Internet Cafe Computer and Passwords, etc.

[BillyH]

I'll be traveling and will have to use Internet cafe computers to pay bills, etc. Will I be able to download Spyware on any cafe computer and will that guarantee (or help) security from people getting into my stuff?

Any suggestions? Thanks so much.

[Bubba]

Hey Billy,

I have taken the liberty to move your thread out of the SpywareBlaster Forum and into a Forum where you possibly will receive more responses. This is a question that I feel you need answers to....irrespective of SpywareBlaster

Personally....I would never conduct Bill paying in a Internet Cafe.

[mccarob]

Hello,

Most internet cafe's will be using something similiar to Centurion which will keep people from installing different software so that the machine will not get full of spyware. However, nothing is ever perfectly secure, and depends if the cafe was willing to spend the money on software/hardware to protect their customers.

I think the best advice is only use an connection and a system that you trust and feel comfortable using. An internet cafe is just a breeding ground for possible trouble. I'd steer clear of it.

Good Luck!

[j2callie]

I'm having the same problem about traveling/using internet cafes, and have been researching it up the wazoo. Unfortunately, the main suggestion is just "don't do it".

What's really interesting is that all the banks I ask about it, and the internet cafe people themselves, don't really understand what I'm asking. They just assure me that their site is encrypted. I even sent a link to that article about the key logger they found on a Kinko's machine, and they still didn't get it.

I have a laptop I thought I might drag along to use, but it's 98SE and is having trouble with the wireless. It also weighs a ton, but I don't want to shell out for a newer one (need the money for the traveling, eh?).

Wireless isn't totally secure either, but at least I would have control over the computer itself. I got one suggestion to use dial up to my home ISP, but of course that's not going to be cheap.

Microsoft has an article that suggests using disposable passwords, but I haven't found out how to do that. Everyone will let me change the password, but if there's a key logger on the machine, it would have the new one too.

There was another suggestion on the MS article, about putting XCleaner on a floppy and scanning the computer before you use it. However, I haven't been real happy wtih X-cleaner because it claims to have found a LOT of "severe" spyware but wouldnt' remove it until I paid for the program. Makes me suspicious they're using a phony report to sell the product. (I use Spyware Blaster, Ad-aware, and Spybot and they haven't found anything at all.)

Sooo, what I'm wondering is if there's a way to carry Spyware Blaster on a thumb drive that will protect me while I'm on that public machine?

Or some other way to use it totally anonymously and safely? If anyone can figure this out, I bet someone here can.

Thanks,

Callie

PS I'm glad to have found this because I was going to post and didn't know where to put it. Started out in the Spyware Blaster forum...

[nadirah]

I hate to use public computers because IMHO I feel that public computers especially those in schools, their security just sucks.

[Q Section]

BillyH and anyone else thinking of using a public wireless system: Granted some cafés have a wired system -

To completely secure one's own wireless system at home is very complex and needs quite a bit of learning to do it (yes WPA is already cracked for those who have not heard!) so do not even think about using a public wireless system in a café or hotel or otherwise unless you do not care if someone intercepts the transmission.

Best wishes

[Paranoid2000]

Quote:

Originally Posted by Q Section

To completely secure one's own wireless system at home is very complex and needs quite a bit of learning to do it (yes WPA is already cracked for those who have not heard!) so do not even think about using a public wireless system in a café or hotel or otherwise unless you do not care if someone intercepts the transmission.

Using an encrypted anonymising service (see Don't Fear Internet Anonymity Tools for a long discussion on them) like JAP or Tor can provide useful protection for wireless connections, preventing others from seeing what data you send or receive. However they cannot counter keyloggers (hardware or software) - using your own computer is the best way to avoid hardware keyloggers and securing it with software like Process Guard or SSM (or even a specialised anti-keylogger) is the best defence for the software ones.

[j2callie]

Quote:

Originally Posted by Paranoid2000

However they cannot counter keyloggers (hardware or software) - using your own computer is the best way to avoid hardware keyloggers and securing it with software like Process Guard or SSM (or even a specialised anti-keylogger) is the best defence for the software ones.

