PaulDotCom mailing list archives
Re: Defeating Keystroke Loggers
From: "Chesmore, Michael [DAS]" <Michael.Chesmore () iowa gov>
Date: Thu, 20 Dec 2012 10:59:55 -0600
A.Nixon hits the nail on the head here. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore If a bad guy can alter the operating system on your computer, it's not your computer anymore I wonder if the better question might be what are we protecting and how much does it need protected? How much do I care if a user's password is logged if their system cannot get anywhere except to the specifically segregated place I allow them to go? The answer of course is it depends. A sys admin pw who's PC we have ACL'd to allow into multiple networks might require extreme authentication measures. While a call center worker who deals with public data and whose PC can only make a connection to one IP, inside a specific security zone, and is restricted at layer 2/3 so that they cannot ever traverse anywhere else on the network, I am a lot less concerned with. There are ways to mitigate risk of password theft via keystroke loggers. Two factor auth with one time passwords, using randomized picture based password technology and others I am not smart enough to conceptualize yet, but at the end of the day if I have enough time and resources you will never stop me. For example action that you as a user take creates something that authorizes and authenticates you as who you say you are. Compromise that process and your 22 random digit password with biometric verification is worthless. Yea, attacks lower in the stack are harder but if you can intercept or fool the operation that says "yep, smith is smith" have all the PW complexity you want I still own you. This reminds me of a quote from Adrew Jaquith's book Security Metrics. "Trust is good, Control is better". Thanks Mike From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of allison nixon Sent: Thursday, December 20, 2012 12:03 AM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Defeating Keystroke Loggers If a bad guy can persuade you to run his program on your computer, it's not your computer anymore If a bad guy can alter the operating system on your computer, it's not your computer anymore I think you are making a lot of assumptions about malware here that you can't reasonably make -a On Tue, Dec 18, 2012 at 11:48 PM, Robert Cazares <robertcazares () gmail com<mailto:robertcazares () gmail com>> wrote: Defeating Keystroke Loggers I've had some thoughts about defeating keystroke loggers in potentially hostile environments where one may not have a choice if one wants to access password protected accounts. For example any web based email account. Google, Yahoo Mail, etc. Keystroke Loggers - Hardware In my opinion, finding one and removing one is pretty much a no-brainer, on a desktop system that is. Provided of course that you're looking for one. I will admit, that I've never had an opportunity to see one other than in pictures. How about laptops? Considering that any laptop I would carry, in order to carry out a hardware placement would be ridiculously obvious, unless one were to be inserted in an unused PCMCIA slot when I wasn't paying attention. <rhetoric>I know! Who has PCMCIA slots on newer systems anymore. </rhetoric> - Software Laptop or Desktop. The user must somehow be coerced into installing software. Or the system must be logged into somehow to have the software installed. Or perhaps a web drive-by drops malicious software on the system. And even then, something has to be installed VIA an account on the system. Right? OK, regardless of hardware or software types, my question is how to work-around on a compromised system. Going on the premise that I'm on a compromised system, or that my own system is compromised, and I just have no other choice, the immediate manner of dropping my credentials into a Web Browser UI would be to copy and paste. I use PasswordSafe and run it from a thumbdrive. passwordsafe.sourceforge.net/<http://passwordsafe.sourceforge.net/> Considering the fact that there is a logger on the system, my thought about an the ideal method of launching PasswordSafe would be to not have a master password to open, which would not reveal the launching of a password container type application. I can, later on, on a known safe system, re-enable a master password. Kinda sketchy to even have an open password safe type application. The idea is to copy and paste both user name and password into the credential fields. Anyway, this is mostly just food for thought. It's been on my mind for quite some time I got tired of waiting for the right time to post/ask this. :^) You folks always come up with good ideas and then other ideas for things like this. Robert Cazares (206) 650-0478<tel:%28206%29%20650-0478> (mobile) CEH / CSFA / ACE / ASMP Digital Forensic / InfoSec Analyst http://www.linkedin.com/in/robertcazares _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com<mailto:Pauldotcom () mail pauldotcom com> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- _________________________________ Note to self: Pillage BEFORE burning.
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Defeating Keystroke Loggers Robert Cazares (Dec 19)
- Re: Defeating Keystroke Loggers allison nixon (Dec 20)
- Re: Defeating Keystroke Loggers Chesmore, Michael [DAS] (Dec 20)
- Re: Defeating Keystroke Loggers gold flake (Dec 21)
- Re: Defeating Keystroke Loggers Sandro Gauci (Dec 21)
- Re: Defeating Keystroke Loggers Robin Wood (Dec 21)
- Re: Defeating Keystroke Loggers Chesmore, Michael [DAS] (Dec 20)
- Re: Defeating Keystroke Loggers allison nixon (Dec 20)
- Re: Defeating Keystroke Loggers Robin Wood (Dec 20)