Date: Thu Dec  1 22:33:45 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Most common keystroke loggers?

David Harker wrote:

> It may be easier and safer to require the user to follow onscreen
> instructions for character substitution into their password than attempt
> to defeat many individual bits of software. Since it's online, a munged
> dynamic image could be used to supply the instructions quite easily...
> just a thought.

Any idea how trivially _and cheaply_ such systems are man-in-the-
middled?

OK -- so the OP said compromised with a keylogger, but face it -- if 
the machine is compromised you have NO idea from the remote web server 
_what_ is running on the machine, so it could be a MitM agent shuffling 
all your traffic off somewhere else and sending the appropriate 
responses back and forward between your server, the real user and 
whoever else is needed to crack the puzzle.

There are (reputedly -- I've not actually tried to find one for my own 
use) call-centres in India (?) that will "crack" captchas ("visually 
garbled while still being humanly readable but (hopefully) not machine-
readable/OCR'able images") and the like in real time for a few pennies 
(or less) per "crack".  And, if there aren't and what the OP is trying 
to "protect" is valuable enough, the bad guys wanting access to it can 
certainly set up something of their own along those lines for the 
duration of their attack.

Depending on exactly what you mean (it's not entirely clear to me) it 
may just be sufficient to record the keystrokes _and_ a screenshot so 
the thief can later reverse the substitution cypher (if that's what you 
mean by "require the user to follow onscreen instructions for character 
substitution into their password").

And, finally, asking the user to be the encryption implementation is 
going to be very slow and error-prone -- not at all usable...


Regards,

Nick FitzGerald
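The following is an added illustration of the point made in this reply, not code from the message or from anyone on the list. It models the scheme David Harker sketched (the server shows a fresh per-login substitution instruction, the user applies it to their password by hand, the server checks the substituted string) and then shows what an observer on a compromised host gets from "keystrokes plus a screenshot": the mapping displayed on screen inverts trivially, so the typed string gives back the real password. The alphabet, the monoalphabetic substitution and the sample password are assumptions made for the example.

```python
import secrets
import string

# Assumed character set for the example: lowercase letters and digits.
ALPHABET = string.ascii_lowercase + string.digits


def issue_substitution(rng=None):
    """Server side: build a fresh random monoalphabetic substitution for
    one login attempt. This dict is what the 'onscreen instructions'
    would show the user (for example as a munged image)."""
    rng = rng or secrets.SystemRandom()
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def apply_substitution(mapping, text):
    """Apply the instruction to a string; characters outside the
    alphabet pass through unchanged."""
    return "".join(mapping.get(ch, ch) for ch in text)


def server_verify(mapping, stored_password, typed):
    """Server side: accept the login if the user typed the substituted
    form of the password it has on file."""
    return apply_substitution(mapping, stored_password) == typed


def recover_from_capture(mapping_seen_on_screen, keystrokes):
    """Observer side: with the screenshot (the mapping) and the key log
    (the typed string), invert the mapping and get the password back.
    A monoalphabetic substitution is a bijection, so this is exact."""
    inverse = {v: k for k, v in mapping_seen_on_screen.items()}
    return "".join(inverse.get(ch, ch) for ch in keystrokes)


def demo(password="hunter2"):
    """Run one login through the scheme and one capture against it.
    Returns what the server decided and what the observer recovered."""
    mapping = issue_substitution()          # shown on screen
    typed = apply_substitution(mapping, password)  # what the user keys in
    accepted = server_verify(mapping, password, typed)
    recovered = recover_from_capture(mapping, typed)
    return {"accepted": accepted, "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print(result)
```

Calling `demo()` returns a dict whose `recovered` value equals the original password every time, regardless of which random instruction the server issued: the scheme only hides the password from an observer who sees the keystrokes but not the screen, which is exactly the observer a compromised machine does not give you.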
