On 3/28/06, Ryan Barnett <rcbarnett@gmail.com> wrote:
Their is nothing that a website can do
to prevent keyloggers on the user's machine.
Well, now that I think about it, that is not entirely true... Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302)
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.
I haven't used Sygate, but I suspect that malware that can install a
key logger could also hide from Sygate if it wanted to.
Another option is to try to limit the damage a key logger can do. For
example, if your web site uses password authentication, a key logger
can capture the password. The attacker can later use that password to
impersonate the end user. If, OTOH, your web site uses some kind of
two-factor authentication such as a hardware certificate + passphrase,
the situation is much better. The key logger can capture the
passphrase, but it won't do much good to the attacker because they do
not have the certificate.
Of course this hypothetical malware is still in a very powerful
position, sitting between the user and the web application and
essentially doing whatever it pleases as the user. But as soon as the
user's session ends, the malware is locked out again.
Regards,
Brian
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
