lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Dec  2 00:15:34 2005
From: lyal.collins at key2it.com.au (Lyal Collins)
Subject: Most common keystroke loggers?

Just expand the size of the image captured under the hotspot to include
surrounding buttons. 
If the image shows the values "around" the button clicked, it makes it
possible (but less trivial) to infer the value clicked.

<humour on> Having a totally blank on-screen keypad might work - let the
users guess their own passwords!!! <humour off>

Lyal


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
mz4ph0d@...il.com
Sent: Friday, 2 December 2005 10:18 AM
To: full-disclosure@...ts.grok.org.uk
Subject: re: [Full-disclosure] Most common keystroke loggers?


At 9:41 AM +1100 2/12/05, Lyal Collins wrote:
>In 1996, this virtual keypad concept was broken by taking 10x10 pixel 
>images under the cursor click, showing the number/letters used in that 
>password.
>
>Virtual keypads are just a minor change of tactics, not a long term 
>resolution to this risk, imho.

[snip]
What about a system that used a randomly built and placed keyboard where the
button (or more effectively the entire keyboard, though less usable
obviously) went blank on mouseover and click?

That would at least stop two of those problems, those being basic
keylogging, and screenshots of the hotspot on click. At least then if a
system like this is the only one that is deemed doable it would be more
secure than one that didn't have those features. Yes? It may as well be on
the higher end of insecure than the lower end, (if "insecure" can be seen as
a scale, as unfortunately it often has to be in the real world with budgets
and stupid management).


Z.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