wok-key: dealing with keyloggers on net-cafe computers
Ben Scott
dragonhawk at gmail.com
Tue Aug 25 22:56:20 EDT 2009
On Tue, Aug 25, 2009 at 10:43 PM, Bill McGonigle<bill at bfccomputing.com> wrote:
>> Boot from a CD or USB key?
>
> Does anybody really do this?
I've booted computers that aren't mine from Ubuntu media. Not a
"Internet cafe", per se, but same principle.
> I would have guessed drivers would be hit-or-miss ...
True, but Ubuntu's pretty good these days.
> BIOS fiddling would often be required (I'd keep BIOS
> setup locked if I ran such a cafe).
If you ran such a cafe, you'd also have the user accounts locked
down so malware couldn't run in the first place.
On Tue, Aug 25, 2009 at 10:46 PM, Bill McGonigle<bill at bfccomputing.com> wrote:
>> Better still would be some kind of OTP generator ...
>
> hrm, my phone can't run apps, but it can do SMS messages. Interesting
> option.
There ya go. Start by emailing a password to your server from your
phone. (I'd suggest a different password for this mechanism.) When
the server gets the right password, it sends an OTP to your phone via
SMS (every carrier I know of has an SMTP-to-SMS gateway). Login with
the OTP; don't use your regular password. That way you're also got a
sort-of two-factor authentication; unless someone can receive your SMS
messages *and* knows your trigger password, they can't get a OTP.
>> I've heard tell that some spyware specifically looks for form fields
>> to capture ...
>
> via network stream intercepting or as a browser plugin?
I don't actually know. I had assumed they would look for Windows UI
controls (widgets), which are easily queried with unprivileged API
calls. That would work for things besides browsers, e.g., Quicken.
-- Ben
More information about the gnhlug-discuss
mailing list