Security when using a public computer



 

Last updated: October, 2008


Computer privacy matters to everyone - lock up now!




The "Dirty Toilet" Problem

When you go travelling, you'll probably want to keep in contact with home by using email from Internet cafés - that is, unless you decide to take your own notebook computer with you, trust to snail mail, or try to hunt down an elusive fax machine. What's wrong with Internet cafés? While you can't see the crop of bugs on the machine, public internet shops are rather like public toilets. Even worse, they're like public toilets where everything you do is revealed for the world to see...



Bugs are smeared all over the innards of every computer! Wiping the mouse and keyboard with a damp tissue won't clean those bugs off. Previous users, either through a "drive-by download" or a deliberate action, have probably caused worms, viruses, keyloggers, Trojan horses or rootkits to become resident in the machine you are happily typing away on (the definitions below explain what these words mean). There is a real risk that anything you type on a contaminated public computer will be recorded and stolen. All of this can happen without your knowing (or even suspecting) a single thing. You could, of course, use Internet cafés only with "throwaway" email addresses (that means you set up a Yahoo! or Gmail account for the duration of your trip and then forget it when you are finished). You would avoid typing any sensitive information into the public computer except the password for that throwaway account. You wouldn't do anything so brash as enter online banking pass codes or credit card numbers, not ever. Or is there a way to be safe(r) online in a cybercafé?

Look here to see some of the spyware I found installed on one computer while using an Internet café on a recent trip to India.




You probably won't bother to do such a spyware scan unless you're already a computer enthusiast. Why should you have to? - you only wanted to send a few emails and check your online banking balance. One huge problem with Internet cafés is that they are often lax at updating the software running on their computers. In poorer parts of the world, this might mean you surf and send critical messages on a Windows 98 machine running Internet Explorer 5, wide open to exploitation by other patrons of the café or by attackers out on the Internet. Even Windows XP machines might be poorly updated, either because they were installed using a blacklisted key, which blocks access to the Windows Update site and all critical security updates, or because the downloadable patches and service packs are too large to manage over the café's slow Internet connection (some security updates are 100MB, and 20MB updates are normal - almost impossible on a telephone line if you have more than one computer to update).





Some definitions first:

Backdoor As the name implies, a way into the computer which is not visible to the operator. Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer which allows an attacker to run code on the machine remotely;

Botnet A collection of compromised computers (each a "zombie" or "bot") running hidden programs - worms, Trojan horses or backdoors - under a common command and control infrastructure. In 2005, the Dutch police found a botnet with 1.5 million personal computers conscripted to it; the year before, the Norwegian ISP Telenor had disbanded a 10,000-node botnet. It has been estimated that up to one quarter of all personal computers connected to the Internet are part of a botnet. The so-called "Kraken" botnet, reported in 2008, an army of over 400,000 bots, has been spotted in at least 50 Fortune 500 companies and went undetected by the antivirus software on over 80 percent of the infected machines. The number of bots around the world is growing rapidly year on year;

Compromised Server Servers are the computers which store web pages and send them to your browser. You probably connect to over a dozen different servers during one session in an Internet café. Servers can be compromised by hackers planting code which runs in the visitor's browser and either installs something directly or redirects the visitor to a site where the install happens. When you visit the site with a browser (or browser plug-in) which has a software vulnerability, the planted code exploits it and your computer is infected with a Trojan or virus. All of the major browsers (Internet Explorer, Firefox, Safari) need regular "patches" or fixes for their discovered vulnerabilities, and some flaws are known about for weeks before they are patched. Attackers often have exploit code planted on compromised servers within 24 hours of a browser flaw being made public. Think the code-planting hasn't happened to your trusted website? According to security firm Websense, sixty of the 100 most popular websites either hosted malicious content or linked to malicious websites at some point during the first six months of 2008. Compromised legitimate sites have become one of the most common ways of picking up an infection;

"Drive-by" download Malware which installs on the target computer simply because a web page containing hidden exploit code was opened; the code abuses a vulnerability in the browser or one of its plug-ins, so no click on "Install" is needed. The page might not even have been requested by the user - it may have been an unwanted pop-up window, or an advertisement embedded in an otherwise honest page. The expression comes from "drive-by shooting," where the victim knew nothing of their assassin but was simply in the wrong place at the wrong time;

Keylogger/keystroke logger Either software in the computer (possibly from a drive-by download) or hardware attached to it, which records everything any user types on the machine. The keylogger may also periodically capture what's shown on the screen and then email or upload all of these results to an address the attacker controls. The software loggers are tricky to detect (especially in an Internet café); the hardware ones, typically a small plug between the keyboard cable and the computer, require you to get down on your knees and examine the keyboard's plug, and a few are built into the keyboard itself;



Pharming You probably heard of "phishing" - in fact, if you've been using email more than a few months you've almost certainly received emails urging you to log on to your bank's website and enter vital information. The emails, of course, are fake, and the site you go to is a carefully-crafted replica of the real thing which steals any passwords you enter. "Pharming" exploits don't even need you to click on an email link - the redirect happens inside the computer you are using (typically through a modified HOSTS file, dealt with later on this page) or, more rarely, by poisoning the records of the DNS server the café relies on, so that the bank's name resolves to the attacker's address for everyone on that network. You end up at a site which looks like the one you want but has nothing to do with the bank or email provider you thought it was;

Rootkit A snooping and/or control program which hides itself by subverting the operating system, either at kernel level or by hooking the user-mode functions programs use to list files and processes, so that it is invisible to normal investigative tools such as Task Manager. Many spyware scanners are unaware of rootkits;

Screen Capture Effectively a "digital photograph" of what is showing on the monitor at any particular time. These photographs are recorded electronically inside the computer and may be taken each time the screen changes, or upon something like a mouse click or keystroke triggering a new character in a box. This way, even if you are protected from keystroke loggers, a criminal can still steal your password or credit card number. Another (very unlikely, yet still plausible) possible screen capture method would be a real camera somewhere in the cybercafe, aimed at the screen or keyboard;

Trojan horse Malicious code hidden inside an apparently useful and innocent program, which allows the unauthorized collection and exploitation of data once the program is run. Some downloadable games contain Trojan horses, unofficial builds of file-sharing programs (eDonkey, eMule, BitTorrent clients) are often bundled with unwanted software, and files obtained through P2P networks are a common carrier. A Trojan horse can also arrive as an email attachment, or be downloaded through an Internet link you clicked on;

Virus, worm A virus is a string of code which needs to "infect" a file on the computer before it can replicate itself. The file it infects provides the rest of the code needed for the virus to work, just like a cold virus needs a warm throat to begin replicating. A worm is a complete, self-contained program which spreads across the network on its own and simply takes up residence, often inside the system folder of your machine, under an innocent-looking name such as "kernel32.exe" (the genuine kernel32 is a .dll, not an .exe). Interestingly, the first Internet worm, the Morris worm of 1988, didn't target Windows at all - it spread between Unix machines. Viruses and worms these days are capable of various exploits. Many aim to turn the target computer into a "zombie" which can be remotely controlled by a criminal to send more viruses, worms, email spam... you name it.

 

Soluble Surfing when you're on the road


If you have a USB flash drive (called variously pen-drive, thumb-drive or USB memory stick), you have a partial solution to the infected-with-spyware Internet café problem. USB flash drives are really cheap these days ($10/ €8 will get you one large enough for carrying your own portable cleaning application, password safe and - if you want - browser and email applications wherever you go). You can download a complete package of portable software from this site, or assemble your own collection. Read on for my recommendations...

Internet café bug cleaner prepackaged

Download this package of programs to use on a USB stick when you travel. It will make surfing and entering passwords a more safe and secure venture. You will also save time when it comes to cleaning up your tracks and traces at the end of an Internet session. There are two versions; the basic one is suitable for people with little technical knowledge.
 



cafeKlysm is a collection of portable programs with the focus on security while using public computers. The basic version will fit on a 256MB or larger flash drive. cafeKlysm is totally free to use and free of any advertising or spyware. The basic version includes the Firefox browser, KeePass secure password store, an onscreen keyboard and CCleaner computer cleanup application, which is all you'll need to enter passwords safely and clean up your tracks after browsing on a cybercafé computer. There is a "safely remove the USB drive" feature which allows easy removal of the USB drive even when Windows complains some file is still in use, something you're sure to need at least once on your travels.

(screenshot: the basic version of cafeKlysm)


The full version contains all those programs, plus Mozilla Thunderbird, Pidgin instant messaging client, KeyScrambler keyboard encrypter, ClamWin portable antivirus, a Hosts file editor and a network analyser tool which is rather more convenient to use than the built-in Netstat program. Read more about cafeKlysm and download it here.




Internet café bug cleaner DIY style

Assemble your own bundle of programs to aid with cybercafe privacy.

You can of course load the portable programs separately yourself, although you'll miss the convenience of cafeKlysm's launcher (so needing many more clicks to start each program), the 16 page (in PDF) help file included with either version and the "safe eject" feature.

If you do want to download the separate programs, here are my recommendations:

1. Mozilla Firefox, Portable Edition takes up a tiny 4.7MB space and can easily be run on an Internet café computer instead of Internet Explorer (it does not need an administrator account to run it), giving you many advantages in security. All of your settings will be saved to your USB drive, so you can travel with an extensive stack of bookmarks, for instance. Firefox is a fast, full-featured web browser that's easy to use. It boasts many features including popup blocking, tabbed browsing, integrated search, improved privacy features and anti-phishing. Get the Mozilla Firefox, Portable Edition (it's free) here.

2. Mozilla Thunderbird, Portable Edition. You can access your email by Firefox through Yahoo/Gmail/Hotmail/your local email service's web interface, or you can go one stage further and use a proper email client. This way, your account passwords are stored on the USB key - there's nothing you have to type into a text box on the screen, so a keylogger has nothing to record. Two caveats: set the account to use SSL/TLS for IMAP, POP and SMTP, otherwise the password the client sends is readable by anyone on the café's network, and protect the stored passwords with Thunderbird's master password (which you then type only once per session). Mozilla Thunderbird is a safe and fast email client that's free, and as simple to use as MS Outlook Express. It has an excellent feature set including quick message search, customizable views, support for IMAP/POP email, RSS support and more. Plus, the portable version leaves no personal information behind on the machine you run it on, so you can take your email and address book with you wherever you go. Get the portable version of Thunderbird (6.7MB) here.

3. KeyScrambler Personal. To give at least some safety against keyloggers (hardware versions excepted, as I state above) when you enter names and passwords into sites, download KeyScrambler Personal. This free software (1MB) works with Internet Explorer and Firefox, including under Windows Vista: it encrypts keystrokes in the keyboard driver and decrypts them only when they reach the browser, so a keylogger hooking the usual Windows keyboard interfaces in between sees gibberish. You don't have to understand how it works, but it does offer protection. KeyScrambler works with all keyboard layouts and it shields you on all websites: your login credentials, credit card numbers, passwords and search terms. You will need to pay for versions of KeyScrambler which safeguard other browsers such as Opera, Maxthon or Safari and email clients like Thunderbird and Outlook. You'll need to be using an administrator account on the computer, as KeyScrambler has to be installed. It is the only application listed here with this requirement - all of the others will work in a limited or guest account.

You are protected by KeyScrambler on all the "input fields" (places you can type) of the page, but don't let that feature make you over-confident. The information you enter has to leave the browser to travel to the target server, and unencrypted communication between your browser and a website is as public as writing your information on a postcard and mailing it the traditional way: anyone on the café's network, or running its proxy, can read it. Encrypted (https) traffic cannot be reconstructed simply by capturing the packets leaving the machine, but a Trojan which has hooked itself into the browser (a "form grabber" installed as a browser helper object, for instance) reads what you typed after KeyScrambler has decrypted it and before the browser encrypts it for the network - and Netstat won't show anything unusual, since the stolen data leaves through the browser's own connection. That's a risk you'll either have to swallow or reduce by running your own portable browser rather than the one installed on the machine.

4. KeePass Portable Edition. Typing passwords into an onscreen window if you don't use KeyScrambler (above) runs the risk that password-stealing malware will log your keystrokes. A way around this is to have a secure password store enter them for you. The KeePass program does exactly this in a portable version (about 1MB) which you can add to your security collection on a USB drive, iPod or CD. One master password unlocks the password database, and a single hotkey (KeePass calls the feature Auto-Type) sends the user name and password into the login form, so you never type them yourself and nothing passes through the clipboard. Completely free, you can download KeePass here. It's so useful you may want to adopt it to remember passwords on your home computer.

5. CCleaner Portable Edition. Have you ever wanted to spend more time in an Internet cafe doing useful things like reading your email messages and less time deleting all the temporary files, cookies and history left over from your surfing? With one click you'll be able to clean your tracks using CCleaner. It's just 800kB to download from here.

6. Neo's SafeKeys. An onscreen keyboard which changes its position and dimensions each time you launch it (to fool mouse loggers), and which you type your passwords on before dragging them to a box on your login page. It's vastly more secure than using the Windows in-built keyboard. A very small download (40kB) here.

 


Basic hygiene in an Internet café

The tips in this section won't protect you from keyloggers or other spies on the computer. They are merely elementary precautions which will prevent the next user in the cybercafé from being able to see the sites you visited, or - worse - log in to your email account.

There are three things you absolutely must do when using a public computer:

  • Stop the browser (Internet Explorer is the most common one) recording the history of the sites you visited,

  • Prevent it from saving your passwords and

  • Clean up any traces of your surfing before you leave.


Internet Explorer
You need to find Internet Explorer's Tools menu. In version 6 and below this was visible along the top, but if you have a later version of the browser, you'll need to press the ALT key to see the menu at all. Go down to Internet Options and click on the Content tab at the top of the box which opens. About halfway down this box is a section called AutoComplete. Click the button labelled "Settings" here. An even smaller box will open; untick every box you see here ("Use AutoComplete for...") and, in IE 6, click Clear Forms and Clear Passwords while you are there, in case an earlier user left something behind. AutoComplete is useful on your home computer to remember passwords and addresses of sites you visited, but on a machine open to everyone it's a big security risk. Click "OK" to dismiss this box and "OK" again to close the Internet Options box.

At the end of your browsing session using Internet Explorer 6, open the familiar Internet Options box again and, on the General tab, click Delete Cookies..., then Delete Files... (tick "Delete all offline content") and then Clear History. Internet Explorer 7 makes deleting all of your browsing traces at once very easy: click on the Tools menu, then Delete Browsing History, and choose Delete all. Close the Internet Options box with "OK" as before (if using IE 6 or below), and the computer should be cleaned of your tracks, which includes browsing history, cookies and something called the cache, which is a local store of files from your Internet activity. Note that in IE 6 none of this removes passwords AutoComplete has already saved: those go with the Clear Passwords button in the AutoComplete settings described above.

For very complete information about deleting files - including history, auto-complete data, cookies and the cache - from all versions of Internet Explorer (including the AOL Web Browser), see this page.

It's possible that the administrators of the cybercafé have restricted access to certain functions on the machines - you might get a box denying your attempt to change the "remember passwords" setting, for example. My solution to this is to get up and find another place to do my Internet business. Anywhere which denies you the basic provisions of privacy on the machine shouldn't be trusted or supported.

Firefox
Installed versions of Mozilla Firefox are no better than Internet Explorer in their "out of the box" settings for this purpose - a portable version you carry on a USB key saves its settings (and its history, cookies and saved passwords) to the USB key rather than to the café's hard disk, and so offers more privacy in that respect. Firefox will offer to save passwords and will keep your browsing history and cookies unless you set the preferences otherwise. Go to the Tools menu, and pick Options from the drop-down list. Click the Privacy tab and untick the "Remember visited pages for the last..." box, or set the days to zero. Also untick "Remember what I enter in forms and the search bar" - this is Firefox's equivalent of Internet Explorer's AutoComplete function - and again, it's useful at home but risky to have on a public machine. Make sure the "Accept cookies from sites" box is checked (or you won't be able to log in to many forums or online services), but set "Keep until:" to "I close Firefox" on the drop-down menu beside it. Also tick the "Always clear my private data when I close Firefox" box. Don't close the Options box yet; we need to deal with the password retention feature. Click the Security tab (Mozilla makes a lawyer-like distinction between privacy and security here) and untick "Remember passwords for sites." Now dismiss the Options box with "OK" at the bottom.

You have now restored some privacy to the browsing experience and can begin your Internet surfing. At the end of the session, either close the browser with the X in the top right-hand corner (and click "Yes" to deleting the private data) or keep it open, click the Tools menu again and select Clear Private Data.
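The same settings can be forced from a file rather than clicked through each time. The following Python script is an added example, not part of the original page or of the cafeKlysm bundle: it reads a Firefox prefs.js, reports every preference that is unsafe on a shared machine, and writes out a user.js that overrides them on each start of a portable Firefox. The preference names are those of the Firefox 3 era, the prefs.js content is a constructed sample, and the script assumes that a preference missing from prefs.js is sitting at Firefox's default value.

```python
"""Audit a Firefox profile's prefs.js for settings that are unsafe on a shared
computer and produce a user.js that overrides them.

Added example, not code from the original page or from cafeKlysm. Assumes
Firefox 3-era preference names; the sample prefs.js below is constructed."""
import re

# pref name -> (safe value on a public machine, Firefox default when the line is absent)
# Assumption: a preference missing from prefs.js is at its Firefox default.
PUBLIC_MACHINE_PREFS = {
    "signon.rememberSignons": (False, True),               # Security tab: "Remember passwords for sites"
    "browser.formfill.enable": (False, True),              # Privacy tab: remember forms / search bar
    "browser.history_expire_days": (0, 90),                # Privacy tab: remember pages for N days
    "network.cookie.lifetimePolicy": (2, 0),               # 2 = keep cookies until Firefox closes
    "privacy.sanitize.sanitizeOnShutdown": (True, False),  # "Always clear my private data when I close Firefox"
}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js or user.js text.

    Values become bool, int or str; comment lines and the '# Mozilla User
    Preferences' banner do not match PREF_LINE and are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit_prefs(prefs):
    """Return [(name, current, wanted)] for every setting unsafe on a shared machine."""
    findings = []
    for name, (wanted, default) in PUBLIC_MACHINE_PREFS.items():
        current = prefs.get(name, default)
        if current != wanted:
            findings.append((name, current, wanted))
    return findings


def js_literal(value):
    """Render a Python value in user.js syntax (bool is tested before int: True is an int in Python)."""
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, int):
        return str(value)
    return '"%s"' % value


def hardened_user_js():
    """user.js text; Firefox applies it over prefs.js on every start, so the settings stick."""
    lines = ["// user.js for a browser used on public computers - overrides prefs.js at each start"]
    for name, (wanted, _default) in PUBLIC_MACHINE_PREFS.items():
        lines.append('user_pref("%s", %s);' % (name, js_literal(wanted)))
    return "\n".join(lines) + "\n"


# Constructed sample: a profile that was left remembering passwords and keeping cookies.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1222000000);
user_pref("browser.startup.homepage", "http://www.example.invalid/");
user_pref("network.cookie.lifetimePolicy", 0);
user_pref("signon.rememberSignons", true);
"""

if __name__ == "__main__":
    for name, current, wanted in audit_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print("UNSAFE  %-38s is %-6s should be %s" % (name, current, wanted))
    print()
    print(hardened_user_js(), end="")
```

Drop the generated user.js into the portable profile folder next to prefs.js; because Firefox re-reads user.js at every start, a setting a previous session (or a helpful café user) changed in the Options dialog is put back before the first page loads.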


That's quite a lot of work in addition to writing your messages, isn't it?  You can speed up the steps to privacy (erasing stored passwords, history, cache, etc.) by using a small cleanup program contained in a special security bundle you carry with you on a USB drive. See here.

Windows' clipboard
Often overlooked (by me as well) is the clipboard. Anything you copied and pasted will still be there, and the next user can paste it into any program. If you were working in a word-processing document that could be rather a lot of text and pictures. The easiest way to clear the clipboard is simply to copy some non-private text from the computer (highlight the text, then hold down <Control> while pressing the <C> key), which overwrites the clipboard. A restart wipes it too, if the café lets you restart the machine.


Enter your passwords safely

The information here provides you with a layer of shielding against common methods of capturing your password and other critical information when you use a shared computer in an Internet café.

The design of keyloggers evolves daily, and many have become very sophisticated, able to shut down most antivirus programs and hide themselves from the user level of the operating system. The largest proportion of them, though, are quick knock-offs of existing, well-worn tools, downloaded by an amateur from a hacking forum. Knowing this, you can protect yourself against the great majority of keyloggers for your email correspondence, and work to close the remaining gap if you need to type in something more critical such as a credit card number.

Copy-paste methods (from a text file you carry on a floppy or USB drive) give you no protection at all and are a total waste of time. When you copy to the clipboard in Windows, an "event notification" (the WM_DRAWCLIPBOARD message) goes to every program that has registered as a clipboard viewer to say that the clipboard's content has changed. The simplest keylogger registers as such a viewer and captures your password the moment you copy it. Likewise, using Windows' built-in onscreen keyboard is a mythical safeguard: it simulates ordinary keystrokes, so the same notification a keylogger watches for goes out each time you click on a key, exactly as when you type on the physical keyboard.

I recommend using KeePass to store your passwords. Its Auto-Type hotkey enters the password into the login box for you, bypassing the clipboard altogether, so clipboard-watching keyloggers get nothing. Be aware that Auto-Type works by feeding simulated keystrokes to the window, so a software keylogger which hooks the keyboard at a low level can still record them; the KeePass 2.x series has a "Two-Channel Auto-Type Obfuscation" option which splits each password between the clipboard and simulated keystrokes to make that kind of capture harder. The password store itself is encrypted and cannot be read from the storage medium until you unlock it with a master password. That's perhaps its only weakness - make sure that master password is hard to guess (see below), and type it in securely (Neo's SafeKeys is good for this - see the previous section).

More securely, you can install encryption for the entire keyboard-to-browser path with KeyScrambler, although this needs you to have an administrator account and restart the computer you are working on (which may be tricky). An onscreen keyboard which is much safer than the Windows one is available here.

You will need to carry these little programs with you, ideally on a USB flash drive. You will want to ensure that the USB drive itself hasn't become infected, however, and this can be a problem: USB worms spread by copying themselves to any removable drive they see and writing an autorun.inf so that Windows starts them when the drive is next plugged in. A drive with a hardware write-protect switch is the cheapest defence; failing that, look for an autorun.inf you didn't create before the stick goes anywhere near your home machine, and hold down Shift while inserting it to suppress AutoPlay. The antivirus scanner on a public computer may itself have been compromised by trojans or viruses, so you could carry a portable version of an antivirus program on your USB drive and use that in combination with whatever you find installed in Internet cafés. ClamWin AV is free and works well in its portable incarnation.

Don't be the weakest link in the chain yourself: use a password which is strong. A 'strong' password is something like 4#ro98K:Dfg while a weak password would be tiger. Try out your current password using this password strength checker from Microsoft (it doesn't record what you type) and then read some useful hints on picking a better password.
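To make the difference between tiger and 4#ro98K:Dfg concrete, here is an added example of my own (not Microsoft's checker, whose scoring is not published) that estimates a password's strength in bits from its length and character classes and then penalises dictionary words, keyboard-style sequences and repeated characters. The word list is a tiny constructed sample; a real check would use a large one.

```python
"""Rough password-strength estimate: bits from length and character classes,
with penalties for dictionary words, sequences and repetition.

Added example; not Microsoft's checker (its scoring is not published). The
word list is a constructed sample - a real check would use a large one."""
import math
import string

COMMON_WORDS = {"tiger", "password", "letmein", "qwerty", "123456", "monkey", "dragon", "welcome"}


def charset_size(pw):
    """Size of the smallest obvious alphabet the password is drawn from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)     # the 32 symbols on a US keyboard
    if any(c not in string.printable for c in pw):
        size += 100                         # rough allowance for non-ASCII characters
    return size


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321, wxyz)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def estimate_bits(pw):
    """Entropy estimate in bits; attackers try words and patterns first, so those are capped."""
    if not pw:
        return 0.0
    bits = len(pw) * math.log2(charset_size(pw))
    core = pw.lower().rstrip(string.digits + string.punctuation)   # 'Tiger1!' -> 'tiger'
    if pw.lower() in COMMON_WORDS or core in COMMON_WORDS:
        bits = min(bits, math.log2(len(COMMON_WORDS)) + 4)          # one word plus a small tweak
    if has_sequence(pw) or len(set(pw)) <= 2:
        bits *= 0.5
    return round(bits, 1)


def rate(pw):
    """Coarse verdict: under 28 bits is guessable offline in minutes, 50+ is comfortable."""
    bits = estimate_bits(pw)
    if bits < 28:
        return "weak"
    if bits < 50:
        return "medium"
    return "strong"


if __name__ == "__main__":
    for candidate in ("tiger", "Tiger1!", "abcd1234", "correcthorse", "4#ro98K:Dfg"):
        print("%-14s %6.1f bits  %s" % (candidate, estimate_bits(candidate), rate(candidate)))
```

The point the numbers make is that sticking a digit and an exclamation mark on a dictionary word (Tiger1!) gains almost nothing, while twelve plain lowercase letters that form no word (correcthorse) already score higher than most "complex" eight-character passwords.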

Ensure that your browser shows secure communication has been established (usually there is a small lock icon visible somewhere and the browser's address will begin https://...) before you enter information such as a credit card number. Check also that the name in the address bar is the bank's real name and that the browser raised no certificate warning on the way in: a pharmed site can show you a lock as well, but only with a certificate the browser complains about or one issued for some other name, so never click through such a warning on a public machine.


(screenshot: the browser showing a secure https connection and its padlock icon)



Hunting down the infections yourself

Advice which follows is included for users with some familiarity with computers. If you are an absolute beginner on computer and Internet matters, and still find it amusing that you have to shut down a computer by clicking on a button which says "Start," it's probably going to be too technical and involved for you.

Checking your connections
The Netstat command will reveal the connections your machine is making to and from the outside world, and the ports on which it is waiting for connections. Password-capture trojans usually talk to their controlling operator on a different port and IP address from those your browser uses, so you may be able to see suspicious activity if the trojan is active when you check (one that only phones home every hour or so may well be idle when you look, so a single clean Netstat listing is not proof of a clean machine). Run Netstat from a command window: first get to the Run box by holding the <Windows> key and then pressing <R> on the keyboard (you can also do this from Start --> Run). Type cmd in the box and click "OK". Enter the following command in the black window which appears:

netstat -a -n -o

The -a switch lists listening ports as well as active connections, -n shows numeric addresses rather than waiting for slow name lookups, and -o adds the process ID (PID) owning each entry. On Windows XP and later you can add -b to have Netstat print the program name too, but that needs an administrator account and makes the command noticeably slower. Windows 2000 and below support neither -b nor -o, so leave them out there and expect to do without process information.

A lot of lines will probably scroll by quite quickly, giving current connections in and out of your machine. Look at one of those figures from my machine:

192.168.123.142:139

The first group of numbers before the colon is the IP address of the connection, and the number after the colon is the port on the computer (139 here is Windows file sharing). Here is the sample window from my own computer:

(screenshot of the Netstat output, not reproduced here)

Your Netstat output may have a shorter list of connections or a much longer one. In lines saying 'ESTABLISHED,' look at the foreign address and port to identify what the computer has connected to. In lines saying 'LISTENING,' concentrate on the local address port to identify what is waiting for connections there. Check against a list of known trojans and the ports they use. If a port from such a list appears in your Netstat output it's a reason to be very suspicious, but note that some legitimate applications use those ports as well, and that a trojan can be configured to use any port its author likes, so the absence of a listed port proves nothing. TIME_WAIT entries are connections already closed and can be ignored, as can UDP entries showing a *:* foreign address (UDP has no connection state, so nothing is "connected" there). If you want to hunt further, match the PID shown by Netstat -o against Process Explorer (a free, 1.6MB download) or the tasklist command to identify the process behind each network connection. For example, I was interested in the UDP entry on the bottom line of my output. TCP and UDP port numbers are independent of one another, so a UDP port that happens to match a TCP port above it is coincidence, not a connection - what matters is the owning process. With Process Explorer, I saw that PID 1204 belonged to Windows' Background Intelligent Transfer Service, an entirely normal service running on the computer to deliver Windows updates.

With -b (or Process Explorer) the application name appears next to many entries - on my output the application is my web browser, SeaMonkey. There are multiple entries for it because browsers fetch the different parts of a webpage with multiple requests. However, the fact that a connection belongs to a familiar application doesn't necessarily imply that the connection is a safe one; many stealth applications inject themselves into, or connect through, programs such as Internet Explorer. You will certainly have an unmistakable alarm call if spylog~1.exe or something similar is connecting to the Internet. Note that 127.0.0.1 is the address of the computer you are working on - many entries for this IP address are perfectly normal. In my example, all of my HTTP connections go to 127.0.0.1 first because they pass through my Webwasher advertising blocker, which acts as a local proxy.

The two top lines show a local address of "0.0.0.0," which does not denote a real interface: in a LISTENING entry it means the program is accepting connections on every network interface the computer has, including from the Internet if nothing sits in the way. Both entries in my output belong to Windows system services, which is normal. A 0.0.0.0 listener owned by a process you don't recognise, especially on a high-numbered port, is the classic sign of a backdoor waiting for its operator, so check the PID of anything listening there that you can't account for.
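The triage above can be scripted, so you are not reading Netstat line by line in a café. The following Python example is added here and is not part of the original page: it parses the output of netstat -a -n -o and of tasklist /fo csv (both saved to text files on the USB drive beforehand; tasklist is present on Windows XP Professional and later), joins them on the PID, and flags listeners on well-known trojan ports, outbound connections to unusual ports and plain-text IRC. Both outputs below are constructed samples, the port lists are deliberately small, and the name spylog~1.exe and the addresses are made up for illustration.

```python
"""Triage 'netstat -a -n -o' output against 'tasklist /fo csv'.

Added example, not from the original page. Both sample outputs are constructed,
the port lists are small illustrative samples, and spylog~1.exe and the
addresses are made up."""
import csv
import io

# Default ports of a few classic remote-access trojans (sample, not a complete list).
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}
# Foreign ports a browser or mail client is expected to use.
EXPECTED_PORTS = {80, 443, 25, 110, 143, 465, 587, 993, 995}
# Plain-text IRC, long a favourite botnet control channel.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}


def split_addr(addr):
    """'192.168.123.142:139' -> ('192.168.123.142', 139); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_local_or_private(host):
    """Loopback, RFC 1918, link-local or the unspecified address: traffic that stays nearby."""
    if host in ("0.0.0.0", "*"):
        return True
    try:
        a, b = (int(x) for x in host.split(".")[:2])
    except ValueError:
        return False                      # IPv6 or garbage: treat as remote
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a, b) in ((192, 168), (169, 254))


def parse_netstat(text):
    """One dict per TCP/UDP line; the banner and the column header are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = f[0], f[1], f[2]
        state, pid = (f[3], f[4]) if proto == "TCP" else ("", f[3])   # UDP lines have no State column
        conns.append({"proto": proto, "local": split_addr(local), "foreign": split_addr(foreign),
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(csv_text):
    """{pid: image name} from 'tasklist /fo csv'."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(csv_text))}


def triage(conns, procs):
    """(reason, proto, local, foreign, process) for each entry worth a second look.

    TIME_WAIT (already closed) and UDP entries (no state) are left alone, as are
    connections to loopback or private addresses."""
    findings = []
    for c in conns:
        name = procs.get(c["pid"], "pid %d (not in tasklist)" % c["pid"])
        lport, (fhost, fport) = c["local"][1], c["foreign"]
        reason = None
        if c["state"] == "LISTENING" and lport in TROJAN_PORTS:
            reason = "listening on the %s default port" % TROJAN_PORTS[lport]
        elif c["state"] == "ESTABLISHED" and not is_local_or_private(fhost):
            if fport in TROJAN_PORTS:
                reason = "connected to a %s port" % TROJAN_PORTS[fport]
            elif fport in IRC_PORTS:
                reason = "outbound IRC (typical bot control channel)"
            elif fport not in EXPECTED_PORTS:
                reason = "outbound to unusual port %d" % fport
        if reason:
            findings.append((reason, c["proto"], "%s:%s" % c["local"], "%s:%s" % c["foreign"], name))
    return findings


# Constructed sample of 'netstat -a -n -o' on Windows XP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1504
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1184
  TCP    192.168.123.142:1046   127.0.0.1:8080         ESTABLISHED     2288
  TCP    192.168.123.142:1052   203.0.113.7:80         ESTABLISHED     2288
  TCP    192.168.123.142:1053   203.0.113.7:80         TIME_WAIT       0
  TCP    192.168.123.142:1061   198.51.100.23:6667     ESTABLISHED     1504
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of 'tasklist /fo csv'.
SAMPLE_TASKLIST = """"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","700","Console","0","1,412 K"
"svchost.exe","908","Console","0","4,980 K"
"alg.exe","1184","Console","0","3,532 K"
"spylog~1.exe","1504","Console","0","2,216 K"
"seamonkey.exe","2288","Console","0","41,760 K"
"""

if __name__ == "__main__":
    for reason, proto, local, foreign, name in triage(parse_netstat(SAMPLE_NETSTAT),
                                                      parse_tasklist(SAMPLE_TASKLIST)):
        print("%-4s %-22s -> %-22s %-14s %s" % (proto, local, foreign, name, reason))
```

On the sample the browser's two connections to port 80 and the loopback proxy pass without comment, while the unknown process gets two findings: a NetBus-style listener on port 12345 and an outbound IRC session. Treat the result as a pointer, not a verdict; a trojan running on port 443 to a hosting provider's address would slip through a port-based check like this, which is why the process name and the PID still deserve a look.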

Introducing your HOST
The computer's HOSTS file has recently been used to redirect unsuspecting users to sites which capture passwords. Many banking sites have been targeted this way; the Hosts file may have been modified by malware picked up from an infected site someone visited or (more rarely) by the cybercafé operator themselves. Windows consults this file before asking DNS, so an entry there overrides the real address for every program on the machine, browser included. Open your "Run" box again as above (Start>Run) and enter the following (best to copy-paste):

a) for Windows XP and Vista -
C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS

b) for Windows 2000 -
C:\WINNT\NOTEPAD.EXE C:\WINNT\SYSTEM32\DRIVERS\etc\HOSTS 

c) for Windows 98 -
C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\HOSTS

...then click "OK". These commands all assume Windows is installed in the normal location, and should open the Hosts file in Notepad. If you get a "file not found" message, you'll have to navigate to the Hosts file manually - try the locations as above, following the words NOTEPAD.EXE, or put the word Hosts in a search box and search the computer. Open the Hosts file in Notepad or a similar text editor. Note that the Hosts file has no extension - this is normal. Check the entries there: a clean file contains Microsoft's comment header and the single line 127.0.0.1 localhost (Vista adds ::1 localhost), and some machines carry a long list of advertising servers mapped to 127.0.0.1 by an ad-blocking list, which is harmless. What you are looking for is any real site's name mapped to an address other than 127.0.0.1; if anything resembling your own bank's address is included there, be very suspicious indeed.
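The same check, automated, as an added example that is not part of the original page: the script parses a HOSTS file the way Windows does (one address followed by one or more names, # starts a comment), treats loopback mappings as harmless blocklist entries, and flags any real name mapped elsewhere, with higher severity when the name belongs to a site you log in to. The HOSTS contents, the WATCHLIST names and the addresses are constructed.

```python
"""Audit a Windows HOSTS file for pharming entries.

Added example, not from the original page. The HOSTS contents, WATCHLIST names
and addresses are constructed."""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}      # ad-blocking lists map servers here; harmless
# Sites you log in to while travelling: any HOSTS override of these is a red flag.
WATCHLIST = ["www.mybank.example", "mail.example.com"]


def registered_part(host):
    """Crude 'site' name: the last two labels (www.mybank.example -> mybank.example)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_hosts(text):
    """Yield (ip, [names], line_no) for each active entry, the way Windows reads the file:
    '#' starts a comment (also mid-line), whitespace separates one address from one or more names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], [p.lower() for p in parts[1:]], line_no


def audit_hosts(text):
    """[(severity, line_no, message)]: HIGH for a watched site sent to a real address,
    medium for any other real name sent away from loopback, or a watched site blackholed."""
    watched = {registered_part(w) for w in WATCHLIST}
    findings = []
    for ip, names, line_no in parse_hosts(text):
        for name in names:
            if name == "localhost":
                continue                                  # the one entry every HOSTS file has
            is_watched = registered_part(name) in watched
            if ip not in LOOPBACK:
                severity = "HIGH" if is_watched else "medium"
                findings.append((severity, line_no, "%s -> %s (overrides DNS with a real address)" % (name, ip)))
            elif is_watched:
                findings.append(("medium", line_no, "%s -> %s (login site blackholed)" % (name, ip)))
    return findings


# Constructed sample: the stock Microsoft header, one blocklist entry, and two tampered lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ad.doubleclick.example       # typical ad-blocking entry, harmless
203.0.113.45    www.mybank.example mybank.example
198.51.100.9    updates.example.org          # update server quietly redirected
"""

if __name__ == "__main__":
    for severity, line_no, message in audit_hosts(SAMPLE_HOSTS):
        print("%-6s line %d: %s" % (severity, line_no, message))
```

Run it against a copy of the café machine's HOSTS file saved to the USB drive. A bank's name pointing at a real address is the pharming case the text describes; a bank's name pointed at 127.0.0.1 won't steal anything but will stop you reaching the site, and an update server redirected elsewhere is how a machine is kept unpatched, so both are reported at lower severity rather than ignored.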


Other options for security

Using a Linux "virtual machine" which runs right inside the existing computer is the most thorough step a traveller can take on an Internet café computer: malware installed in the café's Windows cannot see the files or the browser inside the VM, and if the VM's disk image lives on your USB drive its traces leave with you. It is not a complete answer, though - every keystroke still passes through the host's keyboard driver before the VM sees it, so a hardware keylogger, or a kernel-level software one, records it just the same, and a screen-capture program sees the VM's window like any other. The other disadvantages are that you'll need to wait while the virtual machine loads and initialises (perhaps a few minutes on a slow computer), and the possible problems in configuring Internet access for the VM. It's not a project for beginners, but if you want to try it, look at this page, which has excellent guidance for using the "Damn Small Linux" virtual machine.

A new service offers logins to common email sites by taking another approach. You enter a single-use code from a list you carry with you, generated before your travels, and the server at Keep Your Password Secret (KYPS) performs the login on your behalf, encrypting cookies sent back (so that any spyware on the computer you are using cannot reconstruct your password from the cookie) and working as a proxy between your computer and the site. The concept is a good one, but you'll need to have faith that the KYPS site itself isn't copying what you type, that it's going to be accessible when you want to login to read your email, that its server hasn't been compromised and that the cybercafe computer you access it from hasn't been the victim of a pharming exploit. The service is a private project and entirely free.

The pages following are concentrated more on beefing up security on your home computer, but it's not unrelated to the issues facing Internet café users, as many of the threats are common to both environments.

 



Creative Commons License


