Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: keyloggers?

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: keyloggers?
Date: Thu, 7 Apr 2005 07:01:03 +1000 
Although on-screen or virtual keypads are frequently proposed as the
solution to keylogging, they were broken in 1997 or earlier.  
Simply load a driver that takes a 10 x10 pixel snapshot of the screen under
the mouse, and send (or store) the bitmap to an attacker friendly location.

In a shared environment, on-screen keypad may even be worse, since anyone
across the rom can see the entered password/phrase via shoulder surfing.

Other than that, there is very little you can do on a machine owned and
maintained by third parties (to your banking relationship) to ensure freedom
from keyoggers, spyware et all.  Crossing your fingers 'might' work.

Lyal


-----Original Message-----
From: Sachin Shetty [mailto:sachin.shetty@paladion.net] 
Sent: Thursday, 7 April 2005 12:12 AM
To: webappsec@securityfocus.com
Subject: Re: keyloggers?


In-Reply-To: <a984753d050401114836cfab86@mail.gmail.com>

Hi,
First of all let me begin by stating that its very difficult to find out if
there are keyloggers in the machine that you are accessing in a Internet
Cafe. If its a  kernel based keylogger then its next to impossible. So what
i suggest is open a notepad type any random characters with your password in
between. Then copy this and paste it in the password textbox. Please
remember that if its a common/dictionary password an attacker can still
compromise it by looking at the logs. So choose a password thats complex
enough.

Also you can install the microsoft anti-spyware (beta) that will detect the
more famous keyloggers (since its signature based).

Since you are referring to a online banking scenario, make use of the
virtual keypad that most banks provide nowadays. But be aware that
keylogging can still be possible as most keyloggers have an option whereby
they capture screenshot on each mouse click. So the only foolproof solution
would be to use virtual keypad that enters the character by placing the
mouse cursor over it for some random time (say two secs).It will provide
protection against all the three types of keyloggers viz hardware,hook based
and kernel based.

Hope this reply answers your questions.

Regards
Sachin Shetty   



Hi!

Any recommendations of Best Practices when accessing your Online 
Banking account from an Internet Cafe?  Assuming your bank does not 
provide two factor authentication, are there any specific checks you 
can do, tools you can run on a  machine to ensure it is not Logging 
keystrokes, caching UID/pwds etc

Any suggestions or advice in this area is greatly appreciated

Thanks

SB
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: keyloggers?, Augusto Paes de Barros
Next by Date:  Re: keyloggers?, Antonio Fontes
Previous by Thread:  RE: keyloggers? And form sniffers?, Richard M. Smith
Next by Thread:  SV: Java -> .NET RSA Encryption, Fredrik Hesse
Indexes:  [Date] [Thread] [Top] [All Lists]