PDA

View Full Version : Using Internet on public computers



abh!shek
06-29-2008, 03:03 AM
How to make sure they don't have spyware and keyloggers to steal info?

maxorator
06-29-2008, 04:36 AM
Boot them with a Live CD. That's the only fail-proof way.

Otherwise, you may want to carry a portable version of Spybot S&D.

VirtualAce
06-29-2008, 10:46 AM
The owners of the computers do have the right to monitor their systems. That being said I highly doubt they have purposely put keyloggers and spyware on their systems. They probably do have spyware just because lots of people browse the net ignorant of the threats and expose the system to them.

I would not purchase anything or expose any of my passwords on a public system. Most cases you probably would be safe but I feel it's just not wise to do.

abh!shek
06-29-2008, 12:10 PM
I will look into the portable version of spybot. Can it detect keyloggers too? I was going to use pendrive linux but they don't allow & have a BIOS password.

SlyMaelstrom
06-29-2008, 02:06 PM
The answer is generally as simple as not sending personal information over an insecure network. While I understand that's not always a simple option for most people, it's generally the best option if you want to make sure nobody is messing with your data. Even if the owner of the network was a good person, you have to consider that they aren't so technically savvy that they secure their network from malicious users finding a way to sniff all the packets sent through the network from any of the hubs.

To put it bluntly, if you want to pay your bills, do it through the mail. If you want to purchase something, use Paypal. Otherwise, find a way to get yourself on a secure, private network.

foxman
06-29-2008, 03:01 PM
Well, one way to "trick" keylogger is to have for example a text editor open; if you want to enter a sensitive information, you begin by typing some letters, then you switch to the text editor (using the mouse, not something like Alt+Tab, just to be sure), type a couple of "random" letters there, switch back and continue entering your sensitive information, than go back to the text editor, etc. It's long and painful, but if well done it could make finding the "sensitive information" more difficult. Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?), i.e. it doesn't log all the entered keys in the same file.

SlyMaelstrom
06-29-2008, 03:10 PM
Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?)Absolutely. ...and there are most definitely keylogger-esque programs that will monitor mouse input.

Mario F.
06-29-2008, 04:57 PM
It's probably one of those situations for which the solution is not facing the problem.

If there is a security concern and you can't look at the processes list or someone with admin rights can't or refuses to show it to you, they are essentially providing a bad service. And the best option is to not use their service and find someone else who can address your rightful concerns.

CornedBee
06-29-2008, 05:22 PM
Let's not forget hardware keyloggers, which are completely undetectable by software.

maxorator
06-30-2008, 04:10 AM
I think abh1shek meant that how he can be sure the public computer isn't infected with a keylogger by some previous user of that computer. And I guess most keyloggers don't show themselves in the process list (as a DLL perharps). This way we can leave out hardware keyloggers and network monitoring.

Yes, I think that Spybot can detect keyloggers too.

http://forums.spybot.info/showthread.php?t=9406

Salem
06-30-2008, 10:42 AM
Put your own OS on a pen drive or CD
https://help.ubuntu.com/community/LiveCD
http://www.nu2.nu/pebuilder/

Even then, you will still be vulnerable to a hardware keylogger wired into the keyboard itself. Use your own "charmap" with a mangled keyboard layout to type in words using mouse clicks should make life more interesting for any snoop.

CrazyNorman
06-30-2008, 11:06 AM
I'm guessing most keyloggers are looking at the software messages which go along with keyboard events, not the low level keyboard driver. This approach would be simpler to implement and require fewer permissions as far as sneaking itself onto the system. On screen keyboards work by triggering software key events, so every time you click a character, it gets sent as a key event, and is logged as a keypress, although not being from the keyboard.

dwks
07-01-2008, 05:15 PM
Salem was suggesting a bootable OS on a pen drive or a CD. Such an OS would not be vulnerable to software loggers on the existing system, just to hardware loggers. A virtual keyboard as he suggested would make things harder for hardware loggers, which is the only thing you'd have to worry about. (Assuming your own system doesn't get infected, but that would be an issue with any computer system, including your own.)


Well, one way to "trick" keylogger is to have for example a text editor open; if you want to enter a sensitive information, you begin by typing some letters, then you switch to the text editor (using the mouse, not something like Alt+Tab, just to be sure), type a couple of "random" letters there, switch back and continue entering your sensitive information, than go back to the text editor, etc. It's long and painful, but if well done it could make finding the "sensitive information" more difficult. Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?), i.e. it doesn't log all the entered keys in the same file.
My favorite trick: type a password or something with, say, three extra characters in the middle. Select the extra characters with the mouse, and delete them (with right-click -> delete if you want to).

