Travelers – Check Your Browsers!

Travelers often find themselves using public computers and with public computers come security risks. The focus of such risks usually lies on one major concern: keyloggers.

Passpack offers Disposable Logins (aka One Time Passwords) as protection against keyloggers, which you create before traveling. And there are numerous other tips available (here are a few from Nomad4ever) to ward off potential keyloggers.

Are security risks on public computers limited only to possible keyloggers on your Operating System and/or peripheral hardware? Can there be a hidden risk in your browser itself?

Sometimes danger can be disguised as a friendly tool directly in the browser.

Another Disguised Threat…

Some add-ons/extensions and plug-ins have the ability to turn from helpful into harmful. Add-ons and plug-ins have revolutionized computing today, but like anything else they can be misused, and then you may find yourself with something more than keyloggers to worry about.

For example, two of the most popular plug-ins that give great leeway and optimization to browsers are Greasemonkey and IE7Pro. Both allow users to write client-side script that runs in the browser, so keep in mind…

When you write the script yourself and put it on your own computer, there is no need to worry. But who is to verify that a script on a public computer has not been misused, or created with the wrong intent and placed there to capture personal data? It’s something to be aware of.

How Do You Look Out For Add-on/Plug-in Misuse?

When you are using any public computer, your best bet is to check which add-ons/extensions or plug-ins have been installed.

Most won’t have that many add-ons or plug-ins, if any at all, since people don’t generally spend much time at any one computer. If you do notice anything that may pose a threat, disable it immediately if you can.

If you need administrative access to do so, which is very likely, ask! And if you see more add-ons than necessary, you’re probably better off just changing computers.
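Checking the installed add-ons by hand works, but for user-script plug-ins like Greasemonkey (mentioned above) the question is really what each script is allowed to do. The following is an added example, not code from the original post or from Passpack: it parses the `==UserScript==` metadata block of Greasemonkey-style scripts and flags ones that run on every site and can either send data to arbitrary hosts (`GM_xmlhttpRequest`) or hook what the user types or submits. The two sample scripts are constructed for the example; the detection rules are heuristics, not an official Greasemonkey check.

```python
import re

# Constructed sample user scripts (not taken from the page): one scoped to a
# single site with no privileges, and one that runs on every site, can make
# cross-origin requests and listens for form submits.
SAMPLE_SCRIPTS = {
    "wiki-wide-tables.user.js": """\
// ==UserScript==
// @name        Wide tables on the wiki
// @include     http://wiki.example.org/*
// @grant       none
// ==/UserScript==
document.body.style.maxWidth = 'none';
""",
    "helper.user.js": """\
// ==UserScript==
// @name        Helper
// @include     *
// @grant       GM_xmlhttpRequest
// ==/UserScript==
document.addEventListener('submit', function (e) {
  /* body omitted */
});
""",
}

HEADER_RE = re.compile(r"// ==UserScript==\n(.*?)// ==/UserScript==", re.S)
DIRECTIVE_RE = re.compile(r"^//\s*@(\S+)\s*(.*?)\s*$")
# @include / @match patterns that put a script on every page the user opens
BROAD_SCOPE_RE = re.compile(r"^(\*|\*://\*/\*|https?://\*/\*|http\*://\*/\*)$")
# Greasemonkey grants that let a script send data to arbitrary hosts
NETWORK_GRANTS = {"GM_xmlhttpRequest", "GM.xmlHttpRequest"}
# Event hooks that see what the user types or submits
INPUT_HOOK_RE = re.compile(
    r"""addEventListener\(\s*['"](submit|keydown|keypress|keyup|input)['"]"""
)


def parse_header(text):
    """Return the ==UserScript== metadata block as {directive: [values]}."""
    m = HEADER_RE.search(text)
    if not m:
        return {}
    directives = {}
    for line in m.group(1).splitlines():
        dm = DIRECTIVE_RE.match(line)
        if dm:
            directives.setdefault(dm.group(1), []).append(dm.group(2))
    return directives


def audit_script(text):
    """Return human-readable reasons why this script deserves a closer look."""
    m = HEADER_RE.search(text)
    if not m:
        return ["no ==UserScript== header (not a user script, or header mangled)"]
    meta = parse_header(text)
    reasons = []
    scopes = meta.get("include", []) + meta.get("match", [])
    broad = [s for s in scopes if BROAD_SCOPE_RE.match(s)]
    if broad:
        reasons.append("runs on every site: " + ", ".join(broad))
    net = sorted(set(meta.get("grant", [])) & NETWORK_GRANTS)
    if net:
        reasons.append("can send data to arbitrary hosts: " + ", ".join(net))
    hooks = sorted(set(INPUT_HOOK_RE.findall(text[m.end():])))
    if hooks:
        reasons.append("hooks user input events: " + ", ".join(hooks))
    return reasons


def needs_review(text):
    """Flag scripts that run everywhere AND can exfiltrate or capture input."""
    reasons = audit_script(text)
    return len(reasons) >= 2 and any(r.startswith("runs on every site") for r in reasons)


if __name__ == "__main__":
    for name, src in SAMPLE_SCRIPTS.items():
        print(f"{name}: {'REVIEW' if needs_review(src) else 'ok'}")
        for reason in audit_script(src):
            print("  -", reason)
```

On a real machine you would feed the script files from the Greasemonkey profile directory into `audit_script` instead of the embedded samples; anything marked REVIEW is a candidate for the "disable it immediately" step above, and a script whose header is missing or mangled is worth a look as well.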

Sometimes you can’t avoid working from a computer that is not your own, but the unnecessary risks that come with internet cafes and library computers are avoidable. Don’t fall victim to an unpopularized risk – check your browser!


9 responses to “Travelers – Check Your Browsers!”

  1. Hi guys, a couple of comments, if I may.

    Firstly, I think you should have mentioned that the passpack disposable logins do not protect any of the other passwords stored in the user’s account when using a public computer. This is because they are downloaded to the public computer after the user logs into his passpack account. Not explicitly mentioning this may mislead people to believe that the fact that “Passpack offers Disposable Logins as protection against keyloggers” also means that their website-passwords are protected, which is clearly not the case.

    Secondly, I think that some of the advice given in this post is a bit poor. For example, “When you are using any public computer, your best bet is to check which add-ons/extensions or plug-ins have been installed.” – why is that our “best bet”? I can think of many other things one could check in order to avoid certain threats.

    Or “Don’t fall victim to an unpopularized risk – check your browser!” – this again suggests that “checking the browser” will in some way provide an acceptable level of protection (against password theft?) while, in fact, it does not really mean all that much (e.g. hardware keyloggers could be present, or some other software spyware could “steal” whatever sensitive information there is). There is no need that the spyware is somehow classified as a “browser plugin/addon”…

  2. louisevinciguerra

    @anonymous
    Constructive feedback is always welcome…

    You said “I could think of many other things one could check in order to avoid certain threats” – what else would you suggest?

  3. Good tips. Thanks.

  4. While there are many things one could check (examples: is there a discernible hardware keylogger? Are there any “suspicious-looking” processes? Can I use FF instead of IE? Can I download and use a “fresh copy” of FF or can I use the browser from my memory stick?), none of these things really provides an acceptable level of protection against password theft.

    When using a public computer, the user has a temporal trust relationship with it. It means, the user is willing to trust the public computer for the duration of this particular session, but no more. This means that there should be no secrets divulged to the public computer that remain valid for longer than the session. Example: passwords.

    Under these assumptions, the only way to provide an acceptable level of protection against password theft is by not divulging the password to the public computer at all. No amount of “checking” what appears to be going on on the public computer removes this requirement.

    While passpack’s disposable logins seem to achieve this for the pass and packing key (personally, I doubt even this because the packing key must be reconstructed at the client side anyway), it is clear that they do not achieve this for the user’s website-passwords.

  5. louisevinciguerra

    @anonymous
    We seem to be talking at cross purposes – the gist of the post wasn’t about keyloggers (Nomad4ever gave more than enough info on that) and a basic assumption was that you’d be using the browser provided [it’d be kind of weird to write a post on how to detect hidden threats on a clean browser you carry on your personal USB ;-)]

    All kidding aside, checking the processes for anything suspicious looking is a great tip.

    As for Passpack Disposable Logins, you are right – they do protect against Keyloggers on your way into your Passpack account, thus protecting your Passpack credentials. Each individual website credential (passwords) is protected against keyloggers by using the travel auto-login button(it doesn’t use the clipboard).

    Where the critical point lies, and this is what spurred us onto writing this post in the first place, is the “open pack” between those two points – this goes beyond keyloggers. It would require a different (more specific) type of attack. That was the intent of the post.

    Thanks for taking part, it’s good to see people taking online security seriously – any other tips/tools/resources you’d like to share?

    @Lao Tzu
    Thanks for the thanks. Glad you found it useful.

  6. “…checking the processes for anything suspicious looking is a great tip.” Hey! – I did not say that as a tip. It was an example of what I think provides just a false sense of security.

    I think that “protection against keyloggers” is not sufficient, because other spyware (spyware that is *not* a keylogger) can still copy the password.

    Imagine some malicious software (spyware) that captures all the traffic that leaves the public computer, just before it gets encrypted (e.g. by SSL – if it gets encrypted at all), and that stores the captured traffic in a hidden file. Every midnight the spyware emails this file to a hacker somewhere.

    This is a very general approach – and it will get hold of all passpack-protected passwords, no matter if the user used disposable logins or not, and no matter if the user used some fancy auto-login button or not. The passwords are in the HTTP requests (traffic) that leave the computer.

    Is it possible to “check” the public computer in order to avoid exposure to this (type of) threat? The answer is “no” – if the spyware is hidden well enough (and we have to assume that it is), then it will not show up, no matter “where” and “how hard” we look.

    My only tip is “do not divulge the password to the public computer.”

    And “Passpack disposable logins do not hide the password from the public computer”. – I still think you should clarify this last point more clearly generally on the passpack website. At least you should more clearly point out the limits of the protection offered by passpack disposable logins.

    Apologies if I seem to be overly critical.

  7. Hello Anonymous. Using Disposable Logins greatly improves a Passpack user’s security but there is no OTP on earth though that can solve internet security on all levels.

    You seem very passionate about the subject, and I’m sure that you have an alternative solution in mind. Would you please tell me what it is?

  8. Well, for example those OTP tokens (e.g. RSA SecureID and the like) do not leak any information that is valid beyond the current session.

    It’s not an alternative solution, of course.

    I am not sure what you mean “on all levels”, but at least they do not leave reusable information on a public computer after the session is finished…

    By the way, why is it that the user’s password can not be a one-way function of his passphrase? And why those disposable logins have exactly the length they have?

    Apologies again if I seem overly critical and inquisitive. Maybe I am too annoying and I should stop here…

  9. Just wanted to say thanks for mentioning and linking to my Keylogger article.

    It definitely pays to be prepared when using public internet cafes, be it with your own browsing installation on a USB drive, OTP for your favorite online applications or just common sense.

    Unfortunately for most people that’s all too much effort. Trouble then strikes later sometimes….

    Anyway – always have a safe and great trip!

    ;-)
