How safe is it to run portable apps on public computers?

[wraith808]

If the drive is write protected, would I have to worry about any of these infections?

-jdd (June 14, 2010, 06:07 PM)

No... but I'm not sure that Firefox portable will run on a write-protected drive.  It saves your profile information and cache there if I'm correct...

[Lashiec]

How does KeePass insert the encrypted passwords into the other apps? It would be trivial to add a clipboard watcher to a keylogger...

-f0dder (June 14, 2010, 03:39 PM)

And Dominik would like to see his methods challenged. Note that this is for KeePass 2.x, KeePass 1.x lacks any kind of protection against keyloggers if you rely on AutoType.

Personally, I wouldn't use public computers for anything more than casual browsing these days, unless you know the computers are properly maintained and/or configured (public computers shouldn't be running an account with administrator rights by default), or they have some kind of rollback method. Once you log out, everything you've done disappears.

[f0dder]

How does KeePass insert the encrypted passwords into the other apps? It would be trivial to add a clipboard watcher to a keylogger...

-f0dder (June 14, 2010, 03:39 PM)

And Dominik would like to see his methods challenged. Note that this is for KeePass 2.x, KeePass 1.x lacks any kind of protection against keyloggers if you rely on AutoType.

-Lashiec (June 15, 2010, 09:00 AM)

Thanks for that link - it's a decent system he's implemented, I had been thinking of something similar. While it will fool a bog-standard keylogger, there's still some ways to target it. You could (probably) log the clipboard entries when Ctrl+V is sent to the target app (that way you don't have to be part of the clipboard listener chain, nor poll the clipboard constantly). Or API-level hooks could be thrown into the mix...

[mouser]

ghacks has a nice article on this issue today:
http://www.ghacks.ne...-on-them/#more-26616

[Deozaan]

So basically what you guys are saying is that I shouldn't be doing my online banking at the Library?

Or for that matter, I shouldn't be doing anything that uses my username and password while on a public computer?

I was actually just wondering about this yesterday. How safe would it be to use PuTTy to ssh into my shell account from a public PC or on a public/open network? A keylogger would be an obvious risk for a public PC, but what about if it's my computer transmitting data over an open network? Any other probable risks?

[Clive]

Here in Australia most public 'puters are set up with limited rights i.e. not admin so you can't actually launch apps from a usb. Similar in the USA /Europe?

[scancode]

Here in Australia most public 'puters are set up with limited rights i.e. not admin so you can't actually launch apps from a usb. Similar in the USA /Europe?

-Clive (June 17, 2010, 03:04 AM)

Here you have full admin rights and comuters are protected with Faronics Deep Freeze, so you get a fresh-installed desktop each time, at least on most cybercafé/school networks.

[Kamel]

there are even physical monitoring devices that can capture your username and password... and who's to say that if the computer is fine that the network itself isn't vulnerable?

point blank, it's risky to use nearly any public connection or computer, no matter how safe you are. it's like having sex with a hooker, they could be clean, or they could be dirty and you might be ok with a condom, or you might use a condom and manage to get an STD anyway. no matter how you slice it, it's risky business.

[superboyac]

there are even physical monitoring devices that can capture your username and password... and who's to say that if the computer is fine that the network itself isn't vulnerable?

point blank, it's risky to use nearly any public connection or computer, no matter how safe you are. it's like having sex with a hooker, they could be clean, or they could be dirty and you might be ok with a condom, or you might use a condom and manage to get an STD anyway. no matter how you slice it, it's risky business.

-Kamel (June 21, 2010, 04:52 PM)

mmm...all good points.  Is it just my dirty mind, or does scancode's avatar look like a punctured condom?

[mouser]

i do think that probably one of the safest ways you can use a public computer is to remote connect to your home/work deskop and work from there, and plan on changing the password when you return home.  that minimizes the risk pretty much.. and means that only if someone sniffs the password you used to log in to your remote computer and uses it to connect to your remote computer are you at risk, which is pretty low risk, especially if you're away for a short time.

now, this immediately suggests that an extremely useful feature for a vpn/remoteconnect tool would be the use of one-time pads, single-use passwords, hardware key ids.  anyone know of any vpn/remote desktop that supports this?

with such a setup, you would remote connect to your desktop, do everything through your encrypted connection to your home/work pc.  you would assume that the local pc is compromised and keylogging everything you type.  but the password they sniff would no longer get them in.  only by keeping a list of single-use-logins with you in your pocket will you be able to log in.

