
| Subject: | RE: keyloggers? |
|---|---|
| Date: | Thu, 7 Apr 2005 09:25:59 +0300 |

Not to be rude, but from my point of view it is just paranoia. It would be easier just to go to a bank and do whatever you want there.

But technically, yes, you can do something like this just by running a VNC viewer, which does not require admin rights. An ssh client can be placed on a web page owned by you (http://www.appgate.com/products/80_MindTerm/), and with this Java-based client you can tunnel your connection and connect to your personal computer's screen.

For your scenario, the last part is not logical: when you connect to your personal machine, it is better if you use Roboform or something like that, which will stop anybody from seeing your password. It will form the password into the web page.

Cheers
Mehmet

-----Original Message-----
From: Antonio Fontes [mailto:saphyr@infomaniak.ch]
Sent: Thursday, April 07, 2005 12:14 AM
To: webappsec@securityfocus.com
Subject: Re: keyloggers?

What would be your feeling about this scenario?

- set up a computer for remote access like VNC or remote desktop
- encapsulate the connection in an ssh tunnel using cygwin or a linux/unix gateway with an ssh daemon running
- connect to your personal computer through the secured tunnel
- launch a virtual keyboard on your personal computer. This virtual keyboard can be made in any common RAD language or even in simple JavaScript: a keyboard is drawn on the screen, and you click the letters to compose your strings.
- thanks to Windows OLE stuff, you select the string with the mouse and drop it into a web form, for example. The string does not get 'copied' to the clipboard through this manipulation.
- disconnect when you're done.

Some remarks:

- they should be able to capture your keystrokes: there won't be any.
- they should be able to capture your mouse click positions: just improve your virtual keyboard to redraw the keys in another position after X mouse clicks.
- they should be able to capture your transmitted data. I admit they can still decode it through ssh sniffers and MITM attacks, BUT: if you use a remote access tool sending graphical information, such as VNC, it would take a huge effort to reconstitute 'what you saw'.
- the last possible failure would be the case where they see or record everything you see.

About 'seeing': try to go to a cyber cafe running fully privileged accounts (there are many that simply restore disk images at reboot time) and kill everything you can in the task manager.

About 'recording' what you see: are there really many places where they can record every client's desktop view?

There's still a risk, I know there are tools which are unseen in the task manager but... come on... If you're that paranoid, you wouldn't even open an e-banking account.

my 2 (swiss) cents...

AF