Date: Thu Dec  1 18:47:12 2005
From: sopiaz57 at gmail.com (Mike Jones)
Subject: Most common keystroke loggers?

What's up with www.zorro.hu/sc-kl/?

I download the .dll file to my desktop along with the .exe and they 
disappear. Strange. DOS doesn't show them, neither does attrib.

foofus@...fus.net wrote:

>On Thu, Dec 01, 2005 at 12:57:16PM -0500, Valdis.Kletnieks@...edu wrote:
>
>>Forget it.  You can't do it without going to two-factor authentication,
>>*and* make sure that the second factor is *not* subvertible by the
>>compromised system (for instance, even a SecureID won't totally work,
>>because the keystroke logger can snarf what the user entered, use that
>>to formulate a bogus request, and then issue the user's actual request,
>>which should get rejected as a replay attack).  
>
>But note that this is not an *authentication* problem: SecurID did
>offer reliable evidence that the user in question was indeed present
>at the computer in question at the time of the request.
>
>If the challenge is just to provide safe authentication, this plan
>works: the user is authentic.  It's the content of the request that's
>bogus, which is a subtly different issue.
>
>
>>Using crypto all the
>>way from the web server to a smart-card (so all the compromised system
>>can see is encrypted data it can't get the key for) can help here.
>
>You sure?  :)
>
>--Foofus.