Re: Most common keystroke loggers?

[foofus () foofus net]

On Thu, Dec 01, 2005 at 12:57:16PM -0500, Valdis.Kletnieks () vt edu wrote:
> Forget it.  You can't do it without going to two-factor authentication,
> *and* make sure that the second factor is *not* subvertible by the
> compromised system (for instance, even a SecureID won't totally work,
> because the keystroke logger can snarf what the user entered, use that
> to formulate a bogus request, and then issue the user's actual request,
> which should get rejected as a replay attack).  

But note that this is not an *authentication* problem: SecurID did
offer reliable evidence that the user in question was indeed present
at the computer in question at the time of the request.

If the challenge is just to provide safe authentication, this plan
works: the user is authentic.  It's the content of the request that's
bogus, which is a subtly different issue.

> Using crypto all the
> way from the web server to a smart-card (so all the compromised system
> can see is encrypted data it can't get the key for) can help yere.

You sure?  :)

--Foofus.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/