lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu Dec  1 20:23:28 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Most common keystroke loggers?


-----Original Message-----
From: Blue Boar
Sent: Friday, December 02, 2005 12:15 AM
To: sjohnston@...ionplus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Most common keystroke loggers?

Shannon Johnston wrote:
> Hi All,
> I'm looking for input on what you all believe the most common 
> keystroke loggers are. I've been challenged to write an authentication 
> method (for a web site) that can be secure while using a compromised
system.

>> If, for some reason, you only care about the case where a "keylogger" is
installed, 
>> then you can go with some scheme like making the user pick numbers of a
randomly-scrambled 
>> keypad on the screen, with the mouse.

"Security" and "randomly-scrambled online keypad" are mutually exclusive ;-)


>> Note, however, that "keyloggers" that grab some portion of the screen
surrounding the 
>> mouse pointer every time you click have already been observed in the
wild.  They are 
>> designed to specifically defeat this kind of mechanism.

I posted a similar but yet an effective way of snatching the user
credentials directly from the input boxes while the user key'n them in a
pre-compromised box. The method shown is bit effective compared to the
screenshot grabbers in the sense that it directly get the clear text and the
***** text from the inputbox directly and donsn't save it until the user
submit the form.

The PoC (defeat-citibank-vk.zip) was created to defeat the virtual keyboard
concept of Citi-Bank used world wide. It can be downloaded from the
following link -  http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html .
Presently, the PoC wont work as CitiBank has made little changes in its site
after the release of the PoC. 

- D 


Powered by blists - more mailing lists