Protecting Your Personal Info While Traveling?
AdEbh asks: "I was just listening to an interesting article on a local radio station regarding computer security. In it a member from the AFP cybercrime unit mentioned that they are starting to see keylogger software installed on public access terminals, such as internet cafes. With friends & family overseas at the moment or soon to be, what advice should I give them? Is this a real concern?"
Tell them (Score:3, Informative)
Re:Tell them (Score:5, Interesting)
Agreed. When I travel what I do is change my password on all my accounts to one which I will throw away when I return home. Yes, there's still a risk of abuse, but the window is hopefully small enough if you're only gone for a few weeks that it won't be a problem.
What I also do is forward all my email accounts to a throw-away Gmail account. Again, so I can read and respond to email but not be concerned someone could try and break into my box. It also means I'll avoid at all costs trying to ssh into my machine.
The final really geeky thing I sometimes do is set up an almost honeypot box. A machine that I can ssh into with a throw-away password that is on an isolated network. I then place an ssh key somewhere on this box and use it to ssh to one of my other boxes if needed. This way the only password I will type will be to this honeypot box, not to the actual machine I need access to (being a sysadmin, sometimes you need to pop in to a machine while away, but I'll never 'su' - I'll ask whoever is covering for me to actually do that 'work'). Again one great advantage of this is you can then just erase the key from that honeypot box, so even if the keylogging person is somewhat techno-savvy, they can't get access to that key. If you hide about 3 keys on the machine, you can do this use/erase method 3 times over your trip.
And I know others will probably suggest an ssh-key on a usb key, another very good idea - as long as you're going somewhere that has a high enough level of computing to be able to use this method. Most of my trips have been to the developing world, where machines are still running win98. USB keys don't exactly work too well on those machines, if they even have USB slots.
The key takeaway message is - use a one-time password and create a throw-away email account for communication. And I agree, no banking! Leave your online banking info with someone at home and email them to do it for you. Nothing wrong with being a little paranoid.
Re:Tell them (Score:3, Informative)
If I am going to less civilised places, I don't need to email or do anything with the computer.
I don't suggest people ssh into remote boxes. This would mean you need to allow ssh access from unknown ips. This could subject your box to attack. Always keep your box safe by using the hosts.allow and hosts.deny files. What you could do is to find a "secure" machine at your place of travel and call yer man back home to open the s
Re:Tell them (Score:2)
(That was until I found a bug in a local operator service..
Needless to say everything ran over an SSH tunnel.
Re:Tell them (Score:3, Insightful)
Keylogger (Score:2, Funny)
Re:Keylogger (Score:3, Insightful)
and boot CD
Re:Keylogger (Score:3, Funny)
Re:Keylogger (Score:2)
Re:Keylogger (Score:2)
A tip (Score:5, Insightful)
Re:A tip (Score:5, Interesting)
Security vs. Obscurity... (Score:5, Interesting)
Ideally, you should change your password before you leave, and then change it back when you get home, because if you're like most people there are lots of things online for which you use the same password.
Oh, and if you need to do any kind of transactions _other_ than email while you're abroad, definitely bring your computer. Doing serious transactions on a public workstation is about the same as writing your PIN on your bank card and leaving it stashed near your favorite ATM so you don't have to carry it in your wallet.
Re:Security vs. Obscurity... (Score:2, Interesting)
And, the interface is a javascript keyboard on the login page for input of letters and numbers. HTTPS too. AFAIK, they wouldn't be able to use a mouse-logger, eh?
Re:Security vs. Obscurity... (Score:2)
You'd have to make sure the keyboard is a non-standard layout, so Qwerty, Dvorak, Alphabetical-order are all out.
Re:Security vs. Obscurity... (Score:4, Interesting)
In the case of banking transactions when you're backpacking, you have a few choices. One is to appoint someone to manage your bank account while you're unavailable - this is what people did before online banking was ubiquitous.
For example, when I traveled to Nepal in 1993, I left a stack of envelopes with my sister (if I remember correctly). Each had a date on it, and she mailed it on the appropriate date. I had direct deposit at work, so that was no problem.
If you need someone to make decisions, as opposed to just doing something for you, there are people who provide this service professionally. Check them out to make sure they're legit, but if they are, then unless you are inordinately wealthy, they aren't going to be tempted by the contents of your bank account.
You can also carry a small computer, rather than a big one. Unless your bank is really evil, you should be able to do transactions from a Palm Pilot or wince machine. I'd recommend a Linux PDA, personally, but they're harder to find. The new Nokia would be an excellent choice. You can also now get fully-featured notebooks from, e.g., ASUS, that weigh only two pounds. Bringing one of these along is not as bad as you suggest.
I've heard that some European banks do one-time passwords - you just print out a sheet and bring it with you. This would be the ideal solution if you don't care about privacy, but of course if, like me, you live in the U.S., you probably don't have this option.
Re:Next best option (Score:4, Interesting)
Nobody has mentioned the simple way to limit your losses. Open a travel account at another bank. Set up automatic weekly transfers. Use it for gas and such. My travel account gets $200/week. If it gets hit, I contact my bank. My potential loss is very limited. The checking account is not backed up with overdraft protection. Keep track of your balance and use the bank ATM whenever possible. The rest of the bills are set up from the primary account at another bank with auto payments. If the electric is a little off one month, it can be adjusted upon my return. They are happy to receive a regular payment even if it is a little over or under. Let them know what's up. They are very good working with you to get paid.
Re:A tip (Score:5, Informative)
Or go to a web page and copy and paste characters into the password blank. It might take a while, but it's key-free.
AND make sure you only log in to https sessions.
Re:A tip (Score:2)
Re:A tip (Score:2, Funny)
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
Hope I didn't miss anything!
Re:A tip (Score:2)
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789!@#$%^&*()-_+=;:'",/?~`\|
Hope I didn't miss anything!
My passwords are really secure - they use characters that aren't even on the keyboard!
BTW, can anyone tell me why register.com limits your password to 8 characters? Seems counter-secure.
Re:A tip (Score:2)
Re:A tip (Score:5, Insightful)
The spyware varieties rarely log every key. Instead, they intercept web submission forms, or data from specific applications. Switching windows and typing gibberish won't do anything to prevent information loss.
The best approach is one of:
- Bring your own computer. Use SSH or other VPN software to access your home computer and then your email. Do not trust public systems. Do not trust public WiFi networks.
- Set up a web interface for accessing email. The password should change automatically after every successful login.
- Bring putty on a floppy disk and use it to SSH into your home computer for accessing email. But don't trust the local web browser to not be infected.
- Knoppix. Boot off your own software, check email or surf, then reboot back to the (likely) infected operating system.
Things you should not do:
- Do not assume the computer is not infected. Even if it runs a virus scanner or you're told that it is clean. If it isn't yours, don't trust it.
- Do not assume the wireless network is safe.
- Do not assume the connection between the internet cafe and the internet is safe. (Who knows what is being tapped.)
- Do not assume that if you "just login for a moment" that you won't compromise your information. It only takes one login and the bad guys don't miss.
- Do not assume the risk is limited to public terminals. Hotels and coffee shops with "free" wireless are commonly monitored by 3rd-parties. Any place that isn't "home" should be considered a risk.
If you want to have fun, run 'netstat' on the public terminal. See any open ports? You probably will...
Infected public terminals are a much bigger problem than even most government cybercrime investigators believe.
Re:A tip (Score:3, Insightful)
Yeah, it's a pain, but you could shorten it by just making sure everything's out of order and with some gibberish.
Of course, nothing's 100% secure, especially while traveling...
Re:A tip (Score:2)
You know, little things. Like login and password, and everything that comes afterwards.
ctl+alt+del (Score:4, Interesting)
Re:ctl+alt+del (Score:2, Insightful)
Re:ctl+alt+del (Score:3, Informative)
What's that supposed to mean? And why would one expect them to be interrupted?
I guess the point is (which I think you were making), is that a keyboard logger could be at a device driver level and thus not show up as an individual process.
Re:ctl+alt+del (Score:2)
On windows Ctrl-Alt-Del is the "Secure Attention Key". In theory, when you hit Ctrl-Alt-Del the only program that can respond to it should be the OS itself, making it safe to enter a password (to log on to the OS that is) after hitting Ctrl-Alt-Del, since you can be sure no login-simulators can hook into it.
Of course, Ctrl-Alt-Del does nothing to secure machines that have been tampered with on the system level, and does noth
Re:ctl+alt+del (Score:2)
The Cisco VPN Client hooks in to the Ctrl+Alt+Del. It pops up its own dialog. It makes me wonder if a malicious app could do the same, but subvert the dialog the OS puts up (e.g. obscure it with an identical one of its own, or post messages to control it).
Re:ctl+alt+del (Score:2)
Re:ctl+alt+del (Score:2)
Re:ctl+alt+del (Score:4, Informative)
Hardware Loggers (Score:2)
Hardware based keyloggers are a little easier to spot, though. You could show them pictures of hardware loggers so they'd know what to look out for. A quick Google found this one [keyghost.com] and this one [staticusers.net], which are pretty much the only two types I've seen so far.
It should be noted though, that finding these things on an Internet kiosk would be near impossible as most of the hardware is hidden from the user's view.
Re:ctl+alt+del (Score:2)
No financial activities (Score:5, Insightful)
Sensitive information should be transmitted separately, for example, credit numbers via email and expiry date via phone.
Re:No financial activities (Score:4, Interesting)
Try and find a bank that requires one-time passwords. I don't know how common such systems are internationally, but over here in the Netherlands, it's pretty much standard.
My own bank provides its users with a small calculator that, when unlocked with your PIN, will also generate one-time login numbers. For extra security every transaction requires an extra one-time number keyed to that particular transaction (so hijacking the connection after the login is provided is mostly harmless).
I'm sure it's still not 100% safe, but crackers will definitely have to work for their money.
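The printed one-time password sheet and the one-time login numbers described in the comments above can be built from a hash chain. The sketch below is an added example, not code from any poster or bank; the names `make_sheet` and `OtpServer`, the 10-entry sheet and the 80-bit truncation are assumptions chosen for illustration. It shows why a password captured by a keylogger is worthless on replay.

```python
import hashlib
import hmac
import secrets

ROUNDS = 10      # entries on the printed sheet (assumed value)
OTP_BYTES = 10   # 80-bit passwords, short enough to type from paper (assumed)


def _h(data: bytes) -> bytes:
    """One link of the chain: truncated SHA-256."""
    return hashlib.sha256(data).digest()[:OTP_BYTES]


def make_sheet(seed: bytes, n: int = ROUNDS):
    """Build the chain x1 = H(seed), x2 = H(x1), ..., x(n+1) = H(xn).

    The server keeps only x(n+1). The traveller's sheet lists xn first
    and x1 last, so every password typed is the preimage of the value
    the server currently holds.
    """
    chain = [_h(seed)]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    verifier = chain.pop()                      # the only value the server stores
    sheet = [x.hex() for x in reversed(chain)]  # sheet[0] is used first
    return sheet, verifier


class OtpServer:
    """Accepts each sheet entry exactly once, in order."""

    def __init__(self, verifier: bytes):
        self._current = verifier

    def login(self, typed: str) -> bool:
        try:
            candidate = bytes.fromhex(typed.strip())
        except ValueError:
            return False                        # not hex: reject
        if not hmac.compare_digest(_h(candidate), self._current):
            return False
        # Advance the chain. The password just used now hashes to a stale
        # value, and the next valid one is its preimage, which a logger
        # that saw only this entry cannot compute.
        self._current = candidate
        return True


def replay_demo():
    """Constructed scenario: a kiosk keylogger records the first login."""
    sheet, verifier = make_sheet(secrets.token_bytes(16))
    server = OtpServer(verifier)
    first_login = server.login(sheet[0])    # traveller types entry 1
    replayed = server.login(sheet[0])       # logged keystrokes replayed later
    out_of_order = server.login(sheet[2])   # skipping ahead is rejected too
    second_login = server.login(sheet[1])   # traveller's next real login
    return first_login, replayed, out_of_order, second_login


if __name__ == "__main__":
    print(replay_demo())
```

A one-time password only stops replay of logged keystrokes; it does nothing for the session already open on a compromised terminal, which is why the bank described above also keys a separate number to each transaction.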
A new aspect of travel (Score:2)
Being forced into living a state of fear by cyber thugs is really not that great of an option. The fact that we are essentially asking travelers to ignore an intriguing new aspect of travel is quite sad.
I am also disappointed to see our technological elite offering little more than a probation against using
Re:A new aspect of travel (Score:2)
Unfortunately, slashdot does not have a way to reply to multiple posts. So, I just stopped randomly. Of course, luddites are probably quicker to post than those who will actually see more to the answer than just a prohibition against using the internet on the road.
Re:A new aspect of travel (Score:3, Insightful)
Unfortunately, you will never be able to trust the routers or connections that you come across when traveling.
Judging from the large number of people who've had their laptops, PDAs and cell phones stolen, I suspect that the chance of your getting your laptop stolen on vacation is greater than the chance of losing your email password at a local library.
Well... (Score:3, Interesting)
They caught on to this a long time ago (Score:5, Informative)
Re:They caught on to this a long time ago (Score:3, Insightful)
This counteracts copy&paste, type-edit-type, etc.
If the OS can be modified (software attacks, physical attacks, boot disks, etc)...you cannot trust the system at all.
And of course, even if the OS isn't modified, hardware keyloggers and/or spy cameras could also be a risk.
I suspect multifactor authentication is going to quickly becom
Don't trust an unknown computer (Score:2, Insightful)
Browse the web: Yes
Check my Accounts: No
Simple Rules (Score:3, Interesting)
You wouldn't give your credit card # to someone over the phone in a public place.
You don't throw away check stubs without shredding them.
You don't give strangers your home address.
I guess I don't understand how people can not connect the dots.
Create a disposable webmail address (Score:5, Interesting)
Then use only this address while traveling, and only for casual messages, nothing important. Specify to your correspondents that this address is temporary, and subject to be "stolen", so they should be suspicious regarding messages coming from it.
Interesting problem and no good solution... (Score:2)
I've seen web pages with a checkbox allowing you to indicate that you are on a public computer, presumably to avoid caching personal information. That would not protect against a keylogger program, however.
When in doubt.. (Score:2)
It's just good rule of thumb. And to be even more paranoid, you should assume the same about any hardware that isn't in a locked room 100% of the time.
If you're really concerned about this, make sure the passwords on things you do access aren't the same as other passwords you use and make sure you change it when you're done from a "secure" location.
Realistically speaking (Score:2)
However, if you're using public machines that have keyloggers on them, then someone put those keyloggers there for a reason. That reason probably isn't to monitor the effectiveness of internet filtering at that particular location.
The best advice would be to make sure their hotmail (or whatever webmail they're using) password isn't the same as the password on their other accounts. Delete all the mail after it's read,
KL-Detector (Score:2)
http://dewasoft.com/privacy/kldetector.htm [dewasoft.com]
Re:KL-Detector (Score:2)
Re:KL-Detector (Score:2)
Never use a computer in an internet cafe... (Score:2, Interesting)
It also helps to have two or three sets of passwords:
- The least sensitive password should be used for "subscription required" sites, like the NYT.
- The medium sensitive password should be used to protect your web mail accounts, like Gmail
- The most sensitive password should be used for online banking
Re:Never use a computer in an internet cafe... (Score:2)
First do your homework... (Score:5, Funny)
2. Cordon off the area and do a thorough sweep of the Internet Cafe in question.
3. Make sure that and patrons and workers empty their nasty little pocketses.
4. Disassemble any electronic hardware that is shielded to make sure the keylogger isn't hidden in its nasty bowels.
5. Once the all clear is given, log in to AOL, download porn.
I'm just saying...
Always consider public terminals insecure. (Score:2)
Even if they have a policy in place to keep terminals "clean" they don't necessarily follow it.
I'd personally recommend that they use a throwaway email account while abroad if they plan on accessing it often.
The usual things too... user name and password unrelated to others etc.
If they're really paranoid, and have someone that they trust back home, they can get that person to change the passwords on the accounts during their trip.
Take a laptop? (Score:3, Informative)
When I went to DefCon a few years ago, I loaded a fresh laptop and set it up to VPN all traffic leaving it, plus I didn't access any private resources, I had my e-mail copied to a webmail account on another box I was running. It worked great.
Sean
Re:Take a laptop? (Score:2)
Does anyone know how feasible this is in Europe? More specifically will this work in Germany, Austria, and the Czech Republic? I know here in the states most internet cafes now have wifi, but how common is that overseas?
Advice? (Score:5, Informative)
2) ssh into your home server, or use HTTPS for webmail.
Using your own laptop means nobody is keylogging you, unless they get access to your machine, in which case you're screwed anyway. Sticking to SSH or HTTPS means you're not sending anything worthwhile unencrypted up the pipe.
Also, you'd be amazed at the number of compromised terminals at universities and colleges, too. Better warn your kids before they go off to college not to do any financial transactions, etc., from them, no matter if school policy is to run antivirus and spybot killers. Those are no match for good old fashioned hardware keyloggers, assuming they even use the latest updated programs to check.
Advise (Score:2, Funny)
I would advise them that spell checkers don't know nouns from verbs.
-Peter
Disposable Password List (Score:2)
My rule of thumb is... (Score:2)
Use the mouse (Score:4, Interesting)
Re:Use the mouse (Score:2)
I start up some text editor, then I type random characters in it. Then I move to the password field and type 1 char. Then back to the text editor typing random chars again. Then I type the 2nd char of my password after switching windows. I go on like that.
Of course, for financial stuff, I do not trust this. But for login into an email account, I believe that this is secure enough. They won't bother trying to figure out what the password is with the keylogger.
Re:Use the mouse (Score:2)
Fun Experiment (Score:3, Interesting)
Re:Fun Experiment (Score:3, Informative)
Not just while travelling... (Score:2, Interesting)
The only machines I trust are those that I own and have direct, constant control of. Period.
My mother-in-law on the other hand decided that she'd keep doing her online banking/shopping, etc even after I advised her not to (it was going to be 2
Morse Code (Score:5, Funny)
A reason to embrace Trustworthy Computing? (Score:2, Interesting)
Now imagine this scenario to fight this:
The keyboard and OS are NGSCB (Microsoft's Next-Generation Secure Computing Base (NGSCB)) -aware.
They have been
Re:A reason to embrace Trustworthy Computing? (Score:2)
Re:A reason to embrace Trustworthy Computing? (Score:2)
The key presses are now recorded by the underlay.
Made specifically for the Microsoft trusted keyboard, stores multi-GB of data to an onboard storage and key log data can be retrieved via Zigbee wireless.
These will be on sale once 10% of computers have a "trusted" keyboard.
Re:A reason to embrace Trustworthy Computing? (Score:2)
At this point... both software and hardware keystroke loggers become useless.
And so does your computer, should you spill a drink on your keyboards.
Practical (Score:5, Interesting)
Re:Practical (Score:5, Informative)
Re:Practical (Score:2)
Re:Practical (Score:3, Insightful)
Stop worrying! :) (Score:4, Funny)
Re:Stop worrying! :) (Score:2)
And by the way, if you see your Mom this weekend, would you be sure to tell her...
Pretty simple, really (Score:2)
I limit my on-line activities on kiosks to anonymous surfing, though if I am travelling, I usually have my tablet PC and my cell phone with me, the combination of which can be used to browse the web.
But I admit to being more paranoid than the average bear. :)
Relax, you are on vacation... (Score:2)
Something to consider... (Score:3, Informative)
Be wary of this, since I was able to catch the logins of several users. (My purpose of installing this was to catch someone who was using our network traffic downloading porn and illegal filesharing. Needless to say, with the screenshots and logs, I caught him rather red-handed.)
But these days, such precautions are to be expected with terrorism on the rise and such. My only advice: Be very careful when doing this on a public location where spying and keylogging is easy to implement. Not all people were as nice as I was and let the small info go. A small slip of the Credit Card number, and away goes several thousand dollars!
Re:Something to consider... (Score:5, Insightful)
What you did is strongly illegal in many countries, including parts of the US (look up state & federal wiretapping laws) especially if done without informing users. Aside from that, it pushes the ethical boundaries of what's acceptable (I think it's filthy, personally, but I'm giving the benefit of the doubt and being diplomatic.)
Not all people were as nice as I was and let the small info go
If you can't tell what's wrong with this statement, you shouldn't be administering systems used by other people. You're perfectly correct about being wary of using boxes beyond your exclusive control; however, we're talking about crime and not exercising control over your own computers.
Solution (Score:2, Informative)
The onscreen keyboard doesn't get picked up by any keylogger I know of.
Mod Parent Up (Score:2)
zerg (Score:2)
Sounds obvious, but... (Score:2)
keylogger dongle (Score:3, Interesting)
If it's one of those little PS/2 keyboard devices that sits between your PC and keyboard, try this: Log in normally, use your password, do whatever, then logout. Before you walk away from the kiosk, tape down the left-arrow key. The auto-repeat will fill the buffer (might be a few Kb) and eventually overwrite your PW.
Laptop (Score:2)
Since my laptop is my office machine, it goes where I go. I take the appropriate measures to secure my laptop at all times. As far as physical security goes, since I'm a field employee, my backpack is my office. I always keep the backpack in my presence.
I didn't have a problem (Score:5, Funny)
Re:I didn't have a problem (Score:5, Funny)
Simple (temporary) solution? (Score:2)
Throw them off (Score:2)
use a mouse to paste your login & password (Score:2, Interesting)
Hopefully nobody is looking at your screen remotely (and see the mouse movements)... anyone have a technique around that?
My semi-solution (Score:3, Interesting)
Since my home computer has passwords saved, of course, I wouldn't need to type in passwords from here. This assumes the connection is secure from being hijacked (I don't honestly know if it is) and there's a little vulnerability where someone could immediately RDP into my computer again, from the same IP, with the password that they've presumably just logged, since *that's* not a one-time password. (I suppose I could try to set it up to only allow one connection in.) But they'd only have a minute to do it in.
Of course, the point is entirely moot since I haven't set any of this stuff up - it turned out I needed a laptop for work, so they gave me a laptop, and I've just been using that with ssh and cygwin. Heh.
But that's the plan.
Re:It's so frigging simple! (Score:2)
Re:medium threat (Score:5, Insightful)
This threat is not any different than the threat that almost all wireless users at cafes have faced for years....
This threat is completely different from wireless cafes. At a wireless cafe if you're using your own machine, all you have to do is be sure to use the SSL protected https site when checking mail, doing bank transactions (which should be SSL only anyway). If you're using a public terminal, there's basically nothing you can do to protect any sensitive information.
My advice is buy a portable PDA with wireless capability if you need to do anything involving sensitive information while away on vacation.
Re:Man, do I hate those public access terminals (Score:2)
Re:ever heard of live CDs? (Score:2)
Re:It should be "advice", not "advise". (Score:2)