Using a hotel computer, one in an internet cafe or airport is a risky business.

Public terminals are fine for general browsing and even (with a few precautions) collecting your email, but when it comes to logging in to your bank account or making an online purchase they really should be avoided. We all know that, but life doesn't always allow us to follow the rules; sometimes we simply have to use a public terminal to conduct a confidential transaction.

Well, I'd dearly like to be able to tell you a way you can use a public terminal with complete safety. I can't. What I can do is show you some ways you can do it with a high degree of security. OK, it's not 100% but it's better than no security at all.

There are two main areas of risk when using a public terminal. First, someone may be using a session logger to record the flow of data between the PC you are using and the websites you visit. Second, there may be a keylogger fitted to the PC that allows someone to capture your keystrokes and sometimes your mouse clicks and screen session as well.

Risk 1: Session Logging

It's dead easy for an ill-intentioned internet cafe operator to record your internet traffic. Indeed I once visited a cafe and noticed the clerk at the front desk was unabashedly scanning traffic from the shop's computers using Ethereal. So believe me, it happens.

It's important that you understand when you are visiting a normal website that most of the information that flows between the PC you are using and the website you are visiting is visible and readable. It's there for anyone to see. "Anyone" includes your ISP or the clerk in the internet cafe.

If you are visiting a secure website (i.e. one whose address begins with https rather than http) your data stream is secure. That's because your data is encrypted end to end i.e. PC to server. Yes, it can still be seen but all that can be seen is a lot of gobbledygook.

If you use Gmail or Yahoo! webmail this is good news as both of these have secure website connections.
The last time I used Hotmail it wasn't secure and many other webmail services aren't secure either. It's easy to tell: go to your webmail site and log in. If the URL in the browser address bar starts with https it is secure. That means you can read your mail on any public terminal and no one can read your mail by intercepting the traffic between the PC you are using and the webmail service.

If your webmail service uses http rather than https then your email can be intercepted and read. If your email only includes things like a get-well message to Aunt Maud then there is no problem but if it contains your social security number, bank account and other personal details then you should start worrying.

Almost all online banking sites and e-commerce sites use https. That's comforting as it means no one can read your confidential data flowing between the computer you are using and the remote server. Sure they can see the data flow but they can't decrypt it.

Defensive counter-measures against session logging

There are, however, a number of ways to convert even a standard http into a secure encrypted https connection. Using a virtual private network is one way but that's an option more readily available to corporate users than individuals. A simpler solution is to use a secure anonymizing network like the free Tor system.

Although Tor was designed to allow you to surf anonymously it has an attractive side benefit: it creates a secure https connection between your PC and the first Tor server. It's not secure beyond the first Tor server but interception is most unlikely once you get beyond the first server. The most likely location for someone to look at your web traffic is between the PC you are using and the first Tor server.

Setting up Tor is simple if you use a product like the free Firefox based XeroBank browser (formerly TorPark). Just start up XeroBank and the rest pretty well happens automatically. XeroBank is also portable so you can safely browse from a public terminal using a copy of XeroBank installed on your USB flash drive.

Surfing with XeroBank is noticeably slowed by the long chain of Tor servers through which your data passes. However a little extra time is a small price to pay for the additional security and anonymity. Besides if you really need speed you can switch back to normal non-secure browsing easily within XeroBank.

If you use XeroBank you can safely read your email even for non-secure webmail websites like HotMail. Whether the content of your webmail warrants the effort involved only you can decide.

I should note in parting that SSL (and thus https) is not immune to decryption. In particular so called "man in the middle attacks" have proven effective. However this kind of advanced attack is highly unlikely in an internet cafe.

Risk 2: Keyloggers

There is no 100% safe way to enter passwords from a public terminal. That's a fact.

Modern keyloggers can capture not only keyboard strokes but mouse clicks and the Windows Clipboard. They can also take screen shots of what you are doing. Keeping your confidential information from the prying eyes of the best of these sinister products is extremely difficult, perhaps impossible.
So the golden rule is don't ever enter confidential information into a hotel computer, an internet cafe PC or other public terminal.

That's the rule but rules get broken. Sometimes we simply have to use a public terminal. I have and I bet most of my readers have too.

So what can you do to improve your security when entering passwords?

Quite a lot actually. Of the many different options available to improve your password security, one of the most attractive is to enter your passwords using a password manager like RoboForm2Go running from your own USB flash drive. It's an option I covered in my May 2007 editorial column.

When run from a USB flash drive RoboForm2Go provides excellent security. In fact I've not yet found a keylogger that can capture the information it enters into login boxes and web forms from Portable Firefox. Don't take that to mean RoboForm2Go is 100% safe. It's not; no product is.

One particular area of weakness of RoboForm2Go is the master password you must enter to activate the password manager. If a keylogger captured that and also managed to copy the encrypted RoboForm master password file from your USB drive then you are in deep trouble as they would be able to access all your passwords.

So protecting that password is critical. Some special issues apply to protecting your RoboForm2Go password and they are addressed later in the article. Let's first look at the question of protecting passwords in general.

Defensive counter-measures against keyloggers

(a) Use strong passwords

Make your passwords (or passphrases) long and semi-random. Passwords like "SncnGnls3Fp" are much better than something like "banana". This is not only because long random passwords are more difficult to crack but also because they are more difficult to unscramble from a keylogger log, particularly when used in concert with some of the other techniques mentioned below.

Remembering long semi-random passwords is difficult but there are lots of mnemonic systems that can help. By way of example the password "SncnGnls3Fp" I mentioned above is actually "RoboForm2Go" transformed by a simple formula where the first letter is shifted one forward in the alphabet (R -> S) while the next letter is shifted one back (o -> n). The same alternating pattern continues for the rest of the characters.
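
The alternating-shift mnemonic described above, written out as an added example (not part of the original article). The function names and the wrap-around behaviour at the ends of each alphabet are assumptions. Applied literally to "RoboForm2Go" the rule gives "SncnGnsl3Fp", which differs from the password printed in the article at the seventh and eighth characters.

```python
import string

# Each character moves only within its own class, wrapping at the ends
# (Z -> A, 9 -> 0). Wrapping is an assumption; the article's example never
# reaches the end of an alphabet.
_ALPHABETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def _shift(ch, step):
    for alphabet in _ALPHABETS:
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + step) % len(alphabet)]
    return ch  # assumption: punctuation and spaces are left as typed


def alternate_shift(phrase, first_step=1):
    """Shift characters +1, -1, +1, ... by position (R -> S, o -> n, ...)."""
    return "".join(
        _shift(ch, first_step if i % 2 == 0 else -first_step)
        for i, ch in enumerate(phrase)
    )


def undo_shift(password, first_step=1):
    """Inverse transform: recovers the memorable phrase from the password."""
    return alternate_shift(password, -first_step)


def mismatches(a, b):
    """Positions (0-based) where two equal-length strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    derived = alternate_shift("RoboForm2Go")
    printed = "SncnGnls3Fp"  # password as printed in the article
    print(derived, mismatches(derived, printed))
```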

There are a lot of different techniques for creating and remembering strong passwords and phrases. You can find some in this Microsoft article. Also worth consulting is this Wikipedia article on password strength.

(c) Use password obfuscation

Obfuscation is just a fancy way of saying you should disguise your password by entering it in a more complex way than just typing it in from the keyboard.

Obfuscation works because keyloggers just record a long string of the characters you type. At some point the owner of the keylogger has to scan the string to identify passwords so you want to make this task as hard as possible. These days keyloggers make identifying passwords easier by labeling the name of the window where the keystrokes (and mouse clicks) were made. Even so, obfuscation can still be very effective.

There are many ways of obfuscating input. Here are a few:

(i) Where you have two entry boxes on the screen such as a username and password, alternate entry between the two fields after each character is typed by using your mouse to move between the entry fields.

(ii) Rather than just entering the password from the keyboard, cut and paste some of the characters that make up your password from another part of the screen. Ideally this should be from the same window as the one containing the password field but other windows will work fine too.

(iii) Drop and drag some characters rather than enter them from the keyboard.

(iv) Enter some characters by holding down the Alt key and using the numeric keypad. For example the letter "a" can be entered by ALT 123.

(v) Use an onscreen keyboard to enter some of the characters.

(vi) Enter the last half of your password first followed by the first half. Then drop and drag the second half to the front from inside the password box.

(vii) Insert some random characters

For simplicity let's say your password is abcdefg.

Rather than enter your password as a simple sequence of letters throw in some additional dummy random characters along these lines:

aMNbOcZdPQReSfgTUV

Now go back and delete the dummy letters one at a time. Delete some characters using backspace, others using the mouse to highlight the letter(s) and then hitting the Delete key or using the right click context menu and selecting "delete."

Obfuscation works

By combining the dummy character trick with the various multiple entry techniques you can confuse pretty well any keylogger.

However don't feel you have to use every single obfuscation trick I've mentioned; that's overkill. Indeed you may not be able to use all these techniques as some sites and products limit what you can do. For example RoboForm2Go disables cut and paste as well as drop and drag when you are entering the master password. It also won't allow you to access (get focus in) any window other than the password box. However you can still enter and delete dummy characters as well as entering characters using the Alt (numeric keyboard) trick and combined with a long random password that's good enough.

It's enough because any hacker reading a log from a keylogger has to read, identify, analyze and re-assemble what's recorded. That's hard work. If you use long random passwords combined with even a few obfuscation techniques then almost certainly you've made the job too hard. Possible yes, but too hard, especially when there is easy picking available elsewhere.

But you can increase your security further; use an on-screen keyboard.

(d) Use an on-screen keyboard (OSK)

An on-screen keyboard (OSK) is, as its name implies, a screen version of a normal keyboard where you "type" characters by clicking with your mouse the appropriate key on the screen.
Windows has an OSK built-in that can be accessed from Start / All Programs / Accessories / Accessibility / On Screen Keyboard or alternatively from Windows key + U.

Now many folks think that using an OSK to enter password data is more secure because a keylogger can't capture the keystrokes. Unfortunately this is only partly true.

First, some OSKs (including the Windows OSK) simply emulate actual keystrokes and these can be recorded by many keyloggers. Second, anyone can see what you are entering with an OSK by simply taking a screen movie or even a rapid series of screen shots. Third, by recording mouse click coordinates it may be possible to deduce the characters entered with an OSK. Finally, it may be possible to capture the password from the OSK using a clipboard monitor when you copy the OSK entered password into a password form field.

That's the bad news. The good news is there are some OSKs that don't emulate keyboard input. Two of these are free, portable and specifically designed for secure entry. The first is Neo's SafeKeys; the second is Monitor Only Keyboard (MOK).

SafeKeys has some nifty features such as the ability to start up in a different screen position and with a different size every time you run it. This effectively defeats mouse click loggers. It also allows you to drag and drop the entered password into a web form thus bypassing clipboard loggers.

MOK has its own charms: it disables clipboard logging and has the option of a variable key layout. It doesn't support drag and drop but the copy implementation results in equal security to SafeKeys.

So on balance, there is little between the products; each is a perfectly viable solution. Unfortunately both are still vulnerable to screen capture. However a screen capture program would have to take very frequent snaps or a continuous movie to successfully capture all your virtual keystrokes. That's possible, though the host PC would take a big performance hit in the process.

But there is a simple way of getting around screen capture programs: enter part of your password with an OSK and the remainder with the real keyboard. Combine the keyboard entry with a little basic obfuscation and you have a pretty secure solution.

Protecting your RoboForm2Go Master Password

There are some special problems involved in protecting your RoboForm master password when using RoboForm2Go from a USB flash drive connected to a public terminal.

Before I address these I want to state that I strongly recommend using RoboForm2Go for safely accessing password-protected websites. It's one of the easiest and most valuable steps you can take to improve your mobile security.

With RoboForm2Go, all of your website passwords are safely encrypted on your USB flash drive, and it's virtually impossible for anyone to decrypt the information from the stored files.

Impossible, that is, unless they have your master password. And there's the catch.

To use RoboForm2Go you must, at some point, enter your master password. If attackers use a keylogger to capture that password and also copy your RoboForm2Go password files from your USB drive, then they will have complete access to all your passwords. Hardly a pleasant thought.

So protecting your master password is absolutely critical.
In recognition of this problem, Siber Systems, the developer of RoboForm, has implemented some features that make it more difficult for keyloggers to capture your password.

First, they disable copying text from the master password window. Second, they disable drop and drag. Third, the password entry window contains no text, only graphics. Finally, and most importantly, they include in the password window a link to a special screen based keyboard (MOK) that allows you to enter your master password using mouse clicks.

Frankly, the first three of these measures are of limited benefit. They don't stop most keyloggers and, unfortunately, limit the range of obfuscation measures you can use to disguise your master password. You can't, for example, use the highly effective technique of dropping and dragging part of your entered password from the end of the password to the start. Nor can you cut and paste text from within the master password window or type dummy characters elsewhere in the window.

So these RoboForm security measures are really of limited value. So limited that I've been able to capture the RoboForm master password in every keylogger I've tried.

These particular measures may be limited in value but the MOK built into RoboForm2Go is much more useful. It's quite a secure implementation, unlike the inbuilt Windows MOK.

In total contrast to keyboard entered passwords, I'm yet to find a single keylogger that can pick up passwords entered by the RoboForm MOK.

But there's a small catch. While a keylogger may not be able to grab your password, a screen session recorder can. That's because the RoboForm MOK indicates visually each time you click a "key" with your mouse. This makes your MOK password entries plainly visible on a screen movie.

It would have been much smarter for Siber Systems to have indicated a keyboard press with a sound from the PC speaker and have no screen indication at all. That way a screen session recorder would only show the movements of your mouse over the keyboard without showing what "key" you actually clicked.

That's the bad news. The good news is that the hostile use of screen session recorders is rare compared to the use of keyboard keyloggers. In fact, very rare. That's because taking a live screen movie consumes a lot of computer resources. So much that the computer would be really slowed down and the presence of the keylogger made obvious.

Periodic screen snapshots are, however, reasonably common in keylogging programs. That's because they take far fewer resources than a video, yet still reveal a lot. Fortunately, they are most unlikely to capture enough of your MOK input to reveal your master password. Think about it. Even if the logging program took a screen shot every second it would be virtually impossible to get your entire password. But screen recorders take shots much less frequently than once a second; most operate in minutes rather than seconds.

So on balance using the RoboForm2Go MOK is the way to go. It's not perfectly safe, just very safe. It is, however, way safer than using keyboard input to enter your master password.
But before you enter anything with a MOK do turn around and make sure nobody is watching over your shoulder. Shoulder surfers just love MOK password entry :>)
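
The periodic-snapshot argument above can be put into numbers with a small model, given here as an added example that is not part of the original article. It assumes each MOK click stays highlighted for 0.2 seconds and that snapshots fire at a fixed interval from a random starting moment; the highlight duration, the click times and the function name are all constructed for illustration.

```python
def capture_stats(click_times, highlight_s, interval_s):
    """Model periodic screenshots against on-screen-keyboard clicks.

    A click at time t is caught if a snapshot fires while its key highlight
    is visible, i.e. in [t, t + highlight_s). Snapshots fire every interval_s
    seconds starting at a uniformly random phase. Returns
    (probability that every click is caught, expected number caught).
    """
    T, d, n = float(interval_s), float(highlight_s), len(click_times)
    if d >= T:  # highlight outlasts the gap between shots: nothing is missed
        return 1.0, float(n)
    starts = [t % T for t in click_times]  # phase at which each highlight begins
    # The phases that catch click i form the circular arc [start_i, start_i + d).
    # Cut the circle at every arc endpoint and test each piece once.
    cuts = sorted({0.0, T, *starts, *((s + d) % T for s in starts)})
    p_all = 0.0
    for lo, hi in zip(cuts, cuts[1:]):
        mid = (lo + hi) / 2
        if all((mid - s) % T < d for s in starts):
            p_all += (hi - lo) / T
    return p_all, n * d / T


# Constructed inputs: an 11-character password entered by mouse.
STEADY = [float(k) for k in range(11)]   # one click per second, metronome-like
OFFBEAT = [1.3 * k for k in range(11)]   # 1.3 s apart, out of step with a 1 s timer

if __name__ == "__main__":
    for label, clicks, every in (("steady clicks, 1 s shots", STEADY, 1.0),
                                 ("offbeat clicks, 1 s shots", OFFBEAT, 1.0),
                                 ("steady clicks, 60 s shots", STEADY, 60.0)):
        p, e = capture_stats(clicks, 0.2, every)
        print(f"{label}: P(all caught)={p:.4f}, expected caught={e:.3f}")
```

In this model a one-second snapshot timer catches the whole password only when the clicks keep step with it (probability 0.2 for the steady case, 0 for the offbeat one). At 60-second intervals the expected catch is about 0.04 characters out of 11.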