lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200512011757.jB1HvHmn021363@turing-police.cc.vt.edu>
Date: Thu Dec  1 17:57:41 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Most common keystroke loggers? 

On Thu, 01 Dec 2005 10:24:50 MST, Shannon Johnston said:
> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.

Forget it.  You can't do it without going to two-factor authentication,
*and* make sure that the second factor is *not* subvertible by the
compromised system (for instance, even a SecureID won't totally work,
because the keystroke logger can snarf what the user entered, use that
to formulate a bogus request, and then issue the user's actual request,
which should get rejected as a replay attack).  Using crypto all the
way from the web server to a smart-card (so all the compromised system
can see is encrypted data it can't get the key for) can help yere.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/67a84e59/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