Using a hotel computer, one in an internet cafe or airport is a risky business. Public terminals are fine for general browsing and even (with a few precautions) collecting your email, but when it comes to logging in to your bank account or making an online purchase they really should be avoided.
We all know that, but life doesn't always allow us to follow the rules; sometimes we simply have to use a public terminal to conduct a confidential transaction.
Well, I'd dearly like to be able to tell you a way you can use a public terminal with complete safety. I can't. What I can do is show you some ways you can do it with a high degree of security. OK, it's not 100% but it's better than no security at all.
There are two main areas of risk when using a public terminal. First, someone may be using a session logger to record the flow of data between the PC you are using and the websites you visit. Second, there may be a keylogger fitted to the PC that allows someone to capture your keystrokes and sometimes your mouse clicks and screen session as well.
Risk 1: Session Logging
It's dead easy for an ill-intentioned internet cafe operator to record your internet traffic. Indeed I once visited a cafe and noticed the clerk at the front desk was unabashedly scanning traffic from the shop's computers using Ethereal. So believe me, it happens.
It's important that you understand that when you are visiting a normal website most of the information that flows between the PC you are using and the website you are visiting is visible and readable. It's there for anyone to see. "Anyone" includes your ISP or the clerk in the internet cafe.
If you are visiting a secure website (i.e. one whose address begins with https rather than http) your data stream is secure. That's because your data is encrypted end to end, i.e. PC to server. Yes, it can still be seen, but all that can be seen is a lot of gobbledygook.
If you use Gmail or Yahoo! webmail this is good news, as both of these have secure website connections. The last time I used Hotmail it wasn't secure, and many other webmail services aren't secure either. It's easy to tell: go to your webmail site and log in. If the URL in the browser address bar starts with https it is secure. That means you can read your mail on any public terminal and no one can read your mail by intercepting the traffic between the PC you are using and the webmail service.
If your webmail service uses http rather than https then your email can be intercepted and read. If your email only includes things like a get-well message to Aunt Maud then there is no problem, but if it contains your social security number, bank account and other personal details then you should start worrying.
Almost all online banking sites and e-commerce sites use https. That's comforting, as it means no one can read your confidential data flowing between the computer you are using and the remote server. Sure, they can see the data flow but they can't decrypt it.
Defensive counter-measures against session logging
There are, however, a number of ways to convert even a standard http connection into a secure encrypted https connection. Using a virtual private network is one way, but that's an option more readily available to corporate users than individuals. A simpler solution is to use a secure anonymizing network like the free Tor system.
Although Tor was designed to allow you to surf anonymously, it has an attractive side benefit: it creates a secure https connection between your PC and the first Tor server. It's not secure beyond the first Tor server, but interception is most unlikely once you get beyond the first server. The most likely location for someone to look at your web traffic is between the PC you are using and the first Tor server.
Setting up Tor is simple if you use a product like the free Firefox-based XeroBank browser (formerly TorPark). Just start up XeroBank and the rest pretty well happens automatically. XeroBank is also portable, so you can safely browse from a public terminal using a copy of XeroBank installed on your USB flash drive.
Surfing with XeroBank is noticeably slowed by the long chain of Tor servers through which your data passes. However, a little extra time is a small price to pay for the additional security and anonymity. Besides, if you really need speed you can switch back to normal non-secure browsing easily within XeroBank.
If you use XeroBank you can safely read your email even on non-secure webmail websites like Hotmail. Whether the content of your webmail warrants the effort involved only you can decide.
I should note in parting that SSL (and thus https) is not immune to decryption. In particular, so-called "man in the middle" attacks have proven effective. However, this kind of advanced attack is highly unlikely in an internet cafe.
Risk 2: Keyloggers
There is no 100% safe way to enter passwords from a public terminal. That's a fact.
Modern keyloggers can capture not only keyboard strokes but mouse clicks and the Windows Clipboard. They can also take screenshots of what you are doing. Keeping your confidential information from the prying eyes of the best of these sinister products is extremely difficult, perhaps impossible.
So the golden rule is: don't ever enter confidential information into a hotel computer, an internet cafe PC or other public terminal.
That's the rule, but rules get broken. Sometimes we simply have to use a public terminal. I have, and I bet most of my readers have too.
So what can you do to improve your security when entering passwords?
Quite a lot, actually. Of the many different options available to improve your password security, one of the most attractive is to enter your passwords using a password manager like RoboForm2Go running from your own USB flash drive. It's an option I covered in my May 2007 editorial column.
