  #1 (permalink)  
Old 07-16-2005, 11:03 AM
ipguardian@hotmail.com
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Taliesin is on the right track. You must not type in your password at
all. Let a program inject the password (internally) - there is no
simulation of keyboard typing anywhere otherwise the keyboard logger
will capture your keystrokes. That program may possibly be an injected
DLL (in the windoze world).


  #2 (permalink)  
Old 07-16-2005, 11:25 AM
Joe Soap
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

In response to what <ipguardian@hotmail.com> posted in
news:1121511806.553075.153150@g47g2000cwa.googlegroups.com:

> Taliesin is on the right track. You must not type in your password at
> all. Let a program inject the password (internally) - there is no
> simulation of keyboard typing anywhere otherwise the keyboard logger
> will capture your keystrokes. That program may possibly be an injected
> DLL (in the windoze world).


There are lots of programs for that purpose, some free (e.g. Password Safe)
and some pay-for (e.g. Personal Info Keeper).

I never type passwords in anywhere, always drag/drop or cut/paste.

--
Joe Soap.
JUNK is stuff that you keep for 20 years,
then throw away a week before you need it.

  #3 (permalink)  
Old 07-22-2005, 12:33 AM
ipguardian@hotmail.com
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Joe Soap wrote:
> There are lots of programs for that purpose, some free (e.g. Password Safe)
> and some pay-for (e.g. Personal Info Keeper).
>
> I never type passwords in anywhere, always drag/drop or cut/paste.
>

Hi Joe,

Good start but two potential flaws
1) keyboard logger still has a chance of capturing your screen (of your
original password document because it is in clear text)
2) someone may look over your shoulder.

For more secure needs, search for password manager tools instead.


  #4 (permalink)  
Old 07-22-2005, 05:47 AM
Joe Soap
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

In response to what <ipguardian@hotmail.com> posted in
news:1121992402.451432.88260@g49g2000cwa.googlegroups.com:

> Joe Soap wrote:
>> There are lots of programs for that purpose, some free (e.g. Password
>> Safe) and some pay-for (e.g. Personal Info Keeper).
>>
>> I never type passwords in anywhere, always drag/drop or cut/paste.
>>

> Hi Joe,
>
> Good start but two potential flaws
> 1) keyboard logger still has a chance of capturing your screen (of
> your original password document because it is in clear text)

That is NOT a keylogger, it's sumpn else

> 2) someone may look over your shoulder.

Wouldn't get them anywhere - even if I didn't notice (unlikely)
>
> For more secure needs, search for password manager tools instead.


Thanks, but I don't have a problem. Save your advice for someone who does.


--
Joe Soap.
JUNK is stuff that you keep for 20 years,
then throw away a week before you need it.

  #5 (permalink)  
Old 07-22-2005, 06:50 AM
winged
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

ipguardian@hotmail.com wrote:
> Joe Soap wrote:
>
>>There are lots of programs for that purpose, some free (e.g. Password Safe)
>>and some pay-for (e.g. Personal Info Keeper).
>>
>>I never type passwords in anywhere, always drag/drop or cut/paste.
>>

>
> Hi Joe,
>
> Good start but two potential flaws
> 1) keyboard logger still has a chance of capturing your screen (of your
> original password document because it is in clear text)
> 2) someone may look over your shoulder.
>
> For more secure needs, search for password manager tools instead.
>

Password Safe (free utility) never shows the password after day 1 (the first
time you set up a specific site), stores the password using Blowfish on the
local machine, and requires a separate password to access the "safe".
Security-wise I have not tried to crack it, but for me it is a handy
utility for storing login passwords for multiple sites. It has a
reasonable random password generator (though only alphanumeric) for new
sites. The password generator does not do special or alt chars, but the
safe will support manual entry of those char types. The random password
generator will support user-defined password lengths, which is useful for
long password strings irrespective of the char type restrictions. One
may add or modify a couple of the randomly generated chars with alt or
special chars to further enhance the security of the chosen password,
user's call. Bear in mind Blowfish isn't bulletproof, but meets casual
encryption requirements for my local system.

Winged

  #6 (permalink)  
Old 07-22-2005, 01:51 PM
RangerFrank
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Another way to protect passwords from people looking over your
shoulder is to use biometrics. I use Microsoft fingerprint reader
and never have to type in passwords. Pretty cheap at $35.

RangerFrank

  #7 (permalink)  
Old 07-22-2005, 02:17 PM
Jan Panteltje
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

On a sunny day (22 Jul 2005 06:51:17 -0700) it happened "RangerFrank"
<airbornerangerfrank@gmail.com> wrote in
<1122040277.472731.38180@g14g2000cwa.googlegroups.com>:

>Another way to protect passwords from people looking over your
>shoulder is to use biometrics. I use Microsoft fingerprint reader
>and never have to type in passwords. Pretty cheap at $35.
>
>RangerFrank


http://www.microsoft.com/hardware/mo...ngerprint.mspx
Says:
The Fingerprint Reader should not be used for protecting sensitive data
such as financial information or for accessing corporate networks.
We continue to recommend that you use a strong password for these types of
activities.

Wonder if there is a Linux driver?

  #8 (permalink)  
Old 07-23-2005, 02:25 AM
Winged
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

RangerFrank wrote:
> Another way to protect passwords from people looking over your
> shoulder is to use biometrics. I use Microsoft fingerprint reader
> and never have to type in passwords. Pretty cheap at $35.
>
> RangerFrank

My daughter opens my laptop fingerprint reader easier than I can. I
recorded the prints and have rerecorded them, I have a difficult time
opening device with my print but she just walks on in...Boy I hope she
never kills anyone...

Winged

  #9 (permalink)  
Old 07-23-2005, 03:21 PM
RangerFrank
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

The Microsoft Fingerprint Reader is primarily used for logging onto
Windows and accessing Internet sites that require a User Name and
Password. The disclaimer that the Fingerprint Reader should not be
used with financial sites, etc. is for Microsoft's protection from
liability. The Fingerprint Reader is very convenient and easy to use.
PGP is used to protect E-Mail messages, attachments, and files stored
on the computer.


  #10 (permalink)  
Old 07-23-2005, 05:24 PM
Jan Panteltje
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

On a sunny day (23 Jul 2005 08:21:31 -0700) it happened "RangerFrank"
<airbornerangerfrank@gmail.com> wrote in
<1122132091.403881.95640@z14g2000cwz.googlegroups.com>:

>
>
>The Microsoft Fingerprint Reader is primarily used for logging onto
>windows, accessing Internet sites that require a User Name and
>Password. The disclaimer with the Fingerprint Reader should not be
>used with financial sites, etc. is for Microsoft's protection from
>liability. The Fingerprint Reader is very convenient and easy to use.
>PGP is used to protect E-Mail messages, attachments, and files stored
>on the computer.
>

Several years ago there were some tests in the German magazine C'T.
I think one trick was to breathe on the sensor after somebody used it,
that made the pattern 're-appear'.
Have you had any success with things like that?
And making a fake fingerprint with some silicone kit?
Is there a Linux driver?

  #11 (permalink)  
Old 07-24-2005, 12:17 AM
RangerFrank
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Hi Jan,

I guess that is a remote possibility to counterfeit my fingerprint. I'm
not concerned, because my computer is in a safe environment.
No Linux driver on my computer.

RangerFrank


  #12 (permalink)  
Old 07-24-2005, 12:37 AM
nemo_outis
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Jan Panteltje <pNaonStpealmtje@yahoo.com> wrote in
news:1122139496.cc8a4cd8660fd788bc69c9d858757b79@teranews:

> On a sunny day (23 Jul 2005 08:21:31 -0700) it happened "RangerFrank"
> <airbornerangerfrank@gmail.com> wrote in
> <1122132091.403881.95640@z14g2000cwz.googlegroups.com>:
>
>>
>>
>>The Microsoft Fingerprint Reader is primarily used for logging onto
>>windows, accessing Internet sites that require a User Name and
>>Password. The disclaimer with the Fingerprint Reader should not be
>>used with financial sites, etc. is for Microsoft's protection from
>>liability. The Fingerprint Reader is very convenient and easy to use.
>>PGP is used to protect E-Mail messages, attachments, and files stored
>>on the computer.
>>

> Several years ago there were some tests in the German magazine C'T.
> I think one trick was to breathe on the sensor after somebody used it,
> that made the pattern 're-appear'.
> Have you had any success with things like that?
> And making a fake fingerprint with some silicone kit?
> Is there a Linux driver?
>




It is generally trivial to "capture" someone else's fingerprint, especially
if one shares some environment with him (home, work, social, etc.). For
instance, offer him a glass of wine to taste, or even just take his coffee
cup - the imaginative will readily think of dozens of additional methods.
BTW cyanoacrylate (crazy glue) can be used to lift even very faint prints.

Most cheap (and even some expensive) fingerprint readers do not do very (or
any!) "aliveness" tests - they just read the pattern.

Moreover, many fingerprint readers are simple USB devices and do NOT
authenticate themselves to the computer (or vice versa) - chances are there
is no encryption of the data transmitted either. This makes it very easy
to spoof a genuine reader, do replay attacks, etc.

Nope, fingerprint readers, as currently implemented, are generally very
feeble reeds on which to lean.

Regards,


  #13 (permalink)  
Old 07-24-2005, 12:53 AM
Luc The Perverse
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

"RangerFrank" <airbornerangerfrank@gmail.com> wrote in message
news:1122164270.430906.273060@f14g2000cwb.googlegroups.com...
> Hi Jan,
>
> I guess that is a remote possibility to counterfeit my fingerprint. I'm
> not concerned, because my computer is in a safe environment.
> No Linux driver on my computer.
>
> RangerFrank
>


I say, if someone wants something so bad they are willing to take
your finger . . . I suggest you just give it to them.

--
"When you have to choose between a first-rate company with a
second-rate product and a second-rate company with a first-rate
product, it's never an ideal choice. " -Ed (www.overclockers.com)



  #14 (permalink)  
Old 07-24-2005, 01:33 AM
Joe Peschel
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

"Luc The Perverse" <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote in
news:42e2e6a4$0$38354$3a2ecee9@news.csolutions.net:

> I say, if someone wants something so bad they are willing to take
> your finger . . . I suggest you just give it to them.
>


But if you give 'em the finger, they'll be really pissed off.

j

--
__________________________________________

http://www.impeach-bush-now.org

Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________

  #15 (permalink)  
Old 07-24-2005, 03:20 AM
pclogger
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Maybe a combination of biometrics scanners - including smart card
readers (the latter should be more stringent in its encryption). Having
said this, the suggested solution has a hint of over paranoid and has
definitely gone overboard.

Since this topic is "what can one do against keylogger attacks", my
guess is that to be sure,
1) we have to make sure our environment is scanned to make sure there
is no keyboard logger,
2) every time we install a new software, we check that we are
installing good software.
3) we monitor all outgoing IP traffic (to detect suspicious IP
activities)
4) we do not key in any password when we enter our password
5) we do not allow the keyboard logger to capture any screen that would
show our password

1 is probably achieved by using a good AV program and constant O/S
security upgrades.
2 is probably achieved by adoption of good common sense practice
3 is probably achieved by a non intrusive IP activity monitor (e.g.
ipTicker or Ethereal. ipTicker is easier though)
4 is probably achieved by a good password manager (one that reads in
encryption data that translates the data internally and then injects
the password internally i.e. not simulating the keyboard AND not using
cut and paste technology).
5 is ??? (not sure) ???.


My 2 cents worth


  #16 (permalink)  
Old 07-24-2005, 04:21 AM
Luc The Perverse
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

"Joe Peschel" <jpeschel@no.spam.org> wrote in message
news:Xns969CD0A92544Ffa0khgj7ji8i8jo9@216.168.3.44...
> "Luc The Perverse" <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote in
> news:42e2e6a4$0$38354$3a2ecee9@news.csolutions.net:
>
>> I say, if someone wants something so bad they are willing to take
>> your finger . . . I suggest you just give it to them.
>>

>
> But if you give 'em the finger, they'll be really pissed off.



LOL

--
"When you have to choose between a first-rate company with a
second-rate product and a second-rate company with a first-rate
product, it's never an ideal choice. " -Ed (www.overclockers.com)



  #17 (permalink)  
Old 07-24-2005, 04:57 AM
nemo_outis
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

"pclogger" <pclogger_888@hotmail.com> wrote in
news:1122175226.326061.178960@g43g2000cwa.googlegroups.com:

> Maybe a combination of biometrics scanners - including smart card
> readers (the latter should be more stringent in its encryption). Having
> said this, the suggested solution has a hint of over paranoid and has
> definitely gone overboard.
>
> Since this topic is "what can one do against keylogger attacks", my
> guess is that to be sure,
> 1) we have to make sure our environment is scanned to make sure there
> is no keyboard logger,
> 2) every time we install a new software, we check that we are
> installing good software.
> 3) we monitor all outgoing IP traffic (to detect suspicious IP
> activities)
> 4) we do not key in any password when we enter our password
> 5) we do not allow the keyboard logger to capture any screen that would
> show our password
>
> 1 is probably achieved by using a good AV program and constant O/S
> security upgrades.
> 2 is probably achieved by adoption of good common sense practice
> 3 is probably achieved by a non intrusive IP activity monitor (e.g.
> ipTicker or Ethereal. ipTicker is easier though)
> 4 is probably achieved by a good password manager (one that reads in
> encryption data that translates the data internally and then injects
> the password internally i.e. not simulating the keyboard AND not using
> cut and paste technology).
> 5 is ??? (not sure) ???.
>
>
> My 2 cents worth
>



All of those are sensible precautions and will work reasonably well
against garden-variety spies.

However, they are grotesquely deficient against skilled adversaries. For
instance, if one has uninterrupted access to the machine for a short
while, it is child's play to install (i.e., substitute) a modified driver
such that it is also a software keylogger (in addition to whatever else
it is supposed to do). Drivers will (usually) be invoked at kernel level
and can log whatever they wish (even simpler if all that is required is
outside input during system initiation - passwords and such - rather than
all user input during a session.)

Similar actions can be done (more conveniently but not quite as robustly)
with dlls. And it goes on and on.

Thwarting such methods is possible but usually too inconvenient (e.g.,
regularly sweep for the SHA256 of all files and check against known-good
list - and this presumes that third party software is not compromised by
design in the first place!).

In short, if you do not have continuous control and custody of the
machine you are extremely vulnerable. And ANY network connection
(especially internet) counts as shared custody and control!

Regards,


  #18 (permalink)  
Old 07-24-2005, 05:50 AM
pclogger
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

nemo_outis wrote:
>
> All of those are sensible precautions and will work reasonably well
> against garden-variety spies.
>
> However, they are grotesquely deficient against skilled adversaries. For
> instance, if one has uninterrupted access to the machine for a short
> while, it is child's play to install (i.e., substitute) a modified driver

Good one! To counteract this, besides good sensible precautions, one
should also have a good pc audit trail logger; an install and forget
utility that captures normal and unsolicited installation changes
including
1) important directory changes (this would capture dll changes as well)
2) changes to nt services
3) changes to activex registrations
4) changes to auto startups
5) changes to standard installations
6) changes to schedulers
7) changes to shared drives and so on ...

Probably, depending on the "security needs", one may need to install
some form of intrusion detector. I think we are going o/t but still
keen in this discussion - BTW - What is the best intrusion detector in
the market and how many are using?


> Thwarting such methods is possible but usually too inconvenient (e.g.,
> regularly sweep for the SHA256 of all files and check against known-good
> list - and this presumes that third party software is not compromised by
> design in the first place!).

Having a dynamic checksum on all files takes a long time. I should know
as I did it myself and at the end of the day, I gave up on the
additional security. Instead, I have to selectively checksum just one
or two selected directories. Still, I think this is probably the job of
a good av instead.

> In short, if you do not have continuous control and custody of the
> machine you are extremely vulnerable. And ANY network connection
> (especially internet) counts as shared custody and control!

Hence one really needs constant O/S patches and a review of
services/daemons that may expose our vulnerabilities.


  #19 (permalink)  
Old 07-24-2005, 09:57 AM
panteltje@yahoo.com
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?



Joe Peschel wrote:
> "Luc The Perverse" <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote in
> news:42e2e6a4$0$38354$3a2ecee9@news.csolutions.net:
>
> > I say, if someone wants something so bad they are willing to take
> > your finger . . . I suggest you just give it to them.
> >

>
> But if you give 'em the finger, they'll be really pissed off.
>
> j

There is a saying here:
Some people will want the whole hand if you give them a finger.....


  #20 (permalink)  
Old 07-24-2005, 05:38 PM
Yortuk Festrunk
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

On Sun, 24 Jul 2005 04:57:25 GMT, nemo_outis wrote:

> However, they are grotesquely deficient against skilled adversaries.


you mean like fuckin' Brainiac, man?

  #21 (permalink)  
Old 07-24-2005, 09:22 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

"pclogger" <pclogger_888@hotmail.com> wrote in
news:1122184213.095971.216300@o13g2000cwo.googlegroups.com:

> nemo_outis wrote:
>>
>> All of those are sensible precautions and will work reasonably well
>> against garden-variety spies.
>>
>> However, they are grotesquely deficient against skilled adversaries.
>> For instance, if one has uninterrupted access to the machine for a
>> short while, it is child's play to install (i.e., substitute) a
>> modified driver

> Good one! To counteract this, besides good sensible precautions, one
> should also have a good pc audit trail logger; an install and forget
> utility that captures normal and unsolicited installation changes
> including
> 1) important directory changes (this would capture dll changes as well)
> 2) changes to nt services
> 3) changes to activex registrations
> 4) changes to auto startups
> 5) changes to standard installations
> 6) changes to schedulers
> 7) changes to shared drives and so on ...
>
> Probably, depending on the "security needs", one may need to install
> some form of intrusion detector. I think we are going o/t but still
> keen in this discussion - BTW - What is the best intrusion detector in
> the market and how many are using?



An intrusion detector is a good idea, but far from a panacea. While not a
classical ID, I use ProcessGuard (in combination with RegDefend). However,
ANY protection run under the OS is potentially inadequate if one does not
have continuous control and custody.

For instance, in principle, the OS could have been compromised to not show
the keylogger, to misreport its SHA256 or MD5 hash, etc. IOW the keylogger
may be, in essence, part of a rootkit suite.

The only solid defence against this is a scan from OUTSIDE the regular OS
- such as a hash-checker run from a Knoppix CD.

Yes, it's incredibly tedious but anything less is a kludge.

Regards,

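Added example, not written by any poster in this thread: a minimal version of the SHA-256 sweep against a known-good list discussed in posts #17, #18 and #21, restricted to selected directories as in #18. It assumes the script is run from a separately booted system against the mounted volume, with the baseline kept on read-only media; the directory tree, file names and contents in `demo()` are constructed.

```python
"""Integrity sweep: SHA-256 manifest of selected directories vs. a known-good baseline."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, subdirs):
    """Map 'path relative to root' -> SHA-256 for every regular file under
    the chosen subdirectories. Relative keys let a baseline taken on the
    running system be compared with the same volume mounted elsewhere."""
    root = Path(root)
    manifest = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(root / sub):
            for name in files:
                path = Path(dirpath) / name
                if path.is_symlink() or not path.is_file():
                    continue  # skip links and special files
                manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare(baseline, current):
    """Return the files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Sweep a constructed tree that stands in for a mounted system volume.
    All names and contents below are made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mounted_volume"
        drivers = root / "system" / "drivers"
        drivers.mkdir(parents=True)
        (drivers / "keyboard.sys").write_bytes(b"original keyboard driver")
        (drivers / "mouse.sys").write_bytes(b"original mouse driver")
        (root / "system" / "helper.dll").write_bytes(b"original helper dll")
        (root / "documents").mkdir()
        (root / "documents" / "notes.txt").write_bytes(b"version 1")

        # Known-good baseline, taken once while the system is trusted.
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root, ["system"]), baseline_file)

        # A substituted file with the same name, size and timestamps:
        # only the content hash gives the change away.
        target = drivers / "keyboard.sys"
        before = target.stat()
        target.write_bytes(b"replaced keyboard driver")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        # One new file, one deleted file, and a change outside the swept
        # directories (not reported: the cost of a selective sweep).
        (root / "system" / "extra.dll").write_bytes(b"unexpected dll")
        (drivers / "mouse.sys").unlink()
        (root / "documents" / "notes.txt").write_bytes(b"version 2")

        return compare(load_manifest(baseline_file),
                       build_manifest(root, ["system"]))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```
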
  #22 (permalink)  
Old 07-24-2005, 09:48 PM
Winged
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Yortuk Festrunk wrote:
> On Sun, 24 Jul 2005 04:57:25 GMT, nemo_outis wrote:
>
>
>>However, they are grotesquely deficient against skilled adversaries.

>
>
> you mean like fuckin' Brainiac, man?


No, he refers to commonly applied methods. These devices, including the
smart card, only create some level of assurance. In the case of
biometric devices, there are a number of methods and techniques that
make these devices close to useless. They do provide a level of
assurance, but they do not provide a high level of assurance. All
consumer grade biometric devices commercially marketed today are quite
capable of being compromised or bypassed, perhaps by the 12 year old
down the street. Nemo is absolutely correct. The device can make the
system no more secure than the system's access availability. This
deficiency applies not only to biometric devices but a number of other
encryption techniques. Key loggers aren't even needed to capture (for
example) data from the CRT emissions. Recently I read an article about
reading data being transmitted via a NIC card or written to a hard drive
by monitoring the LCD light emission flicker on a device from a distance
away. Often simply thinking of the appropriate approach to emulate the
function of a device is enough. The approach usually is not the direct
approach but a vector. Just because you don't know how it can be done
doesn't mean it can't be done and it is usually easier than you think.
It isn't rocket science, it is understanding.

It is not only governments that have this risk but corporations and
research facilities. It is far cheaper to learn what your competition
knows by stealing their data or knowledge base than it is to develop the
data from scratch. These tools and techniques are known by both sides
of the security equation.

Winged

PS The best coders I know are black hats.

  #23 (permalink)  
Old 08-04-2005, 08:24 AM
Johan Wevers
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

winged <winged@nofollow.com> wrote:

>Bear in mind blowfish isn't bulletproof, but meets casual
>encryption requirements for my local system.


What's wrong with Blowfish? I've never seen any documented attack on it
other than brute force, which is unusable given the key length.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

  #24 (permalink)  
Old 08-04-2005, 09:42 AM
Crypto@S.M.S
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Johan Wevers wrote:

> winged <winged@nofollow.com> wrote:
>
>
>>Bear in mind blowfish isn't bulletproof, but meets casual
>>encryption requirements for my local system.

>
>
> What's wrong with Blowfish? I've never seen any documented attack on it
> other than brute force, which is unusable given the key length.
>


Joe Ashwood has stated that Blowfish is weak.


  #25 (permalink)  
Old 08-05-2005, 08:49 PM
Johan Wevers
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

<Crypto@S.M.S> wrote:

>Joe Ashwood has stated that Blowfish is weak.


All I can find of this person are usenet postings (google with "john ashwood
blowfish"). Is he supposed to be some authority? And if so, what has he
published?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

  #26 (permalink)  
Old 08-06-2005, 12:45 AM
Joseph Ashwood
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

"Johan Wevers" <johanw@vulcan.xs4all.nl> wrote in message
news:IKroJ6.5r0@vulcan.xs4all.nl...
> <Crypto@S.M.S> wrote:
>
>>Joe Ashwood has stated that Blowfish is weak.

>
> All I can find of this person are usenet postings (google with "john
> ashwood blowfish"). Is he supposed to be some authority? And if so, what
> has he published?


I'd say you didn't do enough searching, but you won't find anything that I
have published about Blowfish, you will also find that my publications are
difficult to locate as most have never touched the internet. But my statement
was never that Blowfish is weak, my statement was that Blowfish has some
minor attacks and is not considered among the state-of-the-art ciphers.

For the case in question (password storage), the data files are likely to be
small enough, the data changes infrequent enough, and the data used in such
a fashion that Blowfish, used in a suitable mode of operation, should be
sufficient.
Joe



  #27 (permalink)  
Old 08-06-2005, 05:12 AM
cipherpunk@gmail.com
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

> Blowfish ... is not considered among the state-of-the-art
> ciphers.


True, although possibly misleading. "State of the art" is usually a
euphemism for "has no significant track record". Ciphers are about
trust and confidence as much as they are about the latest and greatest
mathematical innovations. Nobody would seriously suggest 3DES as a
state of the art cipher--it's got all the aesthetics of a Soviet-era
automobile--but the trust and confidence in 3DES is nothing short of
profound, given that after 25-plus years of cryptanalysis we've yet to
find any practical results.

My rule of thumb is I don't move a cipher over into the "I really like
it" until there's ten years of history to look back over. So pretty
much by definition, none of my "I really like it" ciphers are state of
the art.

3DES: 25+ years, still going strong.
Blowfish: 12 years, still going strong.


  #28 (permalink)  
Old 08-06-2005, 07:58 AM
Johan Wevers
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Joseph Ashwood <ashwood@msn.com> wrote:

>But my statement was never that Blowfish is weak,


OK, a misinterpretation from the previous poster I assume.

>my statement was that Blowfish has some
>minor attacks and is not considered among the state-of-the-art ciphers.


As is stated in another reply, what matters for ciphers is trust, not
modernness. Personally I still prefer IDEA.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

  #29 (permalink)  
Old 08-06-2005, 09:41 PM
Crypto@S.M.S
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Johan Wevers wrote:

> Joseph Ashwood <ashwood@msn.com> wrote:
>
>
>>But my statement was never that Blowfish is weak,

>
>
> OK, a misinterpretation from the previous poster I assume.
>
>
>>my statement was that Blowfish has some
>>minor attacks and is not considered among the state-of-the-art ciphers.

>
>
> As is stated in another reply, what matters for ciphers is trust, not
> modernness. Personally I still prefer IDEA.
>


I agree. Trust comes over time.
How do you feel about 3IDEA or triple IDEA?

  #30 (permalink)  
Old 08-07-2005, 06:51 AM
Winged
Guest
 
Posts: n/a
Default Re: What can one do against Keylogger Attacks?

Crypto@S.M.S wrote:
> Johan Wevers wrote:
>
>> Joseph Ashwood <ashwood@msn.com> wrote:
>>
>>
>>> But my statement was never that Blowfish is weak,

>>
>>
>>
>> OK, a misinterpretation from the previous poster I assume.
>>
>>
>>> my statement was that Blowfish has some minor attacks and is not
>>> considered among the state-of-the-art ciphers.

>>
>>
>>
>> As is stated in another reply, what matters for ciphers is trust, not
>> modernness. Personally I still prefer IDEA.
>>

>
> I agree. Trust comes over time.
> How do you feel about 3IDEA or triple IDEA?

I did indicate I do use it.

Even with its long key capabilities I wouldn't trust it with nuclear
secrets, but it's good enough that I use it. I just indicated it might
be broken by someone if they wanted to bad enough. It is a good cypher.

Winged
