the online zone

Internet privacy on the road

3: Online security when using a public computer

Jump to other security pages: 

The 'dirty toilet' problem

Keeping in contact with home by using email from Internet cafes is the lightest way to go. You have no worries about carrying your own computer, and you are free of the drag of finding suitable telecom providers or Wi-Fi signals for a smartphone. Many people put up with these inconveniences because they really don't want to set foot in an Internet cafe. What's wrong with Internet cafes? Aside from the fact that they are getting harder to find in many countries (due to said smartphones displacing them), public internet shops are rather like public toilets. Even worse, they're like public toilets where everything you do is revealed for the world to see...

Bugs are smeared all over the innards of every computer! Wiping the mouse and keyboard with a damp tissue won't clean those bugs off. Previous users, either through a "drive-by download" or a deliberate action, have probably caused worms, viruses, key loggers, Trojan horses or rootkits to become resident in the machine you are happily typing away on. Check here to see what these words mean. There is a real risk that anything you type on a contaminated public computer will be recorded and stolen. All of this can happen without your knowing (or even suspecting) a single thing. You could, of course, use Internet cafes only with "throwaway" email addresses (that means you set up a Yahoo! or Gmail account for the duration of your trip and then forget it when you are finished). You would avoid typing any sensitive information into the public computer except the password from that email account. You wouldn't do anything so brash as enter online banking pass codes or credit card numbers, not ever. Or is there a way to be safe(r) online in a cybercafe?

Bringing your own laptop into a cafe or internet shop and using their Wi-Fi doesn't make you any safer, unless you act beforehand and set up a VPN.

Look here to see some of the spyware I found installed on one cybercafe computer while using an Internet cafe on a recent trip to India.

One huge problem with Internet cafes is that they are often lax at updating the software running on their computers."

You probably won't bother to do such a spyware scan unless you're already a computer enthusiast. Why should you have to? - you only wanted to send a few emails and check your online banking balance. One huge problem with Internet cafes is that they are often lax at updating the software running on their computers. In poorer parts of the world, this might mean you surf and send critical messages on a Windows machine where the most recent security updates were done last year, with an ancient version of Internet Explorer, wide-open to all types of malware exploits of either other patrons of the cafe or external hackers. Windows machines might be poorly updated as the downloadable patches and service packs were too large to manage with the slow Internet connection the cafe has (the new packaging of security updates for Windows 7,8 and 10 means 350MB updates or larger are normal - almost impossible on a telephone dialup line or sluggish DSL connection if you have more than one computer to update).

...popular micro-blogging site Twitter was shut down by a massive botnet attack launched from infected personal computers around the world..."

Some definitions first:

Backdoor As implied, a way into the computer which is not clearly visible to the operator. Many computer worms install a backdoor on the affected computer which allows remote execution of code on the machine. The Gameover ZeuS Trojan (see below) uses a backdoor to install software which logs your keystrokes;

Botnet A collection of security compromised computers (each a "zombie" or "bot") running stealth programs - which could be worms, Trojan horses, or backdoors - under a common command and control infrastructure. In a public Internet shop, the very computer you are using may be one which has been so commandeered. Without observation of the exact Internet traffic it is hard to tell whether a computer has been compromised and is sending information under the control of a "bot herder" but a slow network connection may be one sign.

What do botnets do? Some are multipurpose, sending either shiploads of spam, running "pump-and-dump" share scams or flooding legitimate sites in an attempt to shut them down. Other botnets focus on one function. In August, 2009, the popular micro-blogging site Twitter was shut down (and social networking site Facebook severely crippled) by a massive botnet attack launched from infected personal computers around the world. Botnets can be enormous - millions of computers steered by one operator (the Twitter attack probably needed at least a hundred thousand).

In August 2012 a 26 year-old man from Slovenia went on trial for allegedly managing the Mariposa botnet. The botnet probably involved more than 11 million computers and was successfully shuttered by the FBI at the end of 2012.

