vknowles

Is there a way to "trick" a keylogger?

Sometimes I'm on a trip without a pc.  I know I can go to a web cafe or even a hotel's public pc... but I wonder about keylogging.

Since I know virtually nothing about how those things work, I want to know if this will protect my web mail user id and password:

1) Open a Notepad window.
2) Type the alphabet (upper and lower case) and numbers 0-9.
3) Using the mouse, painfully copy and paste the bits of my webmail user name and password onto subsequent lines of the document.
4) Highlight the completed user name, CTRL-C, mouse over to the web page, CTRL-V into the user id field.  (Or, alternately, use the context menu to copy and paste without using the keyboard at all.)
5) Ditto for the password.

Does that in any way prevent a keylogger from recording my info?

Thanks!
tomv011397

I guess it depends on the keylogger, but the clipboard will look to the system as keyboard entry, so I suspect most of them would get it anyway.

Corporate webmail?

If you've got a large pocket book or budget, you could go with RSA authentication ??
What exactly does "RSA authentication" mean here?

If you mean SecurID, you should be aware that the SecurID algorithm is reversible, allowing someone that has snarfed SecurID credentials with a keylogger to generate the SecurID values needed for login in the future.
Yes, RSA SecurID.

I've heard it's reversible, but it is still far more secure than not doing anything....

OR...

You 'could' set up something on your mail server to scramble you a new password after you logout.
Low tech solution:

Set up a list of challenge response pairs in a DB at the web site.

Option 1)

Send challenge word, look it up in your 'cheat book' and reply (Set the system to NOT reuse words in the future, use once, and gone)

Option 2)

Same basic db, but on signoff, it shows the challenge word for the NEXT login, use that new key (from the lookup book) to login at the next stop (Option, just make the password go through the list sequentially in the lookup book)

Option 3)

Same but you give the challenge word to be used in the future. This allows you to change the PW whenever you use a public terminal, but you decide.

Tom
(listening)
I found something else for you also, yesterday after I saw your question, and have been trying to look out for some solution other than acting intelligent ourselves. I found something called anti-keyloggers. These are some programs acting against the keyloggers. This can even be done with some of the firewalls like zonealarm, if you properly use it. Try visiting this page
 http://www.styopkin.com/keylogger_hunter.html
For more clarifications, contact me. I believe you will have enough information from what I have said.

MOkShAA
Tim Holman
A quick word on RSA...
YES the algorithm IS reversible, but only if you have access to the seed records....  
Hopefully your administrator would have locked these away in a safe..  ;)

Now back to keyloggers.
Most software keyloggers are capable of screen captures, and can more or less copy what you do on screen.  However, your casual keystroke logger user, with several logs to look through, will only be looking for readable text, and probably wouldn't understand what you're doing with notepad unless he was particularly forensic about his methodology.
Still - it's a tangible risk.

Any company which has online access, such as Web Mail, really needs 2-factor auth - RSA SecurID, Aladdin etc.  This is the ONLY safe way of getting around keystroke loggers.
No, you can reverse the algorithm without the seed records if you have a) one value from the token and b) know the date/time that value was generated. This was published a couple of years ago in a report from @stake, and there are programs available in the black-hat community for doing the reversal.

There are a lot of good 2-factor auth schemes around, but SecurID isn't one of them.
Sorry - I meant this is only ABUSABLE if you have access to the seed records.
If you know the algorithm and have some seed records, then you can generate valid passcodes without having access to a token.  You'd also need to know its PIN, which is fairly easy to get via a keystroke logger.

Good article:

http://seclists.org/lists/firewall-wizards/2000/Dec/0013.html

The key is keeping seed records safe.  Bear in mind most of the US Govt. use SecurID tokens, so they can't be that bad !
The SecurID algorithm is abusable even without access to the seed records.

It still has advantages over passwords, but ability to keep keyloggers from breaking into your account is not one of them.

See the full @stake report at http://www.linuxsecurity.com/resource_files/cryptography/initial_securid_analysis.pdf (it is curiously no longer on @stake's site)
has anyone noticed that the originator of this thread has not made a comment since he started this. Are we talking to ourselves?

Tom
I think Vin McLellan summed this up quite nicely -

"As with any security technology, the design goal of a SecurID
token was not to make an attack upon it impossible, just impractical (and
more difficult and more costly than alternative attack options.) The next
generation of SecurIDs will push the bar still higher, since it will be
built around a 128-bit SecurID seed. "

I didn't think people would bother and try to reverse engineer 64bit seed records, but I see how it can be done if you're in a position to sniff valid tokencodes / time over the network (or via a keystroke logger, of course !).  Even then you'd need to decrypt the DES encryption put in place to protect the tokencodes as they make their merry way to the ACE Server.

Good discussion though !  Shall we let vknowles have his question back yet ?  ;)

vknowles (ASKER)

"has anyone noticed that the originator of this thread has not made a comment since he started this. Are we talking to ourselves?"

No, I have been reading the comments and looking up the references.  It's very informative and useful.

Another underlying issue, of course, is that a keylogger would, no doubt, also record all message and document composition you do, regardless of whether it could give a hacker sufficient information to decrypt your SecurID.

So the only real solution is to use your own cleaned and protected PC.

Has anyone invented a single-use PC disinfectant that you can take with you to the cyber cafe?  !-)
Bit of a catch 22 situation - the Cyber Cafe PCs are usually locked down, so you can't install and run any cleansing utilities....
I quite like the idea of WiFi hotspots - you can use your own laptop and own security and do pretty much whatever you want.
However, with 3rd party / untrusted PCs, you will never ever know what's been installed on them, so always treat with caution.
Have you looked at terminal server, or other desktop-web-enablement devices ?  If you use these in conjunction with 2-factor authentication, you'll be pretty safe.

Even Terminal Server doesn't take care of the keylogger problem.  I used to work at a place that had an app server... you just typed in the IP address, went thru the Windows authentication, and you were in.  But if a keylogger were on the remote client, they would still get (1) your login information and (2) anything else you type.

(Even with 2-factor authentication, you still have problem #2.)

Maybe we're getting too far afield here, but I wonder if running something like McAfee Freescan on the suspect machine would do anything?  Or is there anti-Freescan-ware that could defeat that approach?  (If not, I'll bet there will be soon!)

::sigh::
Follow-up --- yes, I realize the browser has to allow ActiveX in order to run Freescan.

:-(
The problem is that keyloggers and rootkits are usually undetectable unless you have admin rights to go looking through the registry, or ability to install a program that looks for you.
Even with admin rights, some rootkits remain undetected.

Think of this:

Machine gets infected with virus, which appends itself to EXPLORER.EXE, but also modifies the kernel and fools the operating system into thinking EXPLORER.EXE is exactly the same file as it used to be, usually by modifying the file header.
End result - an infected machine !
Solution - hmmm.... how do you detect changes to a file that the operating system doesn't know has changed, seeing as its headers show 'correct' information ?

It's a very difficult problem to solve...

"Has anyone invented a single-use PC disinfectant that you can take with you to the cyber cafe?  !-)"

Most of the Cyber Cafes I have been in (Holland to be exact) used a method of reloading the PC after each use. When you logged off, it hard booted, and then loaded a new image of itself. This meant that whatever the previous user did, was gone. Naturally if the owner was the source of the keylogger, then it would be reloaded also.

Tom
You can also get small hardware based keyloggers, that sit on the wire between the keyboard and the PC.  If you didn't know what you were looking for, you wouldn't find it !
Great thread!  Keyloggers are twofold: both hardware inline and software.  First off...  Hardware inline you will never find if you don't know it's there and most times it can capture up to 6 months worth of data.  Software keyloggers can be scanned for with the right type of software.  Issue though...

Why would anyone choose to use a cybercafe for mail?  Don't do it.
If you are paying for their service then they should also have some sort of limited WIFI network running also.  If not, get an airpeak program and a wireless laptop and find one!  Use your own resources to be completely secure.

2.  Anyone running any snoop program or sniffer will be able to find all the information that he needs anyway, both wireless and plugged, and I don't care how good the admins for these cafes are, they won't find the snoop program running quickly enough to prevent any damage.

So the moral of the story here is simple...  Don't use the hardware at a cafe, use your own.  And it really doesn't matter what you use, data is in itself insecure by means of transmission.  So if you are doing anything sensitive you might want to do it where you know it's safe.  Other than that the SecurID threads are great!  You guys are awesome!
Good idea !  You could even use it to put your SecurID passcode in with..  ;)
Or a Key pair book of codes that you manually look up the right response when challenged, Not algorithm based, random, and you would need the book to break it. This is the old 'public key' in public books, just private.

They can intercept, but it will not work a second time, and they can not reverse engineer it, it is not derived.

It is a Low tech solution that works when you can never be sure that you are being captured.

Tom
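The code-book scheme from the "Low tech solution" post (Option 1) and the post above, as an added sketch that is not part of the original thread: the server keeps random challenge/response pairs and burns each pair on its first use, so a response captured by a keylogger is worthless at the next login. All names (`make_code_book`, `CodeBookServer`, `demo`) and the code lengths are assumptions made for illustration.

```python
import hmac
import secrets

def make_code_book(n):
    """Build n random challenge -> response pairs (the printed 'cheat book')."""
    book = {}
    while len(book) < n:
        book[secrets.token_hex(3)] = secrets.token_hex(4)
    return book

class CodeBookServer:
    """Server side: holds a copy of the book and never reuses a pair."""

    def __init__(self, book):
        self._unused = dict(book)   # pairs not yet consumed
        self._pending = None        # challenge currently awaiting a reply

    def issue_challenge(self):
        if not self._unused:
            raise RuntimeError("code book exhausted; issue a new book")
        self._pending = secrets.choice(list(self._unused))
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        # Burn the pair on ANY attempt, right or wrong, so a challenge
        # cannot be retried or guessed at repeatedly.
        expected = self._unused.pop(self._pending)
        self._pending = None
        return hmac.compare_digest(expected.encode(), response.encode())

    def pairs_left(self):
        return len(self._unused)

def demo():
    """Constructed scenario: one genuine login, then a replay of the capture."""
    book = make_code_book(5)
    server = CodeBookServer(book)
    challenge = server.issue_challenge()
    captured = book[challenge]          # what a keylogger would record
    legit = server.verify(captured)     # genuine login succeeds
    server.issue_challenge()            # later login gets a fresh challenge
    replay = server.verify(captured)    # old response no longer matches
    return {"legit": legit, "replay": replay, "left": server.pairs_left()}

if __name__ == "__main__":
    print(demo())
```

The limit raised elsewhere in the thread still applies: this protects the login secret only, not whatever is typed after login.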
Just like the old computer games that came with code books you'd need to use before you could play the game !  Mind you, didn't take long for crackers to get past this so games houses just gave up in the end...
Yeah, or an algorithmically based one-time password scheme that can not be reversed such as S/Key.
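The hash-chain idea behind S/Key, as an added sketch that is not part of the original thread: each one-time password is the hash preimage of the previous one, so the server stores only the last accepted value and a captured password reveals nothing about the next. SHA-256 is used here rather than S/Key's own hash and word encoding; the seed, chain length and names (`chain`, `ChainVerifier`, `demo`) are assumptions.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply H to seed n times; the user's i-th password is chain(seed, n - i)."""
    for _ in range(n):
        seed = H(seed)
    return seed

class ChainVerifier:
    """Server side: stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, count: int):
        self.last = anchor        # H^count(seed), registered at enrolment
        self.remaining = count    # logins left before re-enrolment

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False
        # A valid password hashes forward to the previously accepted value.
        if hmac.compare_digest(H(otp), self.last):
            self.last = otp       # the next password must hash to this one
            self.remaining -= 1
            return True
        return False

def demo():
    seed = b"constructed-demo-seed"   # constructed sample secret
    n = 100
    server = ChainVerifier(chain(seed, n), n)
    otp1 = chain(seed, n - 1)         # first password; assume it is keylogged
    first = server.verify(otp1)       # genuine login
    replay = server.verify(otp1)      # replaying the captured value fails
    forward = server.verify(H(otp1))  # hashing the capture forward fails too
    second = server.verify(chain(seed, n - 2))  # the seed holder can continue
    return {"first": first, "replay": replay,
            "forward": forward, "second": second,
            "remaining": server.remaining}

if __name__ == "__main__":
    print(demo())
```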
Thanks, everyone,

I added more points so I could split them up some...

I focused on answers most closely related to the original question (cut-n-paste to avoid keylogger), although I certainly learned a lot from the SecurID stuff.

(I also gave some points to the first person to mention hardware keyloggers -- I hadn't thought about that possibility, although I suppose it doesn't matter what kind it is...)

Thanks again