Internet Cafe Computer and Passwords, etc.

Discussion in 'other security issues & news' started by BillyH, Nov 24, 2004.

Thread Status:
Not open for further replies.
  1. BillyH

    BillyH Registered Member

    Joined:
    Nov 24, 2004
    Posts:
    4
    I'll be traveling and will have to use Internet cafe computers to pay bills, etc. Will I be able to download Spyware on any cafe computer and will that guarantee (or help) security from people getting into my stuff?

    Any suggestions? Thanks so much.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Billy,

    I have taken the liberty to move your thread out of the SpywareBlaster Forum and into a Forum where you possibly will receive more responses. This is a question that I feel you need answers to....irrespective of SpywareBlaster.

    Personally....I would never conduct Bill paying in an Internet Cafe.
     
  3. mccarob

    mccarob Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    31
    Hello,

    Most internet cafes will be using something similar to Centurion which will keep people from installing different software so that the machine will not get full of spyware. However, nothing is ever perfectly secure, and depends if the cafe was willing to spend the money on software/hardware to protect their customers.

    I think the best advice is only use a connection and a system that you trust and feel comfortable using. An internet cafe is just a breeding ground for possible trouble. I'd steer clear of it.

    Good Luck!
     
  4. j2callie

    j2callie Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    35
    Location:
    Oregon USA
    I'm having the same problem about traveling/using internet cafes, and have been researching it up the wazoo. Unfortunately, the main suggestion is just "don't do it".

    What's really interesting is that all the banks I ask about it, and the internet cafe people themselves, don't really understand what I'm asking. They just assure me that their site is encrypted. I even sent a link to that article about the key logger they found on a Kinko's machine, and they still didn't get it.

    I have a laptop I thought I might drag along to use, but it's 98SE and is having trouble with the wireless. It also weighs a ton, but I don't want to shell out for a newer one (need the money for the traveling, eh?).

    Wireless isn't totally secure either, but at least I would have control over the computer itself. I got one suggestion to use dial up to my home ISP, but of course that's not going to be cheap.

    Microsoft has an article that suggests using disposable passwords, but I haven't found out how to do that. Everyone will let me change the password, but if there's a key logger on the machine, it would have the new one too.

    There was another suggestion on the MS article, about putting XCleaner on a floppy and scanning the computer before you use it. However, I haven't been real happy with X-cleaner because it claims to have found a LOT of "severe" spyware but wouldn't remove it until I paid for the program. Makes me suspicious they're using a phony report to sell the product. (I use Spyware Blaster, Ad-aware, and Spybot and they haven't found anything at all.)

    Sooo, what I'm wondering is if there's a way to carry Spyware Blaster on a thumb drive that will protect me while I'm on that public machine?

    Or some other way to use it totally anonymously and safely? If anyone can figure this out, I bet someone here can.

    Thanks,

    Callie

    PS I'm glad to have found this because I was going to post and didn't know where to put it. Started out in the Spyware Blaster forum...
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I hate to use public computers because IMHO I feel that public computers especially those in schools, their security just sucks.
     
  6. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    BillyH and anyone else thinking of using a public wireless system: Granted some cafés have a wired system -

    To completely secure one's own wireless system at home is very complex and needs quite a bit of learning to do it (yes WPA is already cracked for those who have not heard!) so do not even think about using a public wireless system in a café or hotel or otherwise unless you do not care if someone intercepts the transmission.

    Best wishes
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Using an encrypted anonymising service (see Don't Fear Internet Anonymity Tools for a long discussion on them) like JAP or Tor can provide useful protection for wireless connections, preventing others from seeing what data you send or receive. However they cannot counter keyloggers (hardware or software) - using your own computer is the best way to avoid hardware keyloggers and securing it with software like Process Guard or SSM (or even a specialised anti-keylogger) is the best defence for the software ones.
     
  8. j2callie

    j2callie Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    35
    Location:
    Oregon USA
    Yes, I was reading about Anonymizer, although I thought that still wouldn't stop eavesdroppers on the wireless connection, just once it got to Anonymizer.

    But it's mainly the keyloggers that worried me if I wasn't using my own computer. (I really do not want to drag it along.) What I'm hoping for is something I can take along and use to protect myself when I'm on a public computer (that by definition I can't trust).

    Is there a way I can use perhaps some kind of a hardware device like you mentioned on the PUBLIC computer to secure it?

    Also, I'm not familiar with Process Guard. Is that something that I could take along and use on the PUBLIC computer?

    Do you think I could use a scanner/killer on a USB thumb drive, for instance?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Anonymizer, Tor, JAP and similar systems encrypt the data sent between your computer and the first server (with Anonymizer, it is then decrypted and sent on to its proper destination, with Tor and JAP it may be re-encrypted and sent to one or more servers before being decrypted and sent to its destination). This would provide significant protection against any wireless eavesdropping and ISP monitoring (many ISPs are now legally required to keep logs of your Internet traffic, including the sites you visit).
    The best defence against keyloggers is not to use the keyboard - using an on-screen keyboard (which should be available via Windows' Accessibility Options) for key data (passwords, etc) is the best option. It is still possible to monitor your mouse or desktop to identify what is happening, but this either requires installed software or a separate video connection to another monitor (which should be harder to disguise than a keylogger).
    There is no hardware device I know of that can counter hardware keyloggers.
    It is most unlikely that any Internet café owner would allow others to install software on their machines! If they are running Windows, then suggesting they investigate Process Guard as a means of securing their systems is the best option. For more information, check out DiamondCS' Process Guard page and the Process Guard forum here.
    You would only have restricted access to a public computer which would prevent most anti-virus/anti-trojan scanners from working properly. Hardware keyloggers cannot be countered (or even detected) by any software.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    For internet Banking: JUST DON'T DO IT!!! I had a customer lose $12,000 in Thailand, he for certain will never ever use an internet cafe for banking ever again...

    Cheers :D
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Some banks have changed their security mechanisms to reduce the chance of passwords being found out in this way (e.g. using an on-screen keypad or requiring 2 letters from your password rather than the whole word). With these systems, accessing accounts via a public machine is safer - but doing this as infrequently as possible (and using different machines/cafés each time) would be prudent.
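
The point in the post above, that a "2 letters from your password" login is safer on a public machine but should still be used as rarely as possible, worked through as an added example (not from the thread or from any bank). The 8-character password and the 2 characters per login are assumed values; the model computes how likely it is that logins already observed on one compromised machine cover everything the next challenge asks for.

```python
"""Risk model for a partial-password login ("2 letters from your password")
used repeatedly on one compromised machine. Added example; the password
length and challenge size are assumed values, not any bank's real scheme."""
from fractions import Fraction
from math import comb


def known_positions_distribution(n, k, sessions):
    """Exact distribution of how many of n positions have been observed
    after `sessions` logins, each asking for k distinct random positions."""
    dist = {0: Fraction(1)}
    for _ in range(sessions):
        nxt = {}
        for m, p in dist.items():
            # j = number of previously unseen positions in this challenge
            for j in range(k + 1):
                if j > n - m or k - j > m:
                    continue
                ways = comb(n - m, j) * comb(m, k - j)
                q = p * Fraction(ways, comb(n, k))
                nxt[m + j] = nxt.get(m + j, Fraction(0)) + q
        dist = nxt
    return dist


def p_next_challenge_answerable(n, k, sessions):
    """Probability that every position in the *next* challenge was already
    observed, i.e. the logged data alone would satisfy the login."""
    dist = known_positions_distribution(n, k, sessions)
    return sum(p * Fraction(comb(m, k), comb(n, k)) for m, p in dist.items())


def sessions_until_risk(n, k, threshold):
    """Smallest number of observed logins at which the risk reaches threshold."""
    s = 0
    while p_next_challenge_answerable(n, k, s) < threshold:
        s += 1
    return s


if __name__ == "__main__":
    n, k = 8, 2  # assumed: 8-character password, 2 characters asked per login
    print("whole password typed once:", float(p_next_challenge_answerable(n, n, 1)))
    for s in (1, 2, 5, 10):
        print(f"{s} partial logins:", float(p_next_challenge_answerable(n, k, s)))
    print("logins until 50% risk:", sessions_until_risk(n, k, Fraction(1, 2)))
```

Under these assumptions a single observed login exposes a whole-word password completely, while the partial scheme starts at 1 in 28 and passes even odds by the fifth login on the same machine, which is why spreading rare logins across different machines matters.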
     
  12. j2callie

    j2callie Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    35
    Location:
    Oregon USA
    I'm not concerned about hardware keyloggers, or cameras watching the screen (both of which seem unlikely in a public computer), but I thought I understood from one of the articles I'd read about (software/spyware) keyloggers that some of them could capture screenshots without a camera?

    I'm sure that "no internet cafe owner would allow someone to install software on their machines" except that although they might not "allow" software to be installed on their machine, I'm not sure they'd understand how it might happen without their permission --- just like the 92% of home users who have spyware and don't realize it. (or whatever the article said, I've lost the source sorry).

    Using an onscreen keypad sounds like a great idea, the Windows one or one on the bank site, if they had one. At least the likelihood of the machine having a keylogger, AND one of the ones that can monitor the screen, is getting smaller.

    Speaking of sources, here's the Fred Langa article in response to an inquiry I made of him:

    http://langa.com/newsletters/2004/2004-11-29.htm

    I've also heard from Brandon Watts that he'll be addressing the issue(s).

    thanks for all your suggestions --- I've read even MORE about the problem with all the references.

    PS: Probably what I'll do is really interrogate the admin at a couple of places I might use for sensitive transactions. Fortunately, I'll mostly be in one place.

    I think Kinko's might be the best bet, as they've been burned once and are surely more aware now (although they're also the most expensive place to use --- and don't have espresso bars)
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A hardware keylogger can be installed surreptitiously far more easily than software on a properly secured system (and a well-run café would likely reload a disk image onto their systems every day, wiping out any changes made previously which would give software keyloggers a short lifespan). See Fyodor's Chapter of Stealing the Network: How to Own a Continent for a (fictional but detailed) account of hardware keylogger usage (about halfway down, do a search for KeyGhost).
    Sounds a good idea - though using your own laptop in a public wifi hotspot (running JAP or Tor to get an encrypted connection) would be better still security-wise - less chance of any keyloggers!
     
  14. j2callie

    j2callie Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    35
    Location:
    Oregon USA
    1) would *looking* at the cable between keyboard and computer be enough to make sure there wasn't a hardware keylogger?

    2) it sounds like JAP and Tor and Anonymizer encrypt the data from the website onward but NOT between my laptop and the wireless access point. So doesn't that mean that everything I type on my own computer is visible while it's in the air? -- since most public access points don't have any log on or encryption of their own.

    Since, with wireless, I was more concerned about eavesdropping at a wi-fi (war driving etc), I thought that if I was in some resort cyber cafe that wouldn't be too likely.

    Sigh, this means I have to go buy a laptop cuz the one I have (win98SE) isn't doing too well with the wireless idea. Not to mention it weighs a ton...

    btw, this is fascinating information I'm reading up about -- I'm certainly the most expert of anyone I know around here!!
     
  15. j2callie

    j2callie Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    35
    Location:
    Oregon USA
    Was he just using the regular old public computer? wireless? had he taken any kind of precautions? was his password hacked or stolen by keyloggers etc?

    (I don't *have* $12,000, but of course can't afford to lose what I do have)
     
  16. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    With all apologies to Paranoid2000's expertise JAP may be compromised. Please see this article regarding a very good discussion about the possibility.
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For the KeyGhost mentioned in the article, yes. However it is possible to get keyboards with hardware keyloggers built in which are not then visible (although it is more likely to be the computer/network owner using these).
    JAP and Tor encrypt traffic between your PC and the first JAP/Tor server - this will include your wireless connection but won't include the connection to the website itself (it expects a clear connection so the last JAP/Tor server decrypts the traffic before sending it on). See Architecture of the Anonymization Service for details (although it covers JAP, much of it applies to Tor also).
    This issue has been pretty much done to death in the Don't Fear Internet Anonymity Tools thread. To summarise, JAP operators have the ability to monitor access attempts to specific IP addresses in the event of receiving a court order requiring logging of this data. This has happened once to date and was overturned on appeal.

    Whether you think JAP is spyware/compromised/unusable as a result (as some of the hot-air vendors on that Sourceforge thread seem to think) is your choice but even with this feature, using JAP is far more secure than browsing in the clear (where everything you do is visible to your ISP - who may not even need a court order to spill the beans).
     
  18. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    We can generally agree with this.
     
  19. BillyH

    BillyH Registered Member

    Joined:
    Nov 24, 2004
    Posts:
    4
    I'm on the road now (going 'round the world). I copied and pasted some of the text for my "stuff", but don't plan to pay bills, etc.

    Thanks for all of the great input and happy travels.
     
  20. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    If only any of the Internet cafes would allow me to install my ipGuardian, then my worries about someone stealing my passwords (when I am logging in to my internet bank, my discount stock broker etc to pay my bills and to check my stocks) will be lessened. Where I have to use a foreign PC, I normally ask for permission to install my ipGuardian (which is my password manager cum anti-phishing tool). That would give me peace of mind for a safer surfing experience.

    The other alternative, if I can plug my laptop into the (hotel) network, I should feel safer too!

    P/S I remember when I was young, there was a TV series: "Have Gun Will Travel". Nowadays, my new phrase is "Have USB will travel" :). With my USB, it carries my encrypted password file, so I do not need to type in any password on the foreign PC.
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    As long as they are secure on your disk. Don't keep passwords as plain text files on anything. Some of the more sophisticated keyloggers also intercept form inputs and even though the password shows as stars to you, it is plain text to the spy software. Cut and paste doesn't always work. Also, a good icafe will let you run a scan for spyware off of your USB drive.
     
  22. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I would never ever use the computers in a public internet cafe, they're just too insecure. You never know whether the computers have trojans or malware on them.
    I only log on to this forum from my own computer at home, because my home computer has been secured by me very tightly. I once tried to log on to wilders by using the computers in my school, but after seeing all the malware and tons of tracking cookies on the computers in my school, I decided to use my own computer at home instead.
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Do bear in mind that even if a password is stored in encrypted form and entered on a web page via software (bypassing the keyboard), it will still be sent "in the clear" for non-https websites (like this forum...*cough*) and can therefore be picked up by a packet sniffer.

    Anonymizing proxies like JAP or Tor will prevent this by encrypting the connection from the PC to the first mix server but they do require client software installation. The best bet would seem to be a low-footprint browser (like Ghostzilla) not requiring installation with an anonymizing client built-in.
     
  24. soundcheck

    soundcheck Guest

    What about using Roboform for managing those passwords? You can get a free version too. http://www.roboform.com There is also a version that can be used off a thumb drive/usb disk, though I don't think it's free.
     
  25. securityuser

    securityuser Guest

    ping: PARANOID

    Paranoid, do you have any idea how I can get a copy of Ghostzilla 1.0.1? That is the one with the trace elimination, anonymity features and it's no longer available. You can still get 1.0, but it's nothing. The developer apparently "felt bad" about what the software could do and has pulled it. Any ideas?
    secuser at yahoo.com
     