the online zone

Computer privacy matters to everyone - lock up now!

: Security when using a public computer

Jump to other security pages: 

 Please rate how useful you found the help on this page:

The "Dirty Toilet" Problem

When you go travelling, you'll probably want to keep in contact with home by using email from Internet cafes - that is, unless you decide to take your own notebook computer with you, trust to snail mail, or try to hunt down an elusive fax machine. What's wrong with Internet cafes? While you can't see the crop of bugs on the machine, public internet shops are rather like public toilets. Even worse, they're like public toilets where everything you do is revealed for the world to see...

Bugs are smeared all over the innards of every computer! Wiping the mouse and keyboard with a damp tissue won't clean those bugs off. Previous users, either through a "drive-by download" or a deliberate action, have probably caused worms, viruses, key loggers, Trojan horses or rootkits to become resident in the machine you are happily typing away on. Check here to see what these words mean. There is a real risk that anything you type on a contaminated public computer will be recorded and stolen. All of this can happen without your knowing (or even suspecting) a single thing. You could, of course, use Internet cafes only with "throwaway" email addresses (that means you set up a Yahoo! or Gmail account for the duration of your trip and then forget it when you are finished). You would avoid typing any sensitive information into the public computer except the password from that email account. You wouldn't do anything so brash as enter online banking pass codes or credit card numbers, not ever. Or is there a way to be safe(r) online in a cybercafe?

Bringing your own laptop into a cafe or internet shop and using their wifi doesn't make you any safer, unless you act beforehand and install some software.

Look here to see some of the spyware I found installed on one cybercafe computer while using an Internet cafe on a recent trip to India.

"One huge problem with Internet cafes is that they are often lax at updating the software running on their computers."

You probably won't bother to do such a spyware scan unless you're already a computer enthusiast. Why should you have to? - you only wanted to send a few emails and check your online banking balance. One huge problem with Internet cafes is that they are often lax at updating the software running on their computers. In poorer parts of the world, this might mean you surf and send critical messages on a Windows XP  machine without any security updates, running Internet Explorer 6, wide-open to all types of malware exploits of either other patrons of the cafe or external hackers. Even later versions of Windows' machines might be poorly updated as they either were installed using a blacklisted key, blocking access to the Windows Update site and all critical security updates, or the downloadable patches and service packs are too large to manage with the slow Internet connection the cafe has (some security updates are 100MB, and 20MB updates are normal - almost impossible on a telephone line if you have more than one computer to update).

"...popular micro-blogging site Twitter was shut down by a massive botnet attack launched from infected personal computers around the world..."

Some definitions first:

Backdoor As implied, a way into the computer which is not clearly visible to the operator. Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer which allows remote execution of code on the machine;

Botnet A collection of security compromised computers (each a "zombie" or "bot") running stealth programs - which could be worms, Trojan horses, or backdoors - under a common command and control infrastructure. What do botnets do? Some are multipurpose, sending either shiploads of spam, running "pump-and-dump" share scams or flooding legitimate sites in an attempt to shut them down. Other botnets focus on one function. In August, 2009, the popular micro-blogging site Twitter was shut down (and social networking site Facebook severely crippled) by a massive botnet attack launched from infected personal computers around the world. Botnets can be very large - millions of computers steered by one operator (the Dutch police found a 1.4 million node botnet in 2004, and the Twitter attack probably needed at least a hundred thousand).

You've most likely never heard of Cutwail, Rustock, Donbot or Ozdok, but they were some of the fastest-growing botnets observed in 2009, with upwards of 100,000 infected machines in each. The Mega-D botnet, estimated to number a quarter of a million computers, was successfully closed down at the end of 2009 - one case in a sparse collection of successes that year. The now defunct Mariposa came to light in May 2009, and was recorded as having 12.7 million IP addresses connecting to its command and control centre at that time - it's probably one of the biggest botnets ever discovered. In August 2012 a 26 year-old man from Slovenia went on trial for allegedly managing the Mariposa botnet. The Butterfly botnet (probably more than 11 million computers) was successfully shuttered by the FBI at the end of 2012.

