Message-ID: <200508051353.14033.requiem@praetor.org>
Date: Fri Aug  5 21:47:46 2005
From: requiem at praetor.org (Jeremy Bishop)
Subject: Defeating Citi-Bank Virtual Keyboard Protection

On Friday 05 August 2005 13:10, Michal Zalewski wrote:
> Wouldn't that be trivial to snoop on simply by making a trojan /
> spyware application that records a section of screen in the immediate
> proximity of mouse cursor on every mouse click? It's not that
> resource consuming, and easy to arrange.

You'd need to squeeze in some OCR code as well, or figure it out 
manually (or maybe use the same techniques as for getting around 
"captchas").

> Probably no programs do that routinely today, of course. My point is,
> although I have no practical experience with Citibank's offering, I
> see nothing that was meant to be secure about it - they just bank (no
> pun intended) on the fact one would need to target their logon
> mechanism specifically, and that generic keyloggers indeed fail to
> capture this traffic. This is pretty good.

Correct, it may be generally safe for a short while.  However, once a 
critical mass of institutions implement such schemes it is likely that 
keyloggers would move in a direction similar to Internet Explorer BHOs, 
by intercepting the page information after it's entered and before it's 
wrapped by SSL.  (Actually, this may already be the preferred technique 
for some spy software.)

While the original poster's technique may be a first attempt at directly 
circumventing virtual keyboards, a Google search turns up examples of 
the same or similar techniques as an improvement on traditional 
keylogging methods.  It doesn't directly target virtual keyboards so 
much as it simply ignores them.

Example:
http://www.codeguru.com/Cpp/W-P/system/security/article.php/c5761


-- 
My other computer is your Windows machine.
              -- sig