Russian criminal gangs are behind a lot of botnet activity. In 2015, Kaspersky reported that one single group of 20 individuals had made a profit of $790 million over the previous three years. In mid-2016 the Necurs botnet, one of the largest ever seen and thought to have been thwarted, was back again distributing ransomware (see below);

Compromised Server Servers are computers which store and serve out web pages. You probably connect with over a dozen different servers during one session in an Internet cafe. Yet servers can be compromised by hackers planting code which will execute and either directly install something or redirect the visitor to a site where the install happens. For instance, when you visit the site with a browser which has some software vulnerability, the planted site code runs and your computer is infected with a trojan or virus. All of the major browsers (Internet Explorer, Firefox, Safari) need regular "patches" or fixes for their discovered vulnerabilities, and some flaws are known about weeks before they are patched. Hackers often work to compromise servers within 24 hours of a browser flaw being made public. Think the code-planting hasn't happened to your trusted website? According to security firm Websense in 2012, sixty of the 100 most popular websites either hosted malicious content or linked to malicious websites at some point during the first six months of that year. The proportion of compromised servers is set to rise rapidly in the years ahead, making this mode of delivery the most common method of picking up an infection. You can run a check on a site you suspect of running malicious content here (this can take some time);

"Drive-by" download Snooping software which installs on the target computer simply by a webpage opening which contains hidden code. The page might not even have been requested by the user - it may have been an unwanted pop-up window from a Russian or Chinese site linked through the main page. Much malicious content is now contained in online advertising, which may load alongside the content you thought you were getting (see Malvertising below). Or it was a page whose hosting server had been compromised (a blog or any site with malicious code hidden in its pages) by an earlier hack attack. The expression comes from "drive-by shooting," where the victim knew nothing of their assassin but was simply in the wrong place at the wrong time;

IOT Botnet A variation on the botnet referred to above. Instead of being assembled from various infected servers and personal computers, this botnet rallies its troops from the Internet Of Things. The IOT is a growing community of light bulbs, fridges, cameras, digital video recorders and lawnmowers (etc, etc) having embedded computers with network-connected operating systems. Often, such computers are quite basic and have limited function (such as switching on the oven before you arrive home), but that doesn't mean they cannot be repurposed by an attacker. IOT devices may not feature very much gateway security, their operating systems may have unpatched vulnerabilities, and - worst of all - access to the consumer interface may be gained through a factory-set user name and password. Once accessed and infected with malware, the tiny computer can bombard a website with its cousins and shut it down with a denial of service attack. This happened in September 2016 to security writer Brian Kreb's website, and in October the same year to Spotify, Twitter, Github, Soundcloud, Etsy and PayPal. In the latter attack the high-profile sites were inaccessible for several hours. What assists the IOT bot herder in keeping the scheme running is that close inspection of the precise connections being made by the embedded computer is much less likely than with a conventional PC or server;

Keylogger/keystroke logger Either software in the computer (possibly from a drive-by  download) or hardware attached to it, which records everything any user types on the machine. The key logger may also periodically capture what's shown on the screen and then email all of these results to a secret address. The software loggers are tricky to detect (especially in an Internet cafe), the hardware ones will require you to dismantle the keyboard or get down on your knees and examine its plug;

Malvertising Unless you specifically block online advertising in your browser, other sites display their content in the page you are viewing. Ostensibly this is to display products to sell to you, but if the server which sends the advertising has itself been compromised you will also receive malvertising. Sometimes the adverts use an inline frame, essentially a "site within a site". Adverts often use animation, which may be running using your browser's Flash player, Silverlight or JavaScript. Should your browser - or one of its plugins hosting the content - have a vulnerability, the malware will install on your system. We are not talking about niche websites here; some of the big name sites have suffered. Malvertising is another good reason to block all online advertising in your browser. Portable browsers can also have ad-blockers installed (Portable Firefox can utilise AdBlock Plus), something best done before leaving on a trip;

Pharming You probably heard of "phishing" - in fact, if you've been using email more than a few months you've almost certainly received emails urging you to log-on to your bank's website and enter vital information. The emails, of course, are fake, and the site you go to is a carefully-crafted replica of the real thing which steals any passwords you enter. "Pharming" exploits don't even need you to click on an email link - the redirect happens within the computer you are using, or - more rarely - by falsifying something called the DNS records in a master computer somewhere. You end up at a site which looks like the one you want but is nothing to do with the bank or email site you thought it was;

Ransomware Until the year 2013 most examples of ransomware could be cleaned within the affected computer. Now, only prevention is able to save you from this especially heartless form of online extortion. Ransomware performs an action that causes you distress, then asks for money to reverse that action. Previous incarnations of ransomware popped up a spoof warning from your country's police force informing you that underage, explicit photos had been detected on your computer and requested a payment (!) to avoid prosecuting you.

