Date: Thu Dec  1 23:01:31 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Most common keystroke loggers?

deepquest wrote:

> To me the only thing that can defeat keystroke is what a software or  
> trojan can not do: See (OCR is just a partial application of guess  
> but not applicable in that case)

Then you are so far inside the box you cannot see the walls...

The OP said "keystroke logger" BUT he also said "compromised".  If the 
machine is compromised you cannot limit yourself to "keylogging" as a 
compromised machine may be running _anything_ (including something not 
yet written, as we are talking about a hypothetical future situation, 
so the OP limiting the original question to "the most common keylogger" 
is further evidence that the OP does not understand the actual problem 
set he has been posed).

> Imagine a web page with a virtual keyboard page (clickable). In order  
> to prevent the localisation on the keys mapping based on position of  
> the mouse, display the keyboard on random location of the screen.  ...

Trivially, and already long ago, overcome by screen-shot keyloggers.

> ...  Add  
> a random password and challenge authentication process.

Why?

This adds nothing but annoyance to the user, thus reducing usability.  
If you're going to move to OTP, why _also_ move to an onscreen 
keyboard?  It's almost like you believe that taking two unrelated 
approaches that individually make no improvement whatsoever will 
suddenly make some real improvement when combined.  A hint -- zero plus 
zero equals ??????

As already explained ad nauseam to the other naïve "use OTP", if you do 
not do something "out of band" _relative to any and all possible "bad 
code" that could be running on a compromised machine_, you have lost.  
To achieve that requires a second, "secure" piece of _hardware_ that 
simply uses the network connection through the compromised machine to 
communicate in a cryptographically secure way with the server.  The OP 
made no mention of designing hardware

> my 2 cents,

If that's really what the above "advice" is worth, inflation must be 
_really bad_ where you are!


Regards,

Nick FitzGerald
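
The arrangement described in the message above, as an added example that is not part of the original post: a separate hardware token answers a server challenge while the compromised machine only relays bytes. The shared-key HMAC scheme, all class and function names, and the assumption that the user confirms the request on the token's own display are illustrative choices, not anything the post specifies.

```python
import hashlib
import hmac
import secrets


class Server:
    def __init__(self, key):
        self._key = key
        self._pending = {}  # nonce -> request awaiting a response

    def challenge(self, request):
        nonce = secrets.token_bytes(16)  # fresh, fixed-length challenge
        self._pending[nonce] = request
        return nonce

    def verify(self, nonce, tag):
        request = self._pending.pop(nonce, None)  # single use: a replay finds nothing
        if request is None:
            return False
        expected = hmac.new(self._key, nonce + request, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Token:
    """Separate hardware (assumed): the key never leaves it, and the user
    confirms `request` on the token's own display, not on the host's screen."""
    def __init__(self, key):
        self._key = key

    def respond(self, nonce, request):
        return hmac.new(self._key, nonce + request, hashlib.sha256).digest()


def relay(server, token, sent_to_server, confirmed_on_token):
    """The compromised host: it sees and can alter every byte, but holds no key."""
    nonce = server.challenge(sent_to_server)
    tag = token.respond(nonce, confirmed_on_token)
    return nonce, tag, server.verify(nonce, tag)


def demo():
    key = secrets.token_bytes(32)  # constructed sample key, provisioned out of band
    server, token = Server(key), Token(key)
    request = b"login:alice"  # constructed sample request
    nonce, tag, honest = relay(server, token, request, request)
    replayed = server.verify(nonce, tag)  # host resends the captured response
    _, _, swapped = relay(server, token, b"login:mallory", request)  # host alters request
    return {"honest": honest, "replayed": replayed, "swapped": swapped}

if __name__ == "__main__":
    print(demo())
```

The host observes the nonce and the tag in every run, yet neither the captured response nor a substituted request verifies, because the only key lives on hardware the host's code cannot reach.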