When run from a USB flash drive, RoboForm2Go provides excellent security. In fact I've not yet found a keylogger that can capture the information it enters into login boxes and web forms from Portable Firefox. Don't take that to mean RoboForm2Go is 100% safe. It's not; no product is.
One particular area of weakness of RoboForm2Go is the master password you must enter to activate the password manager. If a keylogger captured that, and the attacker also managed to copy the encrypted RoboForm master password file from your USB drive, then you are in deep trouble, as they would be able to access all your passwords.
So protecting that password is critical. Some special issues apply to protecting your RoboForm2Go password, and they are addressed later in the article. Let's first look at the question of protecting passwords in general.
Defensive counter-measures against keyloggers
(a) Use strong passwords
Make your passwords (or passphrases) long and semi-random. Passwords like "SncnGnsl3Fp" are much better than something like "banana". This is not only because long random passwords are more difficult to crack but also because they are more difficult to unscramble from a keylogger log, particularly when used in concert with some of the other techniques mentioned below.
Remembering long semi-random passwords is difficult, but there are lots of mnemonic systems that can help.
By way of example, the password "SncnGnsl3Fp" I mentioned above is actually "RoboForm2Go" transformed by a simple formula where the first letter is shifted one forward in the alphabet (R -> S) while the next letter is shifted one back (o -> n). The same alternating pattern continues for the rest of the characters.
There are a lot of different techniques for creating and remembering strong passwords and phrases. You can find some in this Microsoft article. Also worth consulting is this Wikipedia article on password strength.
(c) Use password obfuscation
Obfuscation is just a fancy way of saying you should disguise your password by entering it in a more complex way than just typing it in from the keyboard.
Obfuscation works because keyloggers just record a long string of the characters you type. At some point the owner of the keylogger has to scan the string to identify passwords, so you want to make this task as hard as possible. These days keyloggers make identifying passwords easier by labeling the name of the window where the keystrokes (and mouse clicks) were made. Even so, obfuscation can still be very effective.
There are many ways of obfuscating input. Here are a few:
(i) Where you have two entry boxes on the screen, such as a username and password, alternate entry between the two fields after each character is typed by using your mouse to move between the entry fields.
(ii) Rather than just entering the password from the keyboard, cut and paste some of the characters that make up your password from another part of the screen. Ideally this should be from the same window as the one containing the password field, but other windows will work fine too.
(iii) Drag and drop some characters rather than entering them from the keyboard.
(iv) Enter some characters by holding down the Alt key and using the numeric keypad. For example, the letter "a" can be entered by ALT 123.
(v) Use an onscreen keyboard to enter some of the characters.
(vi) Enter the last half of your password first, followed by the first half. Then drag and drop the second half to the front from inside the password box.
(vii) Insert some random characters
For simplicity, let's say your password is abcdefg.
Rather than entering your password as a simple sequence of letters, throw in some additional dummy random characters along these lines: aMNbOcZdPQReSfgTUV
Now go back and delete the dummy letters one at a time. Delete some characters using backspace, others using the mouse to highlight the letter(s) and then hitting the Delete key or using the right-click context menu and selecting "delete."
Obfuscation works
By combining the dummy character trick with the various multiple entry techniques you can confuse pretty well any keylogger.
However, don't feel you have to use every single obfuscation trick I've mentioned; that's overkill. Indeed, you may not be able to use all these techniques, as some sites and products limit what you can do. For example, RoboForm2Go disables cut and paste as well as drag and drop when you are entering the master password. It also won't allow you to access (get focus in) any window other than the password box. However, you can still enter and delete dummy characters as well as enter characters using the Alt (numeric keypad) trick, and combined with a long random password that's good enough.
It's enough because any hacker reading a log from a keylogger has to read, identify, analyze and re-assemble what's recorded. That's hard work. If you use long random passwords combined with even a few obfuscation techniques then almost certainly you've made the job too hard. Possible, yes, but too hard, especially when there are easy pickings available elsewhere.
But you can increase your security further: use an on-screen keyboard.
(d) Use an on-screen keyboard (OSK)
An on-screen keyboard (OSK) is, as its name implies, a screen version of a normal keyboard where you "type" characters by clicking the appropriate key on the screen with your mouse. Windows has an OSK built in that can be accessed from Start / All Programs / Accessories / Accessibility / On Screen Keyboard, or alternatively with Windows key + U.
Now, many folks think that using an OSK to enter password data is more secure because a keylogger can't capture the keystrokes. Unfortunately this is only partly true.