Yes, I was reading about Anonomizer, although I thought that still wouldn't stop eavesdroppers on the wireless connection, just once it got to Anonomizer.

But it's mainly the keyloggers that worried me if I wasn't using my own computer. (I really do not want to drag it along.) What I'm hoping for is something I can take along and use to protect myself when I'm on a public computer (that my definition I can't trust).

Is there a way I can use perhaps some kind of a hardware device like you mentioned on the PUBLIC computer to secure it?

Also, I'm not familiar with Process Guard. Is that something that I could take along and use on the PUBLIC computer?

Do you think I could use a scanner/killer on a USB thumb drive, for instance.

[Paranoid2000]

Quote:

Originally Posted by j2callie

Yes, I was reading about Anonomizer, although I thought that still wouldn't stop eavesdroppers on the wireless connection, just once it got to Anonomizer.

Anonymizer, Tor, JAP and similar systems encrypt the data sent between your computer and the first server (with Anonymizer, it is then decrypted and sent on to its proper destination, with Tor and JAP it may be re-encrypted and sent to one or more servers before being decrypted and sent to its destination). This would provide significant protection against any wireless eavesdropping and ISP monitoring (many ISPs are now legally required to keep logs of your Internet traffic, including the sites you visit).

Quote:

But it's mainly the keyloggers that worried me if I wasn't using my own computer. (I really do not want to drag it along.) What I'm hoping for is something I can take along and use to protect myself when I'm on a public computer (that my definition I can't trust).

The best defence against keyloggers is not to use the keyboard - using an on-screen keyboard (which should be available via Windows' Accessibility Options) for key data (passwords, etc) is the best option. It is still possible to monitor your mouse or desktop to identify what is happening, but this either requires installed software or a separate video connection to another monitor (which should be harder to disguise than a keylogger).

Quote:

Is there a way I can use perhaps some kind of a hardware device like you mentioned on the PUBLIC computer to secure it?

There is no hardware device I know of that can counter hardware keyloggers.

Quote:

Also, I'm not familiar with Process Guard. Is that something that I could take along and use on the PUBLIC computer?

It is most unlikely that any Internet café owner would allow others to install software on their machines! If they are running Windows, then suggesting they investigate Process Guard as a means of securing their systems is the best option. For more information, check out DiamondCS' Process Guard page and the Process Guard forum here.

Quote:

Do you think I could use a scanner/killer on a USB thumb drive, for instance.

You would only have restricted access to a public computer which would prevent most anti-virus/anti-trojan scanners from working properly. Hardware keyloggers cannot be countered (or even detected) by any software.

[Blackspear]

Quote:

Originally Posted by BillyH

Any suggestions? Thanks so much.

For internet Banking: JUST DON'T DO IT!!! I had a customer lose $12,000 in Thailand, he for certain will never ever use an internet cafe for banking ever again...

Cheers

[Paranoid2000]

Quote:

Originally Posted by Blackspear

For internet Banking: JUST DON'T DO IT!!! I had a customer lose $12,000 in Thailand, he for certain will never ever use an internet cafe for banking ever again...

Some banks have changed their security mechanisms to reduce the chance of passwords being found out in this way (e.g. using an on-screen keypad or requiring 2 letters from your password rather than the whole word). With these systems, accessing accounts via a public machine is safer - but doing this as infrequently as possible (and using different machines/cafés each time) would be prudent.

[j2callie]

Quote:

Originally Posted by Paranoid2000

Some banks have changed their security mechanisms to reduce the chance of passwords being found out in this way (e.g. using an on-screen keypad or requiring 2 letters from your password rather than the whole word). With these systems, accessing accounts via a public machine is safer - but doing this as infrequently as possible (and using different machines/cafés each time) would be prudent.

Quote:

Originally Posted by Paranoid2000

It is still possible to monitor your mouse or desktop to identify what is happening, but this either requires installed software or ...

I'm not concerned about hardware keyloggers, or cameras watching the screen (both of which seem unlikely in a public computer), but I thought I understood from one of the articles I'd read about (software/spyware) keyloggers that some of them could capture screenshots without a camera?

