Saturday, March 21, 2009

Preparing to go: Internet Café Security

Protection of one's private data when using an internet café is important! Beware of keyloggers!

A keylogger records keystrokes, which is an obvious security threat to sensitive information like your banking password. Some keyloggers can be very hard to detect, as they don't appear as a process and aren't detected by anti-virus software. Keyloggers work by recording every single keystroke entered via the keyboard, so a person with access to the keylogger can see those keystrokes, including any passwords that were typed. Obviously you don't want this to happen, because it could result in the draining of your bank account.

Keyloggers come in both hardware and software types. A software keylogger can be installed in different ways, such as via an infected email message or when installing software, especially software downloaded from the internet.

Hardware keyloggers require physical access to the computer and come in both USB and PS/2 versions. The picture above shows a PS/2 version, which is inserted between the computer and the cable connecting the keyboard to the computer.

To bypass a potential keylogger, use the built-in on-screen keyboard utility to enter a password or other sensitive data. To bring up the on-screen keyboard, hold the Windows key and press U, which will bring up the Utility Manager, then select On-Screen Keyboard, then Start. It can also be started by going to Start -> Run and typing osk.exe.

Once the keyboard is up, it is just a matter of selecting the password box where you want the password to appear, and entering the password via the on-screen keyboard. This defeats the keylogger because you are entering the password with your mouse instead of the keyboard, so there are no keystrokes for the keylogger to record.

As a security measure, many public computers will not have access to the Run command, and if the Windows+U shortcut is also blocked you won't be able to run the on-screen keyboard. If this is the case, you can manually scramble the password. This is probably the simplest method and will always work. This is how it works:

Type, say, the first 3 characters of the password, then click on another window or the desktop and type a few random keystrokes, then go back to the login window and finish typing the password. That's all you need to do. This method works because a keylogger records ALL keystrokes, no matter what window is currently selected. For example, if your password is “bosco”, you could type “bos”, then go to another window and type “111”, then go back to the password box to finish the password with “co”. The password box will see the correct password “bosco”, but the keylogger will see all keystrokes, “bos111co”, so your true password has been scrambled.

(Without wanting to get too paranoid, some keyloggers also log mouse clicks. If you want to be VERY, VERY safe, you could register for the FREE one-time password service offered by kyps.net. KYPS enables you to log into your accounts without disclosing your password to that computer. KYPS is very easy to use and does not require you to run any software: all you have to do is obtain a list of one-time codes from the KYPS server, print these codes, and keep the printout safely in your wallet (alternatively, you could save your codes on your mobile phone or PDA). You can then log into your account using your one-time codes instead of your password.)