111

Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?

Although related, but note that this is a bit different from this question since I am not using my own computer to log in.

Boann
  • 221
  • 1
  • 6
today
  • 1,081
  • 2
  • 7
  • 8
  • 9
    Can you create a virtual machine on their box? – DarkMatter Nov 29 '18 at 16:46
  • 6
    @DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like. – today Nov 29 '18 at 16:50
  • 5
    it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring) – DarkMatter Nov 29 '18 at 17:25
  • 39
    A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy". – reed Nov 29 '18 at 18:17
  • 2
    A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place. – paj28 Nov 29 '18 at 20:32
  • With a password – Jay Nov 29 '18 at 22:35
  • 1
    I just thought about using a password manager, such as lastPass, which is great, as an additional mitigation - keyloggers won't work against it, nor will clipboard scanners, screen recorders... But now the critical password isn't for the service you want to access, it's protecting the password manager instead. A non-cloud-based password manager like keepass however, you can at least remove the USB or disk with the database on - but if you're really paranoid - what's to stop the machine silently making a copy to crack later? – Baldrickk Nov 30 '18 at 09:26
  • 3
    Remember: ***Once you've lost physical control of the device, all bets are off.*** – Marc.2377 Dec 01 '18 at 04:12
  • 2
    @DarkMatter: how do you make sure that keystrokes sent to virtual machine aren't logged? – el.pescado - нет войне Dec 02 '18 at 11:54
  • @el.pescado you can't be sure. It depends on how they are monitoring but I think the smallest attack surface for that scenario would be an OSK in the VM. – DarkMatter Dec 03 '18 at 15:23
  • You could use Edge's application guard (if they have a newer version of Windows 10) which boots up a brand new VM especially for that Edge session, which once closed in theory leaves no traces. Of course, you'd still have the keystrokes and screenshots problem. – CalvT Dec 04 '18 at 17:14

13 Answers13

120

This is an interesting question!

The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.

We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).

Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and even modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).

This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into something really important, however, you may want to stick to devices you control.

Additionally, consider the following, via user TemporalWolf

Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.

Cowthulhu
  • 1,231
  • 1
  • 8
  • 22
  • 5
    "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer. – Qwertie Nov 30 '18 at 05:07
  • 21
    Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer. – forest Nov 30 '18 at 07:25
  • @NotThatGuy I think if you submit an edit request? – Cowthulhu Nov 30 '18 at 15:40
  • 5
    The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password *once already authenticated*. So that's an interesting dilemma. – Chris Cirefice Nov 30 '18 at 17:07
  • This is a good answer. I would add that if the OP is worried he should monitor his account afterward using a device he controls, e.g. when you're on Facebook you can see a list of devices that are logged on, and you can even force them all to logout/reauthenticate. (Not sure if the SAC missile launch control web site has the same feature.) – John Wu Dec 01 '18 at 01:33
  • +1 for one-time-passwords. Prior to the ubiquity of mobile data networks and wifi, I'd always print out a sheet of OTPs for use at internet cafes when traveling abroad. – MooseBoys Dec 01 '18 at 05:36
  • Would this answer be better if it included using an incognito browser window and disabling extensions for the duration of the login session? Incognito as I understand it won’t leave auth token and web data after close. – ThisClark Dec 01 '18 at 13:41
  • 10
    "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice. – Steve Jessop Dec 01 '18 at 22:53
  • @Qwertie's right and checking your account from your own device later (Facebook lists active sessions, ish) is not paranoid – Lightness Races in Orbit Dec 03 '18 at 11:04
  • 2
    @ChrisCirefice: As it happens my bank requires 2FA after having authenticated for _everything_ with the exception of reading account balance. Including, but not limited to changing password. You cannot even open a CS ticket without entering a SMS-TAN (which is funny because assuming you have trouble with that, there's no way of contacting CS?). Need to wire a large sum of money? That's 3 TANs to enter for you. One to bump the transaction limit up, one for the transaction, and one to restore the limit to normal. That's truly the only service running in such a paranoia mode that I know, though. – Damon Dec 04 '18 at 08:36
  • 1
    *"you can probably trust that when you hit "Log Out", it actually logs you out."* If I were trying to attack you while you used my computer, I would make *sure* that the "logout" action didn't work on a particular target web site ... such as Facebook. – Christopher Schultz Dec 05 '18 at 23:13
39

In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).

