Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Privacy Security Your Rights Online

Protecting Your Personal Info While Traveling? 360

Posted by Cliff from the careful-where-you-browse dept.
AdEbh asks: "I was just listening an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be what advice should I give them? Is this a real concern?"
This discussion has been archived. No new comments can be posted.

Protecting Your Personal Info While Traveling? More

Protecting Your Personal Info While Traveling?

Comments Filter:

  • Tell them (Score:3, Informative)

    by 2names ( 531755 ) on Monday June 13, 2005 @04:34PM (#12806157)
    not to use the public machines for any financial or private communications.

    • Re:Tell them (Score:5, Interesting)

      by antarctican ( 301636 ) on Monday June 13, 2005 @05:55PM (#12806975) Homepage
      not to use the public machines for any financial or private communications.

      Agreed. When I travel what I do is change my password on all my accounts to one which I will throw away when I return home. Yes, there's still a risk of abuse, but the window is hopefully small enough if you're only gone for a few weeks that it won't be a problem.

      What I also do is forward all my email accounts to a throw-away Gmail account. Again, so I can read and respond to email but not be concerned someone could try and break into my box. It also means I'll avoid at all costs trying to ssh into my machine.

      The final really geeky thing I sometimes do is setup an almost honeypot box. A machine that I can ssh into with a throw-away password that is on an isolated network. I then place an ssh key somewhere on this box and use it to ssh to one of my other boxes if needed. This way the only password I will type will be to this honeypot box, not to the actual machine I need access to (being a sysadmin, sometimes you need to pop in to a machine while away, but I'll never 'su' - I'll ask whoever is covering for me to actually do that 'work'). Again one great advantage of this is you can then just erase the key from that honeypot box, so even if the keylogging person is somewhat techno-savvy, they can't get access to that key. If you hide about 3 keys on the machine, you can do this use/erase method 3 times over your trip.

      And I know others will probably suggest an ssh-key on a usb key, another very good idea - as long as you're going somewhere that has a high enough level of computing to be able to use this method. Most of my trips have been to the developing world, where machines are still running win98. USB keys don't exactly work too well on those machines, if they even have USB slots. ;)

      The key takeaway message is - use a one-time password and create a throw-away email account for communication. And I agree, no banking! Leave your online banking info with someone at home and email them to do it for you. Nothing wrong with being a little paranoid. :)

      • Re:Tell them (Score:3, Informative)

        by DenDave ( 700621 )
        If I am going to a civilised place I drag my iBook along and use wireless service.

        If I am going to less civilised places, I don't need to email or do anything with the computer.

        I don't suggest people ssh into remote boxes. This would mean you need to allow ssh access from unknown ips. This could subject your box to attack. Always keep your box safe by using the hosts.allow and hosts.deny files. What you could do is to find a "secure" machine at your place of travel and call yer man back home to open the s

  • Keylogger (Score:2, Funny)

    by casualgeek ( 851422 )
    Bring your own keyboard!

    • Re:Keylogger (Score:3, Insightful)

      by MarkGriz ( 520778 )
      "Bring your own keyboard!"

      and boot CD
    • The easiest trick is to pour water in the back of the machine just below the power switch. This is where the key loggers are inserted. The water will short it out. Most key loggers do not have a plastic cover, but just incase, insert a small screwdriver and try to puncture the plastic cover to pour in the water.
    • Better than this, and much more portable, is simply use the mouse to switch the keyboard layout to Dvorak or something.... the hardware will still send the key as it is labeled on the keyboard, but the OS should convert it on the fly to whatever appropriate dvorak key.... and of course boot from a trusted Knoppix CD or something...

  • A tip (Score:5, Insightful)

    by ylikone ( 589264 ) on Monday June 13, 2005 @04:34PM (#12806160) Homepage
    Don't type anything you wouldn't want anybody else to see when you using public terminals. Kind of obvious?

    • Re:A tip (Score:5, Interesting)

      by cjellibebi ( 645568 ) on Monday June 13, 2005 @04:39PM (#12806221)
      But in order to log into your e-mail account, you would need to supply your password. One way to get round this is to type the first few letters of the password, switch to an other app, type some gibberish, and then switch back to your web-browser / telnet-session (doing more switching if you're feeling insecure). If this is one of those hardware devices that sit between the PC and the keyboard, it cannot know what belongs where, but there might be some software out there that can detect app-switching and record kepresses on a per-app basis.

      • Security vs. Obscurity... (Score:5, Interesting)

        by mellon ( 7048 ) * on Monday June 13, 2005 @04:44PM (#12806293) Homepage
        If you want to access your email remotely, and you want to be sure it won't be hacked, bring your own computer. Otherwise, just accept the risk that your password will be sniffed, and change your password when you get home.

        Ideally, you should change your password before you leave, and then change it back when you get home, because if you're like most people there are lots of things online for which you use the same password.

        Oh, and if you need to do any kind of transactions _other_ than email while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.
        • If you're really paranoid, you would have access to your own mail access interface, and you could write your own interface like I did. (Whoops, did I say that out loud?)

          And, the interface is a javascript keyboard on the login page for input of letters and numbers. HTTPS too. AFAIK, they wouldn't be able to use a mouse-logger, eh?
          • >And, the interface is a javascript keyboard on the login page for input of letters and numbers. HTTPS too. AFAIK, they wouldn't be able to use a mouse-logger, eh?

            You'd have to make sure the keyboard is a non-standard layout, so Querty, Dvorak, Alphabetical-order are all out.

      • Re:A tip (Score:5, Informative)

        by mattspammail ( 828219 ) on Monday June 13, 2005 @04:55PM (#12806396)

        Or go to a web page and copy and paste characters into the password blank. It might take awhile, but it's key-free.

        AND make sure you only log in to https sessions.

        • If you're doing the cut-and-paste thing, you can even enter the letters out of order. Just make sure you use the mouse to position the cursor and not the arrow-keys.

        • Re:A tip (Score:2, Funny)

          by tekiegreg ( 674773 ) *
          Here I'll help you out if you or anyone is trying. Karma be dammed here :-)

          abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789!@#$%^&*()-_+=;:'",/?~`\|

          Hope I didn't miss anything!
          • Here I'll help you out if you or anyone is trying. Karma be dammed here :-)

            abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789!@#$%^&*()-_+=;:'",/?~`\|

            Hope I didn't miss anything!

            My passwords are really secure - they use characters that aren't even on the keyboard!

            BTW, can anyone tell my why register.com limits your password to 8 characters? Seems counter-secure.

      • Or you could cut & paste the individual characters from a webpage for example, though it would be a pain... Then nothing would show up.

      • Re:A tip (Score:5, Insightful)

        by Anonymous Coward on Monday June 13, 2005 @05:41PM (#12806857)
        You're kidding right? Have you ever seen keylogging software?
        They spyware varieties rarely log every key. Instead, they intercept web submission forms, or data from specific applications. Switching windows and typing gibberish won't do anything to prevent information loss.

        The best approach is one of:

        - Bring your own computer. Use SSH or other VPN software to access your home computer and then your email. Do not trust public systems. Do not trust public WiFi networks.

        - Setup a web interface for accessing email. The password should change automatically after every successful login.

        - Bring putty on a floppy disk and use it to SSH into your home computer for accessing email. But don't trust the local web browser to not be infected.

        - Knoppix. Boot off your own software, check email or surf, then reboot back to the (likely) infect operating system.