First, some OSKs (including the Windows OSK) simply emulate actual keystrokes, and these can be recorded by many keyloggers. Second, anyone can see what you are entering with an OSK by simply taking a screen movie or even a rapid series of screenshots. Third, by recording mouse click coordinates it may be possible to deduce the characters entered with an OSK. Finally, it may be possible to capture the password from the OSK using a clipboard monitor when you copy the OSK-entered password into a password form field.
That's the bad news. The good news is there are some OSKs that don't emulate keyboard input. Two of these are free, portable and specifically designed for secure entry. The first is Neo's SafeKeys; the second is Monitor Only Keyboard (MOK).
SafeKeys has some nifty features, such as the ability to start up in a different screen position and with a different size every time you run it. This effectively defeats mouse click loggers. It also allows you to drag and drop the entered password into a web form, thus bypassing clipboard loggers.
MOK has its own charms: it disables clipboard logging and has the option of a variable key layout. It doesn't support drag and drop, but the copy implementation results in equal security to SafeKeys.
So, on balance, there is little between the products; each is a perfectly viable solution. Unfortunately both are still vulnerable to screen capture. However, a screen capture program would have to take very frequent snaps or a continuous movie to successfully capture all your virtual keystrokes. That's possible, though the host PC would take a big performance hit in the process.
But there is a simple way of getting around screen capture programs: enter part of your password with an OSK and the remainder with the real keyboard. Combine the keyboard entry with a little basic obfuscation and you have a pretty secure solution.
Protecting your RoboForm2Go Master Password
There are some special problems involved in protecting your RoboForm master password when using RoboForm2Go from a USB flash drive connected to a public terminal.
Before I address these I want to state that I strongly recommend using RoboForm2Go for safely accessing password-protected websites. It's one of the easiest and most valuable steps you can take to improve your mobile security.
With RoboForm2Go, all of your website passwords are safely encrypted on your USB flash drive, and it's virtually impossible for anyone to decrypt the information from the stored files.
Impossible, that is, unless they have your master password. And there's the catch.
To use RoboForm2Go you must, at some point, enter your master password. If attackers use a keylogger to capture that password and also copy your RoboForm2Go password files from your USB drive, then they will have complete access to all your passwords. Hardly a pleasant thought.
So protecting your master password is absolutely critical.
In recognition of this problem, Siber Systems, the developer of RoboForm, has implemented some features that make it more difficult for keyloggers to capture your password.
First, they disable copying text from the master password window. Second, they disable drag and drop. Third, the password entry window contains no text, only graphics. Finally, and most importantly, they include in the password window a link to a special screen-based keyboard (MOK) that allows you to enter your master password using mouse clicks.
Frankly, the first three of these measures are of limited benefit. They don't stop most keyloggers and, unfortunately, limit the range of obfuscation measures you can use to disguise your master password. You can't, for example, use the highly effective technique of dragging and dropping part of your entered password from the end of the password to the start. Nor can you cut and paste text from within the master password window or type dummy characters elsewhere in the window.
So these RoboForm security measures are really of limited value. So limited that I've been able to capture the RoboForm master password in every keylogger I've tried.
These particular measures may be limited in value, but the MOK built into RoboForm2Go is much more useful. It's quite a secure implementation, unlike the inbuilt Windows OSK.
In total contrast to keyboard-entered passwords, I'm yet to find a single keylogger that can pick up passwords entered by the RoboForm MOK.
But there's a small catch. While a keylogger may not be able to grab your password, a screen session recorder can. That's because the RoboForm MOK indicates visually each time you click a "key" with your mouse. This makes your MOK password entries plainly visible on a screen movie.
It would have been much smarter for Siber Systems to have indicated a key press with a sound from the PC speaker and no screen indication at all. That way a screen session recorder would only show the movements of your mouse over the keyboard without showing what "key" you actually clicked.
That's the bad news. The good news is that the hostile use of screen session recorders is rare compared to the use of keyboard keyloggers. In fact, very rare. That's because taking a live screen movie consumes a lot of computer resources. So much that the computer would be really slowed down and the presence of the keylogger made obvious.
Periodic screen snapshots are, however, reasonably common in keylogging programs. That's because they take far fewer resources than a video, yet still reveal a lot. Fortunately, they are most unlikely to capture enough of your MOK input to reveal your master password. Think about it. Even if the logging program took a screenshot every second it would be virtually impossible to get your entire password. But screen recorders take shots much less frequently than once a second - most operate in minutes rather than seconds.
So, on balance, using the RoboForm2Go MOK is the way to go. It's not perfectly safe, just very safe. It is, however, way safer than using keyboard input to enter your master password.
But before you enter anything with a MOK do turn around and make sure nobody is watching over your shoulder. Shoulder surfers just love MOK password entry :>)