It has been estimated that around one quarter of all personal computers connected to the Internet are part of one botnet or another, and the absolute number is probably rising. In 2011 there was concern that two DIY spyware trojans - Zeus and Spyeye - had joined forces to provide a potentially widely-distributed banking malware botkit (see the control panel used by bot masters here);

Compromised Server Servers are computers which store and serve out web pages. You probably connect with over a dozen different servers during one session in an Internet cafe. Yet servers can be compromised by hackers planting code which will execute and either directly install something or redirect the visitor to a site where the install happens. For instance, when you visit the site with a browser which has some software vulnerability, the planted site code runs and your computer is infected with a trojan or virus. All of the major browsers (Internet Explorer, Firefox, Safari) need regular "patches" or fixes for their discovered vulnerabilities, and some flaws are known about weeks before they are patched. Hackers often work to compromise servers within 24 hours of a browser flaw being made public. Think the code-planting hasn't happened to your trusted website? According to security firm Websense, sixty of the 100 most popular websites either hosted malicious content or linked to malicious websites at some point during the first six months of 2008. The proportion of compromised servers is set to rise rapidly in the years ahead, making this mode of delivery the most common method of picking up an infection;

"Drive-by" download Snooping software which installs on the target computer simply by a webpage opening which contains hidden code. The page might not even have been requested by the user - it may have been an unwanted pop-up window from a Russian or Chinese site linked through the main page. Or it was a page whose hosting server had been compromised (a blog or any site with malicious code hidden in its pages) by an earlier hack attack. The expression comes from "drive-by shooting," where the victim knew nothing of their assassin but was simply in the wrong place at the wrong time;

Keylogger/keystroke logger Either software in the computer (possibly from a drive-by  download) or hardware attached to it, which records everything any user types on the machine. The key logger may also periodically capture what's shown on the screen and then email all of these results to a secret address. The software loggers are tricky to detect (especially in an Internet cafe), the hardware ones will require you to dismantle the keyboard or get down on your knees and examine its plug;

Pharming You probably heard of "phishing" - in fact, if you've been using email more than a few months you've almost certainly received emails urging you to log-on to your bank's website and enter vital information. The emails, of course, are fake, and the site you go to is a carefully-crafted replica of the real thing which steals any passwords you enter. "Pharming" exploits don't even need you to click on an email link - the redirect happens within the computer you are using, or - more rarely - by falsifying something called the DNS records in a master computer somewhere. You end up at a site which looks like the one you want but is nothing to do with the bank or email site you thought it was;

Ransomware Until the year 2013 most examples of ransomware could be cleaned within the affected computer. Now, only prevention is able to save you from this especially heartless form of online extortion. Ransomware performs an action that causes you distress, then asks for money to reverse that action. Previous incarnations of ransomware popped up a spoof warning from your country's police force informing you that underage, explicit photos had been detected on your computer and requested a payment (!) to avoid prosecuting you.

A new form of ransomware is with us now, one variant being known as CryptoLocker. It is so successful it can only spread wider as it is copied and distributed. It is quite sophisticated, but the initial infection is acquired in the same fashion as all others, either clicking to open an email attachment or by visiting a site whose server has been compromised. The infection runs silently in the background (maybe for hours) until all of your personal files are encrypted. Clearly, this is primarily aimed at home computer users, but the CryptoLocker trojan isn't picky - it will set to work on photos on a memory card, for example. This is what you see after infection - that is, when your files are inaccessible:


The encryption is robust enough that you can wave goodbye to your files (documents, emails, spreadsheets, presentations, photos, videos, sound files - even your backups, if they are connected to the main computer in any way) without the unlock key. The CryptoLocker screen has a countdown timer and demands the ransom be paid only in Bitcoins, thus making the beneficiaries untraceable. If you do not pay within the time limit, you have no way back. If you do pay... well, you might get the unlock key, but clearly the criminals involved in this have no reason to provide you with it, as they are anonymous and already have your money. Your payment also helps them further their extortion racket, thus presenting you with a considerable moral dilema.

