Penetration Testing mailing list archives

Re: randomizing keyboard input

From: Larry Offley <lucullus () shaw ca>
Date: Fri, 14 Sep 2007 18:29:08 -0700

It might slow down non-hardware keyloggers. The thing is there issoftware that can unrandomize simple letter exchanges. So if I capture afew paragraphs of keystrokes it should be fairly easy (possible even byhand) to determine the correct letter exchanges. Nice Idea but unlessyou had hardware and software that worked together (like the smart cardsthat change pins every sec minutes). What you need is keyboard thatencrypts the keystrokes and then software reversed it. Again the problemis If i can run software on your system (ie a keylogger) I can probablyrun anything I want.


Larry Offley
http://security.offley.ca



Cypher wrote:

alo alo,
  a friend and i have been working on an idea.  We want to create a
framework the randomizes the keyboard input.  heres the basics, we all
know that the theres a keyboard layout, dumpkeys in linux will show you
what there is, what were trying to do is take and make a random
keylayout on boot, then find a way to decrypt this for an applications.
basically, were trying to find a way past keyloggers.  if a keylogger is
logging what you type, but the keylayout is randomized from the keyboard
to application, then the keylogger is no good.  were trying to create a
framework for this but are having some trouble coming up with some
basics on how to remap the keylayout to say the device input of the
keyboard to the output device like the application openoffice. if this
could be accomplished then it would defeat the purpose if keyloggers
since they depend on standard keyboard layouts to decode keyinputs. has
anyone come across an appication or idea like this that would be of
help?  or even just some thoughts that would lead us in the right
direction would be greatly appreciated.  thank you all for your time.



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

randomizing keyboard input Cypher (Sep 14)
- Re: randomizing keyboard input Larry Offley (Sep 14)
- Re: randomizing keyboard input Jerome Athias (Sep 15)
- <Possible follow-ups>
- Re: randomizing keyboard input timisw (Sep 15)