Re: Defeating Keystroke Loggers

[Robin Wood <robin () digininja org>]

On 19 December 2012 04:48, Robert Cazares <robertcazares () gmail com> wrote:
> Defeating Keystroke Loggers
>
> I've had some thoughts about defeating keystroke loggers in
> potentially hostile environments where one may not have a choice if
> one wants to access password protected accounts. For example any web
> based email account. Google, Yahoo Mail, etc.
>
> Keystroke Loggers
> - Hardware
> In my opinion, finding one and removing one is pretty much a
> no-brainer, on a desktop system that is. Provided of course that
> you're looking for one. I will admit, that I've never had an
> opportunity to see one other than in pictures.
> How about laptops? Considering that any laptop I would carry, in order
> to carry out a hardware placement would be ridiculously obvious,
> unless one were to be inserted in an unused PCMCIA slot when I wasn't
> paying attention.
> <rhetoric>I know! Who has PCMCIA slots on newer systems anymore.
> </rhetoric>
>
> - Software
> Laptop or Desktop.
> The user must somehow be coerced into installing software.
> Or the system must be logged into somehow to have the software installed.
> Or perhaps a web drive-by drops malicious software on the system. And
> even then, something has to be installed VIA an account on the system.
> Right?
>
> OK, regardless of hardware or software types, my question is how to
> work-around on a compromised system.
> Going on the premise that I'm on a compromised system, or that my own
> system is compromised, and I just have no other choice, the immediate
> manner of dropping my credentials into a Web Browser UI would be to
> copy and paste.
>
> I use PasswordSafe and run it from a thumbdrive.
> passwordsafe.sourceforge.net/
> Considering the fact that there is a logger on the system, my thought
> about an the ideal method of launching PasswordSafe would be to not
> have a master password to open, which would not reveal the launching
> of a password container type application. I can, later on, on a known
> safe system, re-enable a master password. Kinda sketchy to even have
> an open password safe type application.
>
> The idea is to copy and paste both user name and password into the
> credential fields.
>
> Anyway, this is mostly just food for thought.
> It's been on my mind for quite some time I got tired of waiting for
> the right time to post/ask this. :^)
> You folks always come up with good ideas and then other ideas for
> things like this.

If you are assuming the level of software compromise that you say then
I reckon you are screwed whatever you do. If I were to go to the
lengths to get a key logger on your machine I'd probably also drop
something on to watch your browser traffic so anything you did to
defeat the key logger when entering the password would be undone as I
pulled the credentials directly out of the browser.

I'd also grab your clipboard so even copy and paste won't work. See
Mubix's post on this in room362.com

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com