Here's the only safe way to use public PCs

Summary: As the Secret Service says, business center PCs can be dangerous. The only safe way to use such devices is not to use the installed OS.


PCs in business centers probably aren't a first computing option for most business travelers. You might use them if you want to print or if your laptop computer is not available for some reason.

Unfortunately, these computers are often cesspools of criminal spyware, as the Secret Service just warned. The warning and an article about it by Brian Krebs provide some good explanation of the problem, but I believe they don't go far enough in telling you when to avoid such computers and how they might be used safely.

Accessing your personal or business resources on a public PC is the technological equivalent of sharing needles with strangers. Unless you really know what you're doing, they simply can't be trusted.

The main problem, it needs to be said, is not the hardware but the software. Some suggest locking down the PC and the user account guests may use. These are good ideas, but they don't go far enough for me. I can imagine many ways to compromise such a PC, perhaps even to get past resetting it to a default configuration.

The only safe way is to bypass the software installed on the PC by booting off a CD or USB key with an operating system image you control and trust. Obviously the computer needs to be configured to allow you to boot off the removable media.

There are many Linux Live distributions, but of course that's not a practical solution for most of us. The mass-market solution is called Windows To Go, a Windows boot image on a USB drive, usually a hardware-encrypted thumb drive, but there is at least one USB hard disk configuration available. Because Windows boots off the flash drive, the system's hard drive and any malicious software on it are out of the picture. Windows To Go is a feature of Windows volume licenses. Each seat includes a license for a Windows To Go installation; in other words, you're already paying for it.

Windows To Go is only practical in an organization with a sophisticated IT department and a well-managed network, but if the organization can support it, it is an impressively secure solution. When connected through a USB 3 port, the performance is excellent, on-par with the local hard drive, and it's good enough through USB 2. Since it is a managed user image, all communications can be encrypted from the PC all the way to the enterprise network.

Some argue that Windows To Go is practical as a company's complete remote access solution. There's a case to make for this, not least because it saves a lot of money on laptop computers, and especially if the user is happy doing most of their work on a phone or tablet. But Windows To Go is indisputably an excellent backup remote access solution for business travelers. If something goes wrong with their primary mechanism they can always find some other Internet-connected PC, such as in a hotel business center, and boot off Windows To Go.

Why don't you see a lot of Windows To Go now? I suspect the main reason is that it is Windows 8 only, and enterprises haven't been anxious to deploy Windows 8. After Microsoft cleans up that particular mess, expect a lot more Windows To Go in the real world.

[Image: A USB hardware keylogger from Amazon.com]

But even if you run an operating system booted off removable media, there are still ways to monitor the system using hardware. Nearby is an image of a hardware keylogger of a type which is cheap and readily available. It plugs inline between the keyboard and the computer. Especially when the system unit is concealed under a desk, these devices are very easy to miss.

In fairness to hotels, the cleaning crew in your office building could easily be bribed and trained to install such devices and remove them a week later. So you really should look at the ports on any system you use every now and then, but particularly on public PCs.

There are other types of hardware monitoring, but they tend to require more of an NSA-level of resources and sophistication.

If I didn't have a bootable USB key with me I wouldn't use a public PC such as that in a hotel business center unless it was an emergency, and even then I'd give the system a visual inspection. Be very careful.

Disclosure: I've written a paper on Windows To Go for Imation.


Talkback

28 comments
  • BIOS access

    The ability to boot a business center computer from a USB stick (or even a CD for that matter) will depend on how hard they have the BIOS and boot order menu locked down. I wouldn't expect such access on a kiosk PC.

    The only real solution is to bring your own device...and be careful when you are on their network. If you pass credentials on that network, you must be sure that you have some form of transport layer security in place. You must assume that your traffic is being sniffed.

    While BYOD may have been more of a challenge 10 years ago, most of us now travel with at least a smartphone...if not also a tablet and/or laptop. Many smartphones can also serve as a secure wifi hotspot, keeping you off of their network entirely.

    In the rare event that I use such a PC, it is often just to perform a Google search for a local attraction...but even then, I am much more likely to use my phone than touch what is typically an absolutely filthy keyboard and mouse. ;)
    UsernameAlreadyTaken
    • The catch there

      The catch there is if the BIOS is open, it may be infected.
      Buster Friendly
    • BINGO

      I always carry an Ubuntu Mint thumb drive to boot and use on cafe, bar and train wi-fi - very fast even on USB 2 - no real threat since hackers don't bother with it, you have better odds of being attacked by a Great White Shark. But can't imagine many hotel business facilities or internet cafes would let anybody boot from a thumb drive.
      I2k4
      • And physical keyloggers?

        Would they represent a threat? Perhaps, not, if you use a virtual keyboard with an element of randomness for authentication. Or, alternatively, a password manager.
        Rabid Howler Monkey
  • BIOS access

    The ability to boot a business center computer from a USB stick (or even a CD for that matter) will depend on how hard they have the BIOS and boot order menu locked down. I wouldn't expect such access on a kiosk PC.

    The only real solution is to bring your own device...and be careful when you are on their network. If you pass credentials on that network, you must be sure that you have some form of transport layer security in place. You must assume that your traffic is being sniffed.

    While BYOD may have been more of a challenge 10 years ago, most of us now travel with at least a smartphone...if not also a tablet and/or laptop. Many smartphones can also serve as a secure wifi hotspot, keeping you off of their network entirely.

    In the rare event that I use such a PC, it is often just to perform a Google search for a local attraction...but even then, I am much more likely to use my phone than touch what is typically an absolutely filthy keyboard and mouse. ;)
    UsernameAlreadyTaken
    • Double post - please delete

      Apparently, when you attempt to submit a post and ZDNet responds with an error message and keeps you on their "edit post" view, that may not mean that they did not accept your post.

      When AJAX goes wild.
      UsernameAlreadyTaken
      • Can't Post From Chrome

        It freezes on Loading, for the last while. I get so sick of trouble shooting sometimes.
        I've resorted to using Pale Moon, an excellent FF replacement. As Avant can be for IE.
        So if a double post comes from me, it's that I've just finally abandoned the 1st attempts thro' Chrome.
        PreachJohn
  • Best option:

    Don't use shared Internet access. Period.

    A hotel or business center could just as easily install a network packet filter that tracks where you go on unencrypted websites, and those types of websites can easily be used as a basis for identity theft.

    If you're a business traveller and you rely on wireless access out in the open, you should at least monitor your credit rating on a regular basis.
    Joe_Raby
    • VPN

      Properly configured, a VPN does take care of that problem.
      larry@...
      • Not really

        Unless you are a corporate user that uses your corporate network for Internet access inside of the VPN, your DNS queries are still going through the local ISP. And if you don't run your VPN yourself, you don't have a clue what the service is doing with your packets on their system.
        Joe_Raby
        • "your DNS queries are still going through the local ISP"

          that's not how a _properly configured_ VPN works. corporate or not

          also, you don't have a clue what any service provider is doing with your packets, including your ISP or employer. in light of which, the only safe way is do not use internet. period.
          vpupkin
    • For That Matter

      A packet capture device can be installed ANYWHERE on the Internet. If you have a PC, do a traceroute command on your destination and see all of the "hops" between you and any website. If you are dealing with private stuff, like for business, you really should be using VPN as Larry suggests. It encrypts the whole tunnel. A lot more sites, even Yahoo, are using https instead of http so you are a lot safer.
      hforman@...
      • https is only helpful if ...

        While it is true that https is helpful, it's only a small step in protecting you. If the site stores session data in cookies, and there's no 'secure' flag set on those cookies while you're communicating with the site, you might as well be accessing the site over http. Anyone on the same WiFi network will be able to easily impersonate you on the same https page.

        Secondary to this is the use of HSTS. If there's no HSTS in place, you're still susceptible to MiTM all day long. Education, training, and awareness are what people need most.
        Yamon
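The two checks Yamon describes (the Secure flag on session cookies and an HSTS header) can be verified from a site's response headers. The script below is an added example, not code from the article or any commenter; the two HTTP responses it inspects are constructed samples, and the HSTS max-age threshold is an assumed value for the example.

```python
"""Audit a captured HTTPS response for Secure session cookies and HSTS.
Added example; the responses below are constructed, not captured."""
import re

# Constructed sample: session cookie without Secure, no HSTS header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)

# Constructed sample: the same response with both protections present.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Minimum HSTS lifetime accepted by this audit (assumed: one year in seconds).
MIN_HSTS_MAX_AGE = 31536000

def parse_headers(raw):
    """Return (lowercased name, value) pairs from raw HTTP response text."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return a list of problems; an empty list means both checks pass."""
    headers = parse_headers(raw)
    problems = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:       # cookie would also go out over http
                problems.append(f"cookie {cookie} lacks Secure flag")
            if "httponly" not in attrs:     # cookie readable by page scripts
                problems.append(f"cookie {cookie} lacks HttpOnly flag")
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        problems.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            problems.append("HSTS max-age is missing or too short")
    return problems
```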
  • 2-Factor mitigates some of the risks

    Your active transaction is visible to the exploit, but your credentials are (absent some fairly extreme m-i-t-m actions) protected from being reused to initiate future sessions.
    djmiller@...
  • You can roll your own portable OS

    Some years back, I experimented with different ways to carry a full OS with apps on a USB. There was one method I fiddled with that's essentially a more universal version of Windows To Go: install a live version of a light Linux version to a USB drive; create a persistent casper-rw file that mounts like a drive; and then install the Linux version of VirtualBox. At this point, you'll have a USB that boots into Linux and allows you to mount a VM. My most usable result used Bodhi Linux for the boot host and an nLited version of XP. At the time, casper-rw partitions were limited to 4 GB, requiring a very efficiently configured XP VM, but the end result worked rather well.

    But that was years ago, and required lots of trial and error. A quick looksee on Pendrivelinux.com, though, shows that this sort of thing has apparently become a bit easier. And it looks as though you can resize the casper-rw partition to larger than 4 GB now.
    JustCallMeBC
  • Then Again, Larry

    Some people just don't care. If it is convenient they do it. Especially if it is NOT their own personal data at stake.
    hforman@...
  • If ZDNet Were Really Concerned About Protecting Our Security...

    They wouldn't have the box to save my information checked by default when I log in
    MichP
  • You can lock it down

    It's easy to lock down a Windows PC as that's a key element of enterprise deployments. The problem is you don't really know who is maintaining them if they know what they're doing. It might be some guy that decided to startup a service business and just drops in some consumer PC they bought at Best Buy with active front ports and no BIOS password.
    Buster Friendly
  • Live Linux "not a practical solution"??????

    Why are Live Linux Distros "not a practical solution"? If Windows To Go is a full Windows 8 environment (as stated on Microsoft's website), won't a hidden device that auto installs software, cause the same security concerns on the Windows To Go device? Wouldn't a Linux Distro be more secure as there would be less of a chance that such a hidden device distribute Windows only software?
    CPPCrispy
    • Edit button is needed.

      "Wouldn't a Linux Distro be more secure as there would be less of a chance that such a hidden device distribute Windows only software?"

      Should Say:

      Wouldn't a Linux Distro be more secure as there would be less of a chance that such a hidden device distribute software for both Windows and Linux?
      CPPCrispy