1

I'm interested in finding out what is the best method to enter sensitive information somewhere given an insecure computer.

Granted, I know that if the computer has a keylogger or some other malware that captures input, there are much more important things that I should worry about (for example what I am searching up on google, don't want those pesky hackers to know that I'm looking up cute dog photos).

But what if I am logging in on a school computer that has something like LanSchool so that instructors may monitor our computer activity? What if I am visiting an Internet/cyber café?

I have heard that on-screen keyboards (such as the one given by lastpass) will bypass keyloggers. But I'm paranoid, an attacker might use my cursor position every time I click to deduce what key I press.

Given that I have a keylogger, what are effective ways I can use to input sensitive information on say, a web form or a client app?

(Note: please avoid answering "do not use that computer" because I already know that if I want to avoid compromising my information, I should not use a compromised computer)

Improve this question
3
  • 2
    drag and drop letters from the webpage into a form input to avoid kb-like activity. might make sense to inject an alphabet into the page using right-click>inspect>(right-click highlighted tag in left pane)>Edit as html.
    – dandavis
    Commented Jan 30, 2017 at 6:02
  • 2
    bootable linux on a thumb drive
    – CaffeineAddiction
    Commented Jan 30, 2017 at 6:51
  • 1
    @dandavis Seems a bit tedious and I have a 31 char password. Excellent idea though!
    – user115449
    Commented Jan 30, 2017 at 15:37

1 Answer 1

Reset to default
3

To simply put, there isn't any "one true secure method".

Why, you might ask? Because computing has always been about trust, whether implicit or explicit.

Regardless if it was the 1960's or today, you trust the machine in question to act like you expect. This can prove quite an issue, because potentially, you could be dealing with a software or hardware based keylogger, to a whole virtualized OS, which would have access to all the memory contents at any give time.

There's no way a user could traverse a massive list every time they sat down at a computer. Somethings are simply impossible, such as verifying firmware on one of the many chips placed into the computing device.

The key part to understand is how much trust do I require? For some corporations and government agencies, this could be down to the firmware level, and expense isn't an issue. To a home user this could be software based keyloggers, and malware. To a researcher, it could prove to be "none" as they only expect to see a correct output from a simulation.

The sophistication of the attack vector(s) in question are important, which is good to see you mentioned a school environment.

It's common to see "monitoring tools" in school computer labs for whatever reason the IT staff, librarian, principal, and/or school board sees fit. You can search the internet for common software, but most do include a software keylogger, hooks to the Windows API to retrieve all gui window titles, and take periodic screenshots.

An on-screen keyboard is sufficient to guard against a spying librarian, as I remember back from my high school days. I even remember writing a program in Autoit to change the title of all active windows I had open to fool the monitoring software (that was from my mischievous days). The software my school used is linked below.

A software keylogger and typical "off the shelf" monitoring software isn't going to log where you click on a screen, it's too much effort. Keepass with it's entry obfuscation can even deter spying users that deploy software keyloggers.

Web Links:

http://keepass.info/

http://www.netsupportschool.com/

Improve this answer
2
  • Since keepass is a local password manager (if I read correctly, heh), how would I get access to the stored password without putting the master password or the USB that contains it at risk?
    – user115449
    Commented Jan 30, 2017 at 15:40
  • @xTrollxDudex Someone would have to employ a targeted attack to copy your password database. Propose that they did have the password you used to decrypt the keepass database. The only way they can have the actual passwords is if they had the database as well. School monitoring software doesn't include copying files remotely. Simply changing the password every use would prove to be even more secure.
    – dark_st3alth
    Commented Jan 31, 2017 at 0:39

You must log in to answer this question.