|
Full Disclosure
mailing list archives
Re: Most common keystroke loggers?
From: Valdis.Kletnieks () vt edu
Date: Thu, 01 Dec 2005 12:57:16 -0500
On Thu, 01 Dec 2005 10:24:50 MST, Shannon Johnston said:
I'm looking for input on what you all believe the most common keystroke
loggers are. I've been challenged to write an authentication method (for
a web site) that can be secure while using a compromised system.
Forget it. You can't do it without going to two-factor authentication,
*and* make sure that the second factor is *not* subvertible by the
compromised system (for instance, even a SecureID won't totally work,
because the keystroke logger can snarf what the user entered, use that
to formulate a bogus request, and then issue the user's actual request,
which should get rejected as a replay attack). Using crypto all the
way from the web server to a smart-card (so all the compromised system
can see is encrypted data it can't get the key for) can help yere.
Attachment:
_bin
Description:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
| 
Intro
