[Full-disclosure] Most common keystroke loggers?
Kyle Lutze
kyle at randomvoids.com
Fri Dec 2 00:34:49 GMT 2005
Blue Boar wrote:
> Shannon Johnston wrote:
>
>> Hi All,
>> I'm looking for input on what you all believe the most common keystroke
>> loggers are. I've been challenged to write an authentication method (for
>> a web site) that can be secure while using a compromised system.
>
>
> I don't think that's possible for all compromise situations, given
> today's desktop OS software. It might be possible with a Palladium-like
> system (and you trust that the secure side isn't compromised) and/or a
> hardware assist that doesn't trust the host OS (think small USB-attached
> computer on a stick.)
>
> However, given your query, if you simply want to play the known-threats
> game, you can just require that the Client have up-to-date AV and
> antispyware software, and scans clean. That's a little orthogonal to
> the issue of trying to be secure in the face of a keylogger installed,
> but probably a better thing to shoot for.
>
> If, for some reason, you only care about the case where a "keylogger" is
> installed, then you can go with some scheme like making the user pick
> numbers of a randomly-scrambled keypad on the screen, with the mouse.
>
> Note, however, that "keyloggers" that grab some portion of the screen
> surrounding the mouse pointer every time you click have already been
> observed in the wild. They are designed to specifically defeat this
> kind of mechanism.
>
Actually, I think there's a relatively easy solution, make it so every
single time they want to login, have a different set of characters line
up to their password.
That didn't make much sense, here's a good example
say somebody's password is foobar, on screen there would be a page that
shows the new alignment of characters,such as saying a=c, d=3, b=z, etc.
so instead of typing foobar the password they would type in for that
session would be hnnzck.
The next time the screen came up, it would be a=n, b=l, etc. and the
password they would enter would be something else. Then, if the computer
had a keylogger, not too much anybody could do with that info.
Kyle
Full-Disclosure is hosted and sponsored by Secunia.