| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Dec 1 17:57:41 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Most common keystroke loggers? On Thu, 01 Dec 2005 10:24:50 MST, Shannon Johnston said: > I'm looking for input on what you all believe the most common keystroke > loggers are. I've been challenged to write an authentication method (for > a web site) that can be secure while using a compromised system. Forget it. You can't do it without going to two-factor authentication, *and* make sure that the second factor is *not* subvertible by the compromised system (for instance, even a SecureID won't totally work, because the keystroke logger can snarf what the user entered, use that to formulate a bogus request, and then issue the user's actual request, which should get rejected as a replay attack). Using crypto all the way from the web server to a smart-card (so all the compromised system can see is encrypted data it can't get the key for) can help yere. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/67a84e59/attachment.bin
Powered by blists - more mailing lists