This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.

Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.

Besides what I said above, I also have a 128 GB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.

While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.

As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.

But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.

iBug
  • 1,378
  • 1
  • 9
  • 12
  • That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough. – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Nov 30 '18 at 13:06
  • 9
    Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS. – martinstoeckli Dec 03 '18 at 12:38
  • @martinstoeckli Yep, but that's the opposite of this question. – iBug Dec 03 '18 at 13:59
  • I would suggest still using MBR because not every one has GPT yet, but good idea anyway. – cybernard Dec 03 '18 at 14:54
  • @iBug Good solution, thanks. However, "If you're logging in on your **trusted friend's computer**..." does trusted refer to the friend or the friend's computer? Since I may trust my friend but not his/her computer. – today Dec 03 '18 at 19:54
  • @today that depends on you – iBug Dec 04 '18 at 02:16
  • "for most websites" - I wish that were true, but I'm not sure it is outside of highly trafficked sites. – Michael Mior Dec 04 '18 at 15:14
  • 1
    @MichaelMior Yep that's another "dependency" issue. But as far as I have seen, all websites have logged me out everywhere (terminate all sessions) when I change my password. – iBug Dec 04 '18 at 15:16
  • *"running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine"* ...except for a firmware rootkit. – Dan Henderson Dec 05 '18 at 15:43
24

If you encounter this situation regularly, try the following:

  1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.

  2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.

Edit:

As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.

Potential weaknesses of this method:

This method is vulnerable to the following:

  • Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.
  • Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.
daviewales
  • 343
  • 1
  • 7
  • 3
    For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices – Xen2050 Nov 30 '18 at 11:41
  • @Xen2050 Windows To Go is also a good alternative! – iBug Nov 30 '18 at 13:19
  • Good point @Xen2050 – daviewales Nov 30 '18 at 21:28
  • Under `Hardware based recording`, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords. – Private Dec 01 '18 at 13:02
  • @iBug Is Windows To Go free to download & use by everyone - even if you don't legally own or use any other Windows? – Xen2050 Dec 02 '18 at 02:44
  • @Xen2050 Nope. Windows To Go is only legally available in the Enterprise version, and must legally be created from another running Enterprise Edition of Windows. Workarounds are all over the internet, though. – iBug Dec 02 '18 at 02:52
  • 6
    "*Using the on-screen keyboard defends against hardware based key-loggers*" - unless they include a mouse logger (for click coordinates etc) :-) – Bergi Dec 02 '18 at 13:55
  • You can just do it with MacOS. Hold down option while you boot up, it will list every bootable drive including all USB connected drives. Mac does not distinguish between SATA vs USB vs Lightning drives re: bootability. Been doing that since 2003. – Harper - Reinstate Monica Dec 02 '18 at 21:01
  • 1
    @Bergi Some possible defences against mouse loggers: Move the onscreen keyboard to a random location on the screen before each keypress. Switch to a random keyboard layout. Find an onscreen keyboard that scrambles the location of the keys. – daviewales Dec 02 '18 at 21:16
  • 2
    "Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot." You're bypassing it only if the machine allows you to bypass it. That may be the behavior of standard hardware, but it's still depending on the hardware to not be malicious. – Acccumulation Dec 03 '18 at 23:38
  • @Accumulation True. Can you provide specific examples which can be added to the "Potential weaknesses" section? – daviewales Dec 05 '18 at 04:02
  • @daviewales Even with anti-keylogger/mouselogger, there's still the issue of a real-time screen graphics capture device (or say, over-the-shoulder). At which point you'd need 'sound buttons' that show nothing but play a sound (over an earphone). But then they could also be recording audio... the cycle is endless. – SE Does Not Like Dissent Dec 05 '18 at 16:16
  • 1
    I don't have any examples of anything that I know of actually been implemented, but there's nothing physically impossible about creating a device that reads a USB, emulates internally the software on the USB, then externally performs a MITM attack. That is, the device could have an internal virtual machine running the software on the USB and perform a MITM attack between the virtual machine and the user. – Acccumulation Dec 05 '18 at 21:18
  • On-screen keyboards can be read by shoulder surfing, or by a camera. A high quality zoom lens can see your screen from a distance where its too far away to be seen by eye. – Criggie Dec 05 '18 at 23:24
  • @Criggie This is true. Hence why you should cover the screen with your hand. – daviewales Dec 06 '18 at 21:36
17

Use SQRL

If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.

SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.

EDIT: Because so few sites support SQRL, this is probably not a good answer as of Nov/Dec 2018, but it may be a good answer in the future. I don't think there is a secure way to log into a website on a computer under someone else's control (which may have a key/click-logger installed), which was one of the reasons SQRL was created in the first place. The out-of-band login approach, which does not rely upon the possibly-compromised computer to preserve a secret like a password, whether it be the specific form taken by the SQRL protocol or some competing scheme that uses the same general idea, is an essential component of any good answer.

Monty Harder
  • 476
  • 3
  • 6
  • It's a very interesting method! I was not aware of it at all. Thanks for mentioning it. – today Nov 29 '18 at 21:54
  • 3
    The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today. – caw Nov 30 '18 at 01:28
  • Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't. – Tom Nov 30 '18 at 05:10
  • 19
    https://security.blogoverflow.com/2013/10/debunking-sqrl/ - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself. – vidarlo Nov 30 '18 at 06:41
  • What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone? – knallfrosch Nov 30 '18 at 10:47
  • While SQRL would indeed be a decent solution to this problem (to about the same extent that U2F is) I don't think this answer is very helpful. FIDO isn't widely supported, and thus isn't a viable solution for users in ~99% of cases. – Ajedi32 Nov 30 '18 at 17:16
  • Is this how login with whatsapp on desktop works? – FooBar Dec 01 '18 at 15:02
  • 4
    **A note from a mod:** SQRL has not had the best reputation since it first came out. We have had members inspect the architecture documents when it was first released and found it wanting. But it has been 5 years and we know that the developers have made changes as a result of the critiques, but we cannot find recent reviews. So, *caveat emptor* with SQRL. What is known is that there are more widely used and tested options available. – schroeder Dec 03 '18 at 10:33
  • 1
    To those who say "Gibson is a crank" or that SQRL has a bad reputation, all I can say is that's an _ad_hominem_ attack. Most of the objections I've seen to SQRL are based on misconceptions about how it works, to some extent as a result of the way the SQRL project has unfolded. The basic idea was announced, and within days people who don't like Gibson had made up their minds it was a flawed protocol, despite the fact it hadn't even been formally defined yet. – Monty Harder Dec 03 '18 at 15:56
  • 1
    @vidarlo The comments on that "debunking" do a great job of debunking the debunking. Gibson didn't just string this together by himself. He came up with the basic idea, set up a news group and started discussing it with others, who did their best to shoot holes in it and help improve it. [Disclosure: I'm one of those people. I was one of those insisting key-revocation and -replacement mechanisms be built into the protocol, and suggested the name change when it became obvious people were fixating on the QR code as if it were the whole thing, when in fact it's just one mode of use.] – Monty Harder Dec 03 '18 at 16:04
  • 2
    The reason this is a terrible answer has nothing to do with the merits of SQRL or its developer(s), but because it suggests that the end user has an option to "just use it" if they want. Doesn't work that way. – Beanluc Dec 03 '18 at 18:45
  • @Beanluc That's a chicken-and-egg situation. Unless users indicate a desire for websites to support the protocol, they won't. And people can't use something that isn't supported. Were there a good answer that's widely accepted, I wouldn't even have posted this answer, but the very reason SQRL exists is that it at least attempts to solve this, and some other problems. So the true answer is probably that no good answer is yet widely available, but if websites support SQRL, that could change in the near future. – Monty Harder Dec 03 '18 at 18:48
  • SQLR doesn't solve the problem of the computer faking a "log out". If you click "log out" from the site and the browser intentionally fails to log you out, then the attacker still has control over your account after you walk away. – Christopher Schultz Dec 05 '18 at 23:17
  • @schroeder I'm curious about your sense of SQRL's "reputation" since it hasn't been officially released, yet. It seems that it's quite fully-documented at GRC.com at this point, though. – Christopher Schultz Dec 05 '18 at 23:27
  • @ChristopherSchultz I remember some discussions on the SQRL news group that might apply to your scenario. A web site might choose to require an additional authentication before performing certain "high-value" operations, much the same way that existing security schemes require you to re-enter your password when changing it. A bank might require your SQRL client to digitally sign a string including the date, time, amount of money to be paid, and the name of the payee, before authorizing a credit-card transaction, even though you were already "logged in" by signing a content-free nonce. – Monty Harder Dec 06 '18 at 15:25
  • @MontyHarder Yes, that would absolutely be the way to do things. For example, on Amazon.com, maybe you can shop and put things into a shopping-cart, but when it's time to make a payment (with a stored card number), you have to re-authenticate for that one operation. But most sites just challenge you a single time when you login, and then you are free to do whatever that user is allowed to do without further checks. – Christopher Schultz Dec 06 '18 at 17:47
5