        Things you should not do:
        - Do not assume the computer is not infected. Even if it runs a virus scanner or you're told that it is clean. If it isn't yours, don't trust it.
        - Do not assume the wireless network is safe.
        - Do not assume the connection between the internet cafe and the internet is safe. (Who knows what is being tapped.)
        - Do not assume that if you "just login for a moment" that you won't compromise your information. It only takes one login and the bad guys don't miss.
        - Do not assume the risk is limited to public terminals. Hotels and coffee shops with "free" wireless are commonly monitored by 3rd-parties. Any place that isn't "home" should be considered a risk.

        If you want to have fun, run 'netstat' on the public terminal. See any open ports? You probably will...

        Infected public terminals is a much bigger problem than even most government cybercrime investigators believe.
    • Don't type anything you wouldn't want anybody else to see when you using public terminals. Kind of obvious?

      You know, little things. Like login and password, and everything that comes afterwards.

  • ctl+alt+del (Score:4, Interesting)

    by natron 2.0 ( 615149 ) <`moc.liamg' `ta' `97sretepdn'> on Monday June 13, 2005 @04:35PM (#12806170) Homepage Journal
    If I am forced to use a public terminal I like to check the tasks that are running in the background, to see if there is anything suspicious. It has saved me a few times, of course not all kiosks will let you use that command.

    • Re:ctl+alt+del (Score:2, Insightful)

      by dcfix ( 65207 )
      There are plenty of keyboard sniffers that are not interrupted by the Ctl+Alt+Del. Of course, hiding a process from taskmanager is a pretty easy thing to do too. If it's not your computer, it's not safe.

      • Re:ctl+alt+del (Score:3, Informative)

        by Malc ( 1751 )
        " There are plenty of keyboard sniffers that are not interrupted by the Ctl+Alt+Del."

        What's that supposed to mean? And why would one expect them to be interrupted?

        I guess the point is (which I think you were making), is that a keyboard logger could be at a device driver level and thus not show up as an individual process.
        • What's that supposed to mean? And why would one expect them to be interrupted?

          On windows Ctrl-Alt-Del is the "Secure Attention Key". In theory, when you hit Ctrl-Alt-Del the only program that can respond to it should be the OS itself, making it safe to enter a password (to log on to the OS that is) after hitting Ctrl-Alt-Del, since you can be sure no login-simulators can hook into it.

          Of course, Ctrl-Alt-Del does nothing to secure machines that have been tampered with on the system level, and does noth

          • Why would you be logging on to a third party machine when travelling with your own password?

            The Cisco VPN Client hooks in to the Ctrl+Alt+Del. It pops up its own dialog. It makes me wonder if a malicious app could do the same, but subvert the dialog the OS puts up (e.g. obscure it with an identical one of its own, or post messages to control it).
            • Given administrator access, you can simply replace the windows logon screen. Just replace msgina.dll with your own concoction. Microsoft offers handy guides for this, and even the sourcecode to stock msgina.dll with MSDN, IIRC.
            • speaking of the cisco VPN client. use that on your own laptop. depending on your country of travel, wifi may be available for a modest fee.

    • Re:ctl+alt+del (Score:4, Informative)

      by nine-times ( 778537 ) <nine.times@gmail.com> on Monday June 13, 2005 @05:06PM (#12806526) Homepage
      That works so long as the keylogger (or whatever) is software-based. There are also hardware-based loggers that sit between the keyboard and ps/2 port, for example.

      • Hardware based keyloggers are a little easier to spot, though. You could show them pictures of hardware loggers so they'd know what to look out for. A quick Google found this one [keyghost.com] and this one [staticusers.net], which are pretty much the only two types I've seen so far.

        It should be noted though, that finding these things on an Internet kiosk would be near impossible as most of the hardware is hidden from the user's view.

    • In addition to other people's concerns, I've seen spyware that kills taskman.exe everytime it starts. Checking like that is definitely a good habit, but beware its shortcomings.

  • No financial activities (Score:5, Insightful)

    by fembots ( 753724 ) on Monday June 13, 2005 @04:35PM (#12806175) Homepage
    If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.

