What can one do against Keylogger Attacks?

Discussion in 'Computer Security' started by Yoy G0, Jun 20, 2005.

  1. Yoy G0

    nemo_outis Guest



    Silly me. I allowed myself to become involved in a battle of wits with
    someone who came unarmed.

    But, never let it be said I am not man enough to admit a mistake. And
    correct it! Sooooo..... PLONK!
     
    nemo_outis, Jun 27, 2005
    #61
    1. Advertisements

  2. Yoy G0

    paul Guest

    Excellent decision, sir. When you have nothing to say, perhaps it's
    best just to shut up.

    Now, back to defeating keyloggers. I contend that for any given acceptable
    risk, it is completely possible to defeat a keylogger attack. This
    is trivial if all you wish to do is authenticate or perform simple
    instructions. Less so if you wish to preserve confidentiality too,
    but still possible.

    Paul
     
    paul, Jun 27, 2005
    #62
    1. Advertisements

  3. Yoy G0

    John Guest

    or use a token with a protected authentication path (eg. smartcard &
    finread) for logging on, decryption, etc.
     
    John, Jul 7, 2005
    #63
  4. Yoy G0

    Taliesin Guest

    If I need 100% protection against possible keylogger virus attack, so
    quite a neat thing I've seen was a "self-made" (self-programmed)
    mouse-keyboard so that you can "type in" your password/paraphrase via
    mouse so that a keyboard-hook doesn't work...


    wfg,
    Taliesin
     
    Taliesin, Jul 7, 2005
    #64
  5. Yoy G0

    Markus Kuhn Guest

    Markus Kuhn, Jul 7, 2005
    #65
  6. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Taliesin schreef:
    Sarah Dean OTFE comparison? <fires up google>
    <http://www.sdean12.org/SecureTrayUtil.htm>
    Thomas
    - --
    "You can't be safer, can't be more secure than with a breast in each
    palm, that's the way I was born and that's the way I want to die" -
    Sugarcubes, Mama, 1988
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iQB5AwUBQs/iUwEP2l8iXKAJAQJIUAMgoAFVNya1Dpnf3PLZu47EJEVOwpUjbe3V
    Y923HyZ/R+NQNDzaDIy5tFjRFCBA6j7CFlJNCc8bBIS2OL3v9CRuexCSeTjbjcve
    qkfO3gMaxs6BP0X3cl7lAIXKAi/Q8fuZk2Nikg==
    =el7a
    -----END PGP SIGNATURE-----
     
    Thomas J. Boschloo, Jul 9, 2005
    #66
  7. Yoy G0

    ipguardian Guest

    Taliesin is on the right track. You must not type in your password at
    all. Let a program inject the password (internally) - there is no
    simulation of keyboard typing anywhere otherwise the keyboard logger
    will capture your keystrokes. That program may possible be an injected
    DLL (in the windoze world).
     
    ipguardian, Jul 16, 2005
    #67
  8. Yoy G0

    Joe Soap Guest

    There are lots of programs for that purpose, some free (e.g. Password Safe)
    and some pay-for (e.g. Personal Info Keeper).

    I never type passwords in anywhere, always drag/drop or cut/paste.
     
    Joe Soap, Jul 16, 2005
    #68
  9. Yoy G0

    ipguardian Guest

    Hi Joe,

    Good start but two potential flaws
    1) keyboard logger still has a chance of capturing your screen (of your
    original password document because it is in clear text)
    2) someone may overlook your shoulder.

    For more secure needs, search for password manager tools instead.
     
    ipguardian, Jul 22, 2005
    #69
  10. Yoy G0

    Joe Soap Guest

    That is NOT a keylogger, it's sumpn else
    Wouldn't get them anywhere - even if I didn't notice (unlikely)
    Thanks, but I don't have a problem. Save your advice for someone who does.
     
    Joe Soap, Jul 22, 2005
    #70
  11. Yoy G0

    winged Guest

    password safe (free utility) never shows the password after day1 (first
    time you set up specific site) and stores password using blowfish on
    local machine, and requires a separate password to access the "safe".
    Security wise I have not tried to crack it, but for me it is a handy
    utility for storing login passwords for multiple sites. It has a
    reasonable random password generator (though only alpha numeric) for new
    sites. The password generator does not do special or alt chats, but the
    safe will support manual entry of those char types. The random password
    Generator will support user define password lengths which is useful for
    long password strings irrespective of the char type restrictions. One
    may add or modify a couple of the random generated chars with alt or
    special chars to further enhance the security of the chosen password,
    users call. Bear in mind blowfish isn't bulletproof,but meets casual
    encryption requirements for my local system.

