71 Comments
- bsoric, on 10/12/2007, -4/+22"If you don't want to superglue your keyboard onto your computer as suggested in the digg about the $440 million bank heist this is a simple method to defeat them."
*****.
- 1raZer1, on 10/12/2007, -1/+13There's still the small matter of software keyloggers...
- ceralor, on 10/12/2007, -1/+13There's actually at least one. They're expensive.
- p9s50W5k4GUD2c6, on 10/12/2007, -0/+8USB keyboard: plug it in to a front panel USB slot. You should end up tripping over a hardware logger.
Do NOT trust anti-virus/security products to protect you from key-loggers. You need specialized redundant software for that. Same for spy-ware (unfortunately).
- inactive, on 10/12/2007, -5/+13Just use a USB keyboard ... problem solved. How many USB keyloggers have you seen?
- iSEPIC, on 10/12/2007, -0/+7there are a ***** load, search
here is the first one on the list... http://www.keyghost.com/USB-Keylogger.htm
- AbaraiRenji, on 10/12/2007, -2/+9how about CHECKING if there are any weird devices connected to your keyboard cable, seems like a lot less trouble than using an on screen keyboard.
- 06metzp, on 10/12/2007, -1/+8It seems like with an on-screen keyboard, anyone could just sit across the room and watch you type it in, since a screen isn't nearly as concealed as a keyboard and it would take longer to type the password in via point/click. Of course you could rearrange the room layout or which way your monitor faces, but if your "computer is in a unsecured place like an open office at work or a dorm room" then it may not be possible to do so.
- esaba.com, on 10/12/2007, -0/+7Comparing a keylogger's results from two instances of your method would reveal the password.
- tackle, on 10/12/2007, -0/+7start->run->osk (enter) is better.
- drigz, on 10/12/2007, -0/+7type part of password, type some random letters, select them, press backspace once (no keylogger will know how many were selected) then type the rest of your password. repeat for more security. it would require a recording of the screen or incredibly accurate analysis of the mouse sounds to record this, and video needs too much storage atm.
- cranium, on 10/12/2007, -0/+4Just use a laptop, DUH...
- dognose, on 10/12/2007, -0/+4keelog.com has an internally mounted logger.
- gmelone, on 10/12/2007, -5/+9Um. Are you stupid, blind or illiterate?
- kimos, on 10/12/2007, -0/+4Clever, but still beatable. Passwords have a pretty finite length, and though you haven't revealed your exact password, you've still narrowed it down to about five or ten possibilities. Unless you select and backspace multiple times, some from the middle of the word... But that seems like a silly workaround. Just check the back of the computer if you're that worried.
- kimos, on 10/12/2007, -0/+3Well for starters you'd need two USB keystroke loggers. You'd also need quite a huge chunk of undisturbed time to modify the computer. If you're that worried about someone snatching your password, there are other things you can do...
- rvalles, on 10/12/2007, -0/+3Version 2 attack: Just use a microphone.
http://it.slashdot.org/article.pl?sid=05/09/13/1644259
- GazP, on 10/12/2007, -1/+4actually that probably won't help...
most of the software keyloggers I've come across also report what's in the clipboard.
- cybersamurai, on 10/12/2007, -4/+6and how exactly am I supposed to use Windows' on-screen keyboard to log into Windows?
- DIGGADEEP, on 10/12/2007, -2/+4useful!
- SaulGood, on 10/12/2007, -2/+4What's to keep an intruder from inserting a key logger in between the motherboard and the front panel USB ports?
- SanityInAnarchy, on 10/12/2007, -0/+2If you assume someone can get inside the case, you're more hosed than if you assume someone can install a keylogger on your keyboard. There's much more damage they could do to you than simply steal a password.
Anyway, I have a case lock, so if I were to carry my USB keyboard with me at all times and plug it directly into the front panel, I'd be reasonably sure there's no keylogger.
- NghtShd, on 10/12/2007, -0/+2I don't know about two instances, but multiple instances would reveal the password. However, if you used the same phrase every time and then cut out the parts that weren't the password then you'd probably be relatively safe, and if you cut out the non-password chars differently each time it would be even better.
Either way, asking users to do something tedious is probably not reliable.
