Security

Best Way To Avoid Keyloggers On Public Terminals? 701

goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. A Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. Kyps.net offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true (and I can't evaluate its security), it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecureID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"
  • I don't type (Score:5, Interesting)

    by dmomo ( 256005 ) on Wednesday April 23, 2008 @10:12PM (#23178298)
    I click around on icons until I can copy and paste a lot of letters into a single file. Then, with my alpha-palette, I cut and paste each letter as needed.
  • by Shadow of Eternity ( 795165 ) on Wednesday April 23, 2008 @10:13PM (#23178318)
    Copy and paste your password from random letters around the page. Unless they log everything that goes into the clipboard they can't tell what you put in. You can also copy/paste extra letters and paste over them for added security if you're really paranoid (or they log the clipboard).
  • Simple idea (Score:4, Interesting)

    by Mieckowski ( 741243 ) on Wednesday April 23, 2008 @10:16PM (#23178344)
    You could type the letters out-of-order, then rearrange them using drag+drop. Someone with a keylogger probably wouldn't bother using the mouse input to figure it out.
  • S/KEY (Score:5, Interesting)

    by Ernesto Alvarez ( 750678 ) on Wednesday April 23, 2008 @10:20PM (#23178380) Homepage Journal
    To get root access on my server, I use a one-time password system (RFC 2289). I use an S/KEY calculator on a Palm Pilot, and PAM OPIE on the server. The public terminal never sees a long-term password; it never leaves the PDA.

    Not much else to be said. Maybe you could also use a crypto token and asymmetric crypto, but considering that you need drivers, I'd say it's not practical. You might still use some sort of somewhat disposable private/public key. That should defeat keyloggers, but you risk getting your key compromised (that's why it's disposable).
  • Re:Anonymous Coward (Score:5, Interesting)

    by corsec67 ( 627446 ) on Wednesday April 23, 2008 @10:20PM (#23178388) Homepage Journal
    What protection does that afford against a physical keylogger?

    Not all keyloggers are software.
  • Re:Anonymous Coward (Score:5, Interesting)

    by TerranFury ( 726743 ) on Wednesday April 23, 2008 @10:25PM (#23178416)
    He uses only the mouse, so it is invulnerable to that method, actually. You need to capture the mouse actions and the screen simultaneously. This is something not easily done in separate hardware.
  • Re:Phone? (Score:4, Interesting)

    by DaedalusHKX ( 660194 ) on Wednesday April 23, 2008 @10:25PM (#23178426) Journal
    Set up a Knoppix or other (Ubuntu?) LiveCD using the available tools. Don't worry about anything except setting up an IPsec tunnel, with preset keys, to a machine at home. Presumably this machine should be pulling down your email and other data that you need to access. Since the boot is fresh from a trusted CD it defeats software keyloggers, and using the secure keys also sets it up so you don't have to worry about hardware keyloggers getting your passwords.

    Frankly, you ARE better off with some form of wireless PDA or PDA Phone... but if you want to be cheap, it will still cost you time.
  • How about this... (Score:4, Interesting)

    by stwf ( 108002 ) on Wednesday April 23, 2008 @10:26PM (#23178430)
    So, thinking about this a bit...the point is you need a password that can't be used later. The digital services are fine, but do we really need more than a 1-5 minute resolution here?

    So a clever IT department could make passwords dependent on the time and date. Print out a code sheet, different for each employee, with words substituted for the date and time: a short word for the date and a short word for the ten-minute time period you're in, something like that.

    This way the password would be useless to a logger, you'd need a code sheet to log in, but it doesn't seem like it would be THAT much trouble (if your info is so important you're this paranoid...)...

    I call the patent!
  • by Anonymous Coward on Wednesday April 23, 2008 @10:33PM (#23178482)
    http://doi.ieeecomputersociety.org/10.1109/MPRV.2003.1186723
  • KeyScrambler (Score:4, Interesting)

    by techMech ( 1278336 ) on Wednesday April 23, 2008 @10:36PM (#23178496)
    You could try running Portable Firefox with KeyScrambler from a thumb drive. https://addons.mozilla.org/en-US/firefox/addon/3383
  • by MrSteveSD ( 801820 ) on Wednesday April 23, 2008 @10:41PM (#23178538)
    I once had to remote support a customer in another country and they sent us a little card-sized gadget that displayed a random code that changed every few minutes. It was synchronised (by the clock being pretty accurate I suppose, or possibly by radio signal) to an identical random code list at their site. So whenever we wanted to log in we just looked at the current code on the card, typed it in and at their end the code was checked against the current code.

    This sort of set-up could be very useful for people who frequently use public terminals. Your code can still be compromised but the crooks would only have a few minutes to retrieve and use it. Maybe you could even have it so that when you use a code once, the central code verification server invalidates it, so no-one else can log in, even if they do get the code quickly.

    I don't believe anything like this exists for the average person wanting to use normal email accounts though. Anyway, none of this changes the possibility that there are screenshots being taken every few seconds so that all of your private emails will be viewed later anyway.
  • Re:Phone? (Score:5, Interesting)

    by PyroMosh ( 287149 ) on Wednesday April 23, 2008 @10:44PM (#23178550) Homepage
    Certain sectors of the defense industry, for one. Mostly it stems from fear of camera phones, so they ban all phones from the facility period, camera or not. But there are also other concerns that they have, rightly or not.
  • by Anonymous Coward on Wednesday April 23, 2008 @10:48PM (#23178602)
    I often have to log into one of many unprotected semi-public terminals at work (in a hospital) to check my email. I type my username and password in a random order but use the mouse to reposition the cursor after each keystroke for the proper position. Sounds cumbersome, but my username and password are all typed with my left hand and I simultaneously reposition the cursor with the mouse in my right hand. The keylogger would presumably record only the scrambled order, which, although not perfect, seems a reasonable alternative.
  • by Knightman ( 142928 ) on Wednesday April 23, 2008 @10:48PM (#23178604)
    I built a system in the late 90's where you had a web-page where you entered an account-name. That name was tied to a cellphone number which was sent a generated password as a text-message. The password was only valid for 5 minutes.

    AFAIK it's still in use and has never been cracked.
  • Re:I don't type (Score:5, Interesting)

    by dietlein ( 191439 ) on Wednesday April 23, 2008 @10:49PM (#23178612)

    Yes, and forms that don't allow pasting (certain Flash forms, etc)???
    Easy. If your password is "secret", type "s", then something random, like "jd#'2;Knfn>", then highlight those last characters (except for the "s"), and type "e". Continue until done. Takes a while but is fairly safe.
  • Nero Safekey (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 23, 2008 @10:51PM (#23178628)
    I'm usually a lurker, but here,
    I found that Nero's SafeKeys work the best at public terminals. Granted, I don't do anything sensitive at them in the first place (I try to get my email on my phone when I'm on vacation). But I like Nero; it prevents (or so it says) keyloggers from reading what I type and I can keep it on a flash drive for use on any machine. This won't stop a hardware keylogger, but people should look before they use them anyway.
    -BMJ out
  • Auto Password Send? (Score:5, Interesting)

    by cgenman ( 325138 ) on Wednesday April 23, 2008 @10:55PM (#23178660) Homepage
    This would require server-side scripting, but what if each account kept a phone number on file? If the person uses the correct password, keep them out but text message them a single-use password. They can now log-in with the single-use password.

    Now the system requires something you know (your password) and something you have (your phone).
  • by faust2097 ( 137829 ) on Wednesday April 23, 2008 @10:58PM (#23178674)
    I make one address on gmail for each trip I take and have my other important messages forward on to that and tell my friends and family to use it. The most important part is that the password to this temp account is 100% unique.

    I'll usually do some "click obfuscation" as I type in the password as well but I have a feeling that's mostly a placebo feature.
  • Re:S/KEY (Score:3, Interesting)

    by goombah99 ( 560566 ) on Wednesday April 23, 2008 @10:59PM (#23178694)
    Could you expand on this? How does one go about setting this up on, say, a Mac?

    What I'd really like is to skip the PDA. Instead just take a page of, say, 100 one-time passwords. But how might one set this up? I'm handy with Perl but I'd prefer a robust, worked-out solution.
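An added illustration of the S/KEY scheme discussed in this sub-thread (example code written for this page, not from any commenter, OPIE or OpenBSD): it builds the RFC 2289 hash chain with the MD5 variant, prints the sheet of one-time passwords a traveller would carry, and shows the server-side check that rejects a replayed or skipped password. Assumed simplifications: passwords are shown as 16 hex digits instead of the RFC's six-word encoding, and the pass phrase, seed and sheet length are constructed sample values.

```python
import hashlib
import secrets


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_value(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count` of the chain for this seed and pass phrase.

    Step 0 hashes seed + pass phrase; every further step hashes the previous
    8-byte value, so value(count) == H(value(count - 1)) for count > 0.
    """
    value = _fold(hashlib.md5((seed + passphrase).encode("utf-8")).digest())
    for _ in range(count):
        value = _fold(hashlib.md5(value).digest())
    return value


def password_sheet(passphrase: str, seed: str, n: int) -> list[tuple[int, str]]:
    """The printed list: (sequence number, hex password), highest number first.

    The user works down the sheet, crossing out each entry. The server was
    enrolled with value(n), so the first password typed is value(n - 1).
    """
    return [(i, otp_value(passphrase, seed, i).hex()) for i in range(n - 1, -1, -1)]


class OtpVerifier:
    """Server side: keeps only the seed, the sequence number and the last
    accepted value. The pass phrase never leaves the trusted machine."""

    def __init__(self, seed: str, sequence: int, last_value: bytes):
        self.seed = seed
        self.sequence = sequence
        self.last_value = last_value

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int) -> "OtpVerifier":
        # Enrollment is computed on the trusted home machine; only value(n) is stored.
        return cls(seed, n, otp_value(passphrase, seed, n))

    def challenge(self) -> str:
        """RFC 2289 style prompt telling the user which sheet entry to type."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, candidate_hex: str) -> bool:
        """Accept iff one more hash step of the candidate equals the stored value.

        A password captured by a keylogger is useless afterwards: hashing it
        again gives the value one step further along the chain, not the one
        now stored. Skipping an entry fails too, since only one step is checked.
        """
        if self.sequence <= 0:
            return False  # chain exhausted; re-enroll with a fresh seed
        try:
            candidate = bytes.fromhex(candidate_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8 or _fold(hashlib.md5(candidate).digest()) != self.last_value:
            return False
        self.last_value = candidate
        self.sequence -= 1
        return True


def demo() -> dict:
    """Walk one short chain end to end: enroll, print a sheet, log in, replay."""
    passphrase = "correct horse battery staple"  # constructed sample; never typed at the cafe
    seed = "va" + secrets.token_hex(2)            # public value, stored on the server
    server = OtpVerifier.enroll(passphrase, seed, 5)
    sheet = password_sheet(passphrase, seed, 5)
    for count, password in sheet:
        print(f"{count:3d}  {password}")
    return {
        "first_login": server.verify(sheet[0][1]),   # value(4): accepted
        "replay": server.verify(sheet[0][1]),        # same password again: rejected
        "skip_ahead": server.verify(sheet[2][1]),    # value(2) while value(3) expected: rejected
        "second_login": server.verify(sheet[1][1]),  # value(3): accepted
    }


if __name__ == "__main__":
    print(demo())
```

The hex values can be checked against the test vectors published in RFC 2289 for the "otp-md5" variant; a real deployment would use the six-word encoding and a seed chosen by the server.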
  • Re:I don't type (Score:5, Interesting)

    by JustinOpinion ( 1246824 ) on Wednesday April 23, 2008 @11:05PM (#23178742)
    Apparently* many modern keyloggers also capture the clip-board and record mouse movements (so as to defeat those "visual keypads" that some banking sites have implemented to thwart keyloggers). I guess the additional steps of assembling your password from pieces will prevent some attacks (e.g. where the attacker just uses the logged keystrokes, in order, for a dictionary attack on your account)... but a determined attacker may still be able to reconstruct your password from the combined key/mouse/clipboard history.

    Every bit of security helps, but I don't think we should be under the illusion that keylog-writers haven't caught on to these kind of tactics.

    *This is based upon a talk I was recently at where a Symantec security analyst was asked about keyloggers.
  • Re:I don't type (Score:5, Interesting)

    by complete loony ( 663508 ) on Wednesday April 23, 2008 @11:07PM (#23178754)
    Start > Programs > Accessories > System Tools > Character Map. But a software clipboard hook will still get you.
  • Re:I don't type (Score:3, Interesting)

    by Neodudeman ( 1259256 ) on Wednesday April 23, 2008 @11:09PM (#23178768)
    The problem with this is that any capable keylogger catches it. In fact, all the good keyloggers catch all Copy/Paste commands, and even the input from the Windows+U 'Virtual Keyboard.' A good solution would be to type your password backwards. After every letter, use the mouse, not the keyboard, to select before the asterisk you just made, and type the next (previous) letter.
  • Re:I don't type (Score:5, Interesting)

    by dietlein ( 191439 ) on Wednesday April 23, 2008 @11:14PM (#23178804)
    Your points are correct to some extent. My method is indeed invalid if the following are simultaneously true: (1) the password field is using a fixed-width font, (2) all keystrokes and mouse activity are timestamped, (3) the password field coordinates on the screen are known.

    Many methods can be imagined to add to the difficulty, including moving the window around, selecting other objects intermittently and entering keystrokes while they are active, and so on and so forth.

    Remember, no single method is perfect, assuming there is a keylogger. Hopefully the keylogger owner is after the low-hanging fruit, which you won't be if you do any of these things. If he's actually targeting you specifically, you have bigger things to worry about.
  • by Anonymous Coward on Wednesday April 23, 2008 @11:23PM (#23178842)
    Forward your emails to a throwaway account, then immediately delete them after checking them on a public terminal.

    This way, the danger is limited to a few current emails and your main account cannot be misused or compromised.

    You could also prevent emails from particularly sensitive sources from being forwarded with filter rules, if you know you wouldn't need them over the holidays.

  • by mysidia ( 191772 ) on Wednesday April 23, 2008 @11:25PM (#23178864)

    This does not necessarily work. Complacency that once upon a time it fooled keyloggers does not make it a sound tactic for evading them.

    The strategy is well-known, and you can expect an advanced keylogger to detect it.

    The keylogger can pick up on the keystroke and identify the active window handle. The text boxes that have password masking turned on stick out like a sore thumb.

    Identifying the cursor position is not hard.

    The mouse coordinates you click on will be within the text box and will tip off any eavesdropping program that cares about the change of cursor position

    Automatically determining the final value of the password field when you press 'enter' or now click a 'button' instead of the text field is a clear possibility.

  • Re:Anonymous Coward (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 23, 2008 @11:32PM (#23178896)
    One can purchase keyboards with the logger built in. See Amecisco's website.
  • by dweezeldude ( 861643 ) on Wednesday April 23, 2008 @11:36PM (#23178912)
    Windows XP: Start > Accessories > Accessibility > On-Screen Keyboard. I typed this on it.... Do keyloggers record clicks or screenshots? Because I really don't know.
    by Shazow ( 263582 ) on Wednesday April 23, 2008 @11:41PM (#23178938) Homepage
    Set up VNC or something similar on your home desktop. Create a list of passwords you'll use for the duration of your trip.

    Every time you stop by at a cybercafe, connect to your VNC, do your business with all your passwords pre-saved safely on your home desktop. Once done, execute a script which will change the password to the next password on the list, log out, and move on.

    I haven't done this myself, but last time I went to Italy and had to use some really shady cybercafes, I really wished I had a system like this in place...

    - shazow
  • by crocodill ( 668896 ) on Wednesday April 23, 2008 @11:46PM (#23178966)
    Quite a lot of internet terminals in airports and around the place now use a network booted OS image. As soon as a user is finished and logs out, the system reboots and boots up off a read-only image on the network.

    Stick to these types of internet cafes and there's less risk, as users aren't able to fiddle with the OS.

    They are usually run by larger companies or are part of a franchise as well, and often coin operated, therefore don't have a flow of short-term staff coming through.

    Also if the computer has a regular keyboard on a cable (not bolted into the desk) check the cable for hardware key logging devices...

    http://images.google.com/images?hl=en&q=ps2+keylogger&btnG=Search+Images&gbv=2 [google.com]

    Sometimes the smaller internet cafes and youth hostels simply just have unsecured Windows boxes, pretty dodgy. I remember a couple of years back I was in a hostel in Madrid and was using the computer to book my next hostel in the next city I was traveling to. I put the first digit of my Visa card in (they all start with 4) and the form auto-complete feature displayed every Visa card that had been entered in the past. As Garth would say, "that's not good, I'm not happy". I didn't book, obviously.
  • Re:I don't type (Score:3, Interesting)

    by beav007 ( 746004 ) on Wednesday April 23, 2008 @11:57PM (#23179034) Journal
    The safer way seems to be to type out all the characters you need plus some (say the whole alphabet in uppercase AND lowercase, 0-9, and a smattering of punctuation) into Word or Wordpad (not fixed width), move the Window around the screen, and, then use the mouse and keyboard to copy and paste the characters into the password field.
  • Re:Phone? (Score:3, Interesting)

    by Fry-kun ( 619632 ) on Wednesday April 23, 2008 @11:57PM (#23179038)
    ...and nobody ever thought that the batteries could be sneaked in? Hell, some (if not all) phones can work powered by USB connection alone.
  • Re:I don't type (Score:1, Interesting)

    by Anonymous Coward on Thursday April 24, 2008 @12:07AM (#23179090)
    Ah yes, under that assumption, what did he do about the password needed to log on to ssh?
  • Re:I don't type (Score:5, Interesting)

    by Tmack ( 593755 ) on Thursday April 24, 2008 @12:13AM (#23179116) Homepage Journal
    Or set up a webpage that generates a random screen of characters including all characters you might use. If they logged mouse location, and even know the URL of the page you used, it won't be the same, and unless they took screenshots or also timestamp and save the copy buffer, they won't know what was actually used.

    tm

  • by thisisauniqueid ( 825395 ) on Thursday April 24, 2008 @01:23AM (#23179490)
    I keep a no-install copy of Firefox for Windows on a USB key, already logged into my Gmail account (cookies are kept on the USB key), and also with the password saved in case the cookie expires. However more sophisticated attacks are emerging such as cookie-stealing, so this is not as good an approach as it used to be.
  • HSBC Direct (Score:1, Interesting)

    by Anonymous Coward on Thursday April 24, 2008 @01:30AM (#23179522)
    With my HSBC Direct bank account, you only enter a few letters of your password at a time. Each time you login, the required password characters are changed. So you don't end up entering your entire password until you've made several successful logins.
  • Re:I don't type (Score:5, Interesting)

    by neomunk ( 913773 ) on Thursday April 24, 2008 @02:19AM (#23179696)
    How about a webpage like the one you're talking about bred with the horrible horrible idea of a webpage containing your passwords.

    You take that horrible security abomination of a webpage that gives you your passwords to cut'n'paste and you sprinkle it with freshly randomized obfuscation characters every reload (or once an hour so someone who DID find your secret webpage wouldn't be able to constantly refresh to ascertain your passwords). Then you can copy the whole line and then just select-delete the bits that don't belong. Since the garbage parts are different each time (or nearly each time) even a mouse grabber won't be able to reproduce the password string by reproducing the technique.

    None of this solves the problem of a logger grabbing the POST data.

    My best guess at a platform-independent solution is to VPN using secure authentication to a network you trust and proxy-browse from there. Get your keys all set up nicely at the trusted computer, and you shouldn't even have to type in any passwords, right?
     
  • Re:S/KEY (Score:1, Interesting)

    by Anonymous Coward on Thursday April 24, 2008 @02:36AM (#23179782)
    Actually, OpenBSD has built in S/KEY out of the box.
  • Re:Simple solution (Score:5, Interesting)

    by Anonymous Coward on Thursday April 24, 2008 @02:50AM (#23179834)
    "The restrictions in effect depend on the nature of what is being safeguarded; comparing two situations is like apples and oranges."

    Very true and *must* be remembered when at a govt installation - especially ones that had ever done nuke stuff at some point. There are MANY reasons for a "secure" rating and it may be more to protect you than what is inside the compound.

    There was an incident shortly after 9/11 where some reporter showed how "insecure" a site at LANL was by scaling a fence, cutting a lock off a building, and taking many photos. It also included a rant about why spend security on those empty buildings. After some posting across the internet he finally found out why (and anyone who has worked in such installations immediately knew the answer) - the building was contaminated with highly radioactive dust that is nearly impossible to clean up, so just lock it off. Yep, that guy sure showed them by breathing in some gamma-emitting particles.

    I have been in facilities where real weapons research was going on and it had fully manned machine gun turrets and was (maybe) mined outside of the official walkway (the mines were according to lore at the area - hard to know if true, though the machine guns were quite visible and would have been sufficient. I know much of the lore about the area I worked in wasn't true and the machine guns should have been sufficient). Never knew what they did there more than "weapons research" - I ate lunch a time or two with one of the principal designers of our Neutron Bomb and that was where his office was and that is as far as I knew anything (and wanted to know - you don't ask about those areas).

    "FOUO/Unclassified-Pretty much the catch-all for government owned IT-equipment."

    I would add that much of what you post is on machines that the IT guys managed. I worked in the research division and because our research was on scalable system administration we did pretty much what we wanted with them. I know a number of other researchers mostly administered their own system as they sometimes required some software that IT wouldn't support.

    The security of those systems ranges from good to horrid. Shortly before my contract ran out we had an incident where well over 50 systems were compromised due to those people's computers using a symmetric SSH key system from their office in a university (in this case the person didn't log out of a public terminal telnetted - yes, telnetted - to their university desktop) to *all* the machines they had access to. Amusingly enough the hacker had access to the Big Iron machine (an IBM SP2) and didn't know what it was, so he went for more desktops. It was an amusing meeting - after two hours of listening to a guy drone on about ssh keys, telnet, encrypted and unencrypted connections, keyloggers on public terminals, etc. he asked for any questions. First one: "What's SSH?" (note this included the chemists, physicists, biologists, and a few more "..ists" that had no real reason to know; we were all giggling at this point).

    Unfortunately some of the researchers were not very good at watching what systems they ran on. I know of at least once where someone was having trouble running on our stuff and I (being root) logged into their account and debugged their software. Found out later the reason they freaked when I told them what was wrong was that they were in the "sensitive unclassified" category. They had no idea root could do that and figured we normally ran a tighter ship security wise than the official systems did (which in some ways was true, in others not and they found out the latter the hard way).

    *note - anonymous because even though it has been a number of years still not sure what I am allowed to talk about. So feel free to write me off :)
  • Re:Phone? (Score:3, Interesting)

    by DaedalusHKX ( 660194 ) on Thursday April 24, 2008 @02:51AM (#23179840) Journal
    Yes, they ARE a fairly honest scam, they want your money and provide VERY little in exchange. Hell, a Pentium II with less than a gig of ram and 20 gigs of hard disk storage would run a forum and database well enough to collect ALL of someone's graduating classmates and even to provide them with fairly decent IM and Email capacities.

    However, given that they SELL most of this info (I'm fairly sure they do, judging by some rumors that I've seen propagate to other databases.) By the same token, they're a lovely way to spread misinformation about yourself and find out who sells what to whom by watching how the lies propagate :) It's easily worth the one-time payment of 30 bucks for a month or so. :)
  • Re:I don't type (Score:2, Interesting)

    by ne0n ( 884282 ) on Thursday April 24, 2008 @04:10AM (#23180128) Homepage
    If the keypad numbers on your bank's "visual keypad" are randomly arranged in the grid with every page load, that narrows the attack vector somewhat.
    by caluml ( 551744 ) on Thursday April 24, 2008 @04:39AM (#23180214) Homepage
    Write a script that, when run, will set your user password to the top one of a list, and delete that one from the top.
    Keep a copy of the list with you, SSH in (or whatever), and run the script immediately.
    Assuming no one tries to log in from the time you enter your password in the Internet cafe to when you run the script and change it, it's a perfectly safe method.
  • Re:I don't type (Score:3, Interesting)

    by JavaRob ( 28971 ) on Thursday April 24, 2008 @05:59AM (#23180432) Homepage Journal

    If the keypad numbers on your bank's "visual keypad" are randomly arranged in the grid with every page load, that narrows the attack vector somewhat.
    Yup, I have an account at a bank that does this.
  • by hAckz0r ( 989977 ) on Thursday April 24, 2008 @06:24AM (#23180508)
    It seems to me that a Blackdog http://www.projectblackdog.com/ might help get around at least some of this problem given the right setup. Think about this scenario: you walk up to the public terminal and plug the Blackdog into the USB port, and it boots up an X-Terminal session on the host, and from there you use ssh and port forwarding to proxy your web traffic to a trusted host at home/work through its ssh VPN. The authentication is done via a secret key stored on the Blackdog and unlocked via something like s/key or a keyring stored on the Blackdog, and subsequent passwords could be either injected into the session by the Blackdog processor environment, or stored in a Firefox browser running from the dongle itself. Keystrokes might be visible, but if the Blackdog can supply the authentication where needed then the crooks can't reconstruct enough of the session to do or learn anything. Sure, they might log a bunch of mouse movements and a few keystrokes, but they would not even know what application those keystrokes were going to, much less what sites you visited.
  • Re:I don't type (Score:3, Interesting)

    by delt0r ( 999393 ) on Thursday April 24, 2008 @06:33AM (#23180538)
    Some banks here (Austria) provide a one-time password list. You have to do just that: take a list with you and cross out each one as you have used it.

    My bank in NZ has a different policy. You are not permitted to use a public terminal without giving up liability protection.

    But secure IM... please
  • by demallien2 ( 991621 ) on Thursday April 24, 2008 @07:01AM (#23180646)
    On a public system, you cannot know that the Firefox you are running does not have some unique modification. Such an approach is way easier than trying to use a keylogger. These days I am very suspicious of public systems that ONLY provide Firefox/other open source browsers. It's probably one of the rare situations where I prefer to use IE. That said, if you use anything other than a throwaway password from a public terminal, you are extremely foolish.
  • by Anonymous Coward on Thursday April 24, 2008 @08:04AM (#23180910)
    My USB dongle has a copy of PuTTY and a private key that is separate from my usual. The key is password protected, but not with my login password. In .ssh/authorized_keys on my home machine is the public key for the dongle private key.

    Someone with a keylogger will grab the password to my USB key, but they won't get the key itself. This is true two-factor authentication, and easy to do.
  • Re:Phone? (Score:3, Interesting)

    by nahdude812 ( 88157 ) * on Thursday April 24, 2008 @10:03AM (#23182122) Homepage
    It's a good point. Even the most thoroughly inspected terminal, if it's in a public location, may still capture your details.

    For the most die-hard paranoid, one-time passwords are the only real security you can offer against capture (such that even if they're captured, they're useless), presuming you have a way to look up the one-time password without exposing subsequent passwords (i.e., you can't just have them written all on the same sheet of paper, or the pinhole camera could capture the next ones).

    Even RSA SecureID is vulnerable if its information is captured by a system able to exploit it in real time, unless the RSA system only permits one successful login per account per minute (the interval it takes the SecureID to refresh its numbers). If the information is precaptured (such as by a camera before you've typed the digits), they could beat you to the authentication. The public terminal could be written to capture your authentication credentials, change your entered credentials to false ones (to make you think you'd typed it wrong), and perform the real authentication in the background to gain access.

    So it comes down to: there's theoretically no way to completely secure yourself when using a public terminal or when using even a trusted terminal in a public space if you are hyper paranoid.
  • Re:Phone? (Score:2, Interesting)

    by torqer ( 538711 ) on Thursday April 24, 2008 @10:50AM (#23182886)
    The last time I messed around with keystroke logging software, probably 3 or 4 years ago, not only did it log keystrokes but also mouse button presses and window changes. So if your password was in the sentence "I know I left my keys somewhere in my house" and you tried your method, it would record information like:

    I know I my keys [Mouse1] [Firefox, Hotmail.com] somewhere [mouse1] [Word, Document1] in the house

    So there is no benefit from that method of defense. FWIW, it was an off the shelf program, nothing elaborate or difficult to find.
  • Re:Phone? (Score:3, Interesting)

    by ttldkns ( 737309 ) on Thursday April 24, 2008 @11:23AM (#23183548) Homepage
    When I go on holiday I take exactly that precaution. You often can't spend time checking the machine for physical keyloggers because they can be under desks and the ports can be hard to see or reach.

    You have to assume you're going to be keylogged and design a system that is resilient to it.

    I hide SSH keys (encrypted with passwords) around the internet on various web servers. Then I only need to download (and run) portaPUTTY and a VNC viewer before I can see a desktop with a web browser with all my passwords set up and all the sites I want to go to as bookmarks, tunnelled through a secure SSH connection. With VNC set on low colour the latency isn't too bad, and accessing and writing email doesn't need high graphics anyway. Then before logging off I simply delete that key's reference from the .authorized_keys file. I then make a note on paper (!) to remind me which keys I've used.

    With this method there is no way an attacker at any single internet cafe could access anything I don't want them to. It's not totally foolproof but it's paranoid enough for me.
  • Re:Phone? (Score:3, Interesting)

    by IndieKid ( 1061106 ) on Thursday April 24, 2008 @12:20PM (#23184734) Journal
    I work for a contractor who does work for the Ministry of Defence and some of our buildings require SC/DV clearance. Taking a phone in any of those would be a disciplinary offence, and may even get the person fired.

    The risk to my company of losing its List-X status (and hence 40% of our work) if there's a breach is too high to be flexible in this regard.
