WebApp Sec mailing list archives
RE: keyloggers?
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Thu, 7 Apr 2005 07:01:03 +1000
Although on-screen or virtual keypads are frequently proposed as the solution to keylogging, they were broken in 1997 or earlier. Simply load a driver that takes a 10 x10 pixel snapshot of the screen under the mouse, and send (or store) the bitmap to an attacker friendly location. In a shared environment, on-screen keypad may even be worse, since anyone across the rom can see the entered password/phrase via shoulder surfing. Other than that, there is very little you can do on a machine owned and maintained by third parties (to your banking relationship) to ensure freedom from keyoggers, spyware et all. Crossing your fingers 'might' work. Lyal -----Original Message----- From: Sachin Shetty [mailto:sachin.shetty () paladion net] Sent: Thursday, 7 April 2005 12:12 AM To: webappsec () securityfocus com Subject: Re: keyloggers? In-Reply-To: <a984753d050401114836cfab86 () mail gmail com> Hi, First of all let me begin by stating that its very difficult to find out if there are keyloggers in the machine that you are accessing in a Internet Cafe. If its a kernel based keylogger then its next to impossible. So what i suggest is open a notepad type any random characters with your password in between. Then copy this and paste it in the password textbox. Please remember that if its a common/dictionary password an attacker can still compromise it by looking at the logs. So choose a password thats complex enough. Also you can install the microsoft anti-spyware (beta) that will detect the more famous keyloggers (since its signature based). Since you are referring to a online banking scenario, make use of the virtual keypad that most banks provide nowadays. But be aware that keylogging can still be possible as most keyloggers have an option whereby they capture screenshot on each mouse click. So the only foolproof solution would be to use virtual keypad that enters the character by placing the mouse cursor over it for some random time (say two secs).It will provide protection against all the three types of keyloggers viz hardware,hook based and kernel based. Hope this reply answers your questions. Regards Sachin Shetty
Hi! Any recommendations of Best Practices when accessing your Online Banking account from an Internet Cafe? Assuming your bank does not provide two factor authentication, are there any specific checks you can do, tools you can run on a machine to ensure it is not Logging keystrokes, caching UID/pwds etc Any suggestions or advice in this area is greatly appreciated Thanks SB
Current thread:
- RE: keyloggers?, (continued)
- RE: keyloggers? Mehmet Buyukozer (Apr 06)
- Re: keyloggers? Gareth Davies (Apr 06)
- Re: keyloggers? Zero Burnout (Apr 06)
- Re: keyloggers? Michael Silk (Apr 06)
- Re: keyloggers? Adam Shostack (Apr 06)
- Re: keyloggers? colinm () clientsecure net (Apr 06)
- Re: keyloggers? Federico CastaƱeda (Apr 06)
- RE: keyloggers? Griffiths, Ian (Apr 06)
- Re: keyloggers? Sachin Shetty (Apr 06)
- RE: keyloggers? And form sniffers? Richard M. Smith (Apr 06)
- RE: keyloggers? Lyal Collins (Apr 06)