News for nerds, stuff that matters

Best Way To Avoid Keyloggers On Public Terminals?

Posted by Soulskill on Wednesday April 23, @10:09PM
from the it's-not-paranoia-if-they're-actually-out-to-get-you dept.
goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. A Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. Kyps.net offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true (and I can't evaluate its security), it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecurID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"

  • I don't type (Score:5, Interesting)

    by dmomo (256005) on Wednesday April 23, @10:12PM (#23178298) Homepage
    I click around on icons until I can copy and paste a lot of letters into a single file. Then, with my alpha-palette, I cut and paste each letter as needed.
    • by Anonymous Coward on Wednesday April 23, @10:27PM (#23178440)
      I store my password at mydomain.com/password.txt so I can just copy/paste when I'm remote.
    • Re:I don't type (Score:5, Interesting)

      by JustinOpinion (1246824) on Wednesday April 23, @11:05PM (#23178742)
      Apparently* many modern keyloggers also capture the clipboard and record mouse movements (so as to defeat those "visual keypads" that some banking sites have implemented to thwart keyloggers). I guess the additional steps of assembling your password from pieces will prevent some attacks (e.g. where the attacker just uses the logged keystrokes, in order, for a dictionary attack on your account)... but a determined attacker may still be able to reconstruct your password from the combined key/mouse/clipboard history.

      Every bit of security helps, but I don't think we should be under the illusion that keylogger writers haven't caught on to these kinds of tactics.

      *This is based upon a talk I was recently at where a Symantec security analyst was asked about keyloggers.
  • Simple Answer -- (Score:5, Insightful)

    by barbam (1134455) on Wednesday April 23, @10:12PM (#23178306)
    Umm -- simple answer, don't access trusted information from an untrusted terminal? You can have no expectation of privacy while using that machine.
  • by syousef (465911) on Wednesday April 23, @10:16PM (#23178346)
    I'm not trolling here. If you're being keylogged, then even if your password isn't stolen, every single thing you do on that computer must be treated as public. Emails would be keylogged too.

    Once you suspect a terminal is owned, that's it, game over, don't trust it. Probably not what you want to hear, and definitely not convenient for you, but every other solution is a compromise in security.

    The ONLY alternative I could think of that I can stomach is to have a separate email address that you use only from public terminals. Change the password often and consider anything you say via that account to be as public as if it were announced over a PA system at an airport.
  • by JazzXP (770338) on Wednesday April 23, @10:17PM (#23178356) Homepage
    Any smart keylogger will look at the raw text behind any password field on a website. Cut and Paste etc would be useless.
  • by sznupi (719324) on Wednesday April 23, @10:18PM (#23178366) Homepage
    Enter your password in a different order than it is spelled? Simplest example: given your pass is "password", first write "pasrd", click between 3rd and 4th asterisk, complete it by entering "swo". The more complicated, the better.

    I'm using this when I absolutely need to use a web cafe, etc. ... should fool most keyloggers, I guess. I still change my password afterwards as soon as possible.
  • S/KEY (Score:5, Interesting)

    by Ernesto Alvarez (750678) on Wednesday April 23, @10:20PM (#23178380) Homepage Journal
    To get root access on my server, I use a one-time password system (RFC 2289). I use an S/KEY calculator on a Palm Pilot, and PAM OPIE on the server. The public terminal never sees the long-term password; it never leaves the PDA.

    Not much else to be said. Maybe you could also use a crypto token and asymmetric crypto, but considering that you need drivers, I'd say it's not practical. You might still use some sort of somewhat disposable private/public key. That should defeat keyloggers, but you risk getting your key compromised (that's why it's disposable).
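The S/KEY scheme the post relies on, written out as an added example (this is not the poster's setup or the OPIE code base, and the passphrase, seed and sequence count are constructed values). It follows the RFC 2289 MD5 variant: the secret passphrase is hashed with a seed, the 128-bit digest is folded to 64 bits, and that step is repeated N times to build a chain. The server keeps only the top of the chain; the calculator answers a challenge with the value one step below it, and the server checks that hashing the response once gives what it stored. A keylogger on the terminal sees only a value that is useless once accepted. The six-word dictionary encoding of RFC 2289 is omitted here; the response is sent as hex.

```python
import hashlib


def skey_fold(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 8-byte halves down to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_value(passphrase: str, seed: str, n: int) -> bytes:
    """The n-th one-time password of the chain.

    Step 0 hashes seed+passphrase; every further step hashes the previous
    64-bit result, so skey_value(n) == skey_fold(skey_value(n-1)).
    """
    h = skey_fold((seed + passphrase).encode())
    for _ in range(n):
        h = skey_fold(h)
    return h


class SkeyServer:
    """Server side: stores only the seed, the sequence number and the last accepted value."""

    def __init__(self, seed: str, n: int, initial_value: bytes):
        self.seed = seed
        self.n = n
        self.current = initial_value

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int) -> "SkeyServer":
        # Enrollment happens once, on a trusted machine; the passphrase itself is not stored.
        return cls(seed, n, skey_value(passphrase, seed, n))

    def challenge(self) -> str:
        # RFC 2289 challenge format: "otp-<alg> <sequence> <seed>"; the calculator needs both numbers.
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, candidate_hex: str) -> bool:
        try:
            candidate = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        # Chain exhausted, or hashing the response once does not reproduce the stored value.
        if self.n < 1 or skey_fold(candidate) != self.current:
            return False
        # Accept and move the chain down one step; a replay of this value now fails.
        self.current = candidate
        self.n -= 1
        return True


def calculator_response(passphrase: str, challenge: str) -> str:
    """What the hand-held calculator produces from the prompt; only this hex string is typed."""
    _, seq, seed = challenge.split()
    return skey_value(passphrase, seed, int(seq)).hex()


if __name__ == "__main__":
    # Constructed demo values, not anything from the thread.
    srv = SkeyServer.enroll("correct horse battery", "ke1234", 5)
    prompt = srv.challenge()
    otp = calculator_response("correct horse battery", prompt)
    print(prompt, "->", otp, "accepted:", srv.verify(otp), "replay:", srv.verify(otp))
```

The server never holds the passphrase, so a copy of its database yields nothing that can be played forward; an attacker who records a response can only compute values further up the chain, which the server has already passed.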
  • by ISurfTooMuch (1010305) on Wednesday April 23, @10:29PM (#23178446)
    ...then don't use a public terminal.

    I'm really not being flippant here. The posters above have listed some ways around a basic keylogger, but there are other ways a system can be compromised. You could be dealing with a program that takes screenshots and/or reads the clipboard at random intervals. Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.

    My policy on using public access computers is that I only use them when I have no other choice, and the more valuable the data I need to protect, the less likely I am to use one.

    There are so many more attack vectors than a keylogger that, if I were you, I wouldn't just focus on that one thing. If your data really needs to be secure and accessed remotely, get yourself a laptop and a data card from one of the cell carriers. At least that way, you can keep physical control over your machine and avoid the risks of using a hotspot. Of course, if you think that someone will be able to tap into your wireless connection through a cell phone carrier, then you likely have more issues than we can address here.
  • A LiveCD will not save you from a hardware-based keylogger
  • by Whuffo (1043790) on Wednesday April 23, @10:40PM (#23178530) Journal
    When you're talking about a public terminal - a machine that everyone and his dog has had access to - then you have to assume that it's totally compromised. You can't take countermeasures against exploits that you don't know and can't identify.

    If you've got to stay in touch on the road then take your own machine along - either a laptop or a portable device like an iPhone. You can find wireless access almost anywhere and while that wireless may be hacked, at least the machine you're using won't be.

    The suggestions to use a Linux CD or Firefox from a USB memory stick aren't going to give you the safety you're looking for. Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.

    Remember: do NOT enter any information into a public terminal that you wouldn't want to publish in the newspaper.

  • by MrSteveSD (801820) on Wednesday April 23, @10:41PM (#23178538)
    I once had to remote support a customer in another country and they sent us a little card-sized gadget that displayed a random code that changed every few minutes. It was synchronised (by the clock being pretty accurate I suppose, or possibly by radio signal) to an identical random code list at their site. So whenever we wanted to log in we just looked at the current code on the card, typed it in and at their end the code was checked against the current code.

    This sort of set-up could be very useful for people who frequently use public terminals. Your code can still be compromised but the crooks would only have a few minutes to retrieve and use it. Maybe you could even have it so that when you use a code once, the central code verification server invalidates it, so no-one else can log in, even if they do get the code quickly.

    I don't believe anything like this exists for the average person wanting to use normal email accounts though. Anyway, none of this changes the possibility that there are screenshots being taken every few seconds so that all of your private emails will be viewed later anyway.
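The card the post describes, as an added example (not the poster's vendor device or its code): both sides share a secret and a clock, the card shows an HMAC-based code for the current time window, and the verifier accepts one window of clock skew. The refinement the post suggests, invalidating a code once it has been used, is the `last_used` check. The code derivation is RFC 4226 HOTP (HMAC-SHA1 over a big-endian counter, dynamic truncation), driven by a time counter as in RFC 6238; the 120-second step and the shared secret are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TimeToken:
    """The card: knows the secret and the time, displays the code for the current window."""

    def __init__(self, secret: bytes, step: int = 120):
        self.secret = secret
        self.step = step

    def display(self, now: int) -> str:
        return hotp(self.secret, now // self.step)


class TokenVerifier:
    """Server side: same secret, tolerates `skew` windows of clock drift, never accepts a window twice."""

    def __init__(self, secret: bytes, step: int = 120, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_used = -1  # highest time-counter already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_used:
                # Window already used (or older than one that was): a recorded code is dead.
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret; in a real deployment it is provisioned into the card at manufacture.
    shared = b"constructed-demo-secret-key"
    card, server = TimeToken(shared), TokenVerifier(shared)
    now = 1_000_000
    shown = card.display(now)
    print("card shows", shown, "accepted:", server.verify(shown, now), "replay:", server.verify(shown, now + 30))
```

A keylogger that records the code sees something that expires with the window and is refused even inside the window once it has been used, which is exactly the property the post is after; it does nothing, of course, about screenshots of the session itself.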
  • by Knightman (142928) on Wednesday April 23, @10:48PM (#23178604)
    I built a system in the late 90s where you had a web page where you entered an account name. That name was tied to a cellphone number which was sent a generated password as a text message. The password was only valid for 5 minutes.

    AFAIK it's still in use and has never been cracked.
  • by riprjak (158717) on Wednesday April 23, @10:50PM (#23178620)
    ...I carry my own means to do so. Whether that be a smartphone, iPod touch, PSP, laptop with wifi, wireless broadband or (a consideration when I am travelling in developing nations) a satellite modem...

    IMO, the use of a public terminal for private purposes is the height of stupidity.
  • "In particular, how do people with Mac or Linux home computers deal with this?"

    I bring it with me - I have a MacBook Pro and I don't use public terminals. You can get cooties that way.

    RS

        • Re:Phone? (Score:5, Informative)

          by 1729 (581437) on Wednesday April 23, @10:43PM (#23178548)

          What kind of place doesn't allow phones, even left in the car? Pretty much every business and organization uses cell phones these days; what kind of company is paranoid enough to ban them that completely?

          Any site doing classified work will restrict cell phones. Camera phones are prohibited, and most privately owned phones without cameras still can't be taken into restricted areas (which sometimes will include the parking lot).
        • Re:Phone? (Score:5, Interesting)

          by PyroMosh (287149) on Wednesday April 23, @10:44PM (#23178550) Homepage
          Certain sectors of the defense industry, for one. Mostly it stems from fear of camera phones, so they ban all phones from the facility period, camera or not. But there are also other concerns that they have, rightly or not.
    • Auto Password Send? (Score:5, Interesting)

      by cgenman (325138) on Wednesday April 23, @10:55PM (#23178660) Homepage
      This would require server-side scripting, but what if each account kept a phone number on file? If the person uses the correct password, keep them out but text message them a single-use password. They can now log in with the single-use password.

      Now the system requires something you know (your password) and something you have (your phone).
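The SMS-code login Knightman built and cgenman proposes, as an added example (not either poster's system): a correct password does not log the user in but triggers a random six-digit code to the phone on file; the code is stored only as a hash, expires after five minutes (Knightman's figure), is discarded after a handful of wrong guesses, and is deleted the moment it is accepted, so it is single-use. The `send_sms` callable, the PBKDF2 parameters and the sample account are assumptions for the example.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300        # seconds a texted code stays valid (the five minutes from the thread)
MAX_ATTEMPTS = 5     # wrong guesses before a pending code is thrown away


class SmsOtpAuth:
    """Two-step login: password (something you know), then a texted code (something you have)."""

    def __init__(self, send_sms):
        # send_sms(phone, message) is the SMS gateway hook; constructed for the example.
        self.send_sms = send_sms
        self.users = {}    # name -> (salt, password_hash, phone)
        self.pending = {}  # name -> (code_hash, expires_at, wrong_attempts)

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._pw_hash(password, salt), phone)

    def start_login(self, name: str, password: str, now: int) -> bool:
        """Step 1: check the password; on success text a fresh code instead of granting access."""
        rec = self.users.get(name)
        if rec is None:
            return False
        salt, pw_hash, phone = rec
        if not hmac.compare_digest(self._pw_hash(password, salt), pw_hash):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Only the hash is kept server-side; any earlier pending code for this user is replaced.
        self.pending[name] = (hashlib.sha256(code.encode()).digest(), now + OTP_TTL, 0)
        self.send_sms(phone, f"Your login code is {code}")
        return True

    def finish_login(self, name: str, code: str, now: int) -> bool:
        """Step 2: the code must exist, be unexpired, not be over the guess limit, and match."""
        entry = self.pending.get(name)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[name]
            return False
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash):
            self.pending[name] = (code_hash, expires_at, attempts + 1)
            return False
        del self.pending[name]  # single use: the same code can never be presented again
        return True


if __name__ == "__main__":
    outbox = []  # stands in for the SMS gateway so the example runs offline
    auth = SmsOtpAuth(lambda phone, msg: outbox.append((phone, msg)))
    auth.register("alice", "constructed-password", "+1-555-0100")
    t0 = 1_700_000_000
    print("password accepted, code sent:", auth.start_login("alice", "constructed-password", t0))
    texted = outbox[-1][1].split()[-1]
    print("code accepted:", auth.finish_login("alice", texted, t0 + 60),
          "replay:", auth.finish_login("alice", texted, t0 + 61))
```

A keylogger on the terminal still captures the static password, so this does not make the first factor safe; what it buys is that the captured session cannot be reproduced later without also having the phone, and a code recorded from the screen or keyboard is worthless after five minutes or one use, whichever comes first.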