Full Disclosure mailing list archives
Re: Most common keystroke loggers?
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 02 Dec 2005 12:53:22 -0600
On Fri, 2005-12-02 at 10:48 -0800, Blue Boar wrote:
> You can make the authentication step as secure as you like (and granted, that's what the thread is about, and what the OTP asked for) but don't forget that the 0wner of your machine still has the option to take over your transaction(s) post-authentication.

That's why I emphasized that the use of tokens should not only be made for initial authentication, but also for *each transaction*. Any transaction can be hashed with a one-time code generated by a token and sent as a control with the transaction parameters. Any MITM interception and modification will invalidate that hash thus voiding the transaction.

These things have been available since the mid-nineties, but are either still not applied, or improperly applied. There are a lot of cases where tokens are used for authentication, but only there, not preventing MITM attacks. (why should they, it's protected with SSL, right ;)

So, yeah, we need to stress the fact that transactions need to be secured, not just initial auth.

Cheers!
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
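The per-transaction control described in the message above, as an added sketch that is not part of the original post or any product's code. It assumes the token and the server share a secret and a counter, and that the token itself computes the control as an HMAC over the transaction parameters with a one-time key derived from that secret, rather than using a short displayed code as the key, which could be brute-forced from an observed control value. All names, account numbers and the secret are constructed.

```python
import hashlib
import hmac
import json
import struct


def one_time_key(secret: bytes, counter: int) -> bytes:
    """Per-transaction key derived inside the token from its secret and counter."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so token and server hash identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def control_value(secret: bytes, counter: int, txn: dict) -> str:
    """Control sent alongside the transaction parameters."""
    key = one_time_key(secret, counter)
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()


class Server:
    """Holds the same secret and counter as the user's token."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def verify(self, txn: dict, control: str) -> bool:
        expected = control_value(self.secret, self.counter, txn)
        if not hmac.compare_digest(expected, control):
            return False          # modified in transit, or stale control
        self.counter += 1         # one-time: the same control never verifies twice
        return True


def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample value
    server = Server(secret)
    txn = {"from": "ACC-001", "to": "ACC-002", "amount": "100.00"}  # constructed
    control = control_value(secret, 0, txn)   # computed by the token
    tampered = dict(txn, to="ACC-999")        # parameters changed in transit
    return {
        "tampered": server.verify(tampered, control),
        "genuine": server.verify(txn, control),
        "replayed": server.verify(txn, control),
    }


if __name__ == "__main__":
    print(demo())
```

The control only protects what the user confirmed on the token, so the token has to take or display the transaction parameters itself instead of trusting values handed to it by the possibly compromised machine.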