[Intrusions] Are Internet Cafes safe ?

Andrew Daviel andrew at andrew.triumf.ca
Tue Jun 28 07:44:14 GMT 2005


On Sun, 26 Jun 2005, Hillery wrote:

> Andrew (& Mike)
>   Because of trojans, rootkits, key-logging software, and cute gadgets
> like Key ghost by a group in New Zealand .. (see
> http://www.keyghost.com/securekb.htm ) that can be added to a system
> externally or internally to the keyboard -- you cannot know the state of
> a publicly accessible system.  Period.

Everyone seems to pretty much agree on this ...
>

> Checking news, slashdot, movies times -- sure.  ssh to your own system
> from your own laptop -- a known tunnel -- Maybe -- remember ettercap
> (among others) can force sshv2 to v1 and do a capture of the IKE key
> exchange and read a session.

Thanks for this - found
http://osx.freshmeat.net/projects/ettercap/
http://www.itworld.com/nl/lnx_sec/04302002/pf_index.html

> The only potential system that might mitigate some of the
> trackers/loggers is MiGo: http://www.pwhtgroup.com/

I had a quick look at the homepage. I can't see that it helps much; you
would clearly be using the keyboard (with possible hardware capture
devices) and it's not clear to me from their flash demo that you are not
using Windows system calls, although . It would seem better, if the cafe
allows it, to boot a standalone CD. Then you only have to worry about the
hardware. SSH2 would seem resistant to MITM and can be used to encrypt
random Web browsing if you have an HTTP proxy (e.g. Squid) at the far
end.

> So, if it's not your own box, you can't know.

Ah, but can you trust your own box ?
I was burned a couple of years ago by the suckit rootkit, since which
time I've tried to use SSH public keys rather than passwords - stolen
credentials will only work from certain places, and as it happens, the
passphrase dialog is invisible to that particular password logger.

Seems to me that things are not black-and-white - cafe:bad, your box:good
- but rather there's a continuum of risk, with the box you just
personally booted from trusted media at one end and the corner cafe in
Bulgaria at the other end. In between, a professionally run cafe which
regularly sweeps and re-images PCs is probably safer than Joe Average's
desktop PC which he uses for casual surfing and music downloads.

BTW, there's an SSH client applet that may address the "need SSH but
can't install anything" problem. No help with keystroke loggers though...
http://www.appgate.com/products/80_MindTerm/index.php

Hmmm .. a soft keyboard to enter passwords would defeat a keyboard logger
(but not a kernel-based one). So maybe if you can boot a CD with a
preloaded private key and then use the soft keyboard for the passphrase,
and use end-to-end encryption, just possibly you'd be safe from amateur
eavesdroppers (though not from someone with enough resources to capture
the entire I/O traffic (keyboard, mouse, video, CD) in hardware...)



-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca
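
Added example, not part of the original message: assuming the "stolen credentials will only work from certain places" point above refers to OpenSSH's `from=` option in `authorized_keys`, this Python script lists the keys in such a file that carry no source restriction. The sample file, key placeholders and comments are constructed.

```python
import re

# A line that starts with a key type has no options field in front of it.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

# Constructed sample; key material replaced by placeholders.
SAMPLE = '''\
from="192.0.2.10,*.example.org",no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER andrew@office
ssh-rsa AAAAB3PLACEHOLDER andrew@laptop
command="echo \\"hi, there\\"",no-pty ssh-ed25519 AAAAC3PLACEHOLDER backup job
no-port-forwarding,from="198.51.100.0/24" ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER andrew@lab
'''

def split_unquoted(text, seps, maxsplit=-1):
    """Split on any character in seps that lies outside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep escaped char, e.g. \" in command=
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c in seps and not quoted and maxsplit != 0:
            parts.append("".join(buf))
            buf, maxsplit = [], maxsplit - 1
        else:
            buf.append(c)
        i += 1
    return parts + ["".join(buf)]

def parse_line(line):
    """Return (options, key_type, comment), or None for blank/comment/malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not KEY_TYPE.match(line):
        parts = split_unquoted(line, " \t", 1)
        if len(parts) < 2:
            return None  # options field with no key after it
        for opt in split_unquoted(parts[0], ","):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"')
        line = parts[1].strip()
    fields = line.split(None, 2)
    return options, fields[0], fields[2] if len(fields) > 2 else ""

def unrestricted_keys(text):
    """Comments of keys that are accepted from any source address."""
    parsed = filter(None, map(parse_line, text.splitlines()))
    return [c or t for opts, t, c in parsed if not opts.get("from")]

if __name__ == "__main__":
    print(unrestricted_keys(SAMPLE))
```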


