How to Improve Your Security When Using a Public Terminal
Using a hotel computer, or one in an internet cafe or airport, is a risky business. Public terminals are fine for general browsing and even (with a few precautions) collecting your email, but when it comes to logging in to your bank account or making an online purchase they really should be avoided.
We all know that, but life doesn't always allow us to follow the rules; sometimes we simply have to use a public terminal to conduct a confidential transaction.
Well, I'd dearly like to be able to tell you a way you can use a public terminal with complete safety. I can't. What I can do is show you some ways you can do it with a high degree of security. OK, it's not 100%, but it's better than no security at all.
There are two main areas of risk when using a public terminal. First someone may be using a session logger to record the flow of data between the PC you are using and the websites you visit. Second there may be a keylogger fitted to the PC that allows someone to capture your keystrokes and sometimes your mouse clicks and screen session as well.
Risk 1: Session Logging
It's dead easy for an ill-intentioned internet cafe operator to record your internet traffic. Indeed I once visited a cafe and noticed the clerk at the front desk was unabashedly scanning traffic from the shop's computers using Ethereal. So believe me, it happens.
It's important that you understand that when you are visiting a normal website, most of the information that flows between the PC you are using and the website you are visiting is visible and readable. It's there for anyone to see. "Anyone" includes your ISP or the clerk in the internet cafe.
If you are visiting a secure website (i.e. one whose address begins with https rather than http) your data stream is secure. That's because your data is encrypted end to end i.e. PC to server. Yes, it can still be seen but all that can be seen is a lot of gobbledygook.
If you use Gmail or Yahoo! webmail this is good news as both of these have secure website connections. The last time I used Hotmail it wasn't secure and many other webmail services aren't secure either. It's easy to tell: go to your webmail site and login. If the URL in the browser address bar starts with https it is secure. That means you can read your mail on any public terminal and no one can read your mail by intercepting the traffic between the PC you are using and the webmail service.
If your webmail service uses http rather than https then your email can be intercepted and read. If your email only includes things like a get-well message to Aunt Maud then there is no problem but if it contains your social security number, bank account and other personal details then you should start worrying.
Almost all online banking sites and e-commerce sites use https. That's comforting as it means no one can read your confidential data flowing between the computer you are using and the remote server. Sure they can see the data flow but they can't decrypt it.
Defensive counter-measures against session logging
There are, however, a number of ways to convert even a standard http connection into a secure encrypted https connection. Using a virtual private network is one way, but that's an option more readily available to corporate users than individuals. A simpler solution is to use a secure anonymizing network like the free Tor system.
Although Tor was designed to allow you to surf anonymously it has an attractive side benefit: it creates a secure https connection between your PC and the first Tor server. It's not secure beyond the first Tor server but interception is most unlikely once you get beyond the first server. The most likely location for someone to look at your web traffic is between the PC you are using and the first Tor server.
Setting up Tor is simple if you use a product like the free Firefox based XeroBank browser (formerly TorPark). Just start up XeroBank and the rest pretty well happens automatically. XeroBank is also portable so you can safely browse from a public terminal using a copy of XeroBank installed on your USB flash drive.
Surfing with XeroBank is noticeably slowed by the long chain of Tor servers through which your data passes. However a little extra time is a small price to pay for the additional security and anonymity. Besides if you really need speed you can switch back to normal non-secure browsing easily within XeroBank.
If you use XeroBank you can safely read your email even for non-secure webmail websites like HotMail. Whether the content of your webmail warrants the effort involved only you can decide.
I should note in parting that SSL (and thus https) is not immune to decryption. In particular so called "man in the middle attacks" have proven effective. However this kind of advanced attack is highly unlikely in an internet cafe.
Risk 2: Keyloggers
There is no 100% safe way to enter passwords from a public terminal. That's a fact.
Modern keyloggers can capture not only keyboard strokes but mouse clicks and the Windows Clipboard. They can also take screen shots of what you are doing. Keeping your confidential information from the prying eyes of the best of these sinister products is extremely difficult, perhaps impossible.
So the golden rule is don't ever enter confidential information into a hotel computer, an internet cafe PC or other public terminal.
That's the rule but rules get broken. Sometimes we simply have to use a public terminal. I have and I bet most of my readers have too.
So what can you do to improve your security when entering passwords?
Quite a lot, actually. Of the many different options available to improve your password security, one of the most attractive is to enter your passwords using a password manager like RoboForm2Go running from your own USB flash drive. It's an option I covered in my May 2007 editorial column.
When run from a USB flash drive RoboForm2Go provides excellent security. In fact I've not yet found a keylogger that can capture the information it enters into login boxes and web forms from Portable Firefox. Don't take that to mean RoboForm2Go is 100% safe. It's not; no product is.
One particular area of weakness of RoboForm2Go is the master password you must enter to activate the password manager. If a keylogger captured that and also managed to copy the encrypted RoboForm master password file from your USB drive then you are in deep trouble as they would be able to access all your passwords.
So protecting that password is critical. Some special issues apply to protecting your RoboForm2Go password and they are addressed later in the article. Let's first look at the question of protecting passwords in general.
Defensive counter-measures against keyloggers
(a) Use strong passwords
Make your passwords (or passphrases) long and semi-random. Passwords like "SncnGnls3Fp" are much better than something like "banana". This is not only because long random passwords are more difficult to crack but also because they are more difficult to unscramble from a keylogger log, particularly when used in concert with some of the other techniques mentioned below.
Remembering long semi random passwords is difficult but there are lots of mnemonic systems that can help.
By way of example the password "SncnGnls3Fp" I mentioned above is actually "RoboForm2Go" transformed by a simple formula where the first letter is shifted one forward in the alphabet (R -> S) while the next letter is shifted one back (o -> n). The same alternating pattern continues for the rest of the characters.
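The alternating-shift formula just described, as an added Python example that is not from the original article. It assumes the shift wraps around (z to a, 9 to 0), that digits shift like letters, and that any other character is copied unchanged but still consumes a turn in the alternation; applied to "RoboForm2Go" it produces "SncnGnsl3Fp", which matches the correction a reader posts in the comments below.

```python
def _alternating_shift(text: str, step: int) -> str:
    """Shift each character by `step`, flipping the direction after every
    character. Assumptions (mine, not the article's): letters wrap within
    their case (z -> a, A -> Z), digits wrap (9 -> 0), and any other
    character is copied unchanged but still flips the direction.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + step) % 26))
        elif ch.isascii() and ch.isdigit():
            out.append(str((int(ch) + step) % 10))
        else:
            out.append(ch)
        step = -step  # forward, back, forward, back ...
    return "".join(out)


def alternate_shift(mnemonic: str) -> str:
    """Turn a memorable word into a semi-random password: first character
    one step forward, second one step back, and so on."""
    return _alternating_shift(mnemonic, 1)


def undo_alternate_shift(password: str) -> str:
    """Inverse transform, so you only ever have to remember the word."""
    return _alternating_shift(password, -1)


if __name__ == "__main__":
    pw = alternate_shift("RoboForm2Go")
    print(pw, "->", undo_alternate_shift(pw))
```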
There a lot of different techniques for creating and remembering strong passwords and phrases. You can find some in this Microsoft article. Also worth consulting is this Wikipedia article on password strength.
(c) Use password obfuscation
There are many ways of obfuscating input. Here are a few:
(i) Where you have two entry boxes on the screen, such as a username and password, alternate entry between the two fields after each character is typed by using your mouse to move between the entry fields.
(ii) Enter the last half of your password first followed by the first half. Then drop and drag the second half to the front from inside the password box.
(iii) Insert some random characters
For simplicity let's say your password is abcdefg.
Rather than enter your password as a simple sequence of letters throw in some additional dummy random characters along these lines: aMNbOcZdPQReSfgTUV
Now go back and delete the dummy letters one at a time. Delete some characters using Backspace, others using the mouse to highlight the letter(s) and then hitting the Delete key or using the right-click context menu and selecting "Delete."
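To show why these tricks work, here is an added Python simulation (not code from the original article) of a password field alongside the log a keystroke-only logger would record. The field model, its methods and the event sequences are my own construction; it walks through the dummy-character trick with the article's abcdefg example and the type-the-second-half-first drag trick, and also shows that identical key presses with different mouse selections yield a different final password.

```python
"""Constructed model of a password field plus a keystroke-only log.

Mouse actions (click, select, drag) change the field but leave nothing in a
log that records only key presses. Simulation only: not a real field or logger.
"""
from dataclasses import dataclass, field


@dataclass
class PasswordField:
    text: str = ""
    cursor: int = 0
    keylog: list = field(default_factory=list)  # what a key-only logger records

    def type(self, chars):
        """Type characters at the cursor; every one of them is logged."""
        for ch in chars:
            self.text = self.text[:self.cursor] + ch + self.text[self.cursor:]
            self.cursor += 1
            self.keylog.append(ch)

    def backspace(self, n=1):
        """Press Backspace n times; the key is logged, what it removed is not."""
        for _ in range(n):
            if self.cursor > 0:
                self.text = self.text[:self.cursor - 1] + self.text[self.cursor:]
                self.cursor -= 1
            self.keylog.append("<BS>")

    def select_delete(self, start, end):
        """Mouse-select text[start:end] and press Delete: only <DEL> is logged."""
        self.text = self.text[:start] + self.text[end:]
        self.cursor = start
        self.keylog.append("<DEL>")

    def drag(self, start, end, dest):
        """Drag text[start:end] and drop it at index dest of the remaining text.
        Pure mouse work: nothing is logged."""
        chunk, rest = self.text[start:end], self.text[:start] + self.text[end:]
        self.text = rest[:dest] + chunk + rest[dest:]
        self.cursor = dest + len(chunk)


def dummy_character_entry():
    """The dummy-character trick as the article describes it for abcdefg."""
    f = PasswordField()
    f.type("aMNbOcZdPQReSfgTUV")   # real letters with dummies mixed in
    f.backspace(3)                 # Backspace removes T, U, V
    # text is now "aMNbOcZdPQReSfg"; remove the rest by mouse-select + Delete,
    # working right to left so earlier indices stay valid
    f.select_delete(12, 13)        # S
    f.select_delete(8, 11)         # PQR
    f.select_delete(6, 7)          # Z
    f.select_delete(4, 5)          # O
    f.select_delete(1, 3)          # MN
    return f


def same_keys_other_password():
    """Identical key presses, different mouse selections, different password:
    the key log alone does not determine what was entered."""
    f = PasswordField()
    f.type("aMNbOcZdPQReSfgTUV")
    f.backspace(3)
    f.select_delete(13, 15)        # fg
    f.select_delete(11, 12)        # e
    f.select_delete(7, 8)          # d
    f.select_delete(5, 6)          # c
    f.select_delete(3, 4)          # b
    return f


def half_swap_entry():
    """Type the second half, then the first half, then drag the first-typed
    part to the end (the article's second-half-first trick)."""
    f = PasswordField()
    f.type("efg")
    f.type("abcd")
    f.drag(0, 3, 4)                # move "efg" behind "abcd"
    return f


if __name__ == "__main__":
    for fn in (dummy_character_entry, same_keys_other_password, half_swap_entry):
        f = fn()
        print(f"{fn.__name__}: field={f.text!r} keylog={''.join(f.keylog)!r}")
```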
Obfuscation works
By combining the dummy character trick with the various multiple entry techniques you can confuse pretty well any keylogger.
It's enough because any hacker reading a log from a keylogger has to read, identify, analyze and re-assemble what's recorded. That's hard work. If you use long random passwords combined with even a few obfuscation techniques then almost certainly you've made the job too hard. Possible, yes, but too hard, especially when there are easy pickings available elsewhere.
But you can increase your security further; use an on-screen keyboard.
An on-screen keyboard (OSK) is, as its name implies, a screen version of a normal keyboard where you "type" characters by clicking with your mouse the appropriate key on the screen. Windows has an OSK built-in that can be accessed from Start / All Programs / Accessories / Accessibility / On Screen Keyboard or alternatively from Windows key + U.
Now many folks think that using an OSK to enter password data is more secure because a keylogger can't capture the keystrokes. Unfortunately this is only partly true.
First some OSKs (including the Windows OSK) simply emulate actual keystrokes and these can be recorded by many keyloggers. Second anyone can see what you are entering with an OSK by simply taking a screen movie or even a rapid series of screen shots. Third by recording mouse click coordinates it may be possible to deduce the characters entered with an OSK. Finally it may be possible to capture the password from the OSK using a clipboard monitor when you copy the OSK entered password into a password form field.
That's the bad news. The good news is there are some OSKs that don't emulate keyboard input. Two of these are free, portable and specifically designed for secure entry. The first is Neo's SafeKeys; the second is Monitor Only Keyboard (MOK).
SafeKeys has some nifty features such as the ability to start up in a different screen position and with a different size every time you run it. This effectively defeats mouse click loggers. It also allows you to drag and drop the entered password into a web form thus bypassing clipboard loggers.
MOK has its own charms: it disables clipboard logging and has the option of a variable key layout. It doesn't support drag and drop but the copy implementation results in equal security to SafeKeys.
So on balance, there is little between the products; each is a perfectly viable solution. Unfortunately both are still vulnerable to screen capture. However a screen capture program would have to take very frequent snaps or a continuous movie to successfully capture all your virtual keystrokes. That's possible, though the host PC would take a big performance hit in the process.
But there is a simple way of getting around screen capture programs: enter part of your password with an OSK and the remainder with the real keyboard. Combine the keyboard entry with a little basic obfuscation and you have a pretty secure solution.
Protecting your RoboForm2Go Master Password
There are some special problems involved in protecting your RoboForm master password when using RoboForm2Go from a USB flash drive connected to a public terminal.
Before I address these I want to state that I strongly recommend using RoboForm2Go for safely accessing password-protected websites. It's one of the easiest and most valuable steps you can take to improve your mobile security.
With RoboForm2Go, all of your website passwords are safely encrypted on your USB flash drive, and it's virtually impossible for anyone to decrypt the information from the stored files.
Impossible, that is, unless they have your master password. And there's the catch.
To use RoboForm2Go you must, at some point, enter your master password. If attackers use a keylogger to capture that password and also copy your RoboForm2Go password files from your USB drive, then they will have complete access to all your passwords. Hardly a pleasant thought.
So protecting your master password is absolutely critical.
In recognition of this problem, Siber Systems, the developer of RoboForm, has implemented some features that make it more difficult for keyloggers to capture your password.
First, they disable copying text from the master password window. Second, they disable drop and drag. Third, the password entry window contains no text, only graphics. Finally, and most importantly, they include in the password window a link to a special screen based keyboard (MOK) that allows you to enter your master password using mouse clicks.
Frankly, the first three of these measures are of limited benefit. They don't stop most keyloggers and, unfortunately, limit the range of obfuscation measures you can use to disguise your master password. You can't, for example, use the highly effective technique of dropping and dragging part of your entered password from the end of the password to the start. Nor can you cut and paste text from within the master password window or type dummy characters elsewhere in the window.
So these RoboForm security measures are really of limited value. So limited that I've been able to capture the RoboForm master password in every keylogger I've tried.
These particular measures may be limited in value, but the MOK built into RoboForm2Go is much more useful. It's quite a secure implementation, unlike the inbuilt Windows OSK.
In total contrast to keyboard entered passwords, I'm yet to find a single keylogger that can pick up passwords entered by the RoboForm MOK.
But there's a small catch. While a keylogger may not be able to grab your password, a screen session recorder can. That's because the RoboForm MOK indicates visually each time you click a "key" with your mouse. This makes your MOK password entries plainly visible on a screen movie.
It would have been much smarter for Siber Systems to have indicated a keyboard press with a sound from the PC speaker and have no screen indication at all. That way a screen session recorder would only show the movements of your mouse over the keyboard without showing what "key" you actually clicked.
That's the bad news. The good news is that the hostile use of screen session recorders is rare compared to the use of keyboard keyloggers. In fact, very rare. That's because taking a live screen movie consumes a lot of computer resources. So much that the computer would be really slowed down and the presence of the keylogger made obvious.
Periodic screen snapshots are, however, reasonably common in keylogging programs. That's because they take far fewer resources than a video, yet still reveal a lot. Fortunately, they are most unlikely to capture enough of your MOK input to reveal your master password. Think about it. Even if the logging program took a screen shot every second it would be virtually impossible to get your entire password. But screen recorders take shots much less frequently than once a second - most operate in minutes rather than seconds.
So on balance, using the RoboForm2Go MOK is the way to go. It's not perfectly safe, just very safe. It is, however, way safer than using keyboard input to enter your master password.
But before you enter anything with a MOK do turn around and make sure nobody is watching over your shoulder. Shoulder surfers just love MOK password entry :>)
Gizmo
I just downloaded Neo safekeys, but can someone tell me the basics of how it works? When I type something into it, I do not know how to copy/paste or drag/drop my entered values to where I want to put them. Can someone help?
Doug
In order to do drag-drop, this is the process:
The password should now have been transferred over.
There's a note to this in the SafeKeys forum, with a link to an explanation video on YouTube: http://www.youtube.com/watch?v=honY4H1f_z0
Thanks for the great article Gizmo! Two notes:
1) Re: using a non-visual indicator to avoid screen capture is good idea. I'll forward to developers. Screen scrapers are rare though, you are right.
2) Another option is to use the Dual Master Password feature. Take a look at item 7 in our manual: http://www.roboform.com/manual.html#passprotect
Essentially this allows you to provide a shorter version of the Master Password for limited access to RoboForm Data. It's great because it cannot be used to edit any data. Companies use it to provide 'read-only' access to employees but it can also be used when in a public setting like you suggest.
Keep up the good work and feel free to send any questions to s2davis (at) roboform [dot] com.
-Simon Davis
Marketing Manager/Siber Systems.
Hey, how about this? If you're going to carry around a flash drive with your roboform passwords on it, here's something else you can try. Create a simple text file on the flash drive. The file should consist of just a list of all printable characters, upper and lower case alphas, numbers, special characters, everything that could be a valid password character. When you need to type a password, just open the file, and copy and paste, one letter at a time, using either the mouse or the keyboard. In between characters, jump to the start of the file so that screen capture programs will be unlikely to see what you're copying. Wouldn't this be much easier to use than the Vesik method? You can just type your password directly. All the keylogger will see is left click, right click, left click, left click, over and over again (or alternately, click, ctl-c, ctl-home, click, ctl-v, etc.). What do you think?
- Paul
Typo alert. Should be "SncnGnsl3Fp"
Great article, none the less. Thanks, Gizmo.
Thanks, Gizmo!
See you in Seattle some time,
Josh F
The security concern of a keylogger getting your master password is minor. If they get it, they must get all of your password files - not an easy task as Roboform does not use a single-database. They use multiple encrypted files. For the attacker to get all the files from your USB stick is extremely remote. They can have my master password as they don't have my 200+ Roboform files to use it with.
I don't get it - how does roboform, keyscramblers and all the rest of this manual or software-assisted password obfuscation prevent a spyware that captures and saves to a file HTTP POST headers from having all the passwords? (no matter if HTTPS or HTTP)
I am confident that you will change your opinion once you have tried Neo's SafeKeys 2008 (it's a huge improvement over the previous version). It defeats keyloggers, mouseloggers, screenloggers and pretty much everything. Give it a try.
It's one of those utilities you have gotta carry on your pen drive. I recently mentioned it in my blogpost on online security.
[Moderator's comment: Link to Neo's website deleted - rated unsafe by WOT]
[Moderator's comment: Link to Neo's website deleted - rated unsafe by WOT]
Are you referring to a link that was in the 7/22/09 post or the link in the review (which is still active)?
Thanks.
Another method of password obfuscation that has security benefits over those already mentioned here is found at http://www.defendingthekingdom.com/archives/vesik-method-revised.
Kyps.net is a free website that lets you log into websites on public computers without revealing your passwords to the public computer.
Thanks for all the info...this is my number 1 go to site for info...i'm using clipmarks to print out and save what i want for reference. I'm using keyscrambler personal,online armor,eset nod32, and returnil. I'm a semi novice always looking to learn and this site has been invaluable to me...thanks Gizmo. Also use super antispywre and malwarebytes to manually scan.
I have been using keyscrambler since I got hacked by a keylogger. I use it also for my roboform. any opinions on that? Is it a good deterent or not?
I didnt notice you mentioning it. I also use snoopfree privacy.
thanks
Jeff S
According to some informal tests I saw on Wilders Security Forum KeyScrambler provides quite good protection against commercial keyloggers and some keylogger tests.
Snoopfree privacy is outdated, though I guess it should still provide reasonable protection against certain keyloggers.
How did you get infected in the first place?
Personally I believe you should focus on prevention, such as using the programs recommended by the links.
http://www.techsupportalert.com/content/best-internet-safety-check.htm
http://www.techsupportalert.com/best-free-browser-protection-utility.htm
Maybe Jeff is suggesting that a portable KeyScrambler type app would be useful when using public PCs, if such a program exists.
Try HashPass not mentioned in article but has all the features. (not free but very affordable)
For More tips Visit : http://www.rajeshpatel.net
The more programs you use to try to secure your connection,
the more vulnerable you may become. Here's the easy way to do it:
1. You will need to know what is used to connect to the internet (provider)
2. On screen keyboard
3. In services (control panel, admin tools, services)
A. disable any remote connections
B. write down what you have disabled
C. if going through lan to connect ,then disable wireless
or if wireless, disable lan.
D. turn off simple file sharing. also client for microsoft.
E. also passwords should be 8 or more characters long
using caps, lower case, symbols (above number keys).
F. If you followed my suggestions on the passwords,then
bruteforce, scripting (dictionary), and other programs will not work. examples: bruteforce will report something like 30 years or so to break, scripting will not work only on on 6 characters or less but not with symbols, and other programs will not be able to break it either, now FBI and etc.... have programs that can probably.
The security of your pc should always be kept up whether or not you're at a public internet connection or even your own! always always use 8 character passwords or more mixed.
A good list.
Most of this should be done on your PC all the time.
Most on this list cannot be performed if you are using a Public computer, such as one in a Library.
Thanks for the tips... Liz
If you trust Clipperz , an open-source website that stores encrypted passwords with local encryption and decryption, you can login to many (but not all) sites without typing your password, by clicking links that automatically log you on to other sites. You can access clipperz from an insecure terminal by using a one-time password randomly generated while logged in at a trusted terminal. Keep a list of one-time passwords (say on a mobile phone or USB stick) for later use and delete once you've used them. Even if key logging or screen capture software is running the one-time password will not work again. If you lose the random passwords you can still log in from a secure terminal and delete all active one-time keys and generate a new set. But again - you need to trust clipperz.
Something useful one of the webmail providers I use has just come up with: one-time passwords, specifically for use in internet cafés and the like.
www.fastmail.fm is the webmail provider. They have various levels of service, from free on up -- I admit I now use one of the paid subscriptions, but the free accounts are perfectly usable -- but they have now introduced an option that will generate a printable page of one-time passwords that no amount of cleverness on the part of a keylogger can make use of.
More details here:
http://blog.fastmail.fm/2008/07/21/one-time-and-sms-passwords/
Sounds like a brilliant idea.
I have a Yahoo web-based e-mail account. The only time it shows https:// is when I am on the login page. Once I have logged in, the address returns to http://. If I understand what you said in your article, that means anyone can intercept and read my email, yet you also said that Yahoo is secure. How can it be both ways?
Susan
If you use XeroBank's browser, you have to pay for it. You can get Portable Firefox, http://portableapps.com/apps/internet/firefox_portable , Portable Tor, http://portabletor.sourceforge.net/ and the Torbutton extension for Firefox, https://addons.mozilla.org/en-US/firefox/addon/2275 .
Now all you would need to do is extract Portable Firefox and install the Torbutton extension. And then extract and run Portable Tor to connect to the Tor network.
Completely free and exactly what XeroBank's browser does. Use Firefox to connect to Tor and the Torbutton lets you enable and disable Tor.
Not true - you don't have to pay to use XeroBank browser. You only pay if you use the XeroBank subscription service. Using the customized Firefox browser is free if you use the basic connection, or you can connect to JAP or Tor.
FYI. Trend Micro Internet Security flags the XeroBank Browser link (http://xerobank.com) as Credibility: Dangerous. I did not make an effort to determine why - just added it to the Approved Sites list. (Yea, I know... Lazy on my part, especially since this is an article on security. But, give me a break, Gizmo referenced it.)
Where does Anchor Free's Hotspot Shield fit into this? It's free and claims to set up a Virtual Private Network:
http://www.anchorfree.com/downloads/hotspot-shield/
great stuff!
thebluejay
Very important information
Thanks a Million Gizmo
Norbert
And if you do have to enter your passwords in a public terminal, change them as soon as you get home.
Was wondering how you can use any of the first methods mentioned if when you enter a character you only see a star (*). Doesn't that eliminate copy and paste, backspace, entering random characters then getting rid of them, entering the last half first and vice versa? Bob
A '*' is only shown on the screen. The actual keystroke is still what it is -- an 'a' is an 'a' and a keylogger has it.
Years ago I was surprised to learn that a remote desktop type of program showed the actual characters typed, whereas the person doing the typing only saw the '*'! The person typing had no idea the password was completely viewable.
Excellent article. Thanks
Jim
Thanks for so much enlightenment! Some I already knew but most - I was clueless about.
Jerry
Impressive...Most Impressive
Robert
Thanks Gizmo. It's really a very valuable article. Thanks a lot.
-Arun prasad R
Great Alert!
10x
Just the vaccination I was needing -- Thanks Gizmo!
Bob