kirkswig
Jun 7, 2004, 12:45 AM
Post #5 of 7
(796 views)
Shortcut
|
Re: [Rocky57] Internet Cafe Data Security...
|
Can't Post | Private Reply
|
I more or less want to echo what everybody else is saying, that if you're using your own laptop and you're careful to not let people peek over your shoulder (remembering that webcams are a dime-a-dozen these days) then you're probably OK. Probably.
I would most urgently recommend that no one ever use a computer at a Cafe for anything important. Even measures like cleaning out caches and closing browser windows aren't sufficient. There is always the possibility that someone could have installed key logging software on the computer (after all, they are publicly accessible) and even steps taken by the administrator to thwart such activity are not at all effective if the computer is running Windows (it's probably true regardless of the operating system being run, but Windows has the most widely-known exploits.)
Another thing to watch out for are key logging hardware devices. A popular one is called KeyGhost. These get plugged into the computer when the keyboard normally gets plugged in, then the keyboard gets plugged into the key logger. Anyone can install these things one day and remove them the next and obtain everything you've typed into the computer, passwords and all. What a disaster if you log into your bank/investment account and somebody grabs the password, I mean, literally, a person could spend all his life amassing his nest egg and lose all of it in a day.
The laptop is probably OK. Other users of the Cafe and bystanders won't pose much of a threat. However, you are putting a great deal of faith in the proprietor of the cafe. In theory, a person with access to the networking hardware between you and your bank could intercept enough of the communication to know which bank you frequent. While it's true that he wouldn't be able to read any of the data exchanged, he could himself log on to the bank and copy enough html and graphics to create a dummy website that looks just like your bank, then, because he has access to the network hardware you're using, he could redirect subsequent accesses by you to your bank to his dummy website. You think you're logging on to your bank as usual, but in reality you're logging on to his web site, i.e., you're effectively giving him your bank password.
To give you an idea of what you're up against, here's my plan for critical network access (banking, investments, email) once I'm in Mexico. I run a variant of Linux called Gentoo which allows me to have near absolute control over what gets installed on my machine. Every time I install or update software, I run a program that will register the changes to files (new files or updated files) in a way that lets me later check and see whether or not any files have been added or have changed without my knowledge (say, as the result of a trojan horse or virus.) Because I'm running Linux it means that I'm not running Internet Explorer as my browser or Outlook Express as my email client, which renders me immune to 99.9% of the malware that is out there, moreover, my browser and email software is configured to never, ever open attachments without my explicit permission.
On top of that, I plan on leasing myself a state-side server at an outfit like serverbeach.com on which will run either Linux or OpenBSD and through which I will conduct my critical web browsing. While a man-in-the-middle may be able to spoof my bank's website, they will not be able to spoof my own server. My connection to this server will be encrypted, just as the connection to the bank is encrypted, however the difference is that anyone can log on to my bank and copy the website to create a spoof whereas only I can log on to my server, i.e., they will have no way of fabricating a compelling spoof. Of course, the service provider hosting my server could perform a similar spoof, but their liability/risk would be much greater, and I would have clear recourse. It isn't clear to me what my recourse would be were the same to happen to me in Mexico.
I'm probably being a little paranoid here, but not by much. Criminals will always find a way to liberate you from your money. It's only a matter of time before exploits like the one I'm guarding against here will become commonplace. It's one thing to have your wallet pickpocketed. It's quite another to give someone access to your entire financial portfolio.
For what it's worth.
To boldly go where no wig has gone before.
|
Forums Index
Search Posts
Who's Online
Log In or Sign Up