A new form of ransomware is with us now, one variant being known as CryptoWall. It is a hugely successful refit of the earlier CryptoLocker, which was shuttered in 2014. CryptoWall is very sophisticated, directing victims to payment via the TOR network, but the initial infection is acquired in the same fashion as all others, either clicking to open an email attachment or by visiting a site whose server has been compromised. The infection runs silently in the background (maybe for hours) until all of your personal files are encrypted. Clearly, this is primarily aimed at home computer users, but the CryptoWall trojan isn't picky - it will set to work on photos on a memory card, for example. This is what you see after infection - that is, when your files are inaccessible:


The encryption is robust enough that you can wave goodbye to your files (documents, emails, spreadsheets, presentations, photos, videos, sound files - even your backups, if they are connected to the main computer in any way) without the unlock key. The CryptoWall screen has a countdown timer and offers choices of cryptocurrency in which the ransom may be paid (for example in Litecoins), thus making the beneficiaries untraceable. The ransom is 'discounted' if you pay early, so you may shell out between $100 and $500. It is estimated that the ransomeware earned its creators more than $1 million in the first six months of 2014. The FBI has been recommending businesses just to pay the criminals. If you do not pay within the time limit, you have no way back. If you do pay... well, you might get the unlock key, but clearly the criminals involved in this have no reason to provide you with it, as they are anonymous and already have your money. Your payment also helps them further their extortion racket, thus presenting you with a considerable moral dilemma;

Rootkit A snooping and/or control program running at the kernel/user mode level in the computer, invisible to normal "running processes" investigative tools such as Task Manager. Many current spyware scanners are unaware of rootkits;

Screen Capture Effectively a "digital photograph" of what is showing on the monitor at any particular time. These photographs are recorded electronically inside the computer and may be taken each time the screen changes, or upon something like a mouse click or keystroke triggering a new character in a box. This way, even if you are protected from keystroke loggers, a criminal can still steal your password or credit card number. Another (very unlikely, yet still plausible) possible screen capture method would be a real camera somewhere in the cybercafe, aimed at the screen or keyboard;

Trojan horse Sometimes installed through an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection and exploitation of data. Some downloadable games contain Trojan horses, many file-sharing programs are suspect, as are some files shared through peer-to-peer. A Trojan horse can also arrive as an email attachment, masqerade as a "codec update" installer or be downloaded through an Internet link you clicked on;

Virus, worm A virus is a string of code which needs to "infect" a file on the computer before it can replicate itself. The file it infects provide the rest of the code needed for the virus to work, just like a cold virus needs a warm throat to begin its action of replication. A worm is a complete bundle of code and simply takes up residence, often inside the system folder of your machine, assuming an innocent name like "kernel32.exe". Viruses and worms these days are capable of various exploits. Many aim to turn the target computer into a "zombie" which can be remotely controlled by criminal gangs to send more viruses, worms and email spam, or to force legitimate sites to close by bombarding them with spurious requests (DDoS);

Zero-Day exploit A zero-day vulnerability refers to a hole in software that is unknown to the provider of the software. Zero-day exploits have been very common in software such as the Flash player and Acrobat reader, although browsers are also a popular target. Uses of zero day attacks can include dropping malware onto the user's machine or allowing unwanted access to user information. The term zero-day or 0-day refers to the unknown nature of the hole to those outside of the hacker community, specifically, the developers. Once the vulnerability becomes known, a software patch is usually released urgently by the provider. Patching the vulnerablitiy relies on computer users regularly checking for updated software on their machine.