Rootkit A snooping and/or control program running at the kernel/user mode level in the computer, invisible to normal "running processes" investigative tools such as Task Manager. Many current spyware scanners are unaware of rootkits;

Screen Capture Effectively a "digital photograph" of what is showing on the monitor at any particular time. These photographs are recorded electronically inside the computer and may be taken each time the screen changes, or upon something like a mouse click or keystroke triggering a new character in a box. This way, even if you are protected from keystroke loggers, a criminal can still steal your password or credit card number. Another (very unlikely, yet still plausible) possible screen capture method would be a real camera somewhere in the cybercafe, aimed at the screen or keyboard;

Trojan horse Sometimes installed through an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection and exploitation of data. Some downloadable games contain Trojan horses, many file-sharing programs (eDonkey, eMule, BitTorrent) are suspect, as are some files shared through P2P. A Trojan horse can also arrive as an email attachment, or be downloaded through an Internet link you clicked on;

Virus, worm A virus is a string of code which needs to "infect" a file on the computer before it can replicate itself. The file it infects provide the rest of the code needed for the virus to work, just like a cold virus needs a warm throat to begin its action of replication. A worm is a complete bundle of code and simply takes up residence, often inside the system folder of your machine, assuming an innocent name like "kernel32.exe". Interestingly, the first worm ever written didn't target Windows, it was sent in 1988 before that operating system appeared. Viruses and worms these days are capable of various exploits. Many aim to turn the target computer into a "zombie" which can be remotely controlled by a criminal to send more viruses, worms, email spam... you name it.


Soluble Surfing when you're on the road

If you have a USB flash drive (called variously pen-drive, thumb-drive or USB memory stick), you have the basis for a solution to the infected-with-spyware Internet cafe problem. USB flash drives are really cheap these days ($10/Euro 8 will get you one large enough for carrying your own portable cleaning application, password safe and - if you want - browser and photo editing applications wherever you go). You can download a complete package of portable software from this site, or assemble your own collection. Read on for my recommendations...

Internet cafe bug cleaner prepackaged

Download this FREE package of programs to use on a USB stick when you travel. It will make surfing and entering passwords a more safe and secure venture. You will save time when it comes to cleaning up your tracks and traces at the end of an Internet session. As you'll probably also want to check and resize your pictures in an Internet cafe, there are tools included for that. There are two versions; the basic one is suitable for people with little technical knowledge.

read more about cafeKlysm

cafeKlysm is a collection of portable programs with the focus on security while using public computers. The basic version will fit on a 500MB or larger flash drive. cafeKlysm is totally free to use, will not expire, and is free of any advertising or spyware. The basic version includes the Firefox browser, KeePass secure password store, SafeKeys onscreen keyboard and CCleaner computer cleanup application, which is all you'll need to enter passwords safely and clean up your tracks after browsing on a cybercafe computer. There is a fast image resizer and image viewer for your digital photos, a program to edit your pictures' EXIF tags (and geo-location tag them using a Google Maps interface). There is also a "safely remove USB drive" feature which facilitates easy ejection of the USB drive even when Windows complains some file is still in use, something you're sure to need at least once on your travels. With one click, you'll immunise your USB drive against common, auto-installing viruses on the host computer, and in another click you can block the host computer capturing pictures of what's being shown onscreen, protecting your logged-in information. A one-button check on your Internet connectivity lets you to test the presence of a connection from a slow or unreliable Internet shop before you hit that send email button.

cafeKlysm basic version

 version two of cafeKlysm,
 showing a closeup of the Internet page

The full version contains all those programs, plus XnView (a powerful photo editor), PhonerLite internet telephony client, KeyScrambler keyboard encrypter, ClamWin portable antivirus, Process Explorer task manager, USB View to troubleshoot any speed problems with your drive, Toucan backup and encryption, a Hosts file editor and TCP View network analyser tool (more convenient to use than Windows' built-in Netstat program). Available for free since 2008 and regularly updated, the program is now in its second version, with a vastly different user interface and includes many more features. Read more about cafeKlysm and download it here.

Internet cafe
bug cleaner DIY style

Assemble your own bundle of programs to aid with cybercafe privacy.

You can of course load the portable programs separately yourself, although you'll miss the convenience of cafeKlysm's launcher (so needing many more clicks to start each program), the 57-page (in PDF) help file included with either version, the fast connection checker, screen logger disabler, photo editing software and the "safe eject" feature.

If you do want to download the separate programs, here are my recommendations:

1. Mozilla Firefox, Portable Edition takes up a tiny 4.7MB space and can easily be run on an Internet cafe computer instead of Internet Explorer (it does not need an administrator account to run it), giving you many advantages in security. All of your settings will be saved to your USB drive, so you can travel with an extensive stack of bookmarks, for instance. Firefox is a fast, full-featured web browser that's easy to use. It boasts many features including popup blocking, tabbed browsing, integrated search, improved privacy features and anti-phishing. Get the Mozilla Firefox, Portable Edition (it's free) here.

