Welcome Guest.   Make a donation to an author on the site December 18, 2014, 03:41:11 PM  *

Please login or register.
Or did you miss your validation email?


Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.


You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
 
Learn about the DonationCoder.com microdonation system (DonationCredits).
   
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: Prev 1 [2]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: How safe is it to run portable apps on public computers?  (Read 14051 times)
wraith808
Supporting Member
**
Posts: 6,575



"In my dreams, I always do it right."

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #25 on: June 14, 2010, 09:03:03 PM »

If the drive is write protected, would I have to worry about any of these infections?

No... but I'm not sure that Firefox portable will run on a write-protected drive.  It saves your profile information and cache there if I'm correct...
Logged

Lashiec
Member
**
Posts: 2,374


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #26 on: June 15, 2010, 09:00:46 AM »

How does KeePass insert the encrypted passwords into the other apps? It would be trivial to add a clipboard watcher to a keylogger...

And Dominik would like to see his methods challenged. Note that this is for KeePass 2.x, KeePass 1.x lacks any kind of protection against keyloggers if you rely on AutoType.

Personally, I wouldn't use public computers for anything more than casual browsing these days, unless you know the computers are properly maintained and/or configured (public computers shouldn't be running an account with administrator rights by default), or they have some kind of rollback method. Once you log out, everything you've done disappears.
« Last Edit: June 15, 2010, 09:03:07 AM by Lashiec » Logged
f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #27 on: June 15, 2010, 09:12:43 AM »

How does KeePass insert the encrypted passwords into the other apps? It would be trivial to add a clipboard watcher to a keylogger...

And Dominik would like to see his methods challenged. Note that this is for KeePass 2.x, KeePass 1.x lacks any kind of protection against keyloggers if you rely on AutoType.
Thanks for that link - it's a decent system he's implemented, I had been thinking of something similar. While it will fool a bog-standard keylogger, there's still some ways to target it. You could (probably) log the clipboard entries when Ctrl+V is sent to the target app (that way you don't have to be part of the clipboard listener chain, nor poll the clipboard constantly). Or API-level hooks could be thrown into the mix...
Logged

- carpe noctem
mouser
First Author
Administrator
*****
Posts: 33,770



see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #28 on: June 15, 2010, 02:57:22 PM »

ghacks has a nice article on this issue today:
http://www.ghacks.net/201...-data-on-them/#more-26616
Logged
Deozaan
Charter Member
***
Posts: 6,532



see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #29 on: June 15, 2010, 06:52:12 PM »

So basically what you guys are saying is that I shouldn't be doing my online banking at the Library?

Or for that matter, I shouldn't be doing anything that uses my username and password while on a public computer?

I was actually just wondering about this yesterday. How safe would it be to use PuTTy to ssh into my shell account from a public PC or on a public/open network? A keylogger would be an obvious risk for a public PC, but what about if it's my computer transmitting data over an open network? Any other probable risks?
Logged

Clive
Supporting Member
**
Posts: 107


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #30 on: June 17, 2010, 03:04:17 AM »

Here in Australia most public 'puters are set up with limited rights i.e. not admin so you can't actually launch apps from a usb. Similar in the USA /Europe?
Logged
scancode
Honorary Member
**
Posts: 636



I will eat Cody someday.

see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #31 on: June 21, 2010, 04:44:35 PM »

Here in Australia most public 'puters are set up with limited rights i.e. not admin so you can't actually launch apps from a usb. Similar in the USA /Europe?

Here you have full admin rights and comuters are protected with Faronics Deep Freeze, so you get a fresh-installed desktop each time, at least on most cybercafé/school networks.
Logged

Kamel
Honorary Member
**
Posts: 138


View Profile Give some DonationCredits to this forum member
« Reply #32 on: June 21, 2010, 04:52:32 PM »

there are even physical monitoring devices that can capture your username and password... and who's to say that if the computer is fine that the network itself isn't vulnerable?

point blank, it's risky to use nearly any public connection or computer, no matter how safe you are. it's like having sex with a hooker, they could be clean, or they could be dirty and you might be ok with a condom, or you might use a condom and manage to get an STD anyway. no matter how you slice it, it's risky business.
Logged

I'm the guy you yell at when your DSL goes down...
superboyac
Charter Member
***
Posts: 5,793


Is your software in my list?

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #33 on: June 21, 2010, 06:00:36 PM »

there are even physical monitoring devices that can capture your username and password... and who's to say that if the computer is fine that the network itself isn't vulnerable?

point blank, it's risky to use nearly any public connection or computer, no matter how safe you are. it's like having sex with a hooker, they could be clean, or they could be dirty and you might be ok with a condom, or you might use a condom and manage to get an STD anyway. no matter how you slice it, it's risky business.
mmm...all good points.  Is it just my dirty mind, or does scancode's avatar look like a punctured condom?
Logged

mouser
First Author
Administrator
*****
Posts: 33,770



see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #34 on: June 21, 2010, 06:15:01 PM »

i do think that probably one of the safest ways you can use a public computer is to remote connect to your home/work deskop and work from there, and plan on changing the password when you return home.  that minimizes the risk pretty much.. and means that only if someone sniffs the password you used to log in to your remote computer and uses it to connect to your remote computer are you at risk, which is pretty low risk, especially if you're away for a short time.

now, this immediately suggests that an extremely useful feature for a vpn/remoteconnect tool would be the use of one-time pads, single-use passwords, hardware key ids.  anyone know of any vpn/remote desktop that supports this?

with such a setup, you would remote connect to your desktop, do everything through your encrypted connection to your home/work pc.  you would assume that the local pc is compromised and keylogging everything you type.  but the password they sniff would no longer get them in.  only by keeping a list of single-use-logins with you in your pocket will you be able to log in.
Logged
Nod5
Supporting Member
**
Posts: 749



View Profile Give some DonationCredits to this forum member
« Reply #35 on: June 22, 2010, 11:48:17 AM »

now, this immediately suggests that an extremely useful feature for a vpn/remoteconnect tool would be the use of one-time pads, single-use passwords, hardware key ids.  anyone know of any vpn/remote desktop that supports this?
That would be really useful! But I don't know of one. I also think it is outright weird that big services like gmail doesn't offer something like that already. You could log in with your regular password and generate and print out 10 temporary passwords that each expire after one use (and to make new ones you'd need the regular pw again).

