Avoiding Keyloggers On Public Terminals
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
In today’s age of all too frequently justified paranoia there’s an issue that is coming up more and more often. There are a lot more publicly accessible computers these days. They’re in Internet Cafe’s and all I’ve even seen one in a hospital lobby that allowed people to surf the web and use web based email.
The problem with such machines is how can you know for sure that they’re not compromised and loaded with a keylogger. A keylogger is a program that keeps a record of every key typed and either saves it or transmits it to the person who set it up. That keystroke log allows whoever has it to know everything typed in emails and in web forms. Most especially it includes any passwords you type.
The question is “how do you avoid the keylogger”?
Recently there was a discussion about this on Slashdot. Various approaches were mentioned, including the use of a sort of reverse proxy thing called kyps.net to create one-time-pad temporary codes that you can enter on a public terminal and then the kyps.net will re-construct the password and complete the login.
kyps.net says that it does not record or otherwise save any passwords given to it but from a security standpoint, even if they’re 100% honest, such a system is still subject to a man-in-the-middle attack that can snoop the information anyway.
In the end, the best security practice is to remember that you have zero knowledge of how secure or trustworthy a public computer is. You’re best option is to not type anything into a public computer that you wouldn’t publish in the newspaper. Assume that it may have a keylogger and NEVER log in to banking or other services. Even your web mail.
If you MUST log into something on a public computer then make absolutely certain to change the password the second you have access to your own computer.
The best way to go is to carry a laptop with a Wi-Fi card and connect by way of one of the ever growing number of hotspots. Then at least you know that the machine you’re using is secure. As long as you are only entering passwords on https connections and any important emails you send are encrypted then you’re as safe as you’re probably going to be without some really extensive (and expensive) security solutions.
Technorati Tags: security, keylogger, malware, public+terminal, public+computer, laptop, wi-fi+password
If you enjoyed this post, make sure you subscribe to my RSS feed!
This is good information to get out there. I maintain the computers at my local library on occasional, and I have had to remove keyloggers from them on multiple occasions.
One very simple, and very effective method of outsmarting a keylogger is this:
For this example we will assume your password is “secretword”, when you are at the field where you type your password type “mysecrethideword” then use the mouse to select the characters that shouldn’t be there, right click on them, and click delete. You will have to do this by counting the spaces, because the letters will be hidden behind *’s. What this does, is cause the keylogger to log “mysecrethideword” as the typed keys, when you really entered something else. That is a pretty basically implementation, but it should be enough to understand the idea of how the method works. There are very few keyloggers that log mouse movements or clicks.
Jeff’s last blog post..No Title
The method you suggest was among the proposed means of defeating keyloggers in the Slashdot thread on the subject. Basically, it depends on your threat model.
If you assume attackers with enough resources and determination then you’re better off using your own machine that you never allow out of your control and connecting by Wi-Fi.
If it’s casual keylogers that are trying to steal your online bank password or myspace account, then the mouse method would work.