Comments on: Internet Cafes-How Safe Are They

Question: Internet Cafes-How Safe Are They

rglass — Tue, 05 Dec 2006 10:30:10 -0800

Secure internet access at an internet cafe? I leave for 10 days in Mexico tomorrow and will be using internet cafes daily. I will need to check my bank and credit card accounts every few days. How can I make sure my connection is secure? I have a USB stick and will be using Portable Firefox whenever possible.

By: autojack

autojack — Tue, 05 Dec 2006 10:39:57 -0800

The way that I typically do this is to use SSH to create a secure proxy to my Linux shell server. If you don't have a Unix shell available to you elsewhere, this won't work. If you do, you'll need OpenSSH (installed by default on most Linux and Mac systems, you'll need to download it for Windows).

Use the -D [port] argument to ssh when you connect to your remote shell. From the man page:

"Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file."

So what I do is ssh -D 5050 myserver.org. Log in normally. Then tell my browser, IM clients, whatever else I need to use securely, to use a SOCKS proxy running on localhost, port 5050. Each of their preferences tools has a setting for this. Voila - simple security for everything! Just don't forget to undo that preferences change later, or your clients won't work : )

By: jet_silver

jet_silver — Tue, 05 Dec 2006 10:43:15 -0800

Your connection might be reasonably secure - if you use SSL for your connection - but end-to-end won't be. How do you know what is inside the box at the cafe? What if it simply logs every key you push?

By: tiamat

tiamat — Tue, 05 Dec 2006 10:45:18 -0800

You need to bypass keyloggers to avoid having your passwords captured. The simple way is to type a lot of gibberish into an irrelvant field before and after you type your password and user name, so that the person reviewing the logs can't find them. (Seach box, address bar without hitting enter, etc)

Such as for user USER with password WORD a keylogger would normally see you type like this...

www.banksite.com[enter]USERWORD[enter]

If you just typed the address, mouse to login and type username, mouse to pword and type your password.

On the other hand, you can mouse around and type in irelevant places and make it very much hard to find your login and password.

Such that...

www.banksite.com[enter]lsghldssoybobv;lkfsd;sdkUSERlkdj;fddsfdsl98912WORDoiuerlkewiosdf

Since the VAST majority of keyloggers don't keep track of where you're typing, and rely on examining order of entry to discover your details, changing up the order of entry and adding extra data can avoid most keyloggers. This assues you have a good password, ie, one that looks random. Obviously if your password is a word or phrase it'll still be found after some examination. If this is the case, change it.

There are also peices of software such as Roboform (commercial software, I have a copy, but don't have any other relationship with them) which type for you and therefore avoid keyloggers by not using the keyboard.

Roboform has a thumb drive and U3 drive version, and is a very great way to keep dozens of passwords secure and ecnrypted, although its really overkill unless you have more pwords than you can remember.

By: smackfu

smackfu — Tue, 05 Dec 2006 11:02:14 -0800

There was a big thread on this last year.

By: kdern

kdern — Tue, 05 Dec 2006 11:03:05 -0800

tiamat - that's pretty brilliant. Thanks.

By: cmiller

cmiller — Tue, 05 Dec 2006 11:29:54 -0800

Some things to consider:

Are you worried about something sniffing the network between you and the bank?

Are you worried about software on the computer recording your secrets as you type them?

Are you worried about someone or something electrically capturing keystrokes from the keyboard en route to the computer?

Are you worried about someone waiting until you log-in with your secret and then stealing control of the computer over the network (physically or through software)?

Are you worried about someone or something watching over your shoulder as you type your secret?

There aren't many ways to defeat all of those worries, unless you bring your own trusted computer. You could bring your own trusted OS on a bootable hard drive, carefully inspect the computer and how it behaves, use encrypted data channels on the 'net, and use a one-time-password -- combing all of that will get you close to being safe.

By: tke248

tke248 — Tue, 05 Dec 2006 11:34:42 -0800

I definitely think autojack has the right idea using an ssh tunnel but I would use a bootable os cd like knoppix and not what ever is installed on on the system. This should defeat any software keyloggers as for hardware keyloggers a simple method to defeat them is using an on screen keyboard.

Defeating Hardware Keyloggers

Instructions for setting up an SSH tunnel

By: gfrobe

gfrobe — Tue, 05 Dec 2006 11:50:24 -0800

If keyloggers don't log items items that are cut and pasted, maybe you could put your usernames and passwords in a text file on a USB thumb drive and then just cut and paste as needed?

By: scalefree

scalefree — Tue, 05 Dec 2006 11:59:27 -0800

If you're already using Portable Firefox, consider switching to Torpark, which combines Firefox & The Onion Router into one happy package.

By: odinsdream

odinsdream — Tue, 05 Dec 2006 11:59:30 -0800

You might also be able to avoid hardware keyloggers by changing the keyboard layout to something like Dvorak and typing your passwords in that way.

By: caution live frogs

caution live frogs — Tue, 05 Dec 2006 12:01:22 -0800

Far as SSH tunnels go I got advice from a fellow MeFite a while ago; Bitvise Tunnelier is an amazingly simple (and free) program for setting these up on Windows. As long as you have a Linux box somewhere that will accept SSH connections Tunnelier will do the rest of the things necessary to set up a SOCKS proxy for you, so all that is left is for you to set Firefox to connect through local port 1080 via manual proxy settings. Works for Thunderbird too. As an added bonus many airports, etc. will let you connect for free but won't serve any web pages unless you pay - but SSH tunneling through a nonstandard port can quite often allow you full access for free.

By: weapons-grade pandemonium

weapons-grade pandemonium — Tue, 05 Dec 2006 14:31:18 -0800

Recent FPP on this.

By: Mr. Gunn

Mr. Gunn — Tue, 05 Dec 2006 23:51:49 -0800

Can you not call your bank's automated line from mexico?

By: pikaboy202

pikaboy202 — Wed, 06 Dec 2006 21:32:52 -0800

You might want to check this little gadget out:

http://marketplace.hgtv.com/View_Listing.asp?RegionId=110&SubCategoryId=1&Level=3&Keyword=&Page=&Lid=2153-N6113019