<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How to resist keyloggers</title>
	<atom:link href="http://www.securityteacher.com/2007/10/10/security-tip/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityteacher.com/2007/10/10/security-tip/</link>
	<description>Internet Security Tips and Advice</description>
	<lastBuildDate>Thu, 22 Jan 2009 18:13:06 -0600</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Igor Pankov</title>
		<link>http://www.securityteacher.com/2007/10/10/security-tip/comment-page-1/#comment-194</link>
		<dc:creator>Igor Pankov</dc:creator>
		<pubDate>Wed, 18 Jun 2008 13:43:09 +0000</pubDate>
		<guid isPermaLink="false">http://www.securityteacher.com/2007/10/10/security-tip/#comment-194</guid>
		<description>To NSR: Depending on the keylogger app, mouse clicks can also be captured. Web-based virtual keyboards are more isolated from this threat, however, and that was my point in the article – to choose the best option amongst poor alternatives.

Igor Pankov,
Agnitum</description>
		<content:encoded><![CDATA[<p>To NSR: Depending on the keylogger app, mouse clicks can also be captured. Web-based virtual keyboards are more isolated from this threat, however, and that was my point in the article – to choose the best option amongst poor alternatives.</p>
<p>Igor Pankov,<br />
Agnitum</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: NSR</title>
		<link>http://www.securityteacher.com/2007/10/10/security-tip/comment-page-1/#comment-189</link>
		<dc:creator>NSR</dc:creator>
		<pubDate>Tue, 17 Jun 2008 15:15:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.securityteacher.com/2007/10/10/security-tip/#comment-189</guid>
		<description>This method is NOT secure. Software keyloggers can also detect mouse clicks so they would log something like this:

-------------
MYPA *left mouse click* qwertradsffaas837aefud *left mouse click* SSWORD
-------------

And I think software keyloggers are more common than hardware ones since these ones cost money (and some of them can be easily detected just by looking for something strange on the wire from the keyboard to the motherboard) and the first ones can be obtained for free on the internet and installed by some random kid. Just imagine the typical cyber-cafe and you&#039;ll understand what I mean :D

The only methods to securely insert a password in an insecure environment I can think of are these:
-Use the &quot;On-Screen Keyboard&quot; under &quot;Accessibility&quot; (Microsoft Windows) or the web page you say. The first one is more secure since with the second one you have to copy and paste, so that information can be stored by the keylogger if it supports this feature.

-Type random characters anywhere and then copy and paste them one by one with your mouse in the user/password field (not with &quot;shift+direction keys&quot;). You can also paste fake characters and then left click (so they don&#039;t know where that vertical bar that appears when you type is) and delete them. This way, and if you don&#039;t paste the letters/numbers/symbols in order, even if they can see what you copy or paste it will be really difficult to reconstruct your password if it isn&#039;t something logical (random characters instead of the name of your favorite football player) and it&#039;s long enough.

There&#039;s also the problem that some software keyloggers also can take screenshots every certain amount of time. Due to resources and hardware capacity limits it is usually set to take one every X minutes though, so that shouldn&#039;t be a problem with the methods I say since they will never see every character you copy and where you paste it, and also remember that the password field usually only shows ***. Also there are ones which can specify the mouse position (x,y) in the moment of the click, but that is just too paranoid and I don&#039;t think the everyday lamer who installs a keylogger on your cyber-cafe will use that feature and will spend hours to guess where the mouse was and reconstruct what you did.

And of course all that is meaningless if you don&#039;t log out after using the service and deleting the cookies/browser/windows cache after using it or if you don&#039;t log in using the ssl option.


PS: There are other methods to obtain passwords and usernames such as cameras and that sort of stuff.
PS2: It is also recommended to do that with the username, since it can be bruteforced to obtain the password or used to track your activities on the internet and obtain personal data you post on the internet. Trust me, with only a username you can even obtain a photo of the person and also lots of information in forums and so on...</description>
		<content:encoded><![CDATA[<p>This method is NOT secure. Software keyloggers can also detect mouse clicks so they would log something like this:</p>
<p>&#8212;&#8212;&#8212;&#8212;-<br />
MYPA *left mouse click* qwertradsffaas837aefud *left mouse click* SSWORD<br />
&#8212;&#8212;&#8212;&#8212;-</p>
<p>And I think software keyloggers are more common than hardware ones since these ones cost money (and some of them can be easily detected just by looking for something strange on the wire from the keyboard to the motherboard) and the first ones can be obtained for free on the internet and installed by some random kid. Just imagine the typical cyber-cafe and you&#8217;ll understand what I mean :D</p>
<p>The only methods to securely insert a password in an insecure environment I can think of are these:<br />
-Use the &#8220;On-Screen Keyboard&#8221; under &#8220;Accessibility&#8221; (Microsoft Windows) or the web page you say. The first one is more secure since with the second one you have to copy and paste, so that information can be stored by the keylogger if it supports this feature.</p>
<p>-Type random characters anywhere and then copy and paste them one by one with your mouse in the user/password field (not with &#8220;shift+direction keys&#8221;). You can also paste fake characters and then left click (so they don&#8217;t know where that vertical bar that appears when you type is) and delete them. This way, and if you don&#8217;t paste the letters/numbers/symbols in order, even if they can see what you copy or paste it will be really difficult to reconstruct your password if it isn&#8217;t something logical (random characters instead of the name of your favorite football player) and it&#8217;s long enough.</p>
<p>There&#8217;s also the problem that some software keyloggers also can take screenshots every certain amount of time. Due to resources and hardware capacity limits it is usually set to take one every X minutes though, so that shouldn&#8217;t be a problem with the methods I say since they will never see every character you copy and where you paste it, and also remember that the password field usually only shows ***. Also there are ones which can specify the mouse position (x,y) in the moment of the click, but that is just too paranoid and I don&#8217;t think the everyday lamer who installs a keylogger on your cyber-cafe will use that feature and will spend hours to guess where the mouse was and reconstruct what you did.</p>
<p>And of course all that is meaningless if you don&#8217;t log out after using the service and deleting the cookies/browser/windows cache after using it or if you don&#8217;t log in using the ssl option.</p>
<p>PS: There are other methods to obtain passwords and usernames such as cameras and that sort of stuff.<br />
PS2: It is also recommended to do that with the username, since it can be bruteforced to obtain the password or used to track your activities on the internet and obtain personal data you post on the internet. Trust me, with only a username you can even obtain a photo of the person and also lots of information in forums and so on&#8230;</p>
]]></content:encoded>
	</item>
</channel>
</rss>
