[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Thu Dec 1 18:44:39 2005
From: BlueBoar at thievco.com (Blue Boar)
Subject: Most common keystroke loggers?
Shannon Johnston wrote:
> Hi All,
> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.
I don't think that's possible for all compromise situations, given
today's desktop OS software. It might be possible with a Palladium-like
system (and you trust that the secure side isn't compromised) and/or a
hardware assist that doesn't trust the host OS (think small USB-attached
computer on a stick.)
However, given your query, if you simply want to play the known-threats
game, you can just require that the Client have up-to-date AV and
antispyware software, and scans clean. That's a little orthogonal to
the issue of trying to be secure in the face of a keylogger installed,
but probably a better thing to shoot for.
If, for some reason, you only care about the case where a "keylogger" is
installed, then you can go with some scheme like making the user pick
numbers of a randomly-scrambled keypad on the screen, with the mouse.
Note, however, that "keyloggers" that grab some portion of the screen
surrounding the mouse pointer every time you click have already been
observed in the wild. They are designed to specifically defeat this
kind of mechanism.
BB
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux