Message-ID: <438F448F.402@thievco.com>
Date: Thu Dec 1 18:44:39 2005
From: BlueBoar at thievco.com (Blue Boar)
Subject: Most common keystroke loggers?

Shannon Johnston wrote:
> Hi All,
> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.

I don't think that's possible for all compromise situations, given
today's desktop OS software. It might be possible with a Palladium-like
system (and you trust that the secure side isn't compromised) and/or a
hardware assist that doesn't trust the host OS (think small USB-attached
computer on a stick.)

However, given your query, if you simply want to play the known-threats
game, you can just require that the Client have up-to-date AV and
antispyware software, and scans clean. That's a little orthogonal to
the issue of trying to be secure in the face of a keylogger installed,
but probably a better thing to shoot for.

If, for some reason, you only care about the case where a "keylogger" is
installed, then you can go with some scheme like making the user pick
numbers off a randomly-scrambled keypad on the screen, with the mouse.
Note, however, that "keyloggers" that grab some portion of the screen
surrounding the mouse pointer every time you click have already been
observed in the wild. They are designed to specifically defeat this
kind of mechanism.

BB
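
[Added example, not part of the original message: a server-side sketch of the randomly scrambled keypad scheme mentioned above, showing that the client sends only cell positions and that each layout is accepted once, so recorded positions fail against the next layout. The class, function names and the sample PIN are assumptions made for illustration; as the message notes, a logger that captures the screen around each click still recovers the digits.]

```python
import hmac
import secrets

DIGITS = "0123456789"


class ScrambledKeypad:
    """Server side of a one-time scrambled on-screen PIN pad (hypothetical design)."""

    def __init__(self, rng=None):
        # rng only needs a shuffle(list) method; defaults to the OS CSPRNG.
        self._rng = rng or secrets.SystemRandom()
        self._layouts = {}  # challenge id -> digit shown in each cell

    def new_challenge(self):
        """Return (challenge_id, layout); cell i of the pad displays layout[i]."""
        layout = list(DIGITS)
        self._rng.shuffle(layout)
        challenge_id = secrets.token_urlsafe(16)
        self._layouts[challenge_id] = layout
        return challenge_id, layout

    def verify(self, challenge_id, clicked_cells, expected_pin):
        """Map clicked cell indices back to digits and compare with the PIN."""
        # pop() makes every layout single use, whether or not the attempt succeeds.
        layout = self._layouts.pop(challenge_id, None)
        if layout is None:
            return False
        for cell in clicked_cells:
            if not isinstance(cell, int) or not 0 <= cell < len(layout):
                return False
        entered = "".join(layout[cell] for cell in clicked_cells)
        return hmac.compare_digest(entered.encode(), expected_pin.encode())


def cells_for_pin(layout, pin):
    """What the user does with the mouse: click the cell showing each digit."""
    return [layout.index(digit) for digit in pin]


if __name__ == "__main__":
    pad = ScrambledKeypad()
    pin = "4071"  # constructed sample PIN
    cid, layout = pad.new_challenge()
    clicks = cells_for_pin(layout, pin)
    print("layout:", "".join(layout), "clicks sent:", clicks)
    print("first attempt accepted:", pad.verify(cid, clicks, pin))
    print("same challenge replayed:", pad.verify(cid, clicks, pin))
```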