Message-ID: <20050805214305.7E73E9B0@lists.grok.org.uk>
Date: Fri Aug  5 22:43:15 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Defeating Citi-Bank Virtual Keyboard Protection

MZ,  

>> What I proposed (and I'm sure I'm not innovative here) went along the
>> lines of hooking up and intercepting the mouse click button, and then, at
>> the exact moment of mouse click, capturing the position of the mouse
>> pointer, and a bitmap of its nearest surroundings - ideally, before the
>> event is delivered to the browser window.

I just realised there has been a wrong interpretation of my statement which
reads ".. is not going to work out here". What I actually meant here is, it
won't be advisable to design that way and is comparatively less efficient.

In fact, if you see, the best of worms / keyloggers / spyware are simple,
smaller & faster. Now won't that be a heavy job if they start capturing
screenshots ??

Sorry for that initial confusion !!


>> That should work regardless of the method used to shuffle displayed keys,
>> is very much workable on Windows and under X11, and shouldn't be
>> particularly resource or bandwidth consuming.

Agreed, but again my answer is the same again - "won't that be a heavy job if
they start capturing screenshots ??"


- DM -




-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@...ne.ids.pl] 
Sent: Saturday, August 06, 2005 2:21 AM
To: Debasis Mohanty
Cc: full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard
Protection

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Read the description section again, perhaps you have missed out the
> following -
> - The Virtual Keyboard is dynamic
> - The sequence in which the numbers appear will change every time
>   the page is refreshed
>
> Hence, designing something the way that you have proposed is not going
> to work out here.

Again, I might be wrong (I am not a Citibank customer), but I understand
that, when you visit the logon page, you're presented with an on-screen
keypad with keys in randomized and possibly constantly changing (dynamic)
order, and must enter your PIN or other authentication data by clicking
appropriate on-screen keys using your mouse.

What I proposed (and I'm sure I'm not innovative here) went along the lines
of hooking up and intercepting the mouse click button, and then, at the
exact moment of mouse click, capturing the position of the mouse pointer,
and a bitmap of its nearest surroundings - ideally, before the event is
delivered to the browser window. That should work regardless of the method
used to shuffle displayed keys, is very much workable on Windows and under
X11, and shouldn't be particularly resource or bandwidth consuming.

This is a generalised way of snooping virtual keyboards and similar
on-screen mouse-driven input interfaces.

Cheers,
/mz
http://lcamtuf.coredump.cx/

