[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Most common keystroke loggers?

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Most common keystroke loggers?
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 03 Dec 2005 13:15:26 +1300

Lionel Ferette wrote:

> > Using crypto all the way from the web server to a smart-card (so all the
> > compromised system can see is encrypted data it can't get the key for) can
> > help yere. 
> Even then, you would need a card reader with integrated pinpad. Otherwise, 
> the 
> keylogger can still sniff the PIN code entry - and then generate any 
> signature it wants by accessing the PC/SC layer directly (been there, done 
> that).

I'm not entirely convinced of that.  _Some part_ of displaying the 
transactions and accepting/rejecting the transactions has to occur 
"securely" (off the compromised machine), but I don't think it 
necessarily has to be the stage you suggest...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Most common keystroke loggers?
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] Most common keystroke loggers?
  - From: Lionel Ferette

Prev by Date: RE: [Full-disclosure] Most common keystroke loggers?
Next by Date: Re: [Full-disclosure] Most common keystroke loggers?
Previous by thread: Re: [Full-disclosure] Most common keystroke loggers?
Next by thread: Re: [Full-disclosure] Most common keystroke loggers?
Index(es):
- Date
- Thread