    Sensitive information should be transmitted separately, for example, credit numbers via email and expiry date via phone.

    • Re:No financial activities (Score:4, Interesting)

      by Gorath99 ( 746654 ) on Monday June 13, 2005 @04:53PM (#12806378)
      If you're using a public machine, you shouldn't do any financial activities like banking, paypal etc., at all.

      Try and find a bank that requires one-time passwords. I don't know how common such systems are internationally, but over here in the Netherlands, it's pretty much standard.

      My own bank provides its users with a small calculator that, when unlocked with your PIN, will also generate one-time login numbers. For extra security every transaction requires an extra one-time number keyed to that particular transaction (so highjacking the connection after the login is provided is mostly harmless).

      I'm sure it's still not 100% safe, but crackers will definitely have to work for their money.
    • There is a large number of interesting travel sources that travelers will want to use. The modern vacation now includes a lot of information resources along with the recreational and scenic resources.

      Being forced into living a state of fear by cyber thugs is really not that great of an option. The fact that we are essentially asking travelers to ignore an intriguing new aspect of travel is quite sad.

      I am also disappointed to see our technological elite offering little more than a probation against using

  • Well... (Score:3, Interesting)

    by Poromenos1 ( 830658 ) on Monday June 13, 2005 @04:36PM (#12806180) Homepage
    I am becoming increasingly paranoid about typing passwords in public terminals... I am even reluctant to type my password in a friend's computer... Generally avoid typing your password for anything you don't need while at a public terminal, and if you're REALLY paranoid you could have it written in a file in a USB keychain and pasted (keyloggers don't log pasting, do they?).

    • They caught on to this a long time ago (Score:5, Informative)

      by jeffmeden ( 135043 ) on Monday June 13, 2005 @04:42PM (#12806277) Homepage Journal
      A good key logger will monitor anything coming and going from the clipboard. If you want to be paranoid, dont trust info on a machine you cant verify, assume whatever you do is going to end up on a billboard.
      • Heck, good theftware will hook into the web browser, and look for certain fields (e.g. login, username, password, pin, etc) in HTML forms, and just save that data.

        This counteracts copy&paste, type-edit-type, etc.

        If the OS can be modified (software attacks, physical attacks, boot disks, etc)...you cannot trust the system at all.

        And of course, even if the OS isn't modified, hardware keyloggers and/or spy cameras could also be a risk.

        I suspect multifactor authentication is going to quickly becom

  • I would never trust an unknown computer like that. I even clean my parents computer up before I use it for anything.

    Browse the web: Yes
    Check my Accounts: No

  • Simple Rules (Score:3, Interesting)

    by COMON$ ( 806135 ) on Monday June 13, 2005 @04:37PM (#12806201) Journal
    Its just like anything else, why should computers be any different when it comes to common sense?

    You wouldnt give your credit card # to someone over the phone in a public place.

    You dont throw away check stubs without shredding them.

    You dont give strangers your home address.

    I guess I dont understand how people can not connect the dots.

  • Create a disposable webmail address (Score:5, Interesting)

    by cactux ( 632871 ) on Monday June 13, 2005 @04:38PM (#12806207)
    If you want to keep in touch with friends and family during travel, create an email address with one of the many free webmail services available.

    Then use only this adress while traveling, and only for casual messages, nothing important. Specify to your correspondants that this adress is temporary, and subject to be "stolen", so they should be suspicious regarding messages coming from it.
  • All public computers (as well as friends computers) are suspect. Never use them for anything requiring user ID and password access myself. Along the same lines, all public wireless access points are suspect as well.

    I've seen web pages with a checkbox allowing you to indicate that you are on a public computer, presumably to avoid caching personal information. That would not protect against a keylogger program, however.
  • Always assume that any hardware you don't own and isn't in your control is insecure.

    It's just good rule of thumb. And to be even more paranoid, you should assume the same about any hardware that isn't in a locked room 100% of the time.