2. KeyScrambler Personal. To give a good measure of protection against key loggers (hardware versions are excepted, as I state above) when you enter name and passwords into sites, download KeyScrambler Personal. This free software (1MB) is a browser plugin which works with Internet Explorer and Firefox to encrypt data as it passes from the keyboard driver through the operating system to the browser you are using. You don't have to understand how it works, but it does offer reliable protection. Read a review of KeyScrambler here and here. KeyScrambler works with all keyboard layouts and it shields you on all websites: your login credentials, credit card numbers, passwords and search terms. You will need to pay for versions of KeyScrambler which will safeguard other browsers such as Opera, Maxthon or Safari and email clients like Thunderbird and Outlook, but the basic version is fine for IE, Firefox and Flock.


You'll need to be using an administrator account on the computer you are using, as KeyScrambler has to be installed, then a restart performed to load a driver. It is the only application listed here with this requirement - all of the others will work in a limited or guest account.

You are protected by KeyScrambler on all the "input fields" (places you can type) of the page, but don't let that feature make you over-confident. The information you enter has to leave the browser to travel to the target server, and unencrypted communication between your browser and a website is as public as writing your information on a postcard and mailing it the traditional way. Even encrypted communication can be reconstructed if the trojan in the computer uses something to capture the actual packets leaving the system, but that's a risk you'll either have to swallow or inspect with NetStat to eliminate it.

3. KeePass Portable Edition. Typing passwords into an onscreen window if you don't use Key Scrambler (above) runs a risk that password stealing malware will log your keystrokes. A way around this is to copy and paste the passwords from a secure password store. The KeePass program does exactly this in a portable version (about 1MB) which you can add to your security collection on a USB drive, iPod or CD. This way, one master password unlocks the password database and you insert the password either by drag-dropping it or with a single key action, making it harder for key loggers to capture anything (controls for the copy and paste of user name and password are on the application). Completely free, you can download KeePass here. It's so useful you may want to adopt it to remember passwords on your home computer.

4. CCleaner Portable Edition. Have you ever wanted to spend more time in an Internet cafe doing useful things like reading your email messages and less time deleting all the temporary files, cookies and history left over from your surfing? With one click you'll be able to clean your tracks using CCleaner. It's just 800kB to download from here.

5. Neo's SafeKeys. An onscreen keyboard which changes its position and dimensions each time you launch it (to fool mouse loggers), and which you type your passwords on before dragging them to a box on your login page. For highest security, SafeKeys functions only with the drag-drop transfer method, and uses two methods to obscure its screen from screen loggers (screen image capture trojans). As it doesn't use the Windows' clipboard, nothing can be captured there. You can also choose to type your password simply by hovering your mouse (not clicking) on the relevant character, and you have the option of scrambling the keyboard layout to a random one. It's vastly more secure than using the Windows onscreen keyboard (which sends messages through the computer sub-system that a key has been pressed each time you click a key with your mouse). Neo's SafeKeys is a small download (316kB) here.


Basic hygiene in an Internet cafe

The tips in this section won't protect you from keyloggers or other spies on the computer. They are merely elementary precautions which will prevent the next user in the cybercafe from being able to see the sites you visited, or - worse - log in to your email account.

There are three things you absolutely must do when using a public computer:

  • Stop the browser (Internet Explorer is the most common one)
    recording the history of the sites you visited,

  • Prevent it from saving your passwords and

  • Clean up any traces of your surfing before you leave.

Internet Explorer
You need to find Internet Explorer's Tools menu. In version 6 and below this was visible along the top, but if you have a later version of the browser, you'll need to press the ALT key to see the menu at all. Go down to Internet Options and click on the Content tab at the top of the box which opens. The middle of the way down this box will be something called AutoComplete. Click the button labelled "Settings" here. An even smaller box will open; untick every box you see here ("Use AutoComplete for..."). AutoComplete is useful on your home computer to remember passwords and addresses of sites you visited, but on a machine open to everyone it's a big security risk. Click "OK" to dismiss this box and "OK" again to close the Internet Options box.

At the end of your browsing session using Internet Explorer 6, open the familiar Internet Options box again, and this time click on Delete Files or Delete. Internet Explorer 7 makes deleting all of your browsing traces at once very easy: click on the Tools menu and then Delete Browsing History. Close the Internet Options box with "OK" as before (if using IE 6 or below), and the computer should be cleaned of your tracks, which includes browsing history, cookies and something called the cache, which is a local store of files from your Internet activity.

