Full Disclosure mailing list archives
Re: Most common keystroke loggers?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 02 Dec 2005 12:01:14 +1300
deepquest wrote:
> To me the only thing that can defeat keystroke is what a software or trojan cannot do: See (OCR is just a partial application of guess but not applicable in that case)
Then you are so far inside the box you cannot see the walls... The OP said "keystroke logger" BUT he also said "compromised". If the machine is compromised you cannot limit yourself to "keylogging" as a compromised machine may be running _anything_ (including something not yet written, as we are talking about a hypothetical future situation, so the OP limiting the original question to "the most common keylogger" is further evidence that the OP does not understand the actual problem set he has been posed).
> Imagine a web page with a virtual keyboard page (clickable). In order to prevent the localisation on the keys mapping based on position of the mouse, display the keyboard on random location of the screen. ...
Trivially, and already long ago, overcome by screen-shot keyloggers.
> ... Add a random password and challenge authentication process.
Why? This adds nothing but annoyance to the user, thus reducing usability. If you're going to move to OTP, why _also_ move to an onscreen keyboard? It's almost like you believe that taking two unrelated approaches that individually make no improvement whatsoever will suddenly make some real improvement when combined. A hint -- zero plus zero equals ?????? As already explained ad nauseam to the other naïve "use OTP", if you do not do something "out of band" _relative to any and all possible "bad code" that could be running on a compromised machine_, you have lost. To achieve that requires a second, "secure" piece of _hardware_ that simply uses the network connection through the compromised machine to communicate in a cryptographically secure way with the server. The OP made no mention of designing hardware.
> my 2 cents,
If that's really what the above "advice" is worth, inflation must be _really bad_ where you are!

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
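The point Nick makes above (a separate piece of hardware that only routes its traffic through the compromised machine, and binds what it authenticates to the transaction the server will act on) can be shown in a small simulation. The following is an added example written for this archive page, not code from the thread or from any product: the "device" is a function holding a secret the host never sees, the "host" is a relay that may alter what it forwards, and the server checks an HMAC over its own fresh challenge plus the transaction details. All names, the shared secret and the transaction strings are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret. In the design Nick describes it would live only in the
# device and at the server; the (possibly compromised) PC never holds it.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"


def device_sign(secret: bytes, challenge: bytes, tx_details: str) -> str:
    """Runs on the separate hardware device.

    The device shows tx_details on its own display, the user confirms it there,
    and the device returns an authenticator bound to both the server's challenge
    and those exact details. Nothing the host does can change this computation.
    """
    msg = challenge + b"|" + tx_details.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    """Issues single-use challenges and verifies transaction-bound authenticators."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending: dict[str, bytes] = {}

    def new_challenge(self, session: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[session] = challenge
        return challenge

    def verify(self, session: str, tx_details: str, authenticator: str) -> bool:
        # pop(): a challenge is consumed on first use, so a captured
        # authenticator cannot be replayed against a later challenge.
        challenge = self.pending.pop(session, None)
        if challenge is None:
            return False
        expected = hmac.new(self.secret, challenge + b"|" + tx_details.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, authenticator)


def run_transaction(server: Server, host_tamper=None) -> bool:
    """One round trip through the PC.

    host_tamper models code on the compromised machine that rewrites the
    transaction after the user confirmed it on the device. Returns whether
    the server accepted what the host forwarded.
    """
    session = "session-1"                      # constructed
    tx_details = "pay 100.00 to account 42"    # constructed, as confirmed on the device
    challenge = server.new_challenge(session)

    # Host relays the challenge to the device and gets the authenticator back.
    authenticator = device_sign(TOKEN_SECRET, challenge, tx_details)

    # Host forwards the transaction (possibly altered) plus the authenticator.
    forwarded = host_tamper(tx_details) if host_tamper else tx_details
    return server.verify(session, forwarded, authenticator)


def plain_otp_accepts_altered_tx() -> bool:
    """Contrast case: an OTP that is not bound to the transaction.

    The server only checks that the code matches; the host can forward a
    different transaction alongside the same valid code and it is accepted.
    This is the 'OTP alone' situation Nick dismisses.
    """
    otp = "482913"                       # constructed one-time code typed by the user
    forwarded_tx = "pay 100.00 to account 99"  # altered by the host
    server_sees_valid_otp = hmac.compare_digest(otp, "482913")
    return server_sees_valid_otp and forwarded_tx != "pay 100.00 to account 42"


if __name__ == "__main__":
    srv = Server(TOKEN_SECRET)
    print("honest host accepted:", run_transaction(srv))
    print("tampering host accepted:",
          run_transaction(srv, lambda t: t.replace("account 42", "account 99")))
    print("plain OTP accepts altered tx:", plain_otp_accepts_altered_tx())
```

The only property doing the work is that the authenticator covers the transaction details as confirmed on the device's own display; the host is free to read, delay or rewrite everything it relays, and the server still detects any change. A second verify call for the same session also fails, because the challenge was consumed.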