Soluble Surfing when you're on the road

If you have a USB flash drive (called variously pen-drive, thumb-drive or USB memory stick), you have the basis for a solution to the infected-with-spyware Internet cafe problem. USB flash drives are really cheap these days ($10/Euro 8 will get you one large enough for carrying your own portable cleaning application, password safe and - if you want - browser and photo editing applications wherever you go). You can download a complete package of portable software from this site, or assemble your own collection. Read on for my recommendations...

Internet cafe bug cleaner prepackaged

Download this FREE package of programs to use on a USB stick when you travel. It will make surfing and entering passwords a more safe and secure venture. You will save time when it comes to cleaning up your tracks and traces at the end of an Internet session. As you'll probably also want to check and resize your pictures in an Internet cafe, there are tools included for that. There are two versions; the basic one is suitable for people with little technical knowledge.

cafeKlysm is a collection of portable programs with the focus on security while using public computers. The basic version will fit on a 1GB or larger flash drive. cafeKlysm is totally free to use, will not expire, and is free of any advertising or spyware. read more about cafeKlysmThe basic version includes the Firefox browser, KeePass secure password store, SafeKeys onscreen keyboard and CCleaner computer cleanup application, which is all you'll need to enter passwords safely and clean up your tracks after browsing on a cybercafe computer. There is a fast image resizer and image viewer for your digital photos, a program to edit your pictures' EXIF tags (and geo-location tag them using a Google Maps interface). There is also a "safely remove USB drive" feature which facilitates easy ejection of the USB drive even when Windows complains some file is still in use, something you're sure to need at least once on your travels. With one click, you'll immunise your USB drive against common, auto-installing viruses on the host computer, and in another click you can block the host computer capturing pictures of what's being shown onscreen, protecting your logged-in information. A one-button check on your Internet connectivity lets you to test the presence of a connection from a slow or unreliable Internet shop before you hit that send email button.

cafeKlysm basic version




version two of cafeKlysm, showing a closeup of the Internet page

The full version contains all those programs, plus XnView (a powerful photo editor), PhonerLite internet telephony client, KeyScrambler keyboard encrypter, ClamWin portable antivirus, Process Explorer task manager, USB View to troubleshoot any speed problems with your drive, Toucan backup and encryption, a Hosts file editor and TCP View network analyser tool (more convenient to use than Windows' built-in Netstat program). It has been available for free since 2008. Read more about cafeKlysm and download it here.

Internet cafe bug cleaner DIY style

Assemble your own bundle of programs to aid with cybercafe privacy.

You can of course load the portable programs separately yourself, although it takes longer and you'll miss the convenience of cafeKlysm's launcher (so needing many more clicks to start each program), the 57-page (in PDF) help file included with either version, the fast connection checker, screen logger disabler, photo editing software and the "safe eject" feature. If you do want to download the separate programs, here are my recommendations:

Start with a suitable flash drive (USB thumb drive) for the best results.

1. Mozilla Firefox, Portable Edition takes up about 90MB space and can easily be run on an Internet cafe computer instead of Internet Explorer (it does not need an administrator account to run it), giving you many advantages in security. All of your settings will be saved to your USB drive, so you can travel with an extensive stack of bookmarks, for instance. Firefox is a fast, full-featured web browser that's easy to use. It boasts many features including popup blocking, tabbed browsing, integrated search, improved privacy features and anti-phishing. Get the Mozilla Firefox, Portable Edition (it's free) here.

2. KeyScrambler Personal. To give a good measure of protection against key loggers (hardware versions are excepted, as I state above) when you enter name and passwords into sites, download KeyScrambler Personal. This free software (the installer is 1.5MB) is a browser plugin which works with Internet Explorer and Firefox to encrypt data as it passes from the keyboard driver through the operating system to the browser you are using. You don't have to understand how it works, but it does offer reliable protection. Read a review of KeyScrambler here and here. KeyScrambler works with all keyboard layouts and it shields you on all websites: your login credentials, credit card numbers, passwords and search terms. You will need to pay for versions of KeyScrambler which will safeguard password managers and email clients like Thunderbird and Outlook, but the basic version is fine for IE, Firefox, Maxthon and Chrome.


