Re: [Full-disclosure] Re: Most common keystroke loggers?
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Re: Most common keystroke loggers?
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 02 Dec 2005 11:33:09 +1300
Dave Korn wrote:
> How about one-time passwords? Just go ahead and *let* them keylog it all
> they like; by the time they've snarfed a pw, it's no use any more. (See
> S/Key for more details.)
Ignoring the silliness of pre-printed lists of OTP (such as some
European banking systems' TANs) and the ease of extracting a few from
gullible users, even dynamically generated OTPs are still vulnerable to
man-in-the-middling _if_ the bad guy has code running on the device by
which the user interacts with whatever service the OP is hoping to
"protect". I know the OP said "keylogger compromised", but if the
machine _is_ compromised (and you can't tell from your remote web
server) as the folk running the server you have no control over how it
was compromised, so that is a chronically arbitrary condition (which
suggests to me that the OP doesn't understand his actual problem set).
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/