It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...

  1. Open text editor of choice.
  2. Type out the full alphabet in both upper and lower case.
  3. type out the full range of numbers and symbols that are available.
  4. Copy and paste letter by letter to enter your password on the web form.
  5. As an added layer of obfuscation, don't grab the letters in the same order as the final password

I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.

Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.

Rozwel
  • 183
  • 2
  • 19
    Surely an off-the-shelf screen recorder would counter this? – Draconis Nov 29 '18 at 20:20
  • Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well. – today Nov 29 '18 at 20:40
  • 3
    @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless... – Rozwel Nov 29 '18 at 20:44
  • 7
    A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger. – Nathan Goings Nov 29 '18 at 21:39
  • Interestingly, simply typing out the password would have been safer in my machine. I don't have a keylogger, but I have a clipboard manager that, for my convenience, keeps history of every copy done. – JoL Nov 29 '18 at 21:40
  • 1
    @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial. – JoL Nov 29 '18 at 21:43
  • CEH is kind of a joke among infosec professionals. If it's recommended by your CEH instructor, that's just a reason to be skeptical. Either way, any half-decent keylogger will not be fooled by this. – forest Nov 30 '18 at 07:22
  • You could combine this with booting from an ubuntu live stick (I used to carry one in my jacket pocket, maybe i should get back into the habit). Then you only have to worry about hardware keyloggers and those are fooled by this well enough, especially if you also obscure the length of the password by copy pasting around a bit after you are done. Or am I missing some angle of attack here? (Not an infosec professional). Edit: For the remaining angles of attack, see daviewales answer below. – Sumyrda - remember Monica Nov 30 '18 at 10:32
  • This would protect against keyloggers only. If I was the one owning the computer I would install JS extensions in every browsers that would record and extract all form fields including password. Easy and effective. – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Nov 30 '18 at 13:09
  • I think keypass has an option to do something like this - to be used when the standard method of inputting the password doesn't work properly. – Baldrickk Dec 03 '18 at 17:08
5

There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.

Dessa Simpson
  • 295
  • 3
  • 14
  • This may be limited to their own server where they can set up the security as they want. But how this can be used when logging into website of Company X if they still support only authentication using plain user name and password? – miroxlav Dec 04 '18 at 02:29
  • @miroxlav It can't. But as I said, at least one major company supports it. – Dessa Simpson Dec 04 '18 at 02:34
4

The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.

If you have probable cause or general paranoia then do not perform unsafe actions.

Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.

What is the threat model anyways?

  • Do you not trust the person?
  • Do you not trust the computer?
  • Are you trying to prevent their access from the particular website which you are logging in to?
  • Are you trying to prevent the discovery of your password because you reuse it for a hundred other services such as personal banking?
  • Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future?
  • Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.
MonkeyZeus
  • 507
  • 3
  • 10
4

If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.

There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.

Mitigation of Hardware based vulnerabilities

  • Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.
  • Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.
  • Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.
  • Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.
  • Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.

Software methods of decreasing the risk

  • Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.
  • Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.

The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.

