Securing a Public Computer Session

Giganews Newsgroups
Subject: Securing a Public Computer Session
Posted by:  chox…@yahoo.com
Date: 16 Dec 2006

I've read glowing comments on products such as the U3 USB drive
encryption but in the end a password must be typed on a keyboard to
encrypt the data.  A simple way of capturing this password is to use a
key logger.  A more sophisticated method is to modify the keyboard to
capture the keystrokes before they even hit the PC.  With the password
and USB drive the data is fully compromised.  What if the USB drive was
augmented with a security token technology going to the extreme of
providing a USB data entry interface in which a PIN could be entered?
Further, what if the PIN hashed with a cert on the USB drive was only a
time-sensitive key which could be used to access the real password from
a web-based authentication service?  At this point the real password
would unlock the data and an app designed to look for new USB drives
could poll the drive until it was unlocked and copy the contents to a
local drive or forward them wherever.  Even if a user would tolerate
entering a PIN every time they accessed the device, the data being read
from the device could be intercepted when being read by an application.

Does anyone know of a way to get around these public computer security
issues?

One approach might be to use a portal protected by a security token, but
once a valid connection has been made to the portal an app could use
this connection to obtain other data; further, screenshots of any
viewed data could be stored on the local computer or forwarded
elsewhere.

Another approach is to reboot the computer and use a USB drive or
CD/DVD ROM to boot the computer using a variant of LINUX.  At this
point you are facing the problem of configuring the network parms so
you can get to the Internet but everything you type could be logged on
the keyboard.  Further, the BIOS may be locked and ROM/USB boots might
be prevented.  At that point you'll have to crack the case and remove
the battery used to maintain the BIOS settings.  Booting from a USB
drive or ROM isn't something you want to do on a public computer but
cracking the case is over the top.

All this really makes it seem impossible to securely access data such
as one's bank account, sensitive corporate data, etc. from a USB
drive or portal on a public computer.  Anyone have a way to work around
these issues?

Replies