Tell me how secure you think my anti-keylogger idea is (Backpacking Europe)

Before I explain my idea, let me make it clear that I know this is a compromise. I'm not going to be able to bring a laptop/pda or only use locked down PCs (like easyInternetCafe). This is the best I have been able to come up with for bad situation.

I am going to be backpacking Europe in the near future for a few months. Even though I'll be all over Europe, I still will need to access a computer weekly to take care of some business. I have a handful of websites I will be logging into to do various things. Some I have control over, but many I do not, so I can't implement one-time passwords.

This is the idea I came up with.

Set up a secure, .htaccess passworded page. Instead of logging into this page with the same password everytime, it will ask for random characters from a sequence of letters and numbers that I memorize.

For example, it could ask for the characters at the 4th, 10th, 2nd, 25th and 14th positions. That would be the password that time, but the next time it would be completely different positions. I can memorize really long strings of random letters and numbers using memory systems (search amazon.com if you are curious), so I could potentially have a 50 character "password".

How would the .htaccess password and description (so I know which positions to enter) be changed? I haven't quite decided yet. I'll either have it changed by a cron job or manually when I "log out". Maybe both, just to be safe that it gets changed.

Now, I know you're thinking, how would this help you log into a third party website without a keylogger getting your passsword.

Each third party website I want to be able to access would have a link on the .htaccess passworded page. The link would take you to a dynamically generated page (also protected via .htaccess) that would have a form and hidden variables populated with the username and password (stored in database) for the website pre-entered. The form would submit automatically (via javascript) to the third party website and log me in.

I guess some keyloggers/etc. could potentially track post variables, but I doubt it's very common, when in most cases you can just track what the user has entered via the keyboard.

Thoughts? Better ideas?

Edit: I posted on another forum and got quite a few ideas on having rotating/dynamic passwords!

My main concern now is finding the most secure way to log into a third party website (like Gmail) without having to physically type the login/password (because otherwise a keylogger will pick it up and it can't be rotated automatically).

 

Hi,
Here's a solution to your problem:

BartPE or Ultimate Boot CD for Windows

Bootable CDs for Windows with Internet access.
Ultimate Boot CD is particularly good, since it comes with tons of applications, including anti-virii, anti-spyware, diagnostics etc. But for you, most importantly, it includes Firefox browser, and even a mail client.
You can boot from CD, do whatever you need, reboot and no trace of your work will remain. Plus, the local system keyloggers, if existing, will not be effective.
Mrk

 

There's also Kubuntu, Knoppix, Damn Small Linux, and a host of other Live linux CDs that will let you do what you need to do without having to spend time setting up your workaround. I used to be a hardcore anti-penguin, now I can't live without my Kubuntu disk. I think it would make a great travelling companion for this trip.

 

Hardware keyloggers will still work.

 

Hi,
True...how about a virtual keyboard plugin...?
Mrk

 

But running a virtual keyboard off the Linux or other cd would then be able to defeat any hardware keyloggers that may be covertly installed along the keyboard cable or hidden within the keyboard itself.

 

NOTE: not having NET framework installed on this particular computer I was not able to "test" this program.....so, use caution..as always




http://www.absolis.com/thesecureproject/index.html



*****Simply speaking, it is possible to create a virtual keyboard that uses the mouse instead of the keys. Such virtual boards appear on the screen and let the user interact with it in order to produce safe and stealth text. However, even virtual keyboards have a security vulnerability: as the mouse produces system messages, it is possible to record them secretly and then to play them back. As a consequence, it is possible to reproduce mouse clicks on the virtual keyboard and thus acquire the sensible data.



Ganymede Generation I is the very first software that blocks any keyloggers as well as any other system spyers. Ganymede transparently unables any system spyer being it a viruse or a custom program, without depending on the user. It also provides a virtual keyboard that cannot be monitored using system recorders.

*******************************


Regards

Snowie

 

But how could a program even run on a computer where you've booted to a cd and thereby are bypassing the OS completely? Are you saying this program would have to be hidden on the cd somehow? And where would the recorded data go?

 

Yet another interesting program for consiferation:


http://www.metropipe.net/ProductsPVPM.shtml


No installation needed - just plug the drive into any Windows or Linux computer, and click on the Virtual Privacy Machine icon and you're ready to go.

The VPM's network connection will auto configure and run seamlessly on any machine with a working internet connection..

All Internet session data (cookies, history, downloads, etc.) are stored on the VPM, not the host computer.

Runs on any rewriteable media (USB drives, Flash Memory cards, Secure Digital devices, iPods, etc.)

This PR1 release runs on Windows and Linux - final release version will also run on OS X.

Runs in full screen mode (press SHIFT


Regards

Snowie

 

Snowie,

That's very, very interesting.

So basically Virtual Privacy Machine stops software keyloggers from recording keystrokes and stops any data from being cached.

If I were to combine Virtual Privacy Machine with something like Ganymede Generation I (or another virtual keyboard), then I wouldn't have to worry about software or hardware keyloggers, right?

I have two tiny 1GB flash "thumb" drives on their way here right now. I'll definitely be testing this out.

Thanks everyone for your suggestions.

 

Not wanting to be a killjoy, but seriously i think you should do a forum search on metropipe etc, before you flash the plastic and sign up !

There are Freeware alternatives available that can run on a flash drive. I'll post back later with more info, and maybe others will too.


StevieO

 

After seeing the post by SteveO I did a little quick googling an came up with this.......VERY MUCH SHOULD READ



http://jclement.ca/blog/2004-10-21T22_21_34.html



The Link bears posting here an should be read.......if in fact the program is a scam.....then my apology is offered for having placed it here......was not awear at the time that it was a possible scam..........will continue to look into this issue.

SteveO.....thank you for the heads-up.....



Snowie

 

Thanks for the heads up and link guys.

I was reading about it on Slashdot and became a little sceptical.

http://yro.slashdot.org/comments.pl?sid=126599&threshold=-1&mode=thread&commentsort=0&op=Change

 

HAPPYGO


Yes, perhaps you should skip the VPM...........sorry for my error in posting the info........will keep my eyes open for something else......

have a safe and enjoyable trip.......an do be careful, if I may say..


Regards

Snowie The Snowman

 

If they will let you connect to a USB port then there are solutions.

This should keep you going for a while.


Portable apps for USB flash Drives

http://www.techtastic.ca/articles/portable.html

Portable Firefox your browser, your way... in your pocket

http://portableapps.com/apps/internet/browsers/portable_firefox

Oscar's zero footprint shield for private browsing

http://www.mediachance.com/free/footprint.htm

Tor + Portable Browser + Flash Drive

http://archives.seul.org/or/talk/Sep-2005/msg00216.html

StealthSurfer II PrivacyStick

http://stealthsurfer.biz/


StevieO