[Nod5]

now, this immediately suggests that an extremely useful feature for a vpn/remoteconnect tool would be the use of one-time pads, single-use passwords, hardware key ids.  anyone know of any vpn/remote desktop that supports this?

-mouser (June 21, 2010, 06:15 PM)

That would be really useful! But I don't know of one. I also think it is outright weird that big services like gmail doesn't offer something like that already. You could log in with your regular password and generate and print out 10 temporary passwords that each expire after one use (and to make new ones you'd need the regular pw again).

In response to the original post, I'd definitely try to avoid public computers when accessing work computers or mail servers remotely. Are you sure that a mobile phone with basic internet capacities (like mail) won't be enough? Or a phone tethered to a netbook. (Ok, the OP said he was travelling laptop-free but a tiny netbook add so little weight and bulk that I have a hard time figuring out when it wouldn't be possible to bring.)

[Cyeb]

you could just use a program that can calculate hashes of the files.

actually that would make a very nice portable app -- a program which when run scans the drive and creates hashes of all files found, and compares to previous set of saved hashes, reporting any differences and new files.  bonus if it also did this on boot records.  goal would be to make it super easy to use with no real options, just run it and wait for it to tell you nothing has changed most of the time.. or report on new files.  on rare malware infection it will report the changing of some files.  (be smart if it flagged changed exe's more dramatically than changed .txt files).

could be extremely useful for portable file use.

in fact, it might very well make sense to run it immediately after inserting a drive to see if any malware wants to try to infect any executables on your usb, kind of like a honeypot.

this would make a great NANY 2011 project for someone..

-mouser (June 14, 2010, 05:12 PM)

Oh, I wasn't worried about the hash-checking program intentionally having it's checking functionality disabled - but along the lines of the program getting infected on one machine, and when running on the next spreading the infection. If the infection was with a nasty piece of self-hiding code, the hash-checking would be ineffective without having been explicitly targeted.

-f0dder (June 14, 2010, 05:54 PM)

I know this is a week-old thread, but aren't you guys missing something?  Just put the hash checker on the read-only part of the drive!  Tell me if my idea is flawed..But I'm pretty sure it's doable.  You just have to preload the hashes into the read-only part of the USB before you go anywhere.

[f0dder]

I know this is a week-old thread, but aren't you guys missing something?  Just put the hash checker on the read-only part of the drive!  Tell me if my idea is flawed..But I'm pretty sure it's doable.  You just have to preload the hashes into the read-only part of the USB before you go anywhere.

-Cyeb (June 29, 2010, 09:39 AM)

If you have an USB drive with separate read/only and read/write parts, sure - never came upon one like that myself, though.

[steeladept]

I know this is a week-old thread, but aren't you guys missing something?  Just put the hash checker on the read-only part of the drive!  Tell me if my idea is flawed..But I'm pretty sure it's doable.  You just have to preload the hashes into the read-only part of the USB before you go anywhere.

-Cyeb (June 29, 2010, 09:39 AM)

If you have an USB drive with separate read/only and read/write parts, sure - never came upon one like that myself, though.

-f0dder (July 02, 2010, 12:26 AM)

That is easy using something like Truecrypt to make your file work as a read-only disc. Don't know if that would really make it work though - requires more thought...

[f0dder]

Good idea, steeladept - mounting a TC volume as read-only would probably do the trick.

[Cyeb]

http://www.hak5.org/..._Switchblade#Files_4

^ Read on it.  If you search around, there's an application to hack things onto the read-only part of any u3 drive.

Except the link I provided is for recovering information on an unsuspecting user's hard drive.  Fighting evil with evil? 

[steeladept]

Don't need U3 to use TrueCrypt though.  Moreover, it is encrypted so that MAY prevent this even on U3.

I am no expert here, and am just throwing out ideas.  Beating a properly encrypted and protected Truecrypt volume is difficult though on the best of days, and can be just this side of impossible.

[Paul Keith]

I don't understand hash checkers but just hypothetically speaking are portable apps safer than say a cellphone with some encrypted device?

Technically that's like remote PC usage correct or am I mistaken? (assuming it has security apps)

[oxman]

There is absolutely no way to keep your data secure (not stoled) on a USB key pluged into a public computer.