    If you're really concerned about this, make sure the passwords on things you do access aren't the same as other passwords you use and make sure you change it when you're done from a "secure" location.
  • Realistically speaking, it's unlikely that your accounts are going to get p0wn3d by anyone.

    However, if you're using public machines that have keloggers on them, then someone put those keyloggers there for a reason. That reason probably isn't to monitor the effectiveness of internet filtering at that particular location.

    The best advice would be to make sure their hotmail (or whatever webmail they're using) password isn't the same as the password on their other accounts. Delete all the mail after it's read,
  • Try some software like KL-Detector.

    http://dewasoft.com/privacy/kldetector.htm [dewasoft.com]

    • Unfortunately, it doesn't do anything for hardware....
    • Cute app, it's not correct in it's assumption that it can detect all software keyloggers. It can't detect sw ones the dont write out to disk (sending it out over the network would seem usefull) it also cant detect sw ones the write out to a fixed size file or write out rather sporadicaly say at shutdown (a few megs of memory would be plenty to cover all data input for a long time and no reason it cant grow say in swap)
  • ...to log on to online banking or even to access your Gmail or Hotmail account - just take a notebook computer along.

    It also helps to have two or three sets of passwords:
    - The least sensitive password should be used for "subscription required" sites, like the NYT.
    - The medium sensitive password should be used to protect your web mail accounts, like Gmail
    - The most sensitive password should be used for online banking

    • Agreed. I maintain about 10 different styles of passwords in the memory of my brain, ranging from simple (54321 anyone?) on non-critical devices all the way to 15-character intense passwords. My best suggestion to travelling would be to use a second e-mail account and use mail forwarding to that account. Set it all up beforehand, and then you don't have to worry about your passwords being violated since you use a lower-rated password for the fake account. Change accounts often while travelling and don't acc

  • First do your homework... (Score:5, Funny)

    by feloneous cat ( 564318 ) on Monday June 13, 2005 @04:42PM (#12806279)
    1. Get professional sweep gear.
    2. Cordon off the area and do a thorough sweep of the Internet Cafe in question.
    3. Make sure that and patrons and workers empty their nastly little pocketses.
    4. Disassemble any electronic hardware that is shielded to make sure the keylogger isn't hidden in its nasty bowels.
    5. Once the all clear is given, log in to AOL, download porn.

    I'm just saying...
  • Don't trust anyone.

    Even if they have a policy in place to keep terminals "clean" they don't nessiarly follow it.

    I'd personally recomend that they use a throwaway email account while abroad if they plan on accessing it often.

    The usual things too... user name and password unrelated to others etc.

    If they're really paranoid, and have someone that they trust back home, they can get that person to change the passwords on the accounts during their trip.

  • Take a laptop? (Score:3, Informative)

    by jafo ( 11982 ) * on Monday June 13, 2005 @04:43PM (#12806286) Homepage
    Take a laptop that you use for your communications. With the availability of WiFi, you can use your laptop most places where there are computers and many places where there aren't. You have to worry less about what someone else may have installed, and you don't have to wait for a terminal to open up. Don't forget to use secure protocols to speak to your server though.

    When I went to DefCon a few years ago, I loaded a fresh laptop and set it up to VPN all traffic leaving it, plus I didn't access any private resources, I had my e-mail copied to a webmail account on another box I was running. It worked great.

    Sean
    • "Take a laptop that you use for your communications. With the availability of WiFi, you can use your laptop most places where there are computers and many places where there aren't."

      Does anyone know how feasible this is in Europe? More specifically will this work in Germany, Austria, and the Czech Republic? I know here in the states most internet cafes now have wifi, but how common is that overseas?

  • Advice? (Score:5, Informative)

    by artifex2004 ( 766107 ) on Monday June 13, 2005 @04:43PM (#12806292) Journal
    1) Carry a laptop
    2) ssh into your home server, or use HTTPS for webmail.