For very complete information about deleting files - including history, auto-complete data, cookies and the cache - from all versions of Internet Explorer (including the AOL Web Browser), see this page.

It's possible that the administrators of the cybercafe have restricted access to certain functions on the machines - you might get a box denying your attempt to change the "remember passwords" setting, for example. My solution to this is to get up and find another place to do my Internet business. Anywhere which denies you the basic provisions of privacy on the machine shouldn't be trusted or supported.

Installed versions of Mozilla Firefox are no less secure in their "out of the box" setting than Internet Explorer - portable versions you carry on a USB key should save their settings to the USB key file system and so offer more privacy in that respect. Firefox will ask to save passwords and save your browsing history and cookies unless you set the preferences otherwise. Go to the Tools menu (to see this menu in Firefox 4, hit the Alt key first), and pick Options from the drop-down list. Click the Privacy tab and untick the "Remember visited pages for the last..." box, or set the days to zero. Also untick "Remember what I enter in forms and the search bar" - this is Firefox's equivalent of Internet Explorer's AutoComplete function - and again, it's useful at home, but risky to have on a public machine. Make sure the "Accept cookies from sites" box is checked (or you won't be able to log in to many forums or online services), but set the Keep cookies until... to "until I close Firefox" on the drop-down menu beside it. Also tick "Always clear my private data when I close Firefox" box. Don't close the Options box yet, we need to deal with the password retention feature. Click the Security tab (Mozilla makes a lawyer-like distinction between privacy and security here) and untick "Remember passwords from sites." Now click the Options box away with "OK" at the bottom.

You have now restored some amount of privacy to the the browsing experience, you can begin your Internet surfing. At the end of the session, either close the browser with the X in the top right-hand corner (and click "Yes" to deleting the private data) or keep it open, click the Tools menu again and select Clear Private Data

That's quite a lot of work in addition to writing your messages, isn't it?  You can speed up the steps to privacy (erasing stored passwords, history, cache, etc.) by using a small cleanup program contained in a special security bundle you carry with you on a USB drive. See here.

Windows' clipboard
Often overlooked (by me as well) is the clipboard. Anything you copied and pasted will be there. If you were working in a word-processing document that could be rather a lot of text and pictures. The easiest way to delete the clipboard is simply to copy any non-private text from the computer (highlight the text, then hold down <Control> while pressing the <C> key), which overwrites the clipboard.


Wifi is too risky for secure browsing!

So you heard about the risks of spyware in public internet shops. That made you seek out a nice cafe with wifi and right now you're using your own laptop or netbook with their free wireless internet connection to check emails while sipping your Frappucino©. They even gave you a password to access the hotspot, so it must be safe, right? Wrong... anyone else using the same network has access to the traffic passing in and out of your computer, because they almost certainly are using the same password. Cybercafes which issue individual user passwords for wifi are almost non-existent. This means that unencrypted email messages (most email providers encrypt only the login session and then deal with other transactions in plain view to all) are open for anyone to read. Additionally, by using a 'man-in-the-middle' spoofing ploy, malicious users may be able to capture your entire browsing session and read even your passwords sent over an encrypted connection. Don't use Wifi for online banking, and try and send and receive your email with GoogleMail, which maintains an encrypted browser connection for the entire session, not only for login. More information.

Whenever you use wifi for routine things like email, you'll feel much safer by forcing the connection to an encrypted session. Hotspot Shield is free (although the free version forces you to opt out of installing a useless toolbar plus an irritating video pops up whenever you use the program) and creates a secure "tunnel" to the HSS server from your computer, making the wifi you use much more robust against snoopers.

Pro-active security to avoid calamity

Pick secure passwords and enter them  safely

The information here provides you with a layer of shielding against common methods of capturing your password and other critical information when you use a shared computer in an Internet cafe.

The design of keyloggers evolves daily, and many have become very sophisticated, able to shut down most antivirus programs and hide themselves from the user level of computer operation. The largest proportion of them, though, will be quick knock-offs of an existing piece of tried software downloaded by an amateur from a hacking forum. Knowing this, you can protect yourself against 99% of keyloggers for your email correspondence, and work to close the gap on that 1% if you need to type in something more critical such as a credit card number.

