Full Disclosure mailing list archives

Re: Most common keystroke loggers?


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 02 Dec 2005 12:53:22 -0600

On Fri, 2005-12-02 at 10:48 -0800, Blue Boar wrote:
> You can make the authentication step as secure as you like (and granted,
> that's what the thread is about, and what the OTP asked for) but don't
> forget that the 0wner of your machine still has the option to take over
> your transaction(s) post-authentication.

That's why I emphasized that the use of tokens should not only be made
for initial authentication, but also for *each transaction*. Any
transaction can be hashed with a one-time code generated by a token and
sent as a control with the transaction parameters. Any MITM interception
and modification will invalidate that hash, thus voiding the transaction.

These things have been available since the mid-nineties, but are either
still not applied, or improperly applied. There are a lot of cases where
tokens are used for authentication, but only there, not preventing MITM
attacks. (why should they, it's protected with SSL, right ;)

So, yeah, we need to stress the fact that transactions need to be
secured, not just initial auth.

Cheers!
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
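The per-transaction control described above, written out as an added Python example (it is not code from the post or from any real token product): the token derives a one-time key from its shared secret and a moving counter, computes a MAC over the canonical transaction parameters under that key, and the server recomputes the MAC and refuses reused counters. The shared secret, the account numbers, and the choice of HMAC-SHA256 are assumptions made for the example.

```python
import hmac
import hashlib
import json
import struct

# Constructed demo secret shared between the hardware token and the bank's server.
TOKEN_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def canonical(tx: dict) -> bytes:
    """Serialise the transaction deterministically so both sides MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def one_time_key(secret: bytes, counter: int) -> bytes:
    """Per-transaction key the token derives from its secret and an increasing counter."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def sign_transaction(secret: bytes, counter: int, tx: dict) -> str:
    """Token side: the control value sent along with the transaction parameters."""
    return hmac.new(one_time_key(secret, counter), canonical(tx), hashlib.sha256).hexdigest()


class TransactionVerifier:
    """Server side: recompute the control and enforce a strictly increasing counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, counter: int, tx: dict, control: str) -> bool:
        if counter <= self.last_counter:
            return False  # replayed or out-of-order control value
        expected = sign_transaction(self.secret, counter, tx)
        if not hmac.compare_digest(expected, control):
            return False  # parameters altered in transit, or wrong token
        self.last_counter = counter
        return True


def demo() -> tuple:
    """Genuine transfer, a MITM-modified payee, and a replay of the original control."""
    tx = {"from": "ACCT-1001", "to": "ACCT-2002", "amount": "150.00", "currency": "EUR"}
    control = sign_transaction(TOKEN_SECRET, 7, tx)
    server = TransactionVerifier(TOKEN_SECRET)
    ok = server.verify(7, tx, control)
    tampered = dict(tx, to="ACCT-6666")  # constructed: an intermediary rewrites the payee
    tampered_ok = TransactionVerifier(TOKEN_SECRET).verify(7, tampered, control)
    replay_ok = server.verify(7, tx, control)  # the same control value submitted again
    return ok, tampered_ok, replay_ok
```

Using a keyed MAC rather than a plain hash of a short typed code matters: a six-digit code concatenated into a hash can be brute-forced offline by anyone who observes one control value, whereas the derived key here is never transmitted.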


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