    Using your own laptop means nobody is keylogging you, unless they get access to your machine, in which case you're screwed anyway. Sticking to SSH or HTTPS means you're not sending anything worthwhile unencrypted up the pipe.

    Also, you'd be amazed at the number of compromised terminals at universities and colleges, too. Better warn your kids before they go off to college not to do any financial transactions, etc., from them, no matter if school policy is to run antivirus and spybot killers. Those are no match for good old fashioned hardware keyloggers, assuming they even use the latest updated programs to check.

  • Advise (Score:2, Funny)

    by pete-classic ( 75983 )
    what advise should I give them?


    I would advise them that spell checkers don't know nouns from verbs.

    -Peter
  • If I were to make a site in which I would need to log into remotely I would have it use a disposable password list; a list of passwords that will only work once, no worry about key loggers (though session highjacking would be another matter), as an added bonus if you log your password entries you can also use your list to figure out where the more nefarious spots are.
  • If you have no idea what's installed in the computer you are using, everything you do with it may no longer be exclusively your's. I am not just talking about software, hardware is also included (think the Key Katcher Thinkgeek sells). If I wanted security, I would bring my own computer, use SSL on all communication channels, and even that may not be completely safe in a public location (hidden cameras, etc...). I guess hiding in the basement and keep the windows shut, because who knows if they (http://news [com.com]

  • Use the mouse (Score:4, Interesting)

    by BenjiTheGreat98 ( 707903 ) on Monday June 13, 2005 @04:48PM (#12806335)
    When you are on a public terminal you can type in your username and/or password by typing in the last half of it then use your mouse and go the front of the text box and type in the 1st half. It's not full proof but at least someone won't have your password in plain view in front of them.
    • I have a variation of this.

      I startup some text editor, then i type random characters in it. Then I move to the password field and type 1 char. Then back to the text editor typing random chars again. Then I type the 2nd char of my password after switching windows. I go on like that.

      Of course, for financial stuff, I do not trust this. But for login into an email account, I believe that this is secure enough. They won't bother trying to figure out what the password is with the keylogger.

  • Fun Experiment (Score:3, Interesting)

    by deadtree9 ( 772882 ) on Monday June 13, 2005 @04:50PM (#12806352) Journal
    While in Hawaii on vacation last September I prepaid for an hour of web cafe time. After answering all my emails and checking what news I felt like reading, I still had a good chunk of time left over and my GF was still in the same strip mall shopping. I decided it might be interesting to download and install ad-aware. (They were old windows 98 machines, so there was absolutely NO security.) In the 15 minutes or so I hung around watching and chatting with the clerk running the place, ad-aware ticked off over 2,000 spyware items found, and it wasn't anywhere near done!
  • I do very little 'sensitive' work while I'm visiting my folks, or the in-laws too. I just finished reinstalling the in-laws' machine and patching/updating it due to a huge spyware/virus problem. They could have had keylogging crap installed there unknowingly too.

    The only machines I trust are those that I own and have direct, constant control of. Period.

    My mother-in-law on the other hand decided that she'd keep doing her online banking/shopping, etc even after I advised her not to (it was going to be 2

  • Morse Code (Score:5, Funny)

    by spoonyfork ( 23307 ) <[moc.liamg] [ta] [krofynoops]> on Monday June 13, 2005 @04:51PM (#12806358) Journal
    I thought Cryptonomicon was required reading here. I guess times have changed. Use Morse Code [wikipedia.org].
  • Right now in existing operating systems, some sort of keyboard driver will translate the keystrokes coming down the wire into characters and pass it where it needs to be. Of course, anywhere between the driver and the keryboard can be compromised. You can tamper with the physical cable, between the cable and the keyboard port, or directly in the software.

    Now imagine this scenerio to fight this:

    The keyboard and OS are NGSCB (Microsoft's Next-Generation Secure Computing Base (NGSCB)) -aware.

