| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Dec 1 22:33:38 2005 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Most common keystroke loggers? Gustavo wrote: > If you want to provide reliable authentication, given that the user > has a keystroke logger installed, you may simply use a visual keyboard > written in Java. Dude -- you really are out of your depth here... Barclays (and other UK banks?) were doing this in the late 90s. Within months keyloggers that took screenshots of a small area around the mouse pointer hot-spot were being found. Some South American banks currently under massive identity theft/keylogging "attack" (like Banco Brasil) apparently don't talk to others in the banking industry, as some have recently started using such "on-screen keyboards" to "defeat" the keylogging attackers that hound their customers. Within a very short time period we saw some of those keyloggers adapt by adding screenshot-grabbing of a small area around the mouse point hot-spot. Seems they talked with uninformed "security consultants" rather than folk who know how systems work, what malware is, what it can do that it may not be doing today and, in this case, what has already been tried and trivially beaten... If you don't understand that all the I/O on the "compromised" machine (for the types of machine we are talking about) can be intercepted, you shouldn't be trying to answer the OP's question (and if the OP understood that, he would not have asked as he would have realized he was aiming at doing the impossible). Regards, Nick FitzGerald
Powered by blists - more mailing lists