there are approved solutions for official wireless use out there (AirFortress being the most popular).
Sensitive but Unclassified(SBU)-generally anything with SSNs or personnel data warrants this classification. Not approved for travel/remote use unless there's encryption in place. Aside from that, same as FOUO.
Confidential-Never encountered it applied to data. Should never be on a Unclassified system.
Secret-Computers, CDs/floppies, printers/copiers: everything Secret must be accounted for. Efforts are made to ensure only Secret devices touch the secret network (for me, SIPR). Secret devices are secured when not in use (otherwise they're hand-carried; oh yes, I was a COMSEC courier), and should never touch unclassified networks. Treated very similar to individually-issued firearms: nobody carries a device home for the night. Wireless is definitely out of the question.
I don't have experience with anything higher than Secret.
It blows my mind when I see someone logged into their bank/email/etc from a public terminal.
I was once friends with a guy that carried around a PS/2 keylogger that he would plug into university terminals for a day or two then pick it up later. He just wanted to see what he could find. He found everything from people doing homework, cybersex, and even bank info. Now if he was actually out to do harm, he could have really made things bad for hundreds of people.
If it's not yours then just assume that it has a loudspeaker on it broadcasting everything you do to everyone around you.
And for those that think cut&paste, screen keyboards, etc will protect them. I personally installed a keylogger on a friend's PC to catch her then, 12 year old son, looking at porn. The log files had a play button which would replay every mouse movement, screen change, and keyboard input for up to 96 hours. This was about 7 years ago so I'm sure they've gotten better.
We had an Internet Cafe (through a commercial ISP) at two locations inside the fence. It served two purposes -- first, we had a lot of folks visiting us who might need to access blocked sites. Second, it could be used by visiting foreign nationals who weren't cleared to use NIPRNet (we also had a classified LAN for them to use). We periodically re-imaged the cafe, but we didn't really care enough to do it frequently.
It's always a long day... 86400 doesn't fit into a short.
When I was in charge of government laptops, we disabled booting off of anything but the hard drive and locked the BIOS with a password. Sure, the user could reset it, but we'd know that they did so.
The point isn't whether you think that what you're doing is OK. The point is that you aren't authorized to make that decision.
It's always a long day... 86400 doesn't fit into a short.
"The restrictions in effect depend on the nature of what is being safeguarded; comparing two situations is like apples and oranges."
:)
Very true and *must* be remembered when at a govt installation - especially ones that had ever done nuke stuff at some point. There are MANY reasons for a "secure" rating and it may be more to protect you than the what is inside the compound.
There was an incident shortly after 9/11 where some reporter showed how "insecure" a sight at LANL was by scaling a fence, cutting a lock off a building, and taking many photos. It also included a rant about why spend security on those empty buildings. After some posting across the internet he finally found out why (and anyone who has worked in such installations immediately knew the answer) - the building was contaminated with highly radioactive dust that is nearly impossible to clean up so just lock it off. Yep, that guy sure showed them by breathing in some gamma emitting particles.
I have been in facilities where real weapons research was going on and it had fully manned machine gun turrets and was (maybe) mined outside of the official walkway (the mines were according to lore at the area - hard to know if true though the machine guns were quite visible and would have been sufficient. I know much of the lore about the area I worked in wasn't true and the machines guns should have been sufficient). Never knew what they did there more than "weapons research" - I ate lunch a time or two with one of the principle designers of our Neutron Bomb and that was where his office was and that is far as I knew anything (and wanted to know - you don't ask about those areas).
"FOUO/Unclassified-Pretty much the catch-all for government owned IT-equipment."
I would add that much of what you post is on machines that the IT guys managed. I worked in the research division and because our research was on scalable system administration we did pretty much what we wanted with them. I know a number of other researchers mostly administered their own system as they sometimes required some software that IT wouldn't support.
The security of those systems ranges from good to horrid, shortly before my contract ran out we had an incident where well over 50 systems were compromised due to those peoples computers using a symmetric SSH key system from their office in a university (in this case the person didn't log out of a public terminal telnetted - yes telnetted - to their university desktop) to *all* the machines they had access too. Amusingly enough the hacker had access to the Big Iron machine (an IBM sp2) and didn't know what it was so he went for more desktops. It was an amusing meeting - after two hours of listening to a guy drone on about ssh keys, telnet, encrypted and unencrypted connections, keyloggers on public terminals, etc he asked any questions. First one: "What's SSH?" (note this included the chemists, physicists, biologist, and a few more "..ists" that had no real reason to know, we were all were giggling at this point).
Unfortunately some of the researchers were not very good at watching what systems they ran on. I know of at least once where someone was having trouble running on our stuff and I (being root) logged into their account and debugged their software. Found out later the reason they freaked when I told them what was wrong was that they were in the "sensitive unclassified" category. They had no idea root could do that and figured we normally ran a tighter ship security wise than the official systems did (which in some ways was true, in others not and they found out the latter the hard way).
*note - anonymous because even though it has been a number of years still not sure what I am allowed to talk about. So feel free to write me off