RE: [inbox] Re: Most common keystroke loggers?

["Exibar" <exibar () thelair com>]

nah, screen grabber and keylogger installed on system, compromised password.

  Biometrics, SecurID, one time password, usb key fob, actual physical key, something that is not on the system is what 
would be needed to be secure... perhaps not totally secure, but pretty damn secure.... using more than just one of the 
above too....  a physical key/credit card, USB key, and SecurID used together would be pretty secure...  throw in a 
finger print reader too, why not...  hell, DNA scanner like in Gataca too....

 Mike B  

> -----Original Message-----
> From: Kyle Lutze [mailto:kyle () randomvoids com]
> Sent: Thursday, December 01, 2005 7:35 PM
> To: full-disclosure () lists grok org uk
> Subject: [inbox] Re: [Full-disclosure] Most common keystroke loggers?
>
>
> Blue Boar wrote:
> > Shannon Johnston wrote:
> >
> > > Hi All,
> > > I'm looking for input on what you all believe the most common keystroke
> > > loggers are. I've been challenged to write an authentication 
> method (for
> > > a web site) that can be secure while using a compromised system.
> >
> >
> > I don't think that's possible for all compromise situations, given 
> > today's desktop OS software.  It might be possible with a 
> Palladium-like 
> > system (and you trust that the secure side isn't compromised) and/or a 
> > hardware assist that doesn't trust the host OS (think small 
> USB-attached 
> > computer on a stick.)
> >
> > However, given your query, if you simply want to play the known-threats 
> > game, you can just require that the Client have up-to-date AV and 
> > antispyware software, and scans clean.  That's a little orthogonal to 
> > the issue of trying to be secure in the face of a keylogger installed, 
> > but probably a better thing to shoot for.
> >
> > If, for some reason, you only care about the case where a 
> "keylogger" is 
> > installed, then you can go with some scheme like making the user pick 
> > numbers of a randomly-scrambled keypad on the screen, with the mouse.
> >
> > Note, however, that "keyloggers" that grab some portion of the screen 
> > surrounding the mouse pointer every time you click have already been 
> > observed in the wild.  They are designed to specifically defeat this 
> > kind of mechanism.
> Actually, I think there's a relatively easy solution, make it so every 
> single time they want to login, have a different set of characters line 
> up to their password.
> That didn't make much sense, here's a good example
>
> say somebody's password is foobar, on screen there would be a page that 
> shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. 
> so instead of typing foobar the password they would type in for that 
> session would be hnnzck.
>
> The next time the screen came up, it would be a=n, b=l, etc. and the 
> password they would enter would be something else. Then, if the computer 
> had a keylogger, not too much anybody could do with that info.
>
> Kyle
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/