In response to the original post, I'd definitely try to avoid public computers when accessing work computers or mail servers remotely. Are you sure that a mobile phone with basic internet capacities (like mail) won't be enough? Or a phone tethered to a netbook. (Ok, the OP said he was travelling laptop-free but a tiny netbook add so little weight and bulk that I have a hard time figuring out when it wouldn't be possible to bring.)
Logged
Cyeb
Participant
*
Posts: 50


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #36 on: June 29, 2010, 09:39:23 AM »

you could just use a program that can calculate hashes of the files.

actually that would make a very nice portable app -- a program which when run scans the drive and creates hashes of all files found, and compares to previous set of saved hashes, reporting any differences and new files.  bonus if it also did this on boot records.  goal would be to make it super easy to use with no real options, just run it and wait for it to tell you nothing has changed most of the time.. or report on new files.  on rare malware infection it will report the changing of some files.  (be smart if it flagged changed exe's more dramatically than changed .txt files).

could be extremely useful for portable file use.

in fact, it might very well make sense to run it immediately after inserting a drive to see if any malware wants to try to infect any executables on your usb, kind of like a honeypot.

this would make a great NANY 2011 project for someone..

Oh, I wasn't worried about the hash-checking program intentionally having it's checking functionality disabled - but along the lines of the program getting infected on one machine, and when running on the next spreading the infection. If the infection was with a nasty piece of self-hiding code, the hash-checking would be ineffective without having been explicitly targeted.

I know this is a week-old thread, but aren't you guys missing something?  Just put the hash checker on the read-only part of the drive!  Tell me if my idea is flawed..But I'm pretty sure it's doable.  You just have to preload the hashes into the read-only part of the USB before you go anywhere.
Logged
f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #37 on: July 02, 2010, 12:26:24 AM »

I know this is a week-old thread, but aren't you guys missing something?  Just put the hash checker on the read-only part of the drive!  Tell me if my idea is flawed..But I'm pretty sure it's doable.  You just have to preload the hashes into the read-only part of the USB before you go anywhere.
If you have an USB drive with separate read/only and read/write parts, sure - never came upon one like that myself, though.
Logged

- carpe noctem
steeladept
Supporting Member
**
Posts: 1,058



Fettucini alfredo is macaroni & cheese for adults

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #38 on: July 02, 2010, 09:15:41 AM »

I know this is a week-old thread, but aren't you guys missing something?  Just put the hash checker on the read-only part of the drive!  Tell me if my idea is flawed..But I'm pretty sure it's doable.  You just have to preload the hashes into the read-only part of the USB before you go anywhere.
If you have an USB drive with separate read/only and read/write parts, sure - never came upon one like that myself, though.
That is easy using something like Truecrypt to make your file work as a read-only disc. Don't know if that would really make it work though - requires more thought...
Logged
f0dder
Charter Honorary Member
***
Posts: 8,774



[Well, THAT escalated quickly!]

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #39 on: July 02, 2010, 09:42:40 AM »

Good idea, steeladept - mounting a TC volume as read-only would probably do the trick.
Logged

- carpe noctem
Cyeb
Participant
*
Posts: 50


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #40 on: July 06, 2010, 03:12:46 PM »

http://www.hak5.org/w/ind...p/USB_Switchblade#Files_4

^ Read on it.  If you search around, there's an application to hack things onto the read-only part of any u3 drive.

Except the link I provided is for recovering information on an unsuspecting user's hard drive.  Fighting evil with evil?  cheesy
« Last Edit: July 06, 2010, 03:14:59 PM by Cyeb » Logged
steeladept
Supporting Member
**
Posts: 1,058



Fettucini alfredo is macaroni & cheese for adults

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #41 on: July 07, 2010, 02:46:58 PM »

Don't need U3 to use TrueCrypt though.  Moreover, it is encrypted so that MAY prevent this even on U3.

I am no expert here, and am just throwing out ideas.  Beating a properly encrypted and protected Truecrypt volume is difficult though on the best of days, and can be just this side of impossible.
« Last Edit: July 07, 2010, 02:48:31 PM by steeladept » Logged
Paul Keith
Member
**
Posts: 1,982


see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #42 on: July 07, 2010, 04:51:38 PM »

I don't understand hash checkers but just hypothetically speaking are portable apps safer than say a cellphone with some encrypted device?

Technically that's like remote PC usage correct or am I mistaken? (assuming it has security apps)
Logged

<reserve space for the day DC can auto-generate your signature from your personal PopUp Wisdom quotes>
oxman
Supporting Member
**
Posts: 8

View Profile Give some DonationCredits to this forum member
« Reply #43 on: August 11, 2010, 01:51:22 PM »

There is absolutely no way to keep your data secure (not stoled) on a USB key pluged into a public computer.
Logged
Pages: Prev 1 [2]   Go Up
  Reply  |  New Topic  |  Print  
 
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register  

DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF
[ Page time: 0.049s | Server load: 0.01 ]