    They have been

  • Practical (Score:5, Interesting)

    by Markus Registrada ( 642224 ) on Monday June 13, 2005 @04:56PM (#12806410)
    Don't worry about hardware keyloggers. They cost more than software loggers, so they won't be there. Cops and spooks break in to install them on dissidents' machines; they are probably very rare otherwise. Just bring along an Ubuntu LiveCD, and boot from it. If you can't do that, and you can arrange to produce your own web site, have web-page javascript password-entry scheme that uses just the mouse, unrepeatably. (That is, each time the page is (re-)loaded the buttons appear in different places on the screen.) Or, bring along a USB key with a pile of temporary-use private keys in it, and a copy of ssh configured to use only those key files. Be sure to delete the corresponding public key after each use. Even if they log keystrokes they won't copy the entire contents of every USB key plugged in; and it doesn't matter so much if they do, anyway.

    • Re:Practical (Score:5, Informative)

      by Locke2005 ( 849178 ) on Monday June 13, 2005 @05:21PM (#12806654)
      Uh, those methods do nothing for you if the software is designed to simply record HTTP POST and SMTP operations, in which case it doesn't really matter how the data was entered into the machine. Yes, one-time-use keys would work, except that none of the mail readers support them, do they? Hmm... bringing your own copy of ssh might work... do public access terminals let you run your own software? Seems to me that I would disable floppy, CD, and USB file system.

  • Stop worrying! :) (Score:4, Funny)

    by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Monday June 13, 2005 @04:58PM (#12806433) Homepage
    You know what I say? Stop worrying about things. Live life. Life is dangerous. You might be killed tomorrow. Disease, car crash, something like that. And there are lots of people in the world. What are the chances it will happen to you. Set your root password to password. Run an open SMTP server. Do whatever you want. It's better to regret the things you have done than the things you haven't.

  • I limit my on-line activities on kiosks to anonymous surfing, though if I am travelling, I usually have my tablet PC and my cell phone with me, the combination of which can be used to browse the web.

    But I admit to being more paranoid than the average bear. :)

  • I don't check email when I am on vacation. Things are supposed to be a change of pace. Isn't that why you are on vacation?

  • Something to consider... (Score:3, Informative)

    by IcyNeko ( 891749 ) on Monday June 13, 2005 @05:05PM (#12806506) Journal
    I once worked at a computer lab where I was able to test some software (iOpus, I believe) that had some keylogging software. This software was incredibly ingenius, and would very accurately tell me what was typed where, when, and by whom. I also had the option to take screenshots every once in a while (I could set how often the screenshots were taken). These files (log and screenies) could then be saved on a location where the current user would not be able to access due to user restrictions.

    Be wary of this, since I was able to catch the logins of several users. (My purpose of installing this was to catch someone was using our network traffic downloading porn and illegal filesharing. Needless to say, with the screenshots and logs, I caught him rather red-handed.)

    But these days, such precautions are to be expected with terrorism on the rise and such. My only advice: Be very careful when doing this on a public location where spying and keylogging is easy to implement. Not all people were as nice as I was and let the small info go. A small slip of the Credit Card number, and away goes several thousand dollars!

    • Re:Something to consider... (Score:5, Insightful)

      by fuzzybunny ( 112938 ) on Monday June 13, 2005 @05:13PM (#12806582) Homepage Journal
      (My purpose of installing this was to catch someone was using our network traffic downloading porn and illegal filesharing

      What you did is strongly illegal in many countries, including parts of the US (look up state & federal wiretapping laws) especially if done without informing users. Aside from that, it pushes the ethical boundaries of what's acceptable (I think it's filthy, personally, but I'm giving the benefit of the doubt and being diplomatic.)

      Not all people were as nice as I was and let the small info go

      If you can't tell what's wrong with this statement, you shouldn't be administering systems used by other people. You're perfectly correct about being wary of using boxes beyond your exclusive control; however, we're talking about crime and not exercising control over your own computers.

