RE: Most common keystroke loggers?

["Aditya Deshmukh" <aditya.deshmukh () online gateway strangled net>]

> I'm looking for input on what you all believe the most common 
> keystroke loggers are. 

http://keylogger.org/ claims to be an independent testing site 
for all keyloggers, but they have all the old versions of the 
Keylogger. 

You can use this site as starting point for your search.
Visit the home pages of all the keylogger software creators
And download the latest versions.

> I've been challenged to write an  authentication method 
> (for a web site) that can be secure while using a 
> compromised system.

First off, look at the challenge in this way :

1. what is the website about ?
2. does it really need so much security ?
3. if it does then keep in mind about the
   Man in the middle attacks
4. when a client is compromised all the 
   Data must be assumed to be stolen.

If I were in your place I would design a system
where the clients were auth with x.509 certs on 
the clients ie "client certs" with "user auth"
purpose defined in them and store them on something 
like a hardware token, which required a pin to unlock.
and send something signed with a client cert as a part
of the login process before any kind of server response 
is even issued.

This way the bar of security is raised a bit further.

also I am a very big fan of hardware tokens that generate 
challenge response from random numbers... But they tend to 
be quite costly. But worth the cost if your application
requires it.





________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/