Full Disclosure mailing list archives

Re: Most common keystroke loggers?

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 02 Dec 2005 12:01:14 +1300

deepquest wrote:

To me the only thing that can defeat keystroke is what a software or
trojan can not do: See (OCR is just a partial application of guess
but not applicable in that case)


Then you are so far inside the box you cannot see the walls...

The OP said "keystroke logger" BUT he also said "compromised".  If the
machine is compromised you cannot limit yourself to "keylogging" as a
compromised machine may be running _anything_ (including something not
yet written, as we are talking about a hypothetical future situation,
so the OP limiting the original question to "the most common keylogger"
is further evidence that the OP does not understand the actual problem
set he has been posed).

Imagine a web page with a virtual keyboard page (clickable). In order
to prevent the localisation on the keys mapping based on position of
the mouse, display the keyboard on random location of the screen.  ...


Trivially, and already long ago, overcome by screen-shot keyloggers.

...  Add
a random password and challenge authentication process.


Why?

This adds nothing but annoyance to the user, thus reducing usability.
If you're going to move to OTP, why _also_ move to an onscreen
keyboard?  It's almost like you believe that taking two unrelated
approaches that indivdually make no improvement whatsoever will
suddenly make some real improvement when combined.  A hint -- zero plus
zero equals ??????

As already explained ad nauseum to the other naïve "use OTP", if you do
not do something "out of band" _relative to any and all possible "bad
code" that could be running on a compromised machine_, you have lost.
To achieve that requires a second, "secure" piece of _hardware_ that
simply uses the network connection through the compromised machine to
communicate in a crptographically secure way with the server.  The OP
made no mention of designing hardware

my 2 cents,


If that's really what the above "advice" is worth, inflation must be
_really bad_ where you are!


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Most common keystroke loggers?, (continued)
- Re: Most common keystroke loggers? Valdis . Kletnieks (Dec 01)
  - Re: Most common keystroke loggers? foofus (Dec 01)
    - Re: Most common keystroke loggers? Mike Jones (Dec 01)
    - Re: Most common keystroke loggers? deepquest (Dec 01)
    - RE: Most common keystroke loggers? Lyal Collins (Dec 01)
    - Re: Most common keystroke loggers? deepquest (Dec 01)
    - Re: Most common keystroke loggers? php0t (Dec 01)
    - Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
    - Re: Most common keystroke loggers? php0t (Dec 01)
    - RE: Most common keystroke loggers? Lyal Collins (Dec 01)
    - Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
  - Re: Most common keystroke loggers? Lionel Ferette (Dec 01)
    - Re: Most common keystroke loggers? Nick FitzGerald (Dec 02)
- Re: Most common keystroke loggers? Blue Boar (Dec 01)
  - Re: Most common keystroke loggers? Dave Korn (Dec 01)
    - Re: Re: Most common keystroke loggers? Thierry Zoller (Dec 01)
    - Re: Re: Most common keystroke loggers? Nick FitzGerald (Dec 01)
    - RE: Re: Most common keystroke loggers? Aditya Deshmukh (Dec 01)
  - RE: Most common keystroke loggers? Debasis Mohanty (Dec 01)
  - Re: Most common keystroke loggers? Kyle Lutze (Dec 01)
    - Re: Most common keystroke loggers? Blue Boar (Dec 01)

(Thread continues...)