How to increase security of public Internet terminals

Discusses tools and techniques to improve the security of your Internet usage on public terminals.

FeedbackBy Preston Hunt, 07 January 2008

When we were in Costa Rica last month, we used Internet access at cafes and hotels to check our e-mail, surf the web, and do all the other typical essential Internet activities. Unfortunately, public Internet access is rife with problems, including:

• Keystroke loggers and other malware that sniff passwords and other sensitive information.
• Possibility of leaving cookies and other personal information on the computer when you leave.
• Foreign keyboards that make typing difficult.
• Obsolete or outdated software applications (such as Internet Explorer 5).
• Lack of stored bookmarks.
• Spell-check functionality of localized browsers may not be configured for English.

To combat these and similar issues on future trips, I plan on carrying a USB flash disk with me with the [[gg PortableApps]] suite installed.

Using [[gg Firefox Portable]] solves a lot of problems. First, you can store your favorite bookmarks and add-ons on the flash drive. Your history, cookies, and saved passwords will be on your flash drive too and not the computer. Using an add-on like PasswordMaker and On-Screen Keyboard Portable will virtually eliminate the possibility of password sniffers. Other variants exist, such as logging in to web sites (like Gmail) before your trip and storing a persistent cookie that can be used to log in without typing your password at all!

Of course, a one time pad would provide the highest level of security, but would require web site providers to offer the service. Users would also have to carry around their pads with them, decreasing the usability of the system. And each web site would need its own list of passwords, which could be a real chore to manage.

Now, the next problem: With all of this valuable information on the flash drive, loss of the drive would present a serious security risk. This can be mitigated in two ways.

True Crypt is a universal solution that will work on any drive and it provides very strong security. Simply create an encrypted volume on the drive and then put the True Crypt installer on the unencrypted portion. True Crypt even has plausible deniability should you need it. Unfortunately, True Crypt requires administrator privileges to for installation. Most Internet cafes these days are pretty basic operations where this isn't a problem, but nevertheless, it's not a universal solution.

The solution I'm using is Corsair's Flash Padlock. It uses a hardware PIN to protect the drive's information. If you don't enter the PIN, the drive won't mount. True, it's big, boxy, and ugly. But it's a good solution. One caveat to this solution is that the data on the drive is not actually encrypted, which means that a sufficiently motivated attacker could probably recover the data by disassembling the hardware.