Secure Connection from Insecure Computer

I am going to be traveling out of the country to a pretty questionable area and I would like to be able to access my online banking while I am away. If I were taking my own computer, this wouldn't be an issue, but that is not an option. All I will have access to is a "Internet Cafe", presumably with Windows computers. I am assuming that I will have no ability to install any software on the computer, but I am assuming I would probably be able to run software off of a USB drive.

I know that the main options (although feel free to suggest others) are SSH Tunneling and VPNs. Unfortunately, I do not have access to configuring my home router, thus making SSH and VPNs very difficult to set up.

So far I have found teamviewer, which has a VPN component, but it is unclear whether this allows all network traffic to be routed through the connection without admin rights.

Another option would be to install firefox on the USB drive and use proxyfoxy, but again, I run into the issue of not being able to configure the home router.

TLDR: I'm looking for a VPN or SSH Tunneling application that can run from a USB drive (no setup) that does not require dyndns on the backend.

EDIT: I am aware of the keylogging issues, but in reality I would probably use a virtual keyboard. I am more interested in creating a secure connection to avoid packet sniffing and such.

viking

Posted 2011-07-28T20:28:16.930

Reputation: 524

so you are ok with keyboard / mouse sniffing but not ok with paket sniffing? :) from an insecure computer no secure connection is possible. eos. and no, a "virtual keyboard" does not help either. do you want to run a "virtual monitor" as well? maybe they take 25fps snapshots of what you see, including the "virtual keyboard". – akira – 2011-07-29T15:02:01.203

Answers

The problem I see is that you are not going to be able to install anything like VPN software on these Internet Cafe computers, and even if you did, they could have keyloggers installed, leaving you very exposed.

Frankly, I would in no way access my bank from any of them, and I would abandon your current plans.

As a note: At least with TeamViewer, you could run the Quick Support version, which does not require installation, but you still could fall prey to the keylogging aspect.

In other words, you can make the connection in the middle secure, but not both ends of the connection.

KCotreau

Posted 2011-07-28T20:28:16.930

Reputation: 24 985

I am well aware of the keylogging issues. For purposes of my question I am only interested in the secure network side of things. If it came down to it, I would not have a problem using a virtual keyboard. – viking – 2011-07-28T20:37:26.860

@viking I go back to how can you install anything that would make you secure? The computer will surely be locked down to prevent installs. And I do not see how a virtual keyboard will protect you? The computer itself could know every keystroke. It does not need to be on a physical keyboard. – KCotreau – 2011-07-28T20:39:39.083

I will accept your point about keyloggers, but I don't see how this precludes the possibility of securely accessing my bank account. What about remote accessing my home computer using teamviewer and using that computer's saved login information to access the bank. – viking – 2011-07-28T21:05:39.737

2Every bit of information you send to your home computer goes through the local, possibly insecure, computer. EVERY bit of information you use to logon, even if remotely, could easily be intercepted. How does it get from you remotely to the home computer? Through the insecure computer. You simply cannot do that securely. – KCotreau – 2011-07-28T21:27:53.253

I'm well aware that "EVERY" bit of information can be intercepted, but that doesn't mean there isn't a way to do this. If the bank login information is saved on the remote computer, how would that be intercepted by the insecure computer? As for logging into the remote computer, I don't see why a certificate couldn't be saved to the USB drive and used to authenticate. I'm looking for creative solutions, not to be told it cannot be done. – viking – 2011-07-28T21:38:03.150

1The chances are not high, but are real. Good luck. – KCotreau – 2011-07-28T21:50:00.037

1If the bank login information is saved on the remote computer, how would that be intercepted by the insecure computer? - Because the insecure OS that you enter your credentials on is the electronic equivalent of somebody looking over your shoulder and writing down which keys you press. If what you are suggesting is true, then there would be no problems with malware in the "real world", which obviously isn't the case. If you really want to do this, then I suggest 1) that you create a seperate bank account that you will only access from insecure locations, and keep a minimum amount... – Joe Internet – 2011-07-28T22:14:34.553

2...of money in it. Keep refilling this account from another method (PayPal, secure account) that you only access from a secure location that you trust. And 2) that you find a good security-focused live-cd/usb that you can boot a pc from, even in an internet cafe. I would go with a cd if possible, to prevent anything from writing to the medium. Ideally, the OS would run from RAM. This is about as secure as you'll get, and even this is not 100% foolproof. – Joe Internet – 2011-07-28T22:20:05.783