You'll need to be using an administrator account on the computer you are using, as KeyScrambler has to be installed, then a restart performed to load a driver. It is the only application listed here with this requirement - all of the others will work in a limited or guest account.

You are protected by KeyScrambler on all the "input fields" (places you can type) of the page, but don't let that feature make you over-confident. The information you enter has to leave the browser to travel to the target server, and unencrypted communication between your browser and a website is as public as writing your information on a postcard and mailing it the traditional way. Even encrypted communication can be reconstructed if the trojan in the computer uses something to capture the actual packets leaving the system, but that's a risk you'll either have to swallow or inspect with NetStat to eliminate it.

3. KeePass Portable Edition. Typing passwords into an onscreen window if you don't use Key Scrambler (above) runs a risk that password stealing malware will log your keystrokes. A way around this is to copy and paste the passwords from a secure password store. The KeePass program does exactly this in a portable version (about 5MB) which you can add to your security collection on a USB drive, iPod or CD. This way, one master password unlocks the password database and you insert the password either by drag-dropping it or with a single key action, making it harder for key loggers to capture anything (controls for the copy and paste of user name and password are on the application). Completely free, you can download KeePass here. It's so useful you may want to adopt it to remember passwords on your home computer.

4. CCleaner Portable Edition. Have you ever wanted to spend more time in an Internet cafe doing useful things like reading your email messages and less time deleting all the temporary files, cookies and history left over from your surfing? With one click you'll be able to clean your tracks using CCleaner. It's about 15MB to download (be sure to get the portable version) from here.

5. Neo's SafeKeys. An onscreen keyboard which changes its position and dimensions each time you launch it (to fool mouse loggers), and which you type your passwords on before dragging them to a box on your login page. For highest security, SafeKeys functions only with the drag-drop transfer method, and uses two methods to obscure its screen from screen loggers (screen image capture trojans). As it doesn't use the Windows' clipboard, nothing can be captured there. You can also choose to type your password simply by hovering your mouse (not clicking) on the relevant character, and you have the option of scrambling the keyboard layout to a random one. It's vastly more secure than using the Windows onscreen keyboard (which sends messages through the computer sub-system that a key has been pressed each time you click a key with your mouse). Neo's SafeKeys is a small download (1.5MB) here.

Basic hygiene in an Internet cafe

The tips in this section won't protect you from keyloggers or other spies on the computer. They are merely elementary precautions which will prevent the next user in the cybercafe from being able to see the sites you visited, or - worse - log in to your email account.

There are three things you absolutely must do when using a public computer:

  • Stop the browser (Internet Explorer is the most common one)
    recording the history of the sites you visited,

  • Prevent it from saving your passwords and

  • Clean up any traces of your surfing before you leave.

Internet Explorer
For very complete information about privacy settings - including history, auto-complete data, cookies and the cache - in all versions of Internet Explorer, see this page. To delete files in IE 7 and 8 see this page. For IE 9 go here, while for IE 11 go to this page.

It's possible that the administrators of the cybercafe have restricted access to certain functions on the machines - you might get a box denying your attempt to change the "remember passwords" setting, for example. My solution to this is to get up and find another place to do my Internet business. Anywhere which denies you the basic provisions of privacy on the machine shouldn't be trusted or supported.

Installed versions of Mozilla Firefox are no less secure in their "out of the box" setting than Internet Explorer - portable versions you carry on a USB key should save their settings to the USB key file system and so offer more privacy in that respect. Any version of Firefox will ask to save passwords and save your browsing history and cookies unless you set the preferences otherwise. Go to the Tools menu (to see this menu in Firefox, hit the Alt key first or click the three horizontal stripes on the toolbar at the right-hand end) and pick Options from the drop-down list. Click the Privacy tab and untick the "Remember visited pages for the last..." box, or set the days to zero. Also untick "Remember what I enter in forms and the search bar" - this is Firefox's equivalent of Internet Explorer's AutoComplete function - and again, it's useful at home, but risky to have on a public machine. Make sure the "Accept cookies from sites" box is checked (or you won't be able to log in to many forums or online services), but set the Keep cookies until... to "until I close Firefox" on the drop-down menu beside it. Also tick "Always clear my private data when I close Firefox" box. Don't close the Options box yet, we need to deal with the password retention feature. Click the Security tab (Mozilla makes a lawyer-like distinction between privacy and security here) and untick "Remember passwords from sites." Now click the Options box away with "OK" at the bottom.