Copy-paste methods (from a text file you carry on a floppy or USB drive) give you no protection at all and are a total waste of time. When you copy to the clipboard in Windows, an "event notification" is sent to the operating system that the clipboard's content has changed. The simplest keylogger will monitor this, and easily capture your password. Likewise, using Windows' built-in onscreen keyboard is a mythical safeguard: another event notification goes out each time you click on a key, the same as when you type on the physical keyboard.

I recommend using KeePass to store your passwords. You either drag-drop or paste the password into your box (with a selected "hotkey" combination)  without creating an event notification, which makes it much more secure against keyloggers. For highest security, drag-drop offers fewer routes for capture of your password. The password store itself is encrypted and cannot be read from the storage medium until you unlock it with a master password. That's perhaps its only weakness - make sure that master password is hard to guess (see below), and type it into the box securely (Neo's SafeKeys is good for this - see the previous section).

More securely, you can install encryption for the entire keyboard-to-browser path with KeyScrambler, although this needs you to have an administrator account and restart the computer you are working on (which may be tricky). An onscreen keyboard which is much safer than the Windows one is available here.

You will need to carry these little programs with you, ideally on a USB flash drive. You will want to ensure that the USB drive itself hasn't become infected, however, and this can be a problem. The antivirus scanner on a public computer may have been compromised by trojans or viruses. You could carry a portable version of an antivirus program on your USB drive and use that in combination with the installed versions you find in Internet cafes. ClamWin AV is free and works well in its portable incarnation.

Don't be the weakest link in the chain yourself: use a password which is strong. A 'strong' password is something like 4#ro98K:Dfg while a weak password would be tiger. Try out your current password using this password strength checker from Microsoft (it doesn't record what you type) and then read some useful hints on picking a better password.

Ensure that your browser shows secure communication has been established - usually there is a small lock icon visible somewhere (on Firefox 4 you'll need to click the shaded portion of the address to see it) and the browser's address will begin https://... - before you enter information such as a credit card number.

you must see that your browser has made a secure connection

Hunting down the infections yourself

Advice which follows is included for users with some familiarity with computers. If you are an absolute beginner on computer and Internet matters, and still find it amusing that you have to shut down a computer by clicking on a button which says "Start," it's probably going to be too technical and involved for you.

Checking your connections
The Netstat command will reveal connections your machine is making to and from the outside world. Password-capture trojans will usually connect to their controlling operator on a different port and IP address than your browser does, so you may be able to see suspicious activity if the trojan is active when you check. Run Netstat from a command window: first get to the Run box by holding the <Windows> key and then pressing  <R> on the keyboard (you can also do this from Start --> Run). Type  cmd in the box and click "OK". Enter the following command in the small window which appears:

netstat -a -b -n

Using Windows 2000 or below, leave out the -b switch as this is not supported in these operating systems.

A lot of lines will probably scroll by quite quickly, giving current connections in and out of your machine. Look at one of those figures from my machine:

That first group of numbers before the colon is the IP address of the connection, the second number (highlighted in red in my example here) is the port on the computer. Here is the sample window from my own computer:

Your Netstat output may have a shorter list of connections or a much longer one. In lines saying 'ESTABLISHED,' look at the remote address port to identify what has connected to the remote site. In lines saying 'LISTENING,' concentrate on the local address port to identify what is listening there. Check with a list of known trojans and the ports they use. If a port on your Netstat output is there, it's a reason to be very suspicious, but you should note that some legitimate applications may use those ports as well. Any TIME_WAIT entries can be ignored, as can those connecting to a *:* Foreign Address. If you want to hunt further, using Netstat in conjunction with a small application called Process Explorer (a free, 1.6MB download) gives you the power to identify the process initiating each network connection. For example, I'm interested in the UDP connection on the bottom line - normally the UDP will match the port number of an existing TCP connection (the one above matches the first TCP connection listed). With Process Explorer, I see that the PID 1204 is associated with Windows' Background Intelligent Transfer Service. This is an entirely normal service running on the computer to deliver Windows' updates.

The parent application name will be next to many entries - on my output the application is my web browser, SeaMonkey. There are multiple entries for it because browsers fetch the different parts of a webpage with multiple requests. However, because the application exists on the computer as a familiar application doesn't necessarily imply that the connection is a safe one; many stealth applications connect through programs such as Internet Explorer. However, you will certainly have an unmistakable alarm call if spylog~1.exe or something similar is connecting to the Internet. Note that is the address of the computer you are working on - many entries for this IP address are perfectly normal. In my example, all of my HTTP connections pass through this port as it connects with my Webwasher advertising blocker.

