How to make sure they don't have spyware and keyloggers to steal info?
Using Internet on public computers
How to make sure they don't have spyware and keyloggers to steal info?
Boot them with a Live CD. That's the only fail-proof way.
Otherwise, you may want to carry a portable version of Spybot S&D.
The owners of the computers do have the right to monitor their systems. That being said I highly doubt they have purposely put keyloggers and spyware on their systems. They probably do have spyware just because lots of people browse the net ignorant of the threats and expose the system to them.
I would not purchase anything or expose any of my passwords on a public system. Most cases you probably would be safe but I feel it's just not wise to do.
I will look into the portable version of spybot. Can it detect keyloggers too? I was going to use pendrive linux but they don't allow & have a BIOS password.
The answer is generally as simple as not sending personal information over an insecure network. While I understand that's not always a simple option for most people, it's generally the best option if you want to make sure nobody is messing with your data. Even if the owner of the network was a good person, you have to consider that they aren't so technically savvy that they secure their network from malicious users finding a way to sniff all the packets sent through the network from any of the hubs.
To put it bluntly, if you want to pay your bills, do it through the mail. If you want to purchase something, use Paypal. Otherwise, find a way to get yourself on a secure, private network.
Sent from my iPad®
Well, one way to "trick" keylogger is to have for example a text editor open; if you want to enter a sensitive information, you begin by typing some letters, then you switch to the text editor (using the mouse, not something like Alt+Tab, just to be sure), type a couple of "random" letters there, switch back and continue entering your sensitive information, than go back to the text editor, etc. It's long and painful, but if well done it could make finding the "sensitive information" more difficult. Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?), i.e. it doesn't log all the entered keys in the same file.
I hate real numbers.
Absolutely. ...and there are most definitely keylogger-esque programs that will monitor mouse input.Originally Posted by foxman
Sent from my iPad®
It's probably one of those situations for which the solution is not facing the problem.
If there is a security concern and you can't look at the processes list or someone with admin rights can't or refuses to show it to you, they are essentially providing a bad service. And the best option is to not use their service and find someone else who can address your rightful concerns.
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
Let's not forget hardware keyloggers, which are completely undetectable by software.
All the buzzt!
CornedBee
"There is not now, nor has there ever been, nor will there ever be, any programming language in which it is the least bit difficult to write bad code."
- Flon's Law
I think abh1shek meant that how he can be sure the public computer isn't infected with a keylogger by some previous user of that computer. And I guess most keyloggers don't show themselves in the process list (as a DLL perharps). This way we can leave out hardware keyloggers and network monitoring.
Yes, I think that Spybot can detect keyloggers too.
http://forums.spybot.info/showthread.php?t=9406
Last edited by maxorator; 06-30-2008 at 04:13 AM.
Put your own OS on a pen drive or CD
https://help.ubuntu.com/community/LiveCD
http://www.nu2.nu/pebuilder/
Even then, you will still be vulnerable to a hardware keylogger wired into the keyboard itself. Use your own "charmap" with a mangled keyboard layout to type in words using mouse clicks should make life more interesting for any snoop.
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
If at first you don't succeed, try writing your phone number on the exam paper.
I'm guessing most keyloggers are looking at the software messages which go along with keyboard events, not the low level keyboard driver. This approach would be simpler to implement and require fewer permissions as far as sneaking itself onto the system. On screen keyboards work by triggering software key events, so every time you click a character, it gets sent as a key event, and is logged as a keypress, although not being from the keyboard.
Programming Your Mom. http://www.dandongs.com/
Salem was suggesting a bootable OS on a pen drive or a CD. Such an OS would not be vulnerable to software loggers on the existing system, just to hardware loggers. A virtual keyboard as he suggested would make things harder for hardware loggers, which is the only thing you'd have to worry about. (Assuming your own system doesn't get infected, but that would be an issue with any computer system, including your own.)
My favorite trick: type a password or something with, say, three extra characters in the middle. Select the extra characters with the mouse, and delete them (with right-click -> delete if you want to).Well, one way to "trick" keylogger is to have for example a text editor open; if you want to enter a sensitive information, you begin by typing some letters, then you switch to the text editor (using the mouse, not something like Alt+Tab, just to be sure), type a couple of "random" letters there, switch back and continue entering your sensitive information, than go back to the text editor, etc. It's long and painful, but if well done it could make finding the "sensitive information" more difficult. Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?), i.e. it doesn't log all the entered keys in the same file.
About the only way to detect this would be to save a screenshot of the screen just before you typed your password, so that you could see the position of the textbox you were typing in. Coupled with the position of the mouse as it performed the selection, you could then determine how many characters were deleted.
(Note that it would probably be best if you selected the textbox to type your password in with the tab key rather than with a mouse click, which might give some clue . . . .)
Of course, there may be other ways to figure out what happened, I just can't think of any at the moment.
And anyway, this still isn't very good security. If an attacker knows that "pas4nmsword" is your password with just a few extra characters, then figuring it out would be significantly easier than brute force.
It would probably be best to type a few fake passwords first and delete them with the mouse, and to choose a password that is reasonably hard to spot in a key log. (For example, "somethingthecatdraggedin" would be better than "43Nfkj556Mdfjk4jl". Perhaps.)
But I'm rambling on here about something that is quite useless. If you're concerned about security, get your own operating system. It's about the only way you can be certain about things.
dwk
Seek and ye shall find. quaere et invenies.
"Simplicity does not precede complexity, but follows it." -- Alan Perlis
"Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
"The only real mistake is the one from which we learn nothing." -- John Powell
Other boards: DaniWeb, TPS
Unofficial Wiki FAQ: cpwiki.sf.net
My website: http://dwks.theprogrammingsite.com/
Projects: codeform, xuni, atlantis, nort, etc.
Having a password such as 43Nfkj556Mdfjk4jl will also make a possible attacker simply disregard the password as nonsense, since it is unlikely you would have such a password.
Although if it stands out among the rest of the logged information, the hacker might become suspicious.
Hmm... those are typical generated passwords, Elysia. Quiet strong too. Were I the hacker and THAT would definitely be flagged as a potential password.
I use them extensively on areas where I need strong passwords and even know one by heart which is what I use to boot my computer.
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