You have now restored some amount of privacy to the the browsing experience, you can begin your Internet surfing. At the end of the session, either close the browser with the X in the top right-hand corner (and click "Yes" to deleting the private data) or keep it open, click the Tools menu again and select Clear Private Data

That's quite a lot of work in addition to writing your messages, isn't it?  You can speed up the steps to privacy (erasing stored passwords, history, cache, etc.) by using a small cleanup program contained in a special security bundle you carry with you on a USB drive. See here.

Windows' clipboard
Often overlooked (by me as well) is the clipboard. Anything you copied and pasted will be there. If you were working in a word-processing document that could be rather a lot of text and pictures. The easiest way to delete the clipboard is simply to copy any non-private text from the computer (highlight the text, then hold down <Control> while pressing the <C> key), which overwrites the clipboard.

Wi-Fi is too risky for secure browsing!

So you heard about the risks of spyware in public internet shops. That made you seek out a nice cafe with Wi-Fi and right now you're using your own laptop or netbook with their free wireless internet connection to check emails while sipping your Frappucino©. They even gave you a password to access the hotspot, so it must be safe, right? Wrong... anyone else using the same network has access to the traffic passing in and out of your computer, because they almost certainly are using the same password. Cybercafes which issue individual user passwords for Wi-Fi are still not safe. This means that unencrypted email messages (many email providers encrypt only the login session and then deal with other transactions in plain view to all) are open for anyone to read. Additionally, by using a 'man-in-the-middle' spoofing ploy, malicious users may be able to capture your entire browsing session and read even your passwords sent over an encrypted connection. Don't use bare public Wi-Fi for online banking, and try and send and receive your email with mail providers which maintain an encrypted browser connection for the entire session, not only for login. More information.

Whenever you use Wi-Fi for routine things like email, you'll feel much safer by forcing the connection to an encrypted session. Hotspot Shield is free (although the free version forces you to opt out of installing a useless toolbar plus an irritating video pops up whenever you use the program) and creates a secure "tunnel" to their server from your computer, making the Wi-Fi you use much more robust against snoopers. This method of secure connection is known as a Virtual Private Network or VPN. You can configure your own VPN using a service such as PureVPN (requires a monthly fee, but there are free alternatives) if you are knowledgeable, and avoid the HotSpot Shield advertising. There is more about doing that on previous pages of this site.

Pro-active security to avoid calamity

Pick secure passwords and enter them  safely

The information here provides you with a layer of shielding against common methods of capturing your password and other critical information when you use a shared computer in an Internet cafe.

The design of keyloggers evolves daily, and many have become very sophisticated, able to shut down most antivirus programs and hide themselves from the user level of computer operation. The largest proportion of them, though, will be quick knock-offs of an existing piece of tried software downloaded by an amateur from a hacking forum. Knowing this, you can protect yourself against 99% of keyloggers for your email correspondence, and work to close the gap on that 1% if you need to type in something more critical such as a credit card number.

Copy-paste methods (from a text file you carry on a floppy or USB drive) give you no protection at all and are a total waste of time. When you copy to the clipboard in Windows, an "event notification" is sent to the operating system that the clipboard's content has changed. The simplest keylogger will monitor this, and easily capture your password. Likewise, using Windows' built-in onscreen keyboard is a mythical safeguard: another event notification goes out each time you click on a key, the same as when you type on the physical keyboard.

I recommend using KeePass to store your passwords. You either drag-drop or paste the password into your box (with a selected "hotkey" combination)  without creating an event notification, which makes it much more secure against keyloggers. For highest security, drag-drop offers fewer routes for capture of your password. The password store itself is encrypted and cannot be read from the storage medium until you unlock it with a master password. That's perhaps its only weakness - make sure that master password is hard to guess (see below), and type it into the box securely (Neo's SafeKeys is good for this - see the previous section).