The two top addresses are "," an address which actually includes each and every network interface. Both are being used by the system for Listening. This is communication at the MAC Address level between the computer and my router, and is quite normal. Should there have been anything going out on this address (to any port), it would have a pointer to questionable activity, and I would have wanted to check the PID to find what was behind the process.

Introducing your HOST
The computer's HOSTS file has recently been used to redirect unsuspecting users to sites which may capture your password. Many banking sites have been so affected; modifying the Hosts file may have been done automatically by a script on an infected site someone visited or (more rarely) by the cybercafe operator themselves. Open your "Run" box again as above (Start>Run) and enter the following (best to copy-paste):

a) for Windows XP/Vista/Windows 7* -

b) for Windows 2000 -

c) for Windows 98 -

...then click "OK". These commands all assume Windows is installed in the normal location, and should open the Hosts file in Notepad. If you get a "file not found" message, you'll have to navigate to the Hosts file manually - try the locations as above, following the words NOTEPAD.EXE, or put the word Hosts in a search box and search the computer. Open the Hosts file in Notepad or a similar text editor. Note that the Hosts file has no extension - this is normal. Check the entries there - it will be either empty or have only a few. If anything resembling your own bank's address is included there, be very suspicious indeed. *Special instructions apply to Windows 7 and Vista. Here, you'll need to run Notepad as an administrator (right-click its menu icon and choose "Run As Administrator") before navigating to the file.

Other options for security

While it won't protect you from hardware key loggers, using a Linux "virtual machine" computer - which runs right inside the existing one - creates a high security cordon around your personal data when using an Internet cafe computer. The disadvantages of doing this are that you'll need to wait while the virtual machine loads and initialises (perhaps a few minutes on a slow computer), and the possible problems in configuring Internet access for the VM. It's not a project for beginners, but if you want to try it, look at this page, which has excellent guidance for using the "Damn Small Linux" virtual machine.

Taking your own computer means you probably inherit headaches about theft and malfunction while you are on the road, but modern netbooks are as compact as a guidebook and offer the chance to compose and read messages while you are sitting somewhere more congenial than a busy cybercafe. Overlooking the ocean, sipping a sunset beer, for example. I have written more about netbooks in the travel FAQs section of this site.

Using an online password store or manager has advantages and disadvantages. LastPass Password Manager overcomes one significant disadvantage by carrying a cache in its portable version (called 'Pocket' - a free 700kB download for either Windows, Mac or Linux). The cache is protected by 256-bit AES encryption and carries your most recently synchronised password list. You need to create a (free) LassPass account first, and it's here you specify your master password. The sliding colour bar under your password box indicates its integrity to guessing and dictionary attacks - go for at least a tinge of green on the scale,  and a mix of letters and numbers in the password itself. The very significant advantage of LastPass is that it will carry all your passwords (banking, credit cards, email, forum sign-ons), it will fill in not only password boxes but more complex forms, and it updates any passwords which you add or change immediately on the server when you are online. It is cross-browser compatible as well. While it is in transit across the Web and into the host computer, your information remains protected by strong, 256-bit AES encryption. The information stored on LastPass's servers is totally under trust (they do try to assure us here that nothing will be done with your passwords), and this may not be enough for some people. Nor is there any guarantee that this small-scale operation will be around when you need it.

An online service called Keep Your Password Secret (KYPS) ran for a few years, offering to perform email login on your behalf with single-use codes you entered. The site now shows a "service discontinued" message. The concept was a good one, but its demise underlines the risk you take depending upon an external service such as this. You simply can't guarantee that it's going to be accessible when you want to login to read your email and not blocked in your part of the world, or that its server hasn't been compromised, or that the cybercafe computer you access it from hasn't been the victim of a pharming exploit. KYPS declined to disclose details of the software and privacy protection on the site when I queried them in 2008, and I am automatically more suspicious of closed-source operations.

The pages following are concentrated more on beefing up security on your home computer, but it's not unrelated to the issues facing Internet cafe users, as many of the threats are common to both environments.


Go to the next Online Zone - page 2

Send this page to a friend

Creative Commons License

Do you have any suggestions about these tips? Use the online feedback to help me improve them.

Jump to another zone: