Re: [Full-disclosure] Most common keystroke loggers?

[Blue Boar <BlueBoar@xxxxxxxxxxx>]

Shannon Johnston wrote:
> Hi All,
> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.

I don't think that's possible for all compromise situations, given 
today's desktop OS software.  It might be possible with a Palladium-like 
system (and you trust that the secure side isn't compromised) and/or a 
hardware assist that doesn't trust the host OS (think small USB-attached 
computer on a stick.)

However, given your query, if you simply want to play the known-threats 
game, you can just require that the Client have up-to-date AV and 
antispyware software, and scans clean.  That's a little orthogonal to 
the issue of trying to be secure in the face of a keylogger installed, 
but probably a better thing to shoot for.

If, for some reason, you only care about the case where a "keylogger" is 
installed, then you can go with some scheme like making the user pick 
numbers of a randomly-scrambled keypad on the screen, with the mouse.

Note, however, that "keyloggers" that grab some portion of the screen 
surrounding the mouse pointer every time you click have already been 
observed in the wild.  They are designed to specifically defeat this 
kind of mechanism.

                                                BB
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/