More securely, you can install encryption for the entire keyboard-to-browser path with KeyScrambler, although this needs you to have an administrator account and restart the computer you are working on (which may be tricky). An onscreen keyboard which is much safer than the Windows one is available here.

You will need to carry these little programs with you, ideally on a USB flash drive. You will want to ensure that the USB drive itself hasn't become infected, however, and this can be a problem. The antivirus scanner on a public computer may have been compromised by trojans or viruses. You could carry a portable version of an antivirus program on your USB drive and use that in combination with the installed versions you find in Internet cafes. ClamWin AV is free and works well in its portable incarnation.

Don't be the weakest link in the chain yourself: use a password which is strong. A 'strong' password is something like 4#ro98K:Dfg while a weak password would be monkey123. Try out your current password using this password strength checker (it doesn't record what you type) which summarises what is good or bad about your current password. To read some more detailed hints on picking a better password, Bruce Schneier's page has excellent advice. The strong password you settle on should also be different for every different site, making the use of some type of password manager obligatory.

Ensure that your browser shows secure communication has been established - usually there is a small lock icon visible somewhere (on Firefox 4 you'll need to click the shaded portion of the address to see it) and the browser's address will begin https://... - before you enter information such as a credit card number.

you must see that your browser has made a secure connection

Hunting down the infections yourself

Advice which follows is included for users with some familiarity with computers. If you are an absolute beginner on computer and Internet matters, and still find it amusing that you have to shut down a computer by clicking on a button which says "Start," it's probably going to be too technical and involved for you.

Checking your connections
The Netstat command will reveal connections your machine is making to and from the outside world. Password-capture trojans will usually connect to their controlling operator on a different port and IP address than your browser does, so you may be able to see suspicious activity if the trojan is active when you check. Run Netstat from a command window: first get to the Run box by holding the <Windows> key and then pressing  <R> on the keyboard (you can also do this from Start --> Run). Type  cmd in the box and click "OK". Enter the following command in the small window which appears:

netstat -a -b -n

Using Windows 2000 or below, leave out the -b switch as this is not supported in these operating systems.

A lot of lines will probably scroll by quite quickly, giving current connections in and out of your machine. Look at one of those figures from my machine:

That first group of numbers before the colon is the IP address of the connection, the second number (highlighted in red in my example here) is the port on the computer. Here is the sample window from my own computer:

Your Netstat output may have a shorter list of connections or a much longer one. In lines saying 'ESTABLISHED,' look at the remote address port to identify what has connected to the remote site. In lines saying 'LISTENING,' concentrate on the local address port to identify what is listening there. Check with a list of known trojans and the ports they use. If a port on your Netstat output is there, it's a reason to be very suspicious, but you should note that some legitimate applications may use those ports as well. Any TIME_WAIT entries can be ignored, as can those connecting to a *:* Foreign Address. If you want to hunt further, using Netstat in conjunction with a small application called Process Explorer (a free, 1.6MB download) gives you the power to identify the process initiating each network connection. For example, I'm interested in the UDP connection on the bottom line - normally the UDP will match the port number of an existing TCP connection (the one above matches the first TCP connection listed). With Process Explorer, I see that the PID 1204 is associated with Windows' Background Intelligent Transfer Service. This is an entirely normal service running on the computer to deliver Windows' updates.

The parent application name will be next to many entries - on my output the application is my web browser, SeaMonkey. There are multiple entries for it because browsers fetch the different parts of a webpage with multiple requests. However, because the application exists on the computer as a familiar application doesn't necessarily imply that the connection is a safe one; many stealth applications connect through programs such as Internet Explorer. However, you will certainly have an unmistakable alarm call if spylog~1.exe or something similar is connecting to the Internet. Note that is the address of the computer you are working on - many entries for this IP address are perfectly normal. In my example, all of my HTTP connections pass through this port as it connects with my Webwasher advertising blocker.

The two top addresses are "," an address which actually includes each and every network interface. Both are being used by the system for Listening. This is communication at the MAC Address level between the computer and my router, and is quite normal. Should there have been anything going out on this address (to any port), it would have a pointer to questionable activity, and I would have wanted to check the PID to find what was behind the process.