    Winged
     
    winged, Jul 22, 2005
    #71
  12. Yoy G0

    RangerFrank Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Another way to protect passwords from people looking over your
    shoulder is to use biometrics. I use Microsoft fingerprint reader
    and never have to type in passwords. Pretty cheap at $35.

    RangerFrank

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
    Comment: Encrypted Classified Document - Recipients Eyes Only

    iQA/AwUBQuD5o50rlc6Kk7oXEQK+wgCgzt0bhKcP0CYpxLAFHX18f95WRp0AoIdZ
    6Typ+77k4IYPYtb+HgLOU8PJ
    =St5C
    -----END PGP SIGNATURE-----
     
    RangerFrank, Jul 22, 2005
    #72
  13. http://www.microsoft.com/hardware/mouseandkeyboard/features/fingerprint.mspx
    Says:
    The Fingerprint Reader should not be used for protecting sensitive data
    such as financial information or for accessing corporate networks.
    We continue to recommend that you use a strong password for these types of
    activities.

    Wonder if there is a Linux driver?
     
    Jan Panteltje, Jul 22, 2005
    #73
  14. Yoy G0

    Winged Guest

    My daughter opens my laptop fingerprint reader easier than I can. I
    recorded the prints and have rerecorded them, I have a difficult time
    opening device with my print but she just walks on in...Boy I hope she
    never kills anyone...

    Winged
     
    Winged, Jul 23, 2005
    #74
  15. Yoy G0

    RangerFrank Guest

    The Microsoft Fingerprint Reader is primarily used for logging onto
    windows, accessing Internet sites that require a User Name and
    Password. The disclaimer with the Fingerprint Reader should not be
    used with financial sites, etc. is for Microsoft's protection from
    liability. The Fingerprint Reader is very convenient and easy to use.
    PGP is used to protect E-Mail messages, attachments, and files stored
    on the computer.
     
    RangerFrank, Jul 23, 2005
    #75
  16. Several years ago there was some tests in the German magazine C'T.
    I think one trick was to breathe on the sensor after somebody used it,
    that made the pattern 're-appear'.
    Have you had any success with things like that?
    And making a fake fingerprint with some silicone kit?
    Is there a Linux driver?
     
    Jan Panteltje, Jul 23, 2005
    #76
  17. Yoy G0

    RangerFrank Guest

    Hi Jan,

    I guess that is a remote possiblity to counterfit my fingerprint. I'm
    not concerned, because my computer is in a safe enviorment.
    No Linux driver on my computer.

    RangerFrank
     
    RangerFrank, Jul 24, 2005
    #77
  18. Yoy G0

    nemo_outis Guest



    It is generally trivial to "capture" soneone else's fingerprint, especially
    if one shares some environment with him (home, work, social, etc.). For
    instance, offer him a glass of wine to taste, or even just take his coffee
    cup - the imaginative will readily think of dozens of additional methods.
    BTW cyanoacrylate (crazy glue) can be used to lift even very faint prints.

    Most cheap (and even some expensive) fingerprint readers do not do very (or
    any!) "aliveness" tests - they just read the pattern.

    Moreover, many fingerprint readers are simple USB devices and do NOT
    authenticate themselves to the computer (or vice versa) - chances are there
    is no encryption of the data transmitted either. This makes it very easy
    to spoof a genuine reader, do replay attacks, etc.

    Nope, fingerprint readers, as currently implemented, are generally very
    feeble reeds on which to lean.

    Regards,
     
    nemo_outis, Jul 24, 2005
    #78
  19. I say, if someone wants something so bad they are willing to take
    your finger . . . I suggest you just give it to them.
     
    Luc The Perverse, Jul 24, 2005
    #79
  20. Yoy G0

    Joe Peschel Guest

    But if you give 'em the finger, they'll be really pissed off.

    j

    --
    __________________________________________

    http://www.impeach-bush-now.org

    Joe Peschel
    D.O.E. SysWorks
    http://members.aol.com/jpeschel/index.htm
    __________________________________________
     
    Joe Peschel, Jul 24, 2005
    #80
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.