Will Dereham
  • 141
  • 3
2

You don't specify whether you need to login via someone's computer because you:

  1. Need their OS/software, e.g. you are setting up / fixing someone's computer and you need to fetch some data from your private server.
  2. Need their hardware (e.g. you are allowed network access based on their MAC address or other factors that exist only on the machine you want to use.
  3. Need their network (e.g. you need to be inside their LAN, but with your own device)
  4. Don't need their network or device at all, it is just convenient for you to use their computer.

The optimal way of addressing these concerns is, in the reverse order:

Case 4. Bring your laptop/phone/tablet and use 3G/4G connection to access the internet. Done.

Case 3. Bring your laptop, properly secure it (antivirus, firewall, etc), plug it into their network. Done.

Case 2. Inspect their hardware for any hardware loggers, boot your own OS (some kind of live distribution). If you missed the hardware logger, you have the problem.

Case 1. Also helps with Case 2.

  • a) Require Administrator/root access.

  • b) Enable firewall, set it to paranoidly strict mode, allow only connections to your target server.

  • c) Change your access password via your 3G/4G phone to something temporary,

  • d) Access the server, use 2FA

  • e) delete the traces (cookies, any temporary files that could hide credentials, unique IDs,tc)

  • f) Change password back via your 3G/4G phone

  • g) Set the firewall back to normal.

Now firewall may be compromised as well by a rootkit, so for more paranoid, or in case you don't get Admin/root access:

  • a) Build your custom router using Raspberry Pi or similar device, add additional ethernet port using Ethernet2USB adapter. (of course, really security conscious pro would have Linux on their laptop anyway, so just add Ethernet2USB port and proceed without Raspberry.

  • b) Plug their computer into your Raspberry, get the MAC address, clone it to the other (outbound) side.

  • c) Set up strict routing and firewall on the Linux, allow only access to your server, and route one NIC to another.

  • d) Set up MITM sniffing and install your certificate to your server on their machine. Your certificate is MITM certificate, the fake one you generated!

  • e) Proceed as in previously described in 1c) and on.

  • f) Log any bloody byte that traverses your mini router so you can confront them if they try something nasty.

The reasoning behind this suggestion is that the host computer probably does not have the full suite of tools to attack your account. Keylogger will log the keys to your temporary password, but will be unable to forward the data to the bad guy sitting in the other room. If it does and tries to hack your server, you will have any hack attempt logged in plaintext, any you can either confront them or undo the damage (they changed the plaintext, but you have logged the change!). Note hat only your server will be available to their computer in the critical time, so either their computer tries hacking solo, or nothing will happen.

I would appreciate feedback on that route, if I perhaps missed something.

xmp125a
  • 397
  • 2
  • 4
1

In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.

Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.

Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.

R.. GitHub STOP HELPING ICE
  • 7,813
  • 1
  • 23
  • 34
0

If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.

If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.

Dmitry Grigoryev
  • 10,072
  • 1
  • 26
  • 56
-1

Although there are a number of good and awesome answers, i believe this radical "answer" is missing out:

If you are concerned about security, you probably use a password manager as well. I always generate a random and very difficult password. On other computers I probably don't have the software nor the file where my passwords are stored in (I use keepass). I do have this file stored in a cloud solution but on logging in it also requires a separate file which I only have locally on my trusted devices.

So you might understand what hassle I have to go through before I am actually logged in on the other untrusted device. Which actually prevents me from doing so in the first place.

So if I am forced to login: "I don't know my password".

CularBytes
  • 117
  • 5
-2

When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.

That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.

  • 1
    How would a sandboxed process or an encrypted home directory defeat keylogging? – forest Nov 30 '18 at 07:23
  • I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't. –  Nov 30 '18 at 07:25
  • If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help. – forest Nov 30 '18 at 07:27
  • I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc. –  Nov 30 '18 at 07:36
  • Unfortunately, sandboxing does not isolate the X11 protocol. – forest Nov 30 '18 at 07:38
  • Interestingly though encrypted home folders can have effects on ssh keys - which I only recently discovered. –  Nov 30 '18 at 07:41
  • 1
    There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks. – David Conrad Dec 01 '18 at 17:16