Introducing your HOST
The computer's Hosts file has recently been used to redirect unsuspecting users to sites which may capture your password. Many banking sites have been so affected; modifying the Hosts file may have been done automatically by a script on an infected site someone visited or (more rarely) by the cybercafe operator themselves. Open your "Run" box again as above (Start>Run) and enter the following (best to copy-paste):

a) for Windows XP/Vista/Windows 7, 8 and 10* -

b) for Windows 2000 -

c) for Windows 98 -

...then click "OK". These commands all assume Windows is installed in the normal location, and should open the Hosts file in Notepad. If you get a "file not found" message, you'll have to navigate to the Hosts file manually - try the locations as above, following the words NOTEPAD.EXE, or put the word Hosts in a search box and search the computer. Open the Hosts file in Notepad or a similar text editor. Note that the Hosts file has no extension - this is normal. Check the entries there - it will be either empty or have only a few. If anything resembling your own bank's address is included there, be very suspicious indeed.

*Special instructions apply to Windows 7 and above. Here, you'll need to run Notepad as an administrator (right-click its menu icon and choose "Run As Administrator") before navigating to the file.

Other options for security

While it won't protect you from hardware key loggers, using a Linux "virtual machine" computer - which runs right inside the existing one - creates a high security cordon around your personal data when using an Internet cafe computer. The disadvantages of doing this are that you'll need to wait while the virtual machine loads and initialises (perhaps a few minutes on a slow computer), and the possible problems in configuring Internet access for the VM. It's not a project for beginners, but if you want to try it, look at this page, which has excellent guidance for using the "Damn Small Linux" virtual machine.

Taking your own computer means you probably inherit headaches about theft and malfunction while you are on the road, but modern ultraportables are as compact as a guidebook and offer the chance to compose and read messages while you are sitting somewhere more congenial than a busy cybercafe. Overlooking the ocean, sipping a sunset beer, for example. I have written more about taking your own computer and connecting to the Internet with it on the the first page of this section of this site.

Using an online password store or manager has advantages and disadvantages. LastPass Password Manager overcomes one significant disadvantage by carrying a cache in its portable version (called 'Pocket' - a free 700kB download for either Windows, Mac or Linux). The cache is protected by 256-bit AES encryption and carries your most recently synchronised password list. You need to create a (free) LassPass account first, and it's here you specify your master password. The sliding colour bar under your password box indicates its integrity to guessing and dictionary attacks - go for at least a tinge of green on the scale,  and a mix of letters and numbers in the password itself. The very significant advantage of LastPass is that it will carry all your passwords (banking, credit cards, email, forum sign-ons), it will fill in not only password boxes but more complex forms, and it updates any passwords which you add or change immediately on the server when you are online. It is cross-browser compatible as well. While it is in transit across the Web and into the host computer, your information remains protected by strong, 256-bit AES encryption. The information stored on LastPass's servers is totally under trust (they do try to assure us here that nothing will be done with your passwords, although databases have been accessed by criminals before now and the LastPass addon itself suffered breaches in 2016 and 2017), and this may not be enough for some people. Nor is there any guarantee that this small-scale operation will be around when you need it.

An online service called Keep Your Password Secret (KYPS) ran for a few years, offering to perform email login on your behalf with single-use codes you entered from any public computer. The site has now vanished, and its demise underlines the risk you take depending upon a small, privately-run service such as this. Your password and logon access is something you should keep control of yourself as far as possible; you simply can't guarantee that a third-party online service is not going to be blocked in your part of the world and be accessible when you want to login to read your email. Likewise, you have no way of knowing whether its server has been compromised, or that the cybercafe computer you access it from hasn't been the victim of a pharming exploit. KYPS declined to disclose details of the software and privacy protection on the site when I queried the operator in 2008, and I am automatically more suspicious of closed-source operations.

The page following is concentrated on beefing up security on your Windows 10 computer by disabling some of the snooping and 'telemetry' components Microsoft has baked in to the system.

Go to the next Online Zone - page 4 | Go to the previous Online Zone - page 2

Send this page to a friend

Creative Commons License

Do you have any suggestions about these tips? Use the online feedback to help me improve them.

Jump to another zone: