Full Disclosure mailing list archives
Re: Most common keystroke loggers?
From: foofus () foofus net
Date: Thu, 1 Dec 2005 12:04:57 -0600
On Thu, Dec 01, 2005 at 12:57:16PM -0500, Valdis.Kletnieks () vt edu wrote:
> Forget it. You can't do it without going to two-factor authentication, *and* make sure that the second factor is *not* subvertible by the compromised system (for instance, even a SecurID won't totally work, because the keystroke logger can snarf what the user entered, use that to formulate a bogus request, and then issue the user's actual request, which should get rejected as a replay attack).
But note that this is not an *authentication* problem: SecurID did offer reliable evidence that the user in question was indeed present at the computer in question at the time of the request. If the challenge is just to provide safe authentication, this plan works: the user is authentic. It's the content of the request that's bogus, which is a subtly different issue.
> Using crypto all the way from the web server to a smart-card (so all the compromised system can see is encrypted data it can't get the key for) can help here.
You sure? :)
--Foofus.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
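The difference between authenticating the user and authenticating the request, as an added sketch that is not part of the original post: a one-time code that depends only on a key and a counter is accepted for whatever request arrives with it, while a code computed over the request content is not. The key handling, counters and request strings are constructed, and the model assumes the token is shown the request the user actually intended.

```python
import hashlib
import hmac
import secrets

# Constructed model: KEY exists only in the token and on the server, never on the host.
KEY = secrets.token_bytes(32)

def token_code(counter: int) -> str:
    """One-time code: depends on key and counter only, not on any request."""
    msg = b"otp|" + counter.to_bytes(8, "big")
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:8]

def token_sign(counter: int, request: str) -> str:
    """Request-bound code: the token MACs the request it was asked to approve."""
    msg = b"txn|" + counter.to_bytes(8, "big") + b"|" + request.encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16]

class Server:
    def __init__(self):
        self.used = set()  # counters already consumed (replay rejection)

    def _fresh(self, counter: int) -> bool:
        if counter in self.used:
            return False
        self.used.add(counter)
        return True

    def accept_otp(self, counter: int, code: str, request: str) -> bool:
        # Proves the token holder is present; `request` is never tied to the code.
        return hmac.compare_digest(code, token_code(counter)) and self._fresh(counter)

    def accept_signed(self, counter: int, tag: str, request: str) -> bool:
        return hmac.compare_digest(tag, token_sign(counter, request)) and self._fresh(counter)

def demo() -> dict:
    intended = "pay 50 to alice"
    altered = "pay 5000 to mallory"  # what a compromised host submits instead
    server = Server()
    results = {}
    # Code captured on the host is submitted first with different content.
    results["otp_altered"] = server.accept_otp(1, token_code(1), altered)
    # The user's own request then arrives with the same code: rejected as a replay.
    results["otp_replay"] = server.accept_otp(1, token_code(1), intended)
    tag = token_sign(2, intended)
    results["signed_altered"] = server.accept_signed(2, tag, altered)
    results["signed_intended"] = server.accept_signed(2, tag, intended)
    return results

if __name__ == "__main__":
    print(demo())
```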