September 2010

Uncovering a hidden gem within Windows

There are those of us who look for the padlock icon at login pages and crank up the security on our home wireless networks, and there are those of us who understand the value of security, but believe that too much paranoia often kills the cat, or, in this case, the whole point of the underappreciated convenience of the Internet.

Full disclosure: Know the kind who paste “Ask for ID” labels on the back of their credit cards and turn off power to their entire home Internet infrastructure when they’re heading out the door? I’m one of those – just in case the slug under the headline of this blog didn’t convey that sentiment already.

So, there you are – smiling gleefully as you spot an Internet cafe at the airport during your layover; knowing that spending the few overpriced hours on the Internet there would certainly be a bargain compared to the unnecessary overpriced shopping that you would do otherwise. A few quick moments later, you’re at a terminal, and clicking away furiously. Your email, your banks, your blogs, your friends’ photo galleries…you’re in the zone.

A few hours later, you’re en route to your destination; probably feeling more than a tad proud of having used your time ‘productively’ during your layover. As you settle into the relative comfort of your ergonomically disastrous resting position; a.k.a a coach class seat; an employee at that Internet cafe you visited whistles a happy tune as he does his maintenance rounds over his domain. Remotely or locally, he retrieves the equivalent of tons of user information left there by many users, much like yourself, over the period of the day…

Bank websites, bank account logins, email passwords, URLs, your little side trips to the digital underground when you thought nobody was looking. Everything.

How, you wonder? You checked for the padlock icon ‘and everything’. “This is impossible”, isn’t it?

Well, as with most cases, the last mile defines the journey. The path taken by your passwords over the Internet was certainly secure, however, the same couldn’t be said regarding the path between your fingers flying furiously over the keyboard and the letters appearing with equal ferocity on the screen.

A “keyboard sniffer”, they call it. Sometimes hardware, sometimes software – its sole purpose is to monitor and store everything that you type in, on that keyboard. Some call it a “key logger”. Others just call it a devilish little monstrosity that should’ve never been allowed to enter the civilian domain.

Alright, so, how does one beat it? Telekinesis with a computer so that one doesn’t have to use the keyboard? Like, c’mon! One HAS to use the keyboard, right? Right?!

Wrong. Here’s what you do instead:

  1. Click Start > Programs > Accessories > Accessibility
  2. Find and click on ‘On-screen keyboard’
  3. After the application starts up, bring up the window that needs the password
  4. Navigate over to the actual password-entry area and click in it
  5. Ensure that the little mouse thing (it’s called a “cursor”, but who really cares?) is blinking in the password-entry area
  6. Navigate over to the On-screen Keyboard utility
  7. Move the application window (by clicking and holding the mouse button down in the title bar) to any other position on the screen
  8. Use the mouse to type out your password
  9. Navigate back to the window that needs the password and click ‘Enter’ or ‘Proceed’ or whatever it needs you to click to proceed
  10. Close the on-screen keyboard. You don’t want to advertise your 133t skills, do you?

That’s all. You just keyed in a password without using a keyboard. That keyboard sniffer got nothing, and your secrets are safe – at least from Mr. Nosy Parker in that Internet cafe.

So…what was that about step #7 – about “moving the window to any other position on the screen”? Why bother with that at all?

Elementary, my dear Watson. Most Windows applications tend to start up in the same screen area. Meaning, when started, they tend to pop up in the exact same spot as when they were last run, and/or have a default ’starting location’ on the screen. Now, if I were Nosy Parker’s mad genius cousin Vinny Parker, I would write some software that would look for applications started within a certain area of the screen and record the goings-on within it.

Ergo, by moving the application to any non-default area of the screen, you make Vinny’s job a lot more challenging. Dig?

Or you could just skip step #7 altogether. Doing the rest is probably “good enough”. I’m tempted to run that line about 64 KB here, but you get it, don’t ya?

What’s to say that the Internet cafe computer’s gonna have this “On-screen keyboard”, you ask?

Well, it’s a standard install in most flavors of Windows after Windows 2000. Windows has always been good about the “Accessibility Options” in the OS, and this is where it pays off for them. The size of the application alone is under 225 KB, which is probably smaller than the average digital photo today; and it doesn’t hog memory or anything of the sort. It’s just a simple, underappreciated, unadvertised application that can do a whole lot, from a security perspective, for those of us who value security but don’t want to spend too much time and effort on it.

If that sounds like the mind in the mirror, now you know what to do the next time you’re using a public computer and entering a password.

If you’re looking for deets regarding this “On-screen keyboard”, here they are:

Filename: osk.exe

Commonly found in: \Windows\system32

File size: 211 KB

Standalone execution: Yes (Meaning, you could carry this application around by itself on your USB drive. But then you’re trusting the public computer in question to have an available USB port and to allow the insertion of your USB drive. With Internet worms and the sort, that assumption’s getting a lot of flak.)

Apple / Mac-compatibility: Don’t know, don’t care.

Why?: That’s another post.

What does it look like?: Oh, alright. Here you go…

[Image: On-screen keyboard]

For more geekspeak about its innards, head on over to the Microsoft page ’bout it.
