PaulDotCom mailing list archives

Re: Defeating Keystroke Loggers


From: "Chesmore, Michael [DAS]" <Michael.Chesmore () iowa gov>
Date: Thu, 20 Dec 2012 10:59:55 -0600

A.Nixon hits the nail on the head here.

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
If a bad guy can alter the operating system on your computer, it's not your computer anymore

I wonder if the better question might be what are we protecting and how much does it need protected?  How much do I 
care if a user's password is logged if their system cannot get anywhere except to the specifically segregated place I 
allow them to go?  The answer of course is it depends.  A sys admin pw whose PC we have ACL'd to allow into multiple 
networks might require extreme authentication measures.  While a call center worker who deals with public data and 
whose PC can only make a connection to one IP, inside a specific security zone, and is restricted at layer 2/3 so that 
they cannot ever traverse anywhere else on the network, I am a lot less concerned with.

There are ways to mitigate risk of password theft via keystroke loggers. Two factor auth with one time passwords,  
using randomized picture based password technology and others I am not smart enough to conceptualize yet, but at the 
end of the day if I have enough time and  resources you will never stop me. For example action that you as a user take 
creates something that authorizes and authenticates you as who you say you are. Compromise that process and your 22 
random digit password with biometric verification is worthless.  Yeah, attacks lower in the stack are harder but if you 
can intercept or fool the operation that says "yep, smith is smith" have all the PW complexity you want I still own you.

This reminds me of a quote from Andrew Jaquith's book Security Metrics.  "Trust is good, Control is better".

Thanks
Mike

From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of allison nixon
Sent: Thursday, December 20, 2012 12:03 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Defeating Keystroke Loggers

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
If a bad guy can alter the operating system on your computer, it's not your computer anymore

I think you are making a lot of assumptions about malware here that you can't reasonably make

-a
On Tue, Dec 18, 2012 at 11:48 PM, Robert Cazares <robertcazares () gmail com> wrote:
Defeating Keystroke Loggers

I've had some thoughts about defeating keystroke loggers in
potentially hostile environments where one may not have a choice if
one wants to access password protected accounts. For example any web
based email account. Google, Yahoo Mail, etc.

Keystroke Loggers
- Hardware
In my opinion, finding one and removing one is pretty much a
no-brainer, on a desktop system that is. Provided of course that
you're looking for one. I will admit, that I've never had an
opportunity to see one other than in pictures.
How about laptops? Considering that any laptop I would carry, in order
to carry out a hardware placement would be ridiculously obvious,
unless one were to be inserted in an unused PCMCIA slot when I wasn't
paying attention.
<rhetoric>I know! Who has PCMCIA slots on newer systems anymore.
</rhetoric>

- Software
Laptop or Desktop.
The user must somehow be coerced into installing software.
Or the system must be logged into somehow to have the software installed.
Or perhaps a web drive-by drops malicious software on the system. And
even then, something has to be installed VIA an account on the system.
Right?

OK, regardless of hardware or software types, my question is how to
work-around on a compromised system.
Going on the premise that I'm on a compromised system, or that my own
system is compromised, and I just have no other choice, the immediate
manner of dropping my credentials into a Web Browser UI would be to
copy and paste.

I use PasswordSafe and run it from a thumbdrive.
http://passwordsafe.sourceforge.net/
Considering the fact that there is a logger on the system, my thought
about the ideal method of launching PasswordSafe would be to not
have a master password to open, which would not reveal the launching
of a password container type application. I can, later on, on a known
safe system, re-enable a master password. Kinda sketchy to even have
an open password safe type application.

The idea is to copy and paste both user name and password into the
credential fields.

Anyway, this is mostly just food for thought.
It's been on my mind for quite some time I got tired of waiting for
the right time to post/ask this. :^)
You folks always come up with good ideas and then other ideas for
things like this.

Robert Cazares
(206) 650-0478 (mobile)
CEH / CSFA / ACE / ASMP
Digital Forensic / InfoSec Analyst
http://www.linkedin.com/in/robertcazares
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



--
_________________________________
Note to self: Pillage BEFORE burning.