| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Dec 2 00:35:03 2005 From: kyle at randomvoids.com (Kyle Lutze) Subject: Most common keystroke loggers? Blue Boar wrote: > Shannon Johnston wrote: > >> Hi All, >> I'm looking for input on what you all believe the most common keystroke >> loggers are. I've been challenged to write an authentication method (for >> a web site) that can be secure while using a compromised system. > > > I don't think that's possible for all compromise situations, given > today's desktop OS software. It might be possible with a Palladium-like > system (and you trust that the secure side isn't compromised) and/or a > hardware assist that doesn't trust the host OS (think small USB-attached > computer on a stick.) > > However, given your query, if you simply want to play the known-threats > game, you can just require that the Client have up-to-date AV and > antispyware software, and scans clean. That's a little orthogonal to > the issue of trying to be secure in the face of a keylogger installed, > but probably a better thing to shoot for. > > If, for some reason, you only care about the case where a "keylogger" is > installed, then you can go with some scheme like making the user pick > numbers of a randomly-scrambled keypad on the screen, with the mouse. > > Note, however, that "keyloggers" that grab some portion of the screen > surrounding the mouse pointer every time you click have already been > observed in the wild. They are designed to specifically defeat this > kind of mechanism. > Actually, I think there's a relatively easy solution, make it so every single time they want to login, have a different set of characters line up to their password. That didn't make much sense, here's a good example say somebody's password is foobar, on screen there would be a page that shows the new alignment of characters,such as saying a=c, d=3, b=z, etc. so instead of typing foobar the password they would type in for that session would be hnnzck. The next time the screen came up, it would be a=n, b=l, etc. and the password they would enter would be something else. Then, if the computer had a keylogger, not too much anybody could do with that info. Kyle
Powered by blists - more mailing lists