Defeating keyloggers on untrustworthy machines?

Discussion in 'NZ Computing' started by Nik Coughlin, Mar 21, 2006.

  1. Nik Coughlin Guest

    I was talking to someone today about how I prefer web based mail such as
    Gmail to using client software because I can access my mail from anywhere
    easily. They said they didn't like the idea because you could be using an
    untrustworthy machine, for example an Internet cafe, or a friend or relative
    who is naive about security's home, and that they could be infected with one
    of many different malware products that do keystroke logging.

    Got me thinking, I could put something on my webserver (probably php/snoopy)
    whereby whenever I am using an untrustworthy computer, I could go to a
    fairly anonymous page on my own domain with a form on it, fill in say, half
    the password, and have it append the other half of the password and then
    submit that to the gmail login page, and feed me the results. Kind of a
    proxy.

    That's just one solution, it probably has some flaw that I've overlooked, I
    just thought of this. The thing is, I'm positive other people have thought
    about this before, I just can't formulate a good Google search that finds
    something like I am thinking of. Does anyone know of any alternative
    solutions to this problem? Apart from constantly having to come up with new
    passwords and then having to remember them :p
    Nik Coughlin, Mar 21, 2006
    #1

  2. Shane Guest

    Nik Coughlin wrote:

    > I was talking to someone today about how I prefer web based mail such as
    > Gmail to using client software because I can access my mail from anywhere
    > easily. They said they didn't like the idea because you could be using an
    > untrustworthy machine, for example an Internet cafe, or a friend or
    > relative who is naive about security's home, and that they could be
    > infected with one of many different malware products that do keystroke
    > logging.
    >
    > Got me thinking, I could put something on my webserver (probably
    > php/snoopy) whereby whenever I am using an untrustworthy computer, I could
    > go to a fairly anonymous page on my own domain with a form on it, fill in
    > say, half the password, and have it append the other half of the password
    > and then submit that to the gmail login page, and feed me the results.
    > Kind of a proxy.
    >
    > That's just one solution, it probably has some flaw that I've overlooked,
    > I just thought of this. The thing is, I'm positive other people have
    > thought about this before, I just can't formulate a good Google search
    > that finds something like I am thinking of. Does anyone know of any
    > alternative solutions to this problem? Apart from constantly having to
    > come up with new passwords and then having to remember them :p



    Except if you've been keylogged (which you are concerned about) the bad guys
    will just go to your domain and fill in the half of the password they
    already have and, just like you, be given the total password for gmail. Of
    course you may want to defeat that vector by constantly changing the page
    holding the half password, which is really self defeating.

    The option I liked for this scenario was your page on your webserver
    providing (say) a virtual keyboard that changes each time it's accessed,
    and you click away your password with the mouse. The problem here is screen
    capture comes with most trojans today.. :-\

    Another option favoured by most people is bootable CDs, eg Knoppix, Ubuntu,
    or (for windows fans) BartsPE etc. Therefore your machine is almost
    guaranteed to be keylog free, however this doesn't prevent an unscrupulous
    Inet Cafe operator watching your data as it passes through his gateway, or
    hardware keyloggers (but maybe a combo of virtual KB + bootable OS will
    work here).
    The other problem with that solution is convincing the computer's owner that
    you should be allowed to boot another OS on their computer.


    HTH
    Shane, Mar 21, 2006
    #2

  3. On Tue, 21 Mar 2006 20:48:12 +1200, Shane wrote:

    > Except if youve been keylogged (which you are concerned about) the bad guys
    > will just go to your domain and fill in the half of the password they
    > already have, and, just like you be given the total password for gmail of
    > course you may want to defeat that vector by constantly changing the page
    > holding the half password , which is really self defeating.


    Remember those old one-time pads that spies used to encrypt messages? What
    about an electronic version of those linked to a website? Either that or
    sending random txt messages to a phone could work I guess.

    --
    Regards,

    Waylon Kenning.
    Waylon Kenning, Mar 21, 2006
    #3
  4. Craig Shore Guest

    On Tue, 21 Mar 2006 20:37:53 +1200, "Nik Coughlin"
    <> wrote:

    >I was talking to someone today about how I prefer web based mail such as
    >Gmail to using client software because I can access my mail from anywhere
    >easily.


    I'm looking at doing something similar as I access my mail from two
    computers here. A mail service running IMAP with a webmail interface
    as well seems to be the best solution. Unfortunately ihug don't
    appear to support IMAP.

    I'm thinking about www.fastmail.net


    > They said they didn't like the idea because you could be using an
    >untrustworthy machine, for example an Internet cafe, or a friend or relative
    >who is naive about security's home, and that they could be infected with one
    >of many different malware products that do keystroke logging.


    There's nothing you can do to stop that if you're using someone else's
    machine.
    Craig Shore, Mar 21, 2006
    #4
  5. shannon Guest

    Nik Coughlin wrote:
    > I was talking to someone today about how I prefer web based mail such as
    > Gmail to using client software because I can access my mail from anywhere
    > easily. They said they didn't like the idea because you could be using an
    > untrustworthy machine, for example an Internet cafe, or a friend or relative
    > who is naive about security's home, and that they could be infected with one
    > of many different malware products that do keystroke logging.
    >
    > Got me thinking, I could put something on my webserver (probably php/snoopy)
    > whereby whenever I am using an untrustworthy computer, I could go to a
    > fairly anonymous page on my own domain with a form on it, fill in say, half
    > the password, and have it append the other half of the password and then
    > submit that to the gmail login page, and feed me the results. Kind of a
    > proxy.
    >
    > That's just one solution, it probably has some flaw that I've overlooked, I
    > just thought of this. The thing is, I'm positive other people have thought
    > about this before, I just can't formulate a good Google search that finds
    > something like I am thinking of. Does anyone know of any alternative
    > solutions to this problem? Apart from constantly having to come up with new
    > passwords and then having to remember them :p
    >
    >


    You could use the onscreen keyboard accessory
    shannon, Mar 21, 2006
    #5
  6. Alan Guest

    "Waylon Kenning" <> wrote in
    message news:p...
    > On Tue, 21 Mar 2006 20:48:12 +1200, Shane wrote:
    >
    > Remember those old one-time pads that spies used to encrypt messages?
    > What about an electronic version of those linked to a website? Either
    > that or sending random txt messages to a phone could work I guess.
    >



    I suspect you'll find they are still in use, just in electronic form.

    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
    Alan, Mar 21, 2006
    #6
  7. David Guest

    Waylon Kenning wrote:
    > On Tue, 21 Mar 2006 20:48:12 +1200, Shane wrote:
    >
    >> Except if youve been keylogged (which you are concerned about) the bad guys
    >> will just go to your domain and fill in the half of the password they
    >> already have, and, just like you be given the total password for gmail of
    >> course you may want to defeat that vector by constantly changing the page
    >> holding the half password , which is really self defeating.

    >
    > Remember those old one-time pads that spies used to encrypt messages? What
    > about an electronic version of those linked to a website? Either that or
    > sending random txt messages to a phone could work I guess.
    >


    That could be an idea for google to implement, text message password
    verification (it sends you a code you type in). Google would have the
    power to make this work with all the cell networks, but I bet it
    wouldn't be available in NZ, or at least not to telecom customers.
    David, Mar 21, 2006
    #7
  8. On Tue, 21 Mar 2006 22:14:18 +1200, David wrote:

    > That could be an idea for google to implement, text message password
    > verification (it sends you a code you type in). Google would have the
    > power to make this work with all the cell networks, but I bet it
    > wouldn't be available in NZ, or at least not to telecom customers.


    You get sent a random code to sign up with Gmail http://gmail.google.com.
    Works with Vodafone at least. At least it stops spammers a little I guess.

    --
    Regards,

    Waylon Kenning.
    "Don't concentrate on the folly of others - he is not wise who is not wise
    for himself".
    Waylon Kenning, Mar 21, 2006
    #8
  9. Dave Taylor Guest

    Shane <-a-geek.net> wrote in
    news:dvoejs$rvt$:

    > The option I liked for this scenario was your page on your webserver
    > providing (say) a virtual keyboard, that changes each time its
    > accessed, and you click away your password with the mouse, the problem
    > here is screen capture comes with most trojans today.. :-\
    >
    > Another option favoured by most people is bootable Cd's, eg Knoppix,
    > Ubuntu, or (for windows fans) BartsPE etc. Therefore your machine is
    > almost guaranteed to be keylog free, however this doesnt prevent an
    > unscrupulous Inet Cafe operator watching your data as it passes
    > through his gateway, or hardware keyloggers (but maybe a combo of
    > virtual KB + bootable OS will work here)
    > The other problem with that solution, is convincing the computers
    > owner that you should be allowed to boot another OS on their computer
    >


    Yup.

    --
    Ciao, Dave
    Dave Taylor, Mar 21, 2006
    #9
  10. "Nik Coughlin" <> wrote in message
    news:dvoe0o$rbc$...
    >I was talking to someone today about how I prefer web based mail such as
    >Gmail to using client software because I can access my mail from anywhere
    >easily. They said they didn't like the idea because you could be using an
    >untrustworthy machine, for example an Internet cafe, or a friend or
    >relative who is naive about security's home, and that they could be
    >infected with one of many different malware products that do keystroke
    >logging.
    >
    > Got me thinking, I could put something on my webserver (probably
    > php/snoopy) whereby whenever I am using an untrustworthy computer, I could
    > go to a fairly anonymous page on my own domain with a form on it, fill in
    > say, half the password, and have it append the other half of the password
    > and then submit that to the gmail login page, and feed me the results.
    > Kind of a proxy.
    >
    > That's just one solution, it probably has some flaw that I've overlooked,
    > I just thought of this. The thing is, I'm positive other people have
    > thought about this before, I just can't formulate a good Google search
    > that finds something like I am thinking of. Does anyone know of any
    > alternative solutions to this problem? Apart from constantly having to
    > come up with new passwords and then having to remember them :p
    >


    The best would be 2-factor authentication, but gmail does not support this -
    you would be provided with a user id, password, and a 2nd password.

    To signon, you would enter your user name/password.

    Then, it would request 3 random characters from your 2nd password. Even if
    a key logger detected all your keystrokes, the info would be useless, since
    they only have 3 characters from the 2nd password. So, if they tried to
    signon, they would be asked to enter 3 alternate characters from your 2nd
    password, which they do not have.
    news.xtra.co.nz, Mar 21, 2006
    #10
  11. Nik Coughlin Guest

    Nik Coughlin wrote:
    > Got me thinking, I could put something on my webserver (probably
    > php/snoopy) whereby whenever I am using an untrustworthy computer, I
    > could go to a fairly anonymous page on my own domain with a form on
    > it, fill in say, half the password, and have it append the other half
    > of the password and then submit that to the gmail login page, and
    > feed me the results. Kind of a proxy.


    Well, here's what I came up with, if anyone's interested:

    http://nrkn.com/securitah/index.php?inString=zomfg

    The grid sequence changes every time the page is accessed.

    Obviously if it's working properly you shouldn't be able to get into it --
    that's not a challenge by the way :)
    Nik Coughlin, Mar 22, 2006
    #11
  12. Shane Guest

    Nik Coughlin wrote:

    > Nik Coughlin wrote:
    >> Got me thinking, I could put something on my webserver (probably
    >> php/snoopy) whereby whenever I am using an untrustworthy computer, I
    >> could go to a fairly anonymous page on my own domain with a form on
    >> it, fill in say, half the password, and have it append the other half
    >> of the password and then submit that to the gmail login page, and
    >> feed me the results. Kind of a proxy.

    >
    > Well, here's what I came up with, if anyone's interested:
    >
    > http://nrkn.com/securitah/index.php?inString=zomfg
    >
    > The grid sequence changes every time the page is accessed.
    >
    > Obviously if it's working properly you shouldn't be able to get into it --
    > that's not a challenge by the way :)



    Hi nick, great job. One thought I had after I made my post was that you
    could add another layer of security by using ssl, on https. This would
    pretty much kill (rather, slow down) man in the middle attacks.
    All in all I don't think anything more (at this point) can be done further
    than that.

    HTH
    Shane, Mar 22, 2006
    #12
  13. Craig Shore Guest

    On Wed, 22 Mar 2006 17:40:13 +1200, Shane <-a-geek.net> wrote:

    >Nik Coughlin wrote:
    >
    >> Nik Coughlin wrote:
    >>> Got me thinking, I could put something on my webserver (probably
    >>> php/snoopy) whereby whenever I am using an untrustworthy computer, I
    >>> could go to a fairly anonymous page on my own domain with a form on
    >>> it, fill in say, half the password, and have it append the other half
    >>> of the password and then submit that to the gmail login page, and
    >>> feed me the results. Kind of a proxy.

    >>
    >> Well, here's what I came up with, if anyone's interested:
    >>
    >> http://nrkn.com/securitah/index.php?inString=zomfg
    >>
    >> The grid sequence changes every time the page is accessed.
    >>
    >> Obviously if it's working properly you shouldn't be able to get into it --
    >> that's not a challenge by the way :)

    >
    >
    >Hi nick, great job, One thought I had after I made my post was that you
    >could add another layer of security by using ssl, on https. This would
    >pretty much kill (rather, slow down) man in the middle attacks.
    >All in all I dont think anything more(at this point) can be done further
    >than that


    Unfortunately it's still open to monitoring. A screen grab and monitoring of
    where the mouse clicks are would reveal the password.
    The two letters from a second password thing like the banks do, that someone
    else suggested here, seems the best idea.
    Craig Shore, Mar 22, 2006
    #13
  14. Alan Guest

    "Craig Shore" <> wrote in message
    news:p...
    > On Wed, 22 Mar 2006 17:40:13 +1200, Shane
    > <-a-geek.net> wrote:
    >
    > Unfortunately it's still open to monitoring. A screen grab and
    > monitoring of where the mouse clicks are would reveal the password.
    > The two letters from a second password thing like the banks do, that
    > someone else suggested here, seems the best idea.
    >


    I'd definitely use that, but be aware that if you are being 'watched'
    and you have a short password that doesn't change often, after a few
    logins, the watcher would likely have a good chance of knowing the two
    characters that they are asked for.

    For example, with an eight character password, if you are asked for,
    say, 1 and 3 the first time, and then 5 and 7 the second time, a
    watcher would have half of the possible 8 chars they might be asked
    for.

    Therefore, a long (64 chars or more?) password seems like a good idea,
    perhaps written down even (since losing that password wouldn't allow
    someone access without the digital info too).

    Just a thought.

    Alan.




    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
    Alan, Mar 22, 2006
    #14
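
The partial-password challenge from post #10 and the exposure Alan describes in post #14, worked through as an added Python example (not code from any poster or from a real bank's system). The function names, the sample second password and the 50% threshold are assumptions made for illustration.

```python
import hmac
import random
import secrets
from math import comb


def new_challenge(length, k, rng=None):
    """Pick k distinct 1-based positions of the second password to ask for."""
    rng = rng or secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, length + 1), k)))


def verify(second_password, positions, answer):
    """Server side: compare the typed characters with the requested positions."""
    expected = "".join(second_password[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def observe(known, positions, answer):
    """What a keylogger plus screen grab learns from one login: position -> char."""
    known.update(zip(positions, answer))
    return known


def attacker_answer(known, positions):
    """The watcher can answer only if every requested position was captured."""
    if all(p in known for p in positions):
        return "".join(known[p] for p in positions)
    return None


def replay_probability(length, k, seen_count):
    """Chance that a fresh random challenge asks only for captured positions."""
    return comb(seen_count, k) / comb(length, k)


def logins_until_exposed(length, k, threshold=0.5, trials=500, seed=1):
    """Average number of watched logins before replay_probability >= threshold."""
    rng = random.Random(seed)  # seeded for a repeatable simulation only
    total = 0
    for _ in range(trials):
        seen = set()
        logins = 0
        while replay_probability(length, k, len(seen)) < threshold:
            seen.update(new_challenge(length, k, rng))
            logins += 1
        total += logins
    return total / trials


if __name__ == "__main__":
    second = "mYs3c0nd"  # constructed 8-character second password
    known = {}
    for positions in [(1, 3), (5, 7)]:  # the two logins in Alan's example
        answer = "".join(second[p - 1] for p in positions)
        assert verify(second, positions, answer)
        observe(known, positions, answer)
    print("captured positions:", sorted(known))
    print("can answer (1, 5):", attacker_answer(known, (1, 5)))
    print("can answer (2, 4):", attacker_answer(known, (2, 4)))
    print("replay chance, 8 chars:", round(replay_probability(8, 2, 4), 3))
    print("replay chance, 64 chars:", round(replay_probability(64, 2, 4), 4))
    for n in (8, 64):
        print(n, "chars: watched logins to reach 50%:", logins_until_exposed(n, 2))
```
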
  15. Nik Coughlin Guest

    Craig Shore wrote:
    > On Wed, 22 Mar 2006 17:40:13 +1200, Shane
    > <-a-geek.net> wrote:
    >
    >> Nik Coughlin wrote:
    >>
    >>> Nik Coughlin wrote:
    >>>> Got me thinking, I could put something on my webserver (probably
    >>>> php/snoopy) whereby whenever I am using an untrustworthy computer,
    >>>> I could go to a fairly anonymous page on my own domain with a form
    >>>> on it, fill in say, half the password, and have it append the
    >>>> other half of the password and then submit that to the gmail login
    >>>> page, and feed me the results. Kind of a proxy.
    >>>
    >>> Well, here's what I came up with, if anyone's interested:
    >>>
    >>> http://nrkn.com/securitah/index.php?inString=zomfg
    >>>
    >>> The grid sequence changes every time the page is accessed.
    >>>
    >>> Obviously if it's working properly you shouldn't be able to get
    >>> into it -- that's not a challenge by the way :)

    >>
    >>
    >> Hi nick, great job, One thought I had after I made my post was that
    >> you could add another layer of security by using ssl, on https.
    >> This would pretty much kill (rather, slow down) man in the middle
    >> attacks.
    >> All in all I dont think anything more(at this point) can be done
    >> further than that

    >
    > Unfortunatly it's still open to monitoring. A screen grab and
    > monitoring of where the mouse clicks are would reveal the password.
    > The two letters from a second password thing like the banks do, that
    > someone else suggested here, seems the best idea.


    Hi Craig,

    Something similar to the 'two letters from password thing' *is* built in.
    There are some subtleties involving the colour of the tiles that are
    randomised each time but from which I can deduce how it wants me to enter my
    password, they would need to capture a very high number of logins to work
    out how to get around this.
    Nik Coughlin, Mar 23, 2006
    #15
  16. On Thu, 23 Mar 2006 14:08:51 +1200, someone purporting to be Nik Coughlin
    didst scrawl:

    > Craig Shore wrote:

    *SNIP*
    >> Unfortunatly it's still open to monitoring. A screen grab and
    >> monitoring of where the mouse clicks are would reveal the password.
    >> The two letters from a second password thing like the banks do, that
    >> someone else suggested here, seems the best idea.

    >
    > Hi Craig,
    >
    > Something similar to the 'two letters from password thing' *is* built in.
    > There are some subtleties involving the colour of the tiles that are
    > randomised each time but from which I can deduce how it wants me to enter my
    > password, they would need to capture a a very high number of logins to work
    > out how to get around this.


    I'm puzzled at why you guys aren't just using OTP for this? Fine, it means
    you have to carry a sheet around with you, but you simply cannot beat it
    for security.
    Of course, that's based on the (probably flawed) assumption that I've
    followed the conversation properly and you're talking about logging into a
    website that you have created yourself to avoid keylogging when working on
    insecure computers, and that site then logs into whichever secure site you
    really want to get to.

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
    Matthew Poole, Mar 23, 2006
    #16
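
One way to build the OTP sheet suggested in post #16 for a self-hosted login page, shown as an added example (not code from the thread): a Lamport hash chain, the construction S/KEY used. The names, the 8-byte code length and the failure limit are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 8  # assumed code length: 16 hex characters per sheet entry


def h(value: bytes) -> bytes:
    """One step of the chain: truncated SHA-256."""
    return hashlib.sha256(value).digest()[:CODE_BYTES]


def make_sheet(n, seed=None):
    """Return (sheet, anchor). sheet[0] is used first; the server stores only anchor."""
    chain = [h(seed or secrets.token_bytes(32))]
    for _ in range(n):
        chain.append(h(chain[-1]))
    anchor = chain[-1]
    # The sheet lists the chain backwards, so each code hashes to the one used before it.
    sheet = [c.hex() for c in reversed(chain[:-1])]
    return sheet, anchor


class SheetLogin:
    """Server side: accepts each sheet entry once, in order."""

    def __init__(self, anchor, max_failures=5):
        self.current = anchor
        self.failures = 0
        self.max_failures = max_failures

    def login(self, code_hex):
        if self.failures >= self.max_failures:
            return False  # locked out: stops online guessing
        try:
            code = bytes.fromhex(code_hex)
        except ValueError:
            code = b""
        if hmac.compare_digest(h(code), self.current):
            # The used code becomes the new anchor. A keylogged copy of it only
            # hashes forward to values the server has already retired.
            self.current = code
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    sheet, anchor = make_sheet(5)
    server = SheetLogin(anchor)
    print("first code accepted:", server.login(sheet[0]))
    print("captured code replayed:", server.login(sheet[0]))
    print("next code accepted:", server.login(sheet[1]))
```
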
  17. Nik Coughlin Guest

    Matthew Poole wrote:
    > On Thu, 23 Mar 2006 14:08:51 +1200, someone purporting to be Nik
    > Coughlin didst scrawl:
    >
    >> Craig Shore wrote:

    > *SNIP*
    >>> Unfortunatly it's still open to monitoring. A screen grab and
    >>> monitoring of where the mouse clicks are would reveal the password.
    >>> The two letters from a second password thing like the banks do, that
    >>> someone else suggested here, seems the best idea.

    >>
    >> Hi Craig,
    >>
    >> Something similar to the 'two letters from password thing' *is*
    >> built in. There are some subtleties involving the colour of the
    >> tiles that are randomised each time but from which I can deduce how
    >> it wants me to enter my password, they would need to capture a a
    >> very high number of logins to work out how to get around this.

    >
    > I'm puzzled at why you guys aren't just using OTP for this? Fine, it
    > means you have to carry a sheet around with you, but you simply
    > cannot beat it for security.
    > Of course, that's based on the (probably flawed) assumption that I've
    > followed the conversation properly and you're talking about logging
    > into a website that you have created yourself to avoid keylogging
    > when working on insecure computers, and that site then logs into
    > whichever secure site you really want to get to.


    You said it, I would have to carry a sheet around with me, and I would
    almost certainly lose it! OTP is almost certainly a better solution for
    most people most of the time but I am happy doing it my way. One of the big
    advantages IMO is that I get considerable security through obscurity, this
    being the only implementation of this particular system. I'm pretty sure
    it's safe against any non-directed automated attacks, which is what I am
    concerned about.
    Nik Coughlin, Mar 23, 2006
    #17