lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu Dec  1 18:02:09 2005
From: foofus at foofus.net (foofus@...fus.net)
Subject: Most common keystroke loggers?

On Thu, Dec 01, 2005 at 12:57:16PM -0500, Valdis.Kletnieks@...edu wrote:
> Forget it.  You can't do it without going to two-factor authentication,
> *and* make sure that the second factor is *not* subvertible by the
> compromised system (for instance, even a SecureID won't totally work,
> because the keystroke logger can snarf what the user entered, use that
> to formulate a bogus request, and then issue the user's actual request,
> which should get rejected as a replay attack).  

But note that this is not an *authentication* problem: SecurID did
offer reliable evidence that the user in question was indeed present
at the computer in question at the time of the request.

If the challenge is just to provide safe authentication, this plan
works: the user is authentic.  It's the content of the request that's
bogus, which is a subtly different issue.

> Using crypto all the
> way from the web server to a smart-card (so all the compromised system
> can see is encrypted data it can't get the key for) can help yere.

You sure?  :)

--Foofus.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