lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <NMEAJDJMDLJLOIOCIKJJMEGHGNAA.exibar@thelair.com>
Date: Fri Dec  2 05:31:33 2005
From: exibar at thelair.com (Exibar)
Subject: [inbox] Re: Most common keystroke loggers?

nah, screen grabber and keylogger installed on system, compromised password.

  Biometrics, SecurID, one time password, usb key fob, actual physical key, something that is not on the system is what would be needed to be secure... perhaps not totally secure, but pretty damn secure.... using more than just one of the above too....  a physical key/credit card, USB key, and SecurID used together would be pretty secure...  throw in a finger print reader too, why not...  hell, DNA scanner like in Gataca too....

 Mike B  

> -----Original Message-----
> From: Kyle Lutze [mailto:kyle@...domvoids.com]
> Sent: Thursday, December 01, 2005 7:35 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [inbox] Re: [Full-disclosure] Most common keystroke loggers?
> 
> 
> Blue Boar wrote:
> > Shannon Johnston wrote:
> > 
> >> Hi All,
> >> I'm looking for input on what you all believe the most common keystroke
> >> loggers are. I've been challenged to write an authentication 
> method (for
> >> a web site) that can be secure while using a compromised system.
> > 
> > 
> > I don't think that's possible for all compromise situations, given 
> > today's desktop OS software.  It might be possible with a 
> Palladium-like 
> > system (and you trust that the secure side isn't compromised) and/or a 
> > hardware assist that doesn't trust the host OS (think small 
> USB-attached 
> > computer on a stick.)
> > 
> > However, given your query, if you simply want to play the known-threats 
> > game, you can just require that the Client have up-to-date AV and 
> > antispyware software, and scans clean.  That's a little orthogonal to 
> > the issue of trying to be secure in the face of a keylogger installed, 
> > but probably a better thing to shoot for.
> > 
> > If, for some reason, you only care about the case where a 
> "keylogger" is 
> > installed, then you can go with some scheme like making the user pick 
> > numbers of a randomly-scrambled keypad on the screen, with the mouse.
> > 
> > Note, however, that "keyloggers" that grab some portion of the screen 
> > surrounding the mouse pointer every time you click have already been 
> > observed in the wild.  They are designed to specifically defeat this 
> > kind of mechanism.
> > 
> Actually, I think there's a relatively easy solution, make it so every 
> single time they want to login, have a different set of characters line 
> up to their password.
> That didn't make much sense, here's a good example
> 
> say somebody's password is foobar, on screen there would be a page that 
> shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. 
> so instead of typing foobar the password they would type in for that 
> session would be hnnzck.
> 
> The next time the screen came up, it would be a=n, b=l, etc. and the 
> password they would enter would be something else. Then, if the computer 
> had a keylogger, not too much anybody could do with that info.
> 
> Kyle
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