WebApp Sec mailing list archives
Re: keyloggers?
From: Michael Silk <michaelslists () gmail com>
Date: Thu, 7 Apr 2005 13:54:12 +1000
Antonio,

Think about it this way - you can't trust _ANYTHING_ shown to you by a computer that you do not trust.

-- Michael

On Apr 7, 2005 7:14 AM, Antonio Fontes <saphyr () infomaniak ch> wrote:
What would be your feeling about this scenario?

- setting a computer for remote access like vnc or remote desktop
- encapsulate the connection into an ssh tunnel using cygwin or a linux/unix gateway with an ssh daemon running
- connect to your personal computer through the secured tunnel
- launch a virtual keyboard on your personal computer. This virtual keyboard can be made in any common RAD language or even a simple javascript: a keyboard is drawn on the screen, and you click the letters to compose your strings.
- thanks to windows OLE stuff, you select the string with the mouse and drop it into a web form for example. The string does not get 'copied' to the clipboard through this manipulation.
- disconnect when you're done.

Some remarks:

- they should be able to capture your keystrokes: there won't be any.
- they should be able to capture your mouse click positions: just improve your virtual keyboard to redraw the keys in another position after X mouse clicks.
- they should be able to capture your transmitted data. I admit they still can decode it through ssh sniffers and mitm attacks BUT: if you use a remote access sending graphical information, such as VNC, that would need a huge effort to reconstitute 'what you saw'.
- the last possible failure would be the case where they see or record everything you see.

About 'seeing': try to go to a cyber cafe running fully privileged accounts (there are many who simply restore disk images at reboot time) and kill everything you can in the task manager.

About 'recording' what you see: are there really many places where they can record every client's desktop view?

There's still a risk, I know there are tools which are unseen in the task manager but... come on... If you're that paranoid, you wouldn't even open an e-banking account.

my 2 (swiss) cents...

AF