Hey there,
Found this great site while researching security and usb flash drives. I'm trying to figure out the best way to protect myself while travelling. I'll need to go to internet cafes and may have to do some banking, and obviously would like to make sure that my communications are secure.
My main questions are:
1) If running a portable version of Firefox, is there any possibility the cookies or other information be saved to a local computer? I found Democrakey last night, which seems to be a solid option since it specifically mentioning banking and internet cafes.
2) Is TrueCrypt all I need to protect the files on my flash drive? From what I understand, there is no firewall option.
3) There's still the issue of keyloggers and the clipboard - will copy/pasting passwords from a document be good enough?
Much thanks - the info on this site is brilliant.
arphaus
Security Qs from a noob
1 - Portable Firefox for sure will leave no traces on host PC.
2 - TrueCrypt will only help you in case of lost or stolen flash drive. No one will be able to read the data without knowing your password.
3 - Copy-Paste operation will be logged by any keylogging tool on host PC. I recommend you to have some kind of portable AV tool on flash to check host PC before revealing any passwords.
2 - TrueCrypt will only help you in case of lost or stolen flash drive. No one will be able to read the data without knowing your password.
3 - Copy-Paste operation will be logged by any keylogging tool on host PC. I recommend you to have some kind of portable AV tool on flash to check host PC before revealing any passwords.
Firefox, and I assume Portable Firefox too, has a feature to "save" passwords.
Would this be good enough?
I dont know, but I "think" from my tests, with the "AutoType" feature in Password Safe, the keylogger I had on my system was actually able to intercept the keystrokes (my password). Clipboards can be monitored, Just wondering how secure the Portable Firefox password saver would be.
Does it "type" the addresses in? Or are they just "there" when you goto a login page?
Firefox is opensource, so maybe someone source-saavy could check this out? :)
I'm sure in time, these malicious apps could be coded to detect apps such as "KLDetector" which is supposed to detect keyloggers (though it wouldn't detect dongles attached to the USB or PS/2 ports, or attached to the keyboard at the cafe...).
I'm beginning to think the best option would be Knoppix or some other "Live" *NIX CD...though that may turn some heads if used at a public cafe, library, etc...:)
Would this be good enough?
I dont know, but I "think" from my tests, with the "AutoType" feature in Password Safe, the keylogger I had on my system was actually able to intercept the keystrokes (my password). Clipboards can be monitored, Just wondering how secure the Portable Firefox password saver would be.
Does it "type" the addresses in? Or are they just "there" when you goto a login page?
Firefox is opensource, so maybe someone source-saavy could check this out? :)
I'm sure in time, these malicious apps could be coded to detect apps such as "KLDetector" which is supposed to detect keyloggers (though it wouldn't detect dongles attached to the USB or PS/2 ports, or attached to the keyboard at the cafe...).
I'm beginning to think the best option would be Knoppix or some other "Live" *NIX CD...though that may turn some heads if used at a public cafe, library, etc...:)
-
FlightGeek
- Posts: 49
- Joined: Wed Aug 30, 2006 6:12 am
"Security" and "Untrusted Computer" are, technically, mutually exclusive.
If you have a laptop, you are better off using public wifi hot spots (make sure your connections are using https).
If the internet cafe will allow it, then your best bet is to boot from your own live CD, which would give you a "clean" environment.
Otherwise:
If spyware can read the screen, then any data you view is at risk. The question is: How savvy is the spyware that you are reasonably likely to encounter.
If key and clipboard logging is your main concern, then the only sure way to protect your account that I am aware of is to use one-time passwords. Unfortunately, most sites don't implement that capability because it is too complicated for most users.
As far as using Firefox, I think using the built-in password manager is your only hope for foiling key and clipboard loggers, and I'm not certain it's good enough since it fills in the entry boxes and a spyware program could just read them out of the entry boxes, but that's not the same as logging keystrokes and clipboard contents.
You should use the master password feature of Firefox to protect your password file in case your USB device gets lost or stolen. A key logger could steal your master password, but it's useless without the password file. Sophisticated spyware could copy your password file, but I'm not aware of any that does (yet).
If you do use untrusted computers then plan on changing any passwords you used on the trip as soon as you get home.
Good luck.
If you have a laptop, you are better off using public wifi hot spots (make sure your connections are using https).
If the internet cafe will allow it, then your best bet is to boot from your own live CD, which would give you a "clean" environment.
Otherwise:
If spyware can read the screen, then any data you view is at risk. The question is: How savvy is the spyware that you are reasonably likely to encounter.
If key and clipboard logging is your main concern, then the only sure way to protect your account that I am aware of is to use one-time passwords. Unfortunately, most sites don't implement that capability because it is too complicated for most users.
As far as using Firefox, I think using the built-in password manager is your only hope for foiling key and clipboard loggers, and I'm not certain it's good enough since it fills in the entry boxes and a spyware program could just read them out of the entry boxes, but that's not the same as logging keystrokes and clipboard contents.
You should use the master password feature of Firefox to protect your password file in case your USB device gets lost or stolen. A key logger could steal your master password, but it's useless without the password file. Sophisticated spyware could copy your password file, but I'm not aware of any that does (yet).
If you do use untrusted computers then plan on changing any passwords you used on the trip as soon as you get home.
Good luck.
Thanks very much for your wise comments & advice. I do have a laptop, and am prepared with a firewall and vpn for hotspot use. I'm also preparing for the strong likelihood that I will have to use an internet cafe at some point. My intention is to take advantage of any hotspots for banking and leave the internet cafes for more basic email needs.
I hadn't considered the Live CD idea - mainly because I don't know how to make one. I also assume if they're not using DHCP that getting online would be an issue. Would I need to create my own Live CD, or could I use something like an Ubuntu live cd? And would accessing a site via https be safe enough?
I was also wondering about clipboards - there's nothing I can do about that, is there?
thanks again - all this feedback is great help
I hadn't considered the Live CD idea - mainly because I don't know how to make one. I also assume if they're not using DHCP that getting online would be an issue. Would I need to create my own Live CD, or could I use something like an Ubuntu live cd? And would accessing a site via https be safe enough?
I was also wondering about clipboards - there's nothing I can do about that, is there?
thanks again - all this feedback is great help
@Arphaus
If you want a personal live disk I heartily recommend the ultimate boot cd
http://www.ultimatebootcd.com/
You can create your own so can use whatever version of windows you wish and it has a few interesting and handy tools built in.
If you just want a plain live windows cd BartPe does the same job
(In fact it's the tool the ubcd uses)
For Linux I've been trying DSL, it should run from almost anything.
As for clipboards, just don't use them for passwords?
EDIT:
Wrong site for windows UBCD
http://www.ubcd4win.com/
If you want a personal live disk I heartily recommend the ultimate boot cd
http://www.ultimatebootcd.com/
You can create your own so can use whatever version of windows you wish and it has a few interesting and handy tools built in.
If you just want a plain live windows cd BartPe does the same job
(In fact it's the tool the ubcd uses)
For Linux I've been trying DSL, it should run from almost anything.
As for clipboards, just don't use them for passwords?
EDIT:
Wrong site for windows UBCD
http://www.ubcd4win.com/