You are right that it can be done, but @KCotreau is right that's it's probably not worth the risk. If your bank has some kind of one-time-passcode authenticator, though, that's probably best. – Shinrai – 2011-07-28T22:58:27.547

@viking: Whoever has physical access (i.e. the owner), can bypass most kinds of security, given enough time and...creativity. For the "creative solutions" you propose yourself, not even that is necessary. Interception? Keyloggers. Certificates on USB? Files which can be copied. Your best options are one-time passwords (which every bank should use) and/or Joe's suggestion of bringing your own OS and using a separate account; it'll be "good enough" against passive monitoring. – user1686 – 2011-07-28T23:08:56.193

@Joe Internet Thanks, your response has been the most helpful so far. – viking – 2011-07-29T00:41:51.710

1@grawity I am well aware that physical access to the computer gives complete control. I am not as concerned about the owner or employees recording the information as much as the computer simply being poorly managed (and thus probably running malware). – viking – 2011-07-29T00:41:57.170

I'd pay the extra money and find people you can trust, like an international chain. – surfasb – 2011-07-29T03:23:24.397

Unless you use one time passwords (which are difficult to setup) or smartcard-like devices, everything you can do on that insecure computer can be recorded and replayed. E.g. they can record the user name you use to log-on to your remote machine and copy your certificate. Sometimes even by viewing the information displayed on your online banking page, they can use some social engineering-based tricks to access your account while you're away.

A better way is to bring a Linux Live CD with you and boot from that. Then connect via a secured link to a trusted computer.

If you don't control your home router, you can easily open a free server on Amazon EC2. You can either use that machine as a VPN server or use it as your trusted host directly.

billc.cn

Posted 2011-07-28T20:28:16.930

Reputation: 6 821

+1 for Linux Live CD, although they still could have a hardware keylogger. I guess that's pretty unlikely though. – houbysoft – 2011-07-29T01:44:45.790

Idea #1 - Get a new home router that does allow you to configure SSH (they are pretty cheap)

Concern about that idea -- Many internet cafe's limit the ports that can be used for outgoing connections... You might be limited to port 80 traffic only which would make ANY sort of SSH very difficult to use.

Idea #2 - Setup OpenVPN (or another VPN tool) on your home computer and use your router to forward the VPN port to that machine... Takes more configuration than using a built-in proxy service on your router, but it's free ;)

Idea #3 - Team Viewer on a USB drive is probably the easiest/best option listed so far... Use that along with KeePass and you will probably be okay. Again though depedns on how locked down the computers are, and how locked down their internet connection is.

Idea #4 - If you can't get anything else... You could just call your bank :)

As for the keylogger issue, I'd use KeePass... You can use a portable version and if you use the hotkey assignment for typing passwords instead of the copy/paste you can set an option for Two-channel auto-type obfuscation

Good luck!

Travis

Posted 2011-07-28T20:28:16.930

Reputation: 31

Regarding your comment -- "you might be limited to port 80 traffic" -- that's not really a problem for SSH; just run it on a different port. I do this often to bypass exactly this type of restriction and it works just fine. – houbysoft – 2011-07-29T01:43:44.793

This isn't that bad of an idea. – surfasb – 2011-07-29T03:24:36.297

If you are able to boot from USB or CD, the Lightweight Portable Security (LPS) Linux distribution by the US Department of Defense will provide a secure environment:

LPS-Public turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer.

LPS is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session.

A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction. For example, boot LPS immediately before performing any online banking transactions.

DistroWatch have a review here:

The idea seems to be that most publicly-used operating systems are easy to compromise and so it would be a good idea if people could use a computer without the risk of exposing their credentials and private data to malware, key loggers and such.

_{(Thanks to The Linux Action Show for mentioning this.)}

sblair

Posted 2011-07-28T20:28:16.930

Reputation: 12 231

1Now that I think about it, I don't see how this could block hardware keyloggers. But, it's partly your bank's responsibility to make this attack awkward, e.g., by only asking for certain characters from your password or pin number, or by asking for them in a random order. – sblair – 2011-07-28T22:31:12.527