I'm sure that "no internet cafe owner would allow someone to install software on their machines" except that although they might not "allow" software to be installed on their machine, I'm not sure they'd understand how it might happen without their permission --- just like the 92% of home users who have spyware and don't realize it. (or whatever the article said, I've lost the source sorry).

Using an onscreen keypad sounds like a great idea, the Windows one or one on the bank site, if they had one. At least the likeilhood of the machine having a keylogger, AND one of the ones that can monitor the screen, is getting smaller.

Speaking of sources, here's the Fred Langa article in response to an inquiry I made of him:

http://langa.com/newsletters/2004/2004-11-29.htm

I've also heard from Brandon Watts that he'll be addressing the issue(s).

thanks for all your suggestions --- I've read even MORE about the problem with all the references.

PS: Probably what I'll do is really interrogate the admin at a couple of places I might use for sensitive transactions. Fortunately, I'll mostly be in one place.

I think Kinko's might be the best bet, as they've been burned once and are surely more aware now (although they're also the most expensive place to use --- and don't have espresso bars)

[Paranoid2000]

Quote:

Originally Posted by j2callie

I'm not concerned about hardware keyloggers, or cameras watching the screen (both of which seem unlikely in a public computer), but I thought I understood from one of the articles I'd read about (software/spyware) keyloggers that some of them could capture screenshots without a camera?

A hardware keylogger can be installed surreptitiously far more easily than software on a properly secured system (and a well-run café would likely reload a disk image onto their systems every day, wiping out any changes made previously which would give software keyloggers a short lifespan). See Fyodor's Chapter of Stealing the Network: How to Own a Continent for a (fictional but detailed) account of hardware keylogger usage (about halfway down, do a search for KeyGhost).

Quote:

PS: Probably what I'll do is really interrogate the admin at a couple of places I might use for sensitive transactions. Fortunately, I'll mostly be in one place.

I think Kinko's might be the best bet, as they've been burned once and are surely more aware now (although they're also the most expensive place to use --- and don't have espresso bars)

Sounds a good idea - though using your own laptop in a public wifi hotspot (running JAP or Tor to get an encrypted connection) would be better still security-wise - less chance of any keyloggers!

[j2callie]

Quote:

Originally Posted by Paranoid2000

using your own laptop in a public wifi hotspot (running JAP or Tor to get an encrypted connection) would be better still security-wise - less chance of any keyloggers!

1) would *looking* at the cable between keyboard and computer be enough to make sure there wasn't a hardware keylogger?

2) it sounds like jap and tor and anonomizer encrypt the data from the website onward but NOT between my laptop and the wireless access point. So doesn't that mean that everything I type on my own computer is visible while it's in the air? -- since most public access points don't have any log on or encryption of their own.

Since, with wireless, I was more concerned about eavesdropping at a wi-fi (war driving etc), I thought that if I was in some resort cyber cafe that wouldn't be too likely.

Sigh, this means I have to go buy a laptop cuz the one I have (win98SE) isn't doing too well with the wireless idea. Not to mention it weighs a ton...

btw, this is fascinating information I'm reading up about -- I'm certainly the most expert of anyone I know around here!!

[j2callie]

Quote:

Originally Posted by Blackspear

For internet Banking: JUST DON'T DO IT!!! I had a customer lose $12,000 in Thailand, he for certain will never ever use an internet cafe for banking ever again...

Cheers

Was he just using the regular old public computer? wireless? had he taken any kind of precautions? was his password hacked or stolen by keyloggers etc?

(I don't *have* $12,000, but of course can't afford to lose what I do have)

[Q Section]

With all apologies to Paranoid2000's expertise JAP may be compromised. Please see this article regarding a very good discussion about the possibility.

[Paranoid2000]

Quote:

Originally Posted by j2callie

1) would *looking* at the cable between keyboard and computer be enough to make sure there wasn't a hardware keylogger?

For the KeyGhost mentioned in the article, yes. However it is possible to get keyboards with hardware keyloggers built in which are not then visible (although it is more likely to be the computer/network owner using these).