  • Solution (Score:2, Informative)

    by firepacket ( 809106 )
    Start > Run > osk.exe

    The onscreen keyboard doesnt get picked up by any keylogger i know of.
  • Someone out there must have a list of the default passwords for all the keyloggers... Just fire up notepad and type these passwords in. If nothing happens, you're probably in the clear.
  • Under windows, shouldn't you be able to use the character map application to "type" in your password using the mouse, thus circumventing any hardware keyloggers? Of course, if I was going to capture passwords, I'd modify the browser itself to record all POST data, so it doesn't matter how you input your password.

  • keylogger dongle (Score:3, Interesting)

    by freeze128 ( 544774 ) on Monday June 13, 2005 @05:12PM (#12806567)
    If it's keylogger software you are worried about, it sounds like a single use password (tear sheet style) would be ideal.

    If it's one of those little PS/2 keyboard devices that sits between your PC and keyboard, try this: Log in normally, use your password, do whatever, then logout. Before you walk away from the kiosk, tape down the left-arrow key. The auto-repeat will fill the buffer (might be a few Kb) and eventually overwrite your PW.

  • Since my laptop is my office machine, it goes where I go. I take the appropriate measures to secure my laptop at all times. As far as physical security goes, since I'm a field employee, my backpack is my office. I always keep the backpack in my presence.

  • I didn't have a problem (Score:5, Funny)

    by Cro Magnon ( 467622 ) on Monday June 13, 2005 @05:22PM (#12806667) Homepage Journal
    I posted to slashdot from an Internet Cafe, and nobody stole my password.
  • The reality is that people have to use untrusted machines every once in a while, and even if you then change your password from the next trusted machine you have access to there is still a window of opportunity. If I must use credentials at a public terminal I make extensive use of cutting, copying and pasting, and typing over selected text so a key logger would see a password like 'secret' as a string like 'fsdjn392e9c3sD$r@90ejfndt'. This won't protect you from things like browser helper objects (BHOs), b
  • How well would it work to make a point of entering your username and password wrong a few times before actually logging in? I've never seen the output of a keylogger before. Would that make it enough of a pain that they'd move on to the next poor schmuck?
  • Cut-n-paste your sensitive logins and passwords one character at a time. You need to type-in the alphabet (upper and lowercase) and numbers into a different window. This is all the keylogger sees (that and cut-n-paste commands).

    Hopefully nobody is looking at your screen remotely (and see the mouse movements)... anyone have a technique around that?

  • My semi-solution (Score:3, Interesting)

    by ZorbaTHut ( 126196 ) on Monday June 13, 2005 @06:12PM (#12807103) Homepage
    I've got kind of a weird system brewing in the back of my head. I have RDP set up on my home computer (think VNC, only faster, and Windows). Ideally I want to log in to that. But I don't want it open 24/7, so I have the port completely closed. What I *will* have (don't have it yet) is a few ports open to a virtual private server I own. I connect to the virtual private, type in a one-time password, and it sends an instruction to my home computer to open a port to a certain IP for a minute. During which time I connect to it via Remote Desktop and use my home computer.

    Since my home computer has passwords saved, of course, I wouldn't need to type in passwords from here. This assumes the connection is secure from being hijacked (I don't honestly know if it is) and there's a little vulnerability where someone could immediately RDP into my computer again, from the same IP, with the password that they've presumably just logged, since *that's* not a one-time password. (I suppose I could try to set it up to only allow one connection in.) But they'd only have a minute to do it in.

    Of course, the point is entirely moot since I haven't set any of this stuff up - it turned out I needed a laptop for work, so they gave me a laptop, and I've just been using that with ssh and cygwin. Heh.

    But that's the plan. :)

Slashdot Top Deals

"Look! There! Evil!.. pure and simple, total evil from the Eighth Dimension!" -- Buckaroo Banzai

Close