Wednesday, November 26, 2008
Secure password managers such as RoboForm, PassPack, and ClipperZ may allow us to safely access our password-protected accounts on a public computer. It seems to be generally accepted that they do provide protection. I'm trying out the three products above (all have a free version) but will avoid putting any financial or really important passwords online until I find out more.
These products all work by encrypting your passwords so that no one else can read them, then storing them somewhere. Offline password managers like RoboForm store your encrypted data on your own computer or a flash drive that you can take with you to another computer. PassPack and ClipperZ are online password managers. They save your encrypted passwords (and only the encrypted form) online so you can retrieve them from anywhere you have internet access. They also give you a way to save the information on your own computer for when you don't have a connection.
It sounds quite promising and the products are well-established. I just want to learn a little more to be sure that there aren't any known ways that malware could copy my passwords even if I don't physically type them.
Saturday, November 22, 2008
Using a public computer is risky business and cannot made safe for entering or reading sensitive information including accessing your email account. You must consider the risks and benefits in any situation. The best alternatives in a cybercafe are to use a secure laptop (preferably your own), or to boot the public computer from a live Linux CD or flash drive.
We all know that net cafes are not ideal and that they have security issues. Sometimes, though, there doesn't seem to be a good alternative. Maybe you're traveling and don't have any other way to connect. Maybe you have a home connection but it has been down for several days. Whatever the reason, you may find yourself in a cybercafe.
If you read no further, just remember this one point: never enter or access any personal or confidential information on a public computer.
Personal data that you must not enter or access includes
- Bank information, account numbers, credit card numbers and so on
- Personal identifying data such as date of birth, social security, drivers license, passport, national id, mother's maiden name, or phone number
- Email accounts and passwords
- Any other user names and passwords
This might seem too extreme, especially when you realize it will prevent you from even accessing your email. You must realize, though, that there is nothing you can do to make that public computer completely safe. Anything you type or view could be stored or transmitted to people who would love to add your information to their files. This danger is no longer an occasional problem, but common and serious.
Even if you boot from your own CD or flash drive (see below), anything you type could still be captured by a hardware keystroke logger.
Besides the risk of your personal data being captured, there is also the risk, or inevitability depending on the location, of your flash drive being infected with malware if you insert it into a public computer. Always use a clean computer with an up-to-date virus and malware scanner to clean your flash drive after using it in a cybercafe (or, for that matter, in any computer).
What to do?
Balance the risks and benefits
As in any situation, you should always balance risks and benefits. If you access your email on a public computer, there is a risk that your email account will be compromised. That means someone could gather the addresses of your contacts, email them from your own account, send spam under your name, view sensitive information (financial records, orders, addresses ...), and potentially steal your identity. That's a pretty big risk.
On the other hand, if you access your email account on a public computer in a "reputable" cybercafe and can then change your password soon afterward on a secure computer, the risk would be decreased. My own assessment of that risk-benefit balance for case would be that (a) I would only want to take the risk if it was very urgent to access my email and (b) I would try other alternatives first: SMS messages, phone contact, or whatever I could think of.
Use your own laptop
If it's possible to connect your own laptop at a cybercafe, you will avoid the problem of all the malware that could be on a public computer. Needless to say, you won't want to do this unless your own laptop is well protected with at least a software firewall (like the one built-in to XP and Vista, or an add-on) and an up-to-date antivirus program. (There are portable hardware firewalls available that plug into your USB port. But you can probably do almost as well with free software.)
Use a Linux Live CD
Using a Linux live CD or flash drive, you reboot the public computer from your own copy of Linux designed to run only in memory. The hard drive is not used and does not even need to be present. This means that drive infections are no longer a risk.
It's easy to make such a CD; you just download the file (called an iso image) and burn it to a CD or DVD. See the good article, Why you want a Linux Live CD, for some more information, or just google "Linux Live". Many current Linux installation CDs will work as well. Ubuntu (~ 700 MB) and Slax (~ 200 MB), are two examples. As these are large downloads if you have limited, expensive Internet access, you may want to copy a friend's disc or get someone to send you one (Ubuntu will mail you a free copy).
Don't be scared off by the word "Linux," either. You need no experience with Linux to use these. Just boot the computer from the CD or flash drive, and you'll see a familiar desktop with a web browser (usually Firefox), text editor, and others depending on the exact version.
Limitations of Linux Live
- The computer must be configured to boot from a CD or flash drive. If it is not, a co-operative cybercafe manager may be able to set it up for you (or you could do it yourself if you know how).
- While web browsing is almost always supported, it may be tricky to connect to the cafe's printer. But you could save what you need to a flash drive and print it later.
- Hardware keyloggers could still intercept your typing. These are devices intentionally installed between the keyboard and main computer box; I have no idea how common they are but certainly much less common than malicious software.
If you have no other alternative ... making the computer safer
It's important to stress that you cannot make the public computer safe. You can only reduce some of the risk. Kris Littlejohn lists and explains "10 things you should do to protect yourself on a public computer" including:
- Delete your browsing history
- Don’t save files locally
- Don’t save passwords
- Don’t do online banking
- Don’t enter credit card information
- Delete temporary files
- Clear the pagefile
- Boot from another device
- Pay attention to your surroundings and use common sense
Apart from booting from another device, as I discussed above, none of these measures will stop keyloggers from spying and reporting on everything you type. As long as you don't type anything sensitive, you'll be fine, so these precautions would help in a situation where, for example, you need to print an existing document with sensitive information, since you wouldn't be using the keyboard. And they will help in a situation where there happen to be no keyloggers or other malware intercepting what you type.