lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <438F96A9.70705@randomvoids.com>
Date: Fri Dec  2 00:35:03 2005
From: kyle at randomvoids.com (Kyle Lutze)
Subject: Most common keystroke loggers?

Blue Boar wrote:
> Shannon Johnston wrote:
> 
>> Hi All,
>> I'm looking for input on what you all believe the most common keystroke
>> loggers are. I've been challenged to write an authentication method (for
>> a web site) that can be secure while using a compromised system.
> 
> 
> I don't think that's possible for all compromise situations, given 
> today's desktop OS software.  It might be possible with a Palladium-like 
> system (and you trust that the secure side isn't compromised) and/or a 
> hardware assist that doesn't trust the host OS (think small USB-attached 
> computer on a stick.)
> 
> However, given your query, if you simply want to play the known-threats 
> game, you can just require that the Client have up-to-date AV and 
> antispyware software, and scans clean.  That's a little orthogonal to 
> the issue of trying to be secure in the face of a keylogger installed, 
> but probably a better thing to shoot for.
> 
> If, for some reason, you only care about the case where a "keylogger" is 
> installed, then you can go with some scheme like making the user pick 
> numbers of a randomly-scrambled keypad on the screen, with the mouse.
> 
> Note, however, that "keyloggers" that grab some portion of the screen 
> surrounding the mouse pointer every time you click have already been 
> observed in the wild.  They are designed to specifically defeat this 
> kind of mechanism.
> 
Actually, I think there's a relatively easy solution: make it so every 
single time they want to log in, a different set of characters lines 
up to their password.
That didn't make much sense; here's a good example:

Say somebody's password is foobar. On screen there would be a page that 
shows the new alignment of characters, such as saying a=c, d=3, b=z, etc., 
so instead of typing foobar, the password they would type in for that 
session would be hnnzck.

The next time the screen came up, it would be a=n, b=l, etc., and the 
password they would enter would be something else. Then, if the computer 
had a keylogger, there's not too much anybody could do with that info.

Kyle
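
One way to implement the per-login substitution table Kyle describes, as an added example that is not from the thread; the salted PBKDF2 storage, the `seed` argument (used only for reproducible demos) and all function names are assumptions made here.

```python
import hashlib
import random
import secrets
import string

# Added example, not from the thread: a per-session substitution table for
# password entry. Storage format, names and the seed argument are assumptions.
PLAIN = string.ascii_lowercase                    # characters a password may use
SYMBOLS = string.ascii_lowercase + string.digits  # what the user may be told to type

def new_session_table(seed=None):
    """Fresh injective map plain -> symbol for a single login attempt.
    seed is only for reproducible demos; a real server leaves it None."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    symbols = list(SYMBOLS)
    rng.shuffle(symbols)
    return dict(zip(PLAIN, symbols))          # 26 distinct symbols out of 36

def render_table(table):
    """Text shown on the login page, e.g. 'a=c, b=z, c=7, ...'."""
    return ", ".join(f"{p}={s}" for p, s in sorted(table.items()))

def substitute(table, password):
    """What the user types this session instead of the real password."""
    return "".join(table[c] for c in password)

def enroll(password):
    """Server stores only salt + PBKDF2 hash, as for an ordinary password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(table, typed, record):
    """Server side: undo this session's table, then check the hash. The table
    must live in per-session server state and be discarded after one attempt.
    Inverting it needs only the displayed table plus the keystrokes, which is
    exactly what the screen-grabbing loggers Blue Boar mentions collect."""
    inverse = {s: p for p, s in table.items()}
    if any(c not in inverse for c in typed):  # symbol this table never issues
        return False
    candidate = "".join(inverse[c] for c in typed)
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return secrets.compare_digest(digest, stored)

if __name__ == "__main__":
    record, table = enroll("foobar"), new_session_table()
    print("Login page shows:", render_table(table))
    typed = substitute(table, "foobar")
    print("User types:", typed, "->", verify(table, typed, record))
    print("Same keystrokes next session ->", verify(new_session_table(), typed, record))
```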
