[Dshield] internet cafe's

Stephane Grobety security at admin.fulgan.com
Mon Aug 22 07:39:39 GMT 2005


Well, there are a few things you can do.

First, let's identify the possible threats:

- Local machine monitoring.
- Network sniffing.
- "Big eye monster" sniffing (camera inside the shop, your neighbor
watching what you're typing, etc.)

- For local machine, there are sadly few ways to be sure. You can use
all kinds of AV and antispyware systems, but you can never be 100% sure
the machine is actually safe. So, what you can do to protect yourself
against this is to use a live CD (Knoppix, Bart PE, etc.) to load a
known safe OS and work from there. This might not always be possible,
though: these machines might request a boot password or they can be
set up not to boot from CD. You can always ask the manager about
booting your CD, though. Take note that this will NOT protect you against
hardware monitoring (which is dead easy to do today).
- Network sniffing is actually easy: use encryption for ALL traffic.
Use HMAC authentication on mail server if possible as well. Be sure to
check the machine's SSL CA root to see if there isn't some "strange"
root installed: this could be used in a MIM attack. One good way to
tell is to take note of your mail server's certificate thumbprint
from a known good location beforehand and check it once you've
connected but before you've entered your password.
- "Big eye monster". This one is tough: you can be careful but it's
sometimes next to impossible to be sure no one is watching you. So your
best bet is not to use a password at all.

Overall, I would say that the best possible strategy is the
following: Use a boot CD and don't use passwords. Use X509
certificates stored on a secure USB device if possible: these are pretty
safe and will protect your assets in almost all scenarii. The drivers
can be installed on your boot CD and you can store your personal data
on a USB key. If X509 authentication is not an option,
investigate the use of one-time passwords, at least for the web mail
interface: this will offer a good level of security as it protects you
against replay attacks. They will not work on a MIM attack combined with
a session hijack, though, but this is a pretty low risk as it's much
more complex to implement and requires the attacker to know what you're
going to do in advance.

Good luck,
Stephane


Monday, August 22, 2005, 1:15:09 AM, you wrote:

T> On a trip recently to the boondocks, I stayed in a hotel with no 
T> phones or internet and my cell phone was in dark territory.  There 
T> were 2 internet cafes in town and neither would allow hooking up my
T> laptop so I was forced to use their windoze machine.  I spent the
T> first 20 minutes online running free antivirus checkers and spyware
T> checkers before checking webmail.  Luckily I set up a bogus webmail
T> account that was getting copies of my mail from my mailserver so I 
T> checked that one.  The next day I changed that webmail password when 
T> I was in a new location with direct access using ssh and vpn.

T> My question is does anyone have an idea of a better/safer way to 
T> handle this type of situation short of a sat phone? I will be going 
T> overseas in a couple of months and my understanding is that direct 
T> 'net access is much more problematic than it is here in North America.

T> TIA

T> Tom



-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
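
The thumbprint check described in the message above, as an added example that is not part of the original post: it fetches the certificate the mail server presents, ignoring the local (possibly tampered) root store, and compares it with the value recorded beforehand. Assumptions: a SHA-256 thumbprint, a TLS-wrapped port such as IMAPS, and the placeholder host mail.example.org.

```python
"""Compare a mail server's certificate thumbprint with one recorded earlier."""
import hashlib
import hmac
import socket
import ssl
import sys


def thumbprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate (assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as written down by hand."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """True only if the presented certificate is the one recorded earlier."""
    return hmac.compare_digest(thumbprint(der_cert), normalize(pinned))


def fetch_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Fetch the certificate the server presents on a TLS-wrapped port.

    Chain validation is switched off on purpose: the local root store is the
    thing under suspicion, so the pin comparison is the only trust decision.
    No credentials are sent on this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage (host, port and pin are placeholders, not values from the post):
    #   python check_pin.py mail.example.org 993 "AB:CD:...:EF"
    host, port, pinned = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    der = fetch_der(host, port)
    if matches_pin(der, pinned):
        print("thumbprint matches the recorded value")
    else:
        print("MISMATCH: presented", thumbprint(der))
        sys.exit(1)
```

A mismatch means either the server's certificate was legitimately renewed since the pin was recorded or something between you and the server is presenting its own certificate; in both cases the password stays untyped until that is resolved.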


