I suggested a similar copy-and-paste trick to a friend of a mind who had to
access his U.S. mortgage account at an internet cafe while traveling in
Russia. This is an acceptable solution against keyloggers. However, it
offers no protection against form sniffers which grab form fields from login
forms before the data is sent to the Web site. A form sniffer gets to look
at the data before it is encrypted. Form sniffers are also easy to write
using IE's document object module. Using a clever trick, it is even
possible to write the form sniffer entirely in JavaScript and have IE run
this JavaScript code in each and every Web page viewed in the browser. BHOs
and external programs can also easily access the DOM.
Form sniffers will also defeat some (many? most? all?) of the other
solutions mentioned in this thread.
Running Portable Firefox
(http://johnhaller.com/jh/mozilla/portable_firefox/) from a USB drive will
add another line of defense although clearly this solution is hackable also.
Richard
-----Original Message-----
From: Sachin Shetty [mailto:sachin.shetty (at) paladion (dot) net [email concealed]]
Sent: Wednesday, April 06, 2005 10:12 AM
To: webappsec (at) securityfocus (dot) com [email concealed]
Subject: Re: keyloggers?
In-Reply-To: <a984753d050401114836cfab86 (at) mail.gmail (dot) com [email concealed]>
Hi,
First of all let me begin by stating that its very difficult to find out if
there are keyloggers in the machine that you are accessing in a Internet
Cafe. If its a kernel based keylogger then its next to impossible. So what
i suggest is open a notepad type any random characters with your password in
between. Then copy this and paste it in the password textbox. Please
remember that if its a common/dictionary password an attacker can still
compromise it by looking at the logs. So choose a password thats complex
enough.
Also you can install the microsoft anti-spyware (beta) that will detect the
more famous keyloggers (since its signature based).
Since you are referring to a online banking scenario, make use of the
virtual keypad that most banks provide nowadays. But be aware that
keylogging can still be possible as most keyloggers have an option whereby
they capture screenshot on each mouse click. So the only foolproof solution
would be to use virtual keypad that enters the character by placing the
mouse cursor over it for some random time (say two secs).It will provide
protection against all the three types of keyloggers viz hardware,hook based
and kernel based.
Hope this reply answers your questions.
Regards
Sachin Shetty
>Hi!
>
>Any recommendations of Best Practices when accessing your Online
>Banking account from an Internet Cafe? Assuming your bank does not
>provide two factor authentication, are there any specific checks you
>can do, tools you can run on a machine to ensure it is not Logging
>keystrokes, caching UID/pwds etc
>
>Any suggestions or advice in this area is greatly appreciated
>
>Thanks
>
>SB
>
access his U.S. mortgage account at an internet cafe while traveling in
Russia. This is an acceptable solution against keyloggers. However, it
offers no protection against form sniffers which grab form fields from login
forms before the data is sent to the Web site. A form sniffer gets to look
at the data before it is encrypted. Form sniffers are also easy to write
using IE's document object module. Using a clever trick, it is even
possible to write the form sniffer entirely in JavaScript and have IE run
this JavaScript code in each and every Web page viewed in the browser. BHOs
and external programs can also easily access the DOM.
Form sniffers will also defeat some (many? most? all?) of the other
solutions mentioned in this thread.
Running Portable Firefox
(http://johnhaller.com/jh/mozilla/portable_firefox/) from a USB drive will
add another line of defense although clearly this solution is hackable also.
Richard
-----Original Message-----
From: Sachin Shetty [mailto:sachin.shetty (at) paladion (dot) net [email concealed]]
Sent: Wednesday, April 06, 2005 10:12 AM
To: webappsec (at) securityfocus (dot) com [email concealed]
Subject: Re: keyloggers?
In-Reply-To: <a984753d050401114836cfab86 (at) mail.gmail (dot) com [email concealed]>
Hi,
First of all let me begin by stating that its very difficult to find out if
there are keyloggers in the machine that you are accessing in a Internet
Cafe. If its a kernel based keylogger then its next to impossible. So what
i suggest is open a notepad type any random characters with your password in
between. Then copy this and paste it in the password textbox. Please
remember that if its a common/dictionary password an attacker can still
compromise it by looking at the logs. So choose a password thats complex
enough.
Also you can install the microsoft anti-spyware (beta) that will detect the
more famous keyloggers (since its signature based).
Since you are referring to a online banking scenario, make use of the
virtual keypad that most banks provide nowadays. But be aware that
keylogging can still be possible as most keyloggers have an option whereby
they capture screenshot on each mouse click. So the only foolproof solution
would be to use virtual keypad that enters the character by placing the
mouse cursor over it for some random time (say two secs).It will provide
protection against all the three types of keyloggers viz hardware,hook based
and kernel based.
Hope this reply answers your questions.
Regards
Sachin Shetty
>Hi!
>
>Any recommendations of Best Practices when accessing your Online
>Banking account from an Internet Cafe? Assuming your bank does not
>provide two factor authentication, are there any specific checks you
>can do, tools you can run on a machine to ensure it is not Logging
>keystrokes, caching UID/pwds etc
>
>Any suggestions or advice in this area is greatly appreciated
>
>Thanks
>
>SB
>
[ reply ]