About the only way to detect this would be to save a screenshot of the screen just before you typed your password, so that you could see the position of the textbox you were typing in. Coupled with the position of the mouse as it performed the selection, you could then determine how many characters were deleted.

(Note that it would probably be best if you selected the textbox to type your password in with the tab key rather than with a mouse click, which might give some clue . . . .)

Of course, there may be other ways to figure out what happened, I just can't think of any at the moment.

And anyway, this still isn't very good security. If an attacker knows that "pas4nmsword" is your password with just a few extra characters, then figuring it out would be significantly easier than brute force.

It would probably be best to type a few fake passwords first and delete them with the mouse, and to choose a password that is reasonably hard to spot in a key log. (For example, "somethingthecatdraggedin" would be better than "43Nfkj556Mdfjk4jl". Perhaps.)

But I'm rambling on here about something that is quite useless. If you're concerned about security, get your own operating system. It's about the only way you can be certain about things.

Elysia
07-01-2008, 05:20 PM
Having a password such as 43Nfkj556Mdfjk4jl will also make a possible attacker simply disregard the password as nonsense, since it is unlikely you would have such a password.
Although if it stands out among the rest of the logged information, the hacker might become suspicious.

Mario F.
07-01-2008, 05:55 PM
Hmm... those are typical generated passwords, Elysia. Quiet strong too (http://keepass.info/). Were I the hacker and THAT would definitely be flagged as a potential password.

I use them extensively on areas where I need strong passwords and even know one by heart which is what I use to boot my computer.

Elysia
07-01-2008, 05:58 PM
Yes, I imagine they are generated passwords, but many (if not most) use typical pass-phrases for stuff, so it could be either way - garbage or a real password.
But the safest bet would be to use a fake password. Perhaps a fake generated password.

indigo0086
07-01-2008, 10:05 PM
I was wondering, do they have "mouse loggers" I mean you could type some gibberish with bits of your password laced in it and selectively delete them from a text field to provide the password, aside from the mind-f*** and the time I think that would be difficult to parse, if you use the mouse to place the cursor that is.

maxorator
07-02-2008, 03:47 AM
They can simply log the contents of the input box at the moment it is submitted. That's not very difficult to do and beats all your "mouse" tricks.

dwks
07-02-2008, 10:59 AM
That would beat it, of course. But I don't see how you could do it (admittedly, I don't know much about this sort of thing). If the connection is unsecured, then sure, it could be done -- especially if the site was stupid enough to use GET. But what if it was secured, as sites requiring passwords you care about usually are?

Mario F.
07-02-2008, 11:33 AM
GET or POST wouldn't make much difference, since both can be sniffed. GET imbues the name/value pairs on the URL, whereas POST puts them in the HTTP request body. There are a few other minor differences but not significant for this discussion, having more to do with how broswer makers implement both methods. What is relevant however is that POST is actually as easy to get as GET (no pun intended). Many web developer tools include the ability to read POST data on their browsers (Firefox has a few addons that allow just this, for instance, as does the IE Developer Toolbar, IIRC).

In any case, I suspect any keylogger smart enough to just log the contents of an input during submission (as opposed to logging keystrokes) can only do so by sniffing the HTTP request header an body just prior to be sent. This is its weakness, because...

... if the transmission is encrypted, any name/value pairs are encrypted before being added to the HTTP request. Consequently sniffing the message header or body on the user machine with such type of keylogger, or do it with a packet sniffer while on transit will have the exact same result; both will meet encrypted, and consequently useless, data.

Considering the really interesting data travels encrypted... I would wager a keylogger and mouseloger are still more powerful tools in this case.

CornedBee
07-02-2008, 12:20 PM
Of course, the browser itself could simply be modified to log all data sent and received.

dwks
07-02-2008, 12:57 PM
Or a security hole in the browser could be exploited, which might be more likely. (Or not, given the rather paranoid and modified systems a lot of public internet computers seem to run.)

Something I forgot to mention earlier: if you do my dubious "trick" multiple times, you should probably type the same garbage characters each time. Given "pass3434word", "pass111word", and "passmkhword", it wouldn't be too hard to figure it out.

PING
07-06-2008, 12:53 AM
they don't allow & have a BIOS password.

BIOS passwords can be disabled :) Why do you need a pen drive? Carry a live CD and use that. I use a separate email id which i use to chat or send mails from public computers.