Quote:

2) it sounds like jap and tor and anonomizer encrypt the data from the website onward but NOT between my laptop and the wireless access point. So doesn't that mean that everything I type on my own computer is visible while it's in the air? -- since most public access points don't have any log on or encryption of their own.

JAP and Tor encrypt traffic between your PC and the first Jap/TOR server - this will include your wireless connection but won't include the connection to the website itself (it expects a clear connection so the last JAP/Tor server decrypts the traffic before sending it on. See Architecture of the Anonymization Service for details (although it covers JAP, much of it applies to Tor also).

Quote:

Originally Posted by Q Section

With all apologies to Paranoid2000's expertise JAP may be compromised. Please see this article regarding a very good discussion about the possibility.

This issue has been pretty much done to death in the Don't Fear Internet Anonymity Tools thread. To summarise, JAP operators have the ability to monitor access attempts to specific IP addresses in the event of receiving a court order requiring logging of this data. This has happened once to date and was overturned on appeal.

Whether you think JAP is spyware/compromised/unusable as a result (as some of the hot-air vendors on that Sourceforge thread seem to think) is your choice but even with this feature, using JAP is far more secure than browsing in the clear (where everything you do is visible to your ISP - who may not even need a court order to spill the beans).

[Q Section]

Quote:

Originally Posted by Paranoid2000

...using JAP is far more secure than browsing in the clear (where everything you do is visible to your ISP - who may not even need a court order to spill the beans).

We can generally agree with this.

[BillyH]

I'm on the road now (going 'round the world). I copied and pasted some of the text for my "stuff", but don't plan to pay bills, etc.

Thanks for all of the great input and happy travels.

[sekuritas]

If only any of the Internet cafes would allow me to install my ipGuardian, then my worries about someone stealing my passwords (when I am logging to my internet bank, my discount stock broker etc to pay my bills and to check my stocks) will be lessened. Where I have to use a foreign PC, I normally ask for permission to install my ipguardian (which is my password manager cum anti-phishing tool). That would give me a peace of mind for a safer surfing experience.

The other alternative, if I can plug my laptop into the (hotel) network, I should feel safer too!

P/S I remember when I was young, there was a TV series : "have gun will travel". Nowadays, my new phrase is a "Have USB will travel" :-). With my usb, it carries my encrypted password file, so I do not need to type in any password on the foreign PC.

[LockBox]

Quote:

Originally Posted by Spanner intheWorks

To prevent typing in Any passwords Ever, what you can do is store them on a floppy for example or USB memory stick etc. Then copy and paste from that location into the password box and hey presto no keylogger or anyone can read ANY of it !

The only other thing you need to be aware of and DO, is clear the clipboard cache and your laughing.

As long as they are secure on your disk. Don't keep passwords as plain text files on anything. Some of the more sophisticated keyloggers also intercepts form inputs and even though the password shows as stars to you, it is plain text to the spy software. Cut and paste doesn't always work. Also, a good icafe will let you run a scan for spyware off of your USB drive.

[nadirah]

I would never ever use the computers in a public internet cafe, they're just too insecure. You never know whether the computers have trojans or malware on them.
I only log on to this forum from my own computer at home, because my home computer has been secured by me very tightly. I once tried to log on to wilders by using the computers in my school, but after seeing all the malware and tons of tracking cookies on the computers in my school, I decided to use my own computer at home instead.

[Paranoid2000]

Quote:

Originally Posted by Spanner intheWorks

Of course people can always encrypt the passwords on the floppy etc in 1 go, and then they Only have to remember 1 password to decrpyt/encrpyt the whole lot. Also the beauty with this approach is even if a keylogger etc captured just this 1 Master password it would be Completely useless to whoever as it's Not for logging in anywhere etc, bearing in mind what you said !

Do bear in mind that even if a password is stored in encrypted form and entered on a web page via software (bypassing the keyboard), it will still be sent "in the clear" for non-https websites (like this forum...*cough*) and can therefore be picked up by a packet sniffer.

Anonymizing proxies like JAP or Tor will prevent this by encrypting the connection from the PC to the first mix server but they do require client software installation. The best bet would seem to be a low-footprint browser (like Ghostzilla) not requiring installation with an anonymizing client built-in.