Message-ID: <1133549602.49544.70.camel@localhost>
Date: Fri Dec  2 18:53:36 2005
From: frank at knobbe.us (Frank Knobbe)
Subject: Most common keystroke loggers?

On Fri, 2005-12-02 at 10:48 -0800, Blue Boar wrote:
> You can make the authentication step as secure as you like (and granted, 
> that's what the thread is about, and what the OTP asked for) but don't 
> forget that the 0wner of your machine still has the option to take over 
> your transaction(s) post-authentication.

That's why I emphasized that the use of tokens should not only be made
for initial authentication, but also for *each transaction*. Any
transaction can be hashed with a one-time code generated by a token and
sent as a control with the transaction parameters. Any MITM interception
and modification will invalidate that hash, thus voiding the transaction.

These things have been available since the mid-nineties, but are either
still not applied, or improperly applied. There are a lot of cases where
tokens are used for authentication, but only there, not preventing MITM
attacks. (why should they, it's protected with SSL, right ;)

So, yeah, we need to stress the fact that transactions need to be
secured, not just initial auth.

Cheers!
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
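An added illustration of the per-transaction control value described in the message above; this is example code, not part of the original post. It assumes a token that derives a one-time code HMAC-style from a shared secret and an event counter, and uses a constructed demo secret and transaction.

```python
import hashlib
import hmac
import struct

# Constructed demo secret, standing in for the secret provisioned on a token.
TOKEN_SECRET = b"constructed-demo-token-secret-not-a-real-key"


def one_time_code(secret: bytes, counter: int) -> bytes:
    """Derive a per-transaction one-time code from the token secret and an
    event counter (HOTP-style; kept as raw bytes instead of truncated digits)."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def canonical(params: dict) -> bytes:
    """Serialise the transaction parameters deterministically (sorted keys,
    fixed separators) so client and server hash exactly the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


def sign_transaction(params: dict, counter: int, secret: bytes = TOKEN_SECRET) -> str:
    """Client side: bind the transaction parameters to the one-time code.
    The hex digest is the control value sent along with the parameters."""
    otc = one_time_code(secret, counter)
    return hmac.new(otc, canonical(params), hashlib.sha256).hexdigest()


def verify_transaction(params: dict, counter: int, control: str,
                       secret: bytes = TOKEN_SECRET) -> bool:
    """Server side: recompute the control value over the received parameters
    and compare it in constant time."""
    expected = sign_transaction(params, counter, secret)
    return hmac.compare_digest(expected, control)


def demo() -> tuple:
    """Constructed transaction: the genuine one verifies, a modified
    destination account does not, and reuse under another counter does not."""
    tx = {"from": "ACC-1001", "to": "ACC-2002", "amount": "100.00", "currency": "USD"}
    counter = 7
    control = sign_transaction(tx, counter)
    genuine_ok = verify_transaction(tx, counter, control)
    tampered = dict(tx, to="ACC-9999")          # modified in transit
    tampered_ok = verify_transaction(tampered, counter, control)
    replay_ok = verify_transaction(tx, counter + 1, control)  # stale code
    return genuine_ok, tampered_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```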
