
Beware Keyloggers at Hotel Business Centers - lsh123
http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/
======
noonespecial
Assume that all computers that aren't yours are keylogged. When I _must_ enter
a password into an untrusted machine, I use the mouse to help me. My passwords
are long non-words that I know well so I type part of the password, mouse to a
different location, type some more, mouse some more, etc. _(1)_ This should
defeat key loggers and screen picture captures (if the password is starred)
but still wouldn't defeat an out and out video of my session combined with
keylogging. I figure that last scenario is a whole lot more rare.

 _1) My usual technique is to type the last three chars, mouse to the
beginning of the field, type the next to last 3, mouse to the beginning, next
3 repeat till done._

~~~
phlo
While defense in depth is never wrong, please be aware that even moderately
advanced trojans will simply capture the contents of any form fields in most
browsers. Neither your "skipping" technique, nor (partially) using an on-screen
keyboard will help against that.

Using a second factor for authentication provides some extra security, but a
well-configured trojan might intercept your logout request, display a fake
logout confirmation and store your session data for their botmaster to peruse.

If you need to regularly use untrusted machines (and have access to usb ports
or a cd drive), you could bring a hardened browser with you. That should
defeat most "Man-in-the-Browser" tricks. Or, even better, a live CD or USB
drive. At this point, you should still assume your keyboard and screen to be
compromised, but the OS should be safe enough to cautiously use.

~~~
onnoonno
In this scenario, if I log in to my own server, where I control the login on
the remote end, I set it up to support one-time passwords. It would be nice if
this were something that could be set up by default for credentials.

Maybe this should be a feature request to the web-app devs?

~~~
peterwwillis
2FA with one-time codes is basically a one-time credential.

Use this site to support web apps with 2FA, or request 2FA for unsupported
sites: [http://twofactorauth.org/](http://twofactorauth.org/)

------
ChuckMcM
This is news? For grins and giggles I booted a live image of the Norton
recovery / scan tool on a hotel business center machine and the thing had
viruses that had been detected and cleared 6 years earlier. Not to mention it
was running XP and that version of XP wasn't patched at all (there was a
service that was blocking Windows Update; the PC couldn't actually get to the
Microsoft IP addresses). I pointed it out to the management, got yelled at for
booting a different OS, and got a surly 'promise' to have their 'IT guy' look
at it.

I've also found machines at VRBO rentals that were compromised. So far I've
not found any that had their wireless routers replaced with MiTM routers but I
expect that isn't too far down the road.

------
thegeomaster
Beware, also, of public WiFis. Even the ones that are not open. Beware,
actually, of connecting to any network where you don't know all of the devices
you can communicate with directly. Ancient attacks such as ARP or DNS spoofing
still work, by and large. It's surprising how few people are actually aware of
them.
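One cheap check a traveller can run on an untrusted network is to look at the host's own neighbour table for the classic ARP-spoofing tells: one MAC answering for several IPs, or the gateway's MAC differing from the one seen when the connection was first made. The script below is an added example written for this thread, not code from the article or from any commenter; the `ip neigh show` lines it parses are constructed sample data, and the gateway address and "pinned" MAC are assumed values a user would record on first connection.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output on a shared hotel WLAN (not real
# captured data). The host at .57 reports the same MAC as the gateway at .1,
# which is what a host answering ARP on the gateway's behalf looks like (it can
# also be an innocent router that owns two addresses, so this is an indicator,
# not proof).
SAMPLE_NEIGH = """\
10.0.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.23 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
10.0.0.57 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.88 dev wlan0 lladdr aa:bb:cc:dd:ee:02 DELAY
10.0.0.99 dev wlan0  FAILED
"""

# Matches resolved entries only; unresolved (FAILED/INCOMPLETE) lines have no lladdr.
NEIGH_RE = re.compile(
    r"^(?P<ip>[0-9.]+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} for every resolved entry in `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def shared_macs(table):
    """Map each MAC that answers for more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(table, gateway_ip, pinned_gateway_mac=None):
    """Return human-readable findings; an empty list means nothing looked off.

    pinned_gateway_mac is the gateway MAC the user noted when first joining the
    network (assumed to be recorded out of band); any change is reported.
    """
    findings = []
    for mac, ips in shared_macs(table).items():
        findings.append(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(f"gateway {gateway_ip} has no resolved entry")
    elif pinned_gateway_mac and gw_mac != pinned_gateway_mac.lower():
        findings.append(
            f"gateway {gateway_ip} MAC changed: expected "
            f"{pinned_gateway_mac.lower()}, saw {gw_mac}"
        )
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed sample; on a real host feed in the output
    # of `ip neigh show` instead.
    for finding in audit(parse_neigh(SAMPLE_NEIGH), "10.0.0.1", "00:11:22:33:44:55"):
        print("WARNING:", finding)
```

The check is deliberately conservative: it reports indicators and leaves interpretation to the user, because proxy ARP and multi-homed routers produce the same picture as a spoofing host. The gateway-MAC comparison only helps if the pinned value was captured before anyone had a chance to poison the table, which is why recording it immediately on first connection matters.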

------
tribaal
How is that even remotely a surprise?

You should assume any computer you don't own is keylogged, period.

~~~
UweSchmidt
That's good advice.

However, as "Who is surprised!" has become a standard meme in security/privacy
related threads, I want to point out a few things that may be interesting:

- the actual extend of the threat (numbers?)

- the extend to which the general public has come to terms with this problem

- the reactions around the web and proposed solutions ("use this kiosk linux
distro")

- discussion of similar/related threats (like "also watch for public wifi")

~~~
programmer_dude
Extent:
[https://www.google.co.in/search?q=define%3AExtent](https://www.google.co.in/search?q=define%3AExtent)

Extend:
[https://www.google.co.in/search?q=define%3AExtend](https://www.google.co.in/search?q=define%3AExtend)

They are not the same.

~~~
programmer_dude
Why the downvotes? Do you disagree?

~~~
mturmon
Probably because carping about word choice diverts the conversation, with no
benefit in this case because the meaning was clear. Please stop.

------
peterwwillis
Note that a keylogger is a completely different threat than modern
identity-theft malware.

A keylogger just "logs" keystrokes, either locally or remotely, for later use.
While this is a valid threat, using two-factor authentication basically makes
this a non-issue. On the other hand, malware that targets specific login
fields is usually smart enough to also steal session cookies, or with most
banking trojans, inject requests into your live browser session.

The latter is used to literally transfer money in/out of your account, or make
automatic purchases, _while you browse the web_. There is no protection from
these trojans. If you're infected, you're fucked. The only thing 2FA saves you
from here is repeated attacks once your session expires. (Luckily I've never
personally seen a trojan like this built for Linux, but that's just a matter
of time/market share)
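Both this comment and the earlier ones about one-time passwords (onnoonno and peterwwillis above) rest on the same property: a code that is only valid once, and only for a short time step, is worthless to whoever recorded it from the keyboard. The block below, an added example that is not code from the thread or from twofactorauth.org, implements RFC 4226 HOTP and RFC 6238 TOTP and a server-side verifier that refuses to accept any time step's code twice; the seed value is the RFC 6238 reference seed, used purely as test data, and the `window` of one step either side is an assumed skew tolerance.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server-side check that accepts each time step's code at most once.

    A keylogged code therefore stops working the moment the legitimate user has
    used it (or its time step has passed), which is the 'one-time credential'
    property discussed in the thread. It does nothing for the session that the
    login creates; that is a separate problem.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        # Try the current step and +/-window neighbours (assumed clock skew allowance),
        # oldest first, skipping any step at or below the last one accepted.
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # a code for this step was already used: treat as replay
            expected = hotp(self.secret, c, self.digits).encode("utf-8")
            if hmac.compare_digest(expected, code.encode("utf-8")):
                self.last_counter = c
                return True
        return False


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 seed shown in a provisioning QR code (padding optional)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


# RFC 6238 reference seed (ASCII "12345678901234567890"); test data only.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SEED)
    now = time.time()
    code = totp(RFC_SEED, now)
    print("first use accepted:", verifier.verify(code, now))   # True
    print("replay accepted:   ", verifier.verify(code, now))   # False
```

The replay guard (`last_counter`) is what turns a time-based code into a genuinely one-time one; without it, anyone who captured the code has the rest of the 30-second step, plus the skew window, to submit it themselves. The state has to live server-side and survive restarts, otherwise the guard resets.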

~~~
Someone1234
Great summary of the current state of malware.

I am starting to think that security people should stop using the term
"keylogger" altogether. It is unhelpful, and damn right dangerous.

When people read "keylogger" they often envision malware which sits there and
grabs your keystrokes, so then people assume (see posts elsewhere in this HN
thread even) that using on-screen keyboards or jumping back and forth between
fields saves them.

Classical literal "keyloggers" are now mostly gone. Grabbing a long series of
keystrokes is extremely hard to automatically utilise (which is the goal now).
Instead malware will either inject itself into the TCP/IP stack, HTTP stack,
or directly into the browser (most popular) itself to steal credentials after
the form is submitted but before it is encrypted and sent over the network.

The advantage to the "bad guys" of doing things this way is that they get
contextual information (e.g. form name, form destination URL, as well as
username/password). Once you have login information AND contextual information
you can automate it entirely and ignore a lot of stuff you aren't interested
in (e.g. steal Google accounts, but ignore Hacker News accounts).

Other than spouses spying on one another or a parent spying on their kid, a
"keylogger" is pretty much dead in the classical sense. No organised crime gang
wants a few gigabytes of keystrokes they have to sort through in order to get
to the good stuff.

------
vrikis
I can't wait for Steve Gibson's SQRL [0] to take off... Would render keyloggers
useless.

[0] [https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

~~~
DanBC
[http://security.blogoverflow.com/2013/10/debunking-sqrl/](http://security.blogoverflow.com/2013/10/debunking-sqrl/)

Sqrl looks to have some pretty bad flaws.

~~~
hyyypr
That may be the most convincing bit in this article:
[http://attrition.org/errata/charlatan/steve_gibson/](http://attrition.org/errata/charlatan/steve_gibson/)

------
gedrap
Since people are mentioning their workarounds, I will share mine.

I often have to print something from my email from an untrusted computer
(boarding pass, some documents, etc). When it's possible, I save the thing to
print to PDF, upload it to S3 and make a memorable short URL using bit.ly.
Whenever it's possible, this works very smoothly :)

~~~
krallin
If you're using gmail / google drive, a good option is to make the google
drive file public and use goo.gl (or bit.ly) to shorten it!

The added benefit is that you can do this from mobile, which may not be
possible with S3!

------
ShabbyDoo
To add to the collection of work-arounds posted here, most hotels seem to have
reasonably modern/common printers. Often, they are connected to the
untrustworthy hotel PC by a USB cable. It seems faster to unplug the printer
from the hotel PC and install drivers on one's own laptop than it is to figure
out how to gain access to the hotel's crappy computer. Hotel printers
connected to hotel computers via ethernet/WiFi also likely have working USB
ports, so one simply could bring his own cable with a "B" plug. I'm sure there
are ways a malicious person could install rogue printer firmware, etc., but the
likelihood of such threats existing in the wild is 1/1000th that of the sum
total likelihood of evil existing on hotel PCs.

I suppose the relevance of my entire comment hinges on the presumption that
anyone reading HN only uses hotel PCs for printing stuff. Valid?

------
nynywae
It is very hateful for the hackers to put keylogger on the hotel PCs. However,
there are some real and legal keyloggers and you have to pay for them. I have
used Micro keylogger. Before I bought it, I had compared many keyloggers.
Except for slight differences, many of them work the same way. However, Micro
keylogger is the cheapest as well as the most full-featured. After having
tried the free trial of kinds of keyloggers, I chose Micro keylogger. It is
really a good choice at present. [http://download.cnet.com/Micro-Keylogger/3000-2162_4-7537529...](http://download.cnet.com/Micro-Keylogger/3000-2162_4-75375292.html)

------
driverdan
Related story: When I was in high school the library computers had a filtering
firewall that blocked a lot of useful content. If you needed access you'd have
to ask someone with the password to turn it off for your computer. That was
annoying so we installed key loggers to get the password for ourselves. One of
my friends ended up buying a hardware key logger that was even easier than
trying to bypass the install protection software they used. Sometimes we'd
leave the logger on all day just to see what we'd get. There were lots of
email and AIM logins.

------
sschueller
Also beware of hotel wifis. I have been on some where everyone is on the same
subnet and tons of people have file sharing enabled.

~~~
bluedino
Even with client isolation, if you're on wireless, everyone is on the same
'subnet'.

~~~
kogir
That doesn't have to be true. Many good systems support VLANs and subnets
(OpenVPN style) per client, though you'll rarely encounter networks like this.

------
c16
I'd also like to chip in here and say keep an eye out for loan laptops. My HDD
broke down and I received a loan laptop while they fix mine.

While installing Go, I found Prey Anti-Theft on my HDD. Nice little bit of
camera snapping, location and such. Was never told about it, which also
annoyed me.

In short, if it's not your machine, assume it's compromised. LiveUSB's FTW.

------
EGreg
If you're worried about keyloggers, you should also be concerned with other
types of spoofing, even on machines you control (by software you do not).

If you're building a website, you can help mitigate keyloggers with One Time
Password support, eg login via cellphone app (which doesn't have to have a
signal but can store a million random codes a la the RSA dongle) unless that's
somehow patented - is it?

But fake auth forms are equally egregious. For this, you simply need the user
to enter (or receive) a relatively unique (1 in 10,000) phrase or icon that
they remember when signing up. Then show this phrase when one of your input
fields in your domain security context (iframe or popup) is focused. There is
no way for other websites to grab that phrase or icon, and therefore the user
is trained to check that YOUR field on YOUR domain is the one receiving
keyboard focus.

I once wrote a letter to Steve Jobs saying that iOS should also have something
similar - that the system dialogs where you enter your admin username and
password to authorize something should show you a familiar phrase or icon
which userland apps can't screenshot, similar to how they protect copyrighted
video. But he never replied or implemented it.

After all, Vista did it by darkening the screen... Any app can do that!

------
jpetersonmn
In response to the hardware keylogger comments. Aren't those fairly expensive?
I can't imagine they would be used very often except in targeted attacks
against specific computers.

~~~
marcosdumay
There are devices that sell for less than $50 and could be programmed to, when
plugged into a computer, take control of it and log whatever you want.

Specialized keyloggers ought to be cheaper.

------
DanBC
OP makes no mention of hardware keyloggers. These are cheap and easy to use -
requiring a few seconds access to install and a few more to retrieve.

Keyloq make a range of products.

------
thejosh
Well.... duh.

Any computers that allow access to the public are going to be keylogged, if
not with software then with physical keyloggers.

Same as LAN Centers used to be all keylogged as well.

~~~
nitrogen
Why should that be a given? Why can't people just stop being jerks?

~~~
mpyne
> Why can't people just stop being jerks?

While that's a noble question, you might as well ask why can't the universe
simply not advance to its entropic heat death... or why cars and homes are
still sold with locks on the doors.

------
taksintik
Not just business centers. Pretty much any public access point/terminal.
Especially when traveling abroad.

------
dbpokorny
This is what happens when you don't have real competition in the operating
system market. Shameful.

~~~
CanSpice
I could easily install a keylogger on any non-Windows machine in about five
seconds. Hint: keyboards and USB are pretty much OS-agnostic.

------
yuhong
Windows has a Guest account that automatically resets the profile when logging
off, erasing any software keyloggers etc. Likewise you can look at processes
using Task Manager or Process Explorer.

~~~
DanBC
That does nothing against hardware keyloggers.

Exploring process names is sub-optimal on modern OSes.

~~~
yuhong
I know that these do nothing against hardware ones.

