Full Disclosure mailing list archives

Re: Most common keystroke loggers?

From: Kyle Lutze <kyle () randomvoids com>
Date: Thu, 01 Dec 2005 16:34:49 -0800

Blue Boar wrote:

Shannon Johnston wrote:
Hi All,
I'm looking for input on what you all believe the most common keystroke
loggers are. I've been challenged to write an authentication method (for
a web site) that can be secure while using a compromised system.
I don't think that's possible for all compromise situations, giventoday's desktop OS software. It might be possible with a Palladium-likesystem (and you trust that the secure side isn't compromised) and/or ahardware assist that doesn't trust the host OS (think small USB-attachedcomputer on a stick.)
However, given your query, if you simply want to play the known-threatsgame, you can just require that the Client have up-to-date AV andantispyware software, and scans clean. That's a little orthogonal tothe issue of trying to be secure in the face of a keylogger installed,but probably a better thing to shoot for.
If, for some reason, you only care about the case where a "keylogger" isinstalled, then you can go with some scheme like making the user picknumbers of a randomly-scrambled keypad on the screen, with the mouse.
Note, however, that "keyloggers" that grab some portion of the screensurrounding the mouse pointer every time you click have already beenobserved in the wild. They are designed to specifically defeat thiskind of mechanism.

Actually, I think there's a relatively easy solution, make it so everysingle time they want to login, have a different set of characters lineup to their password.

That didn't make much sense, here's a good example

say somebody's password is foobar, on screen there would be a page thatshows the new alignment of characters,such as saying a=c, d=3, b=z, etc.so instead of typing foobar the password they would type in for thatsession would be hnnzck.

The next time the screen came up, it would be a=n, b=l, etc. and thepassword they would enter would be something else. Then, if the computerhad a keylogger, not too much anybody could do with that info.


Kyle

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

RE: Most common keystroke loggers?, (continued)
- - - RE: Most common keystroke loggers? Lyal Collins (Dec 01)
    - Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
  - Re: Most common keystroke loggers? Lionel Ferette (Dec 01)
    - Re: Most common keystroke loggers? Nick FitzGerald (Dec 02)
- Re: Most common keystroke loggers? Blue Boar (Dec 01)
  - Re: Most common keystroke loggers? Dave Korn (Dec 01)
    - Re: Re: Most common keystroke loggers? Thierry Zoller (Dec 01)
    - Re: Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
    - RE: Re: Most common keystroke loggers? Aditya Deshmukh (Dec 01)
  - RE: Most common keystroke loggers? Debasis Mohanty (Dec 01)
  - Re: Most common keystroke loggers? Kyle Lutze (Dec 01)
    - Re: Most common keystroke loggers? Blue Boar (Dec 01)
    - Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
    - Re: Most common keystroke loggers? mz4ph0d (Dec 01)
    - Re: Most common keystroke loggers? mz4ph0d (Dec 01)
    - RE: [inbox] Re: Most common keystroke loggers? Exibar (Dec 01)
- Re: Most common keystroke loggers? David Harker (Dec 01)
  - Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
- Re: Most common keystroke loggers? Gustavo (Dec 01)
  - Re: Most common keystroke loggers? Michael Holstein (Dec 01)
  - Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)

(Thread continues...)