Tell me how secure you think my anti-keylogger idea is (Backpacking Europe)

Discussion in 'other security issues & news' started by HappyGoUnlucky, Jan 29, 2006.

Thread Status:
Not open for further replies.
  1. HappyGoUnlucky

    HappyGoUnlucky Registered Member

    Joined:
    Jan 29, 2006
    Posts:
    3
    Before I explain my idea, let me make it clear that I know this is a compromise. I'm not going to be able to bring a laptop/PDA or only use locked down PCs (like easyInternetCafe). This is the best I have been able to come up with for a bad situation.

    I am going to be backpacking Europe in the near future for a few months. Even though I'll be all over Europe, I still will need to access a computer weekly to take care of some business. I have a handful of websites I will be logging into to do various things. Some I have control over, but many I do not, so I can't implement one-time passwords.

    This is the idea I came up with.

    Set up a secure, .htaccess passworded page. Instead of logging into this page with the same password every time, it will ask for random characters from a sequence of letters and numbers that I memorize.

    For example, it could ask for the characters at the 4th, 10th, 2nd, 25th and 14th positions. That would be the password that time, but the next time it would be completely different positions. I can memorize really long strings of random letters and numbers using memory systems (search amazon.com if you are curious), so I could potentially have a 50 character "password".

    How would the .htaccess password and description (so I know which positions to enter) be changed? I haven't quite decided yet. I'll either have it changed by a cron job or manually when I "log out". Maybe both, just to be safe that it gets changed.

    Now, I know you're thinking, how would this help you log into a third party website without a keylogger getting your password?

    Each third party website I want to be able to access would have a link on the .htaccess passworded page. The link would take you to a dynamically generated page (also protected via .htaccess) that would have a form and hidden variables populated with the username and password (stored in database) for the website pre-entered. The form would submit automatically (via javascript) to the third party website and log me in.

    I guess some keyloggers/etc. could potentially track post variables, but I doubt it's very common, when in most cases you can just track what the user has entered via the keyboard.

    Thoughts? Better ideas?

    Edit: I posted on another forum and got quite a few ideas on having rotating/dynamic passwords!

    My main concern now is finding the most secure way to log into a third party website (like Gmail) without having to physically type the login/password (because otherwise a keylogger will pick it up and it can't be rotated automatically).
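
Added example, not part of the original post: a Python sketch of the positional challenge described above (5 positions asked from a 50-character memorized string), with the exposure arithmetic for a machine that records both the on-screen prompt and the keystrokes. The function names and the sample secret are assumptions made for illustration.

```python
import hmac
import secrets
from math import comb

SECRET_LEN = 50   # memorized string length mentioned in the post
ASKED = 5         # positions requested per login, as in the post's example
_rng = secrets.SystemRandom()

def new_challenge(secret_len=SECRET_LEN, k=ASKED):
    """Pick k distinct 1-based positions using the OS CSPRNG."""
    return _rng.sample(range(1, secret_len + 1), k)

def response_for(secret, positions):
    """Characters the user is expected to type for this challenge."""
    return "".join(secret[p - 1] for p in positions)

def verify(secret, positions, typed):
    """Compare in constant time so timing does not leak matching characters."""
    return hmac.compare_digest(response_for(secret, positions).encode(), typed.encode())

def expected_exposed(logins, secret_len=SECRET_LEN, k=ASKED):
    """Expected count of distinct positions typed after `logins` sessions."""
    return secret_len * (1 - (1 - k / secret_len) ** logins)

def replay_probability(known, secret_len=SECRET_LEN, k=ASKED):
    """Chance a fresh challenge asks only for already-exposed positions."""
    return comb(known, k) / comb(secret_len, k)

def simulate(secret, logins):
    """Return {position: character} typed across `logins` valid sessions."""
    seen = {}
    for _ in range(logins):
        positions = new_challenge(len(secret))
        typed = response_for(secret, positions)
        if not verify(secret, positions, typed):
            raise RuntimeError("self-check failed")
        seen.update(zip(positions, typed))
    return seen

if __name__ == "__main__":
    alphabet = "abcdefghijkmnpqrstuvwxyz23456789"
    secret = "".join(secrets.choice(alphabet) for _ in range(SECRET_LEN))  # constructed sample
    for n in (1, 4, 12, 26):   # e.g. weekly logins over a few months
        known = len(simulate(secret, n))
        print(n, known, round(expected_exposed(n), 1), round(replay_probability(known), 4))
```

With these parameters about 36 of the 50 positions are expected to have been typed after 12 logins, so the scheme's value depends on how many sessions happen on recorded machines before the string is replaced.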
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hi,
    Here's a solution to your problem:

    BartPE or Ultimate Boot CD for Windows

    Bootable CDs for Windows with Internet access.
    Ultimate Boot CD is particularly good, since it comes with tons of applications, including anti-virii, anti-spyware, diagnostics etc. But for you, most importantly, it includes Firefox browser, and even a mail client.
    You can boot from CD, do whatever you need, reboot and no trace of your work will remain. Plus, the local system keyloggers, if existing, will not be effective.
    Mrk
     
  3. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    There's also Kubuntu, Knoppix, Damn Small Linux, and a host of other Live linux CDs that will let you do what you need to do without having to spend time setting up your workaround. I used to be a hardcore anti-penguin, now I can't live without my Kubuntu disk. I think it would make a great travelling companion for this trip.
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hardware keyloggers will still work.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hi,
    True...how about a virtual keyboard plugin...?
    Mrk
     
  6. securityn00b

    securityn00b Guest


    But running a virtual keyboard off the Linux or other cd would then be able to defeat any hardware keyloggers that may be covertly installed along the keyboard cable or hidden within the keyboard itself. ;)
     
  7. Snowie

    Snowie Guest

    NOTE: not having .NET Framework installed on this particular computer I was not able to "test" this program.....so, use caution..as always




    http://www.absolis.com/thesecureproject/index.html



    *****Simply speaking, it is possible to create a virtual keyboard that uses the mouse instead of the keys. Such virtual boards appear on the screen and let the user interact with it in order to produce safe and stealth text. However, even virtual keyboards have a security vulnerability: as the mouse produces system messages, it is possible to record them secretly and then to play them back. As a consequence, it is possible to reproduce mouse clicks on the virtual keyboard and thus acquire the sensible data.



    Ganymede Generation I is the very first software that blocks any keyloggers as well as any other system spyers. Ganymede transparently unables any system spyer being it a virus or a custom program, without depending on the user. It also provides a virtual keyboard that cannot be monitored using system recorders.

    *******************************


    Regards

    Snowie
     
  8. securityn00b

    securityn00b Guest

    But how could a program even run on a computer where you've booted to a cd and thereby are bypassing the OS completely? Are you saying this program would have to be hidden on the cd somehow? And where would the recorded data go?
     
  9. Snowie

    Snowie Guest

    Yet another interesting program for consideration:


    http://www.metropipe.net/ProductsPVPM.shtml


    No installation needed - just plug the drive into any Windows or Linux computer, and click on the Virtual Privacy Machine icon and you're ready to go.

    The VPM's network connection will auto configure and run seamlessly on any machine with a working internet connection..

    All Internet session data (cookies, history, downloads, etc.) are stored on the VPM, not the host computer.

    Runs on any rewriteable media (USB drives, Flash Memory cards, Secure Digital devices, iPods, etc.)

    This PR1 release runs on Windows and Linux - final release version will also run on OS X.

    Runs in full screen mode (press SHIFT


    Regards

    Snowie
     
  10. HappyGoUnlucky

    HappyGoUnlucky Registered Member

    Joined:
    Jan 29, 2006
    Posts:
    3
    Snowie,

    That's very, very interesting.

    So basically Virtual Privacy Machine stops software keyloggers from recording keystrokes and stops any data from being cached.

    If I were to combine Virtual Privacy Machine with something like Ganymede Generation I (or another virtual keyboard), then I wouldn't have to worry about software or hardware keyloggers, right?

    I have two tiny 1GB flash "thumb" drives on their way here right now. I'll definitely be testing this out.

    Thanks everyone for your suggestions.
     
    Last edited: Jan 29, 2006
  11. StevieO

    StevieO Guest

    Not wanting to be a killjoy, but seriously I think you should do a forum search on metropipe etc, before you flash the plastic and sign up !

    There are Freeware alternatives available that can run on a flash drive. I'll post back later with more info, and maybe others will too.


    StevieO
     
  12. Snowie

    Snowie Guest

    After seeing the post by StevieO I did a little quick googling and came up with this.......VERY MUCH SHOULD READ



    http://jclement.ca/blog/2004-10-21T22_21_34.html



    The Link bears posting here and should be read.......if in fact the program is a scam.....then my apology is offered for having placed it here......was not aware at the time that it was a possible scam..........will continue to look into this issue.

    StevieO.....thank you for the heads-up.....



    Snowie
     
  13. HappyGoUnlucky

    HappyGoUnlucky Registered Member

    Joined:
    Jan 29, 2006
    Posts:
    3
  14. Snowie

    Snowie Guest

    HAPPYGO


    Yes, perhaps you should skip the VPM...........sorry for my error in posting the info........will keep my eyes open for something else......

    have a safe and enjoyable trip.......and do be careful, if I may say..


    Regards

    Snowie The Snowman
     
  15. StevieO

    StevieO Guest

    If they will let you connect to a USB port then there are solutions.

    This should keep you going for a while.


    Portable apps for USB flash Drives

    http://www.techtastic.ca/articles/portable.html

    Portable Firefox your browser, your way... in your pocket

    http://portableapps.com/apps/internet/browsers/portable_firefox

    Oscar's zero footprint shield for private browsing

    http://www.mediachance.com/free/footprint.htm

    Tor + Portable Browser + Flash Drive

    http://archives.seul.org/or/talk/Sep-2005/msg00216.html

    StealthSurfer II PrivacyStick

    http://stealthsurfer.biz/


    StevieO
     