|
Full Disclosure
mailing list archives
Re: Most common keystroke loggers?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 02 Dec 2005 11:33:09 +1300
Gustavo wrote:
If you want to provide reliable authentication, given that the user
has a keystroke logger installed, you may simply use a visual keyboard
written in Java.
Dude -- you really are out of your depth here...
Barclays (and other UK banks?) were doing this in the late 90s. Within
months keyloggers that took screenshots of a small area around the
mouse pointer hot-spot were being found.
Some South American banks currently under massive identity
theft/keylogging "attack" (like Banco Brasil) apparently don't talk to
others in the banking industry, as some have recently started using
such "on-screen keyboards" to "defeat" the keylogging attackers that
hound their customers. Within a very short time period we saw some of
those keyloggers adapt by adding screenshot-grabbing of a small area
around the mouse point hot-spot. Seems they talked with uninformed
"security consultants" rather than folk who know how systems work, what
malware is, what it can do that it may not be doing today and, in this
case, what has already been tried and trivially beaten...
If you don't understand that all the I/O on the "compromised" machine
(for the types of machine we are talking about) can be intercepted, you
shouldn't be trying to answer the OP's question (and if the OP
understood that, he would not have asked as he would have realized he
was aiming at doing the impossible).
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- RE: [inbox] Re: Most common keystroke loggers?, (continued)
|
Intro
