[Intrusions] Are Internet Cafes safe ?

[Tom King]

Do any of these Internet Cafes display pages that indicate "if anything
bad happens when you are online, go ahead and sue us"? Not that I've
seen.. 
        
So I'd say no, you can't easily use PCs at these places safely. You have
no idea what is running on the PC you are using (keystroke loggers etc.)
as you indicate. You have no idea what is happening on the LAN, either -
sniffers, DNS subverters etc.
        
Token-based authentication (SecurID etc.) can help somewhat because
firstly, an attacker needs to move quickly to use the token number
(assuming they are intercepting this stuff), and second, most token
implementations prevent you logging on twice with the same number -
presumably to help
        
Now, if at the Internet cafe you could plug your own laptop in, things
are slightly better (assuming you trust your own laptop), but who knows
what is happening on the LAN or at the cafe's ISP.
        
Approach with extreme caution!

On Mon, 2005-06-20 at 18:26 -0700, Andrew Daviel wrote:
> Let me rephrase that.
> 
> Is it possible to safely use a PC at an Internet Cafe to login to
> somewhere ? Millions of travellers want to know (or they ought to!)
> 
> (We are tracking an incident where we suspect a trojaned PuTTY SSH
> client, or a keystroke logger, was used to capture passwords in a cafe).
> 
> So the question is, if you aren't allowed to boot your own system off a
> CD or memory stick, or read in long keys off media, how can you use a
> system where you can't trust the keyboard ?
> 
> One-time-pad tokens would work, but only to protect the initial login,
> not the text or any further logins made from the shell account.
> 
> Ideas ? What are other people doing ?
> 
> (I tried to post this on Bugtraq but I guess it was considered off-topic
> and went in the bit bucket. I thought they used to at least send a
> rejection message ... it's probably off-topic here, but I can't think
> of a more appropriate forum offhand)
>