- linuxrebel, on 10/12/2007, -0/+2I'm reminded of a number of high end homes being sold a few years back. They spent a lot of time talking about security and the quality of door locks. The newsmen also noted the 7 foot tall 1 foot wide window next to each door.
You don't defeat key loggers by supergluing the keyboard to the comp. All this does is increase the ability of the "bad guy" to put a new one on. You have to call an outside company to "fix" the computer. Instead of just changing a keyboard. Then an employee notes that you can install a new keyboard cheaper if it's USB and the boss says OK since the budget is tight.... and you are right back at square 1.
Actually key loggers don't have to be attached. They work by sound of typing and by induction as well. Inline ones are cheaper but compared to 440 mil who cares. The key to defeating key loggers is to drop passwords and remember the 3 rules of access.
1. Something you have
2. Something you know
3. Something you are.
Not one thing that fits all 3 but 3 things that fit the rules. Until people stop thinking of themselves as idiots and start being responsible. It's a thieves world.
- bsoric, on 10/12/2007, -0/+1I do the same thing when I enter in my Bank Account Info, I just mentally picture the password behind the asterisks and enter it in randomly. Even on my own computer, which I'm fairly certain has no keyloggers, hardware or software.
Yes, I really am that paranoid, for some reason.
- sumoricky, on 10/12/2007, -1/+2None, BUT there are USB-to-PS/2 adapters...
- sufferingant, on 10/12/2007, -0/+1Then there's the matter of getting even more time to remove it...
- matt.rubin, on 10/12/2007, -0/+1but what about Macs? if i don't want to spend 300 bucks
- gxti, on 10/12/2007, -0/+1Standard password entry fields let you paste, but not copy.
- faxxy, on 10/12/2007, -1/+2Simple solution:
http://getroboform.com
- cheesy1, on 10/12/2007, -0/+1Pretty stupid solution as well, it won't protect you from a good software logger or a cleverly constructed hardware logger in/on the pointing device.
There are several simple ways to solve this efficiently.
A. Use the aid of a hardware key, such as a smart card. Combine this with login and pass.
This was popular around '96 and it was considered for incorporation into national IDs in several countries.
B. Use scratchable cards with one time passes combined with user login pass, this is what my current bank uses. If the perp knows the login and pw from a keylogger, then he still has to guess the temporary onetime key.
C. Use a software certificate (p12 ?) combined with user pass. This won't protect you if crook has 100% access to your computer though. This is popular with online banks and some governments for auth.
D. Use an external device, relying on a radio-signal from an atom clock. This is often done with challenge-response and is extremely safe. First time I used one of these devices was a DES gold-key to get callback Internet/intranet from a major telecom manufacturer 10-12 years ago but it is still a very popular method among online banks due to it making use of public computers not-so dangerous.
Personal favorites are B and D.
Regarding superglue, it's trivial to make a key-logger yourself for less than 2 USD (really, the micro-controller and the memory is available as free samples from microchip.com or buy an Atmel for like 1.5 USD, then add a few passive components and a crystal and you're good to go. Source code for an Atmel is found on keelog.com) and mount it internally inside the keyboard in less than 5 minutes. Just flip it over, unscrew, cut wires, apply cold solder or use a wireless solder gun, reassemble.
Making a mouse logger to foil this attempt at security shouldn't be that hard because the pattern to input keystrokes on an onscreen keyboard is very specific and the professional user won't use the onscreen keyboard for anything other than login/password if they want any kind of productivity.
- doctorarcane, on 10/12/2007, -1/+2This is pretty lame. First off, it leaves you wide open to shoulder surfing. Second, many places are going to lock down OSK and similar crap for most users. You think at a place with thousands of employees you let everyone do start run? Or a web cafe? No way.
Better ideas:
A crypto exchange between mobo and keyboard. Automatic 'trust' of a peripheral is a bad bad thing.
I'm not positive, I'd have to get my hands on one... but don't you think you might be able to detect these things in software? I bet they introduce a measurable delay on the timers.
And the superglue idea is completely moronic. I'm no electrical engineer but couldn't you measure signal via induction by clamping onto the cable? The cables aren't that thick, I bet their shielding is ass. Plus, with key timing methods (as revealed by the acoustic attacks someone mentioned) you might be able to extrapolate pretty well even if you couldn't pull clean data.
Just some harebrained ideas
- ASoggyWaffle, on 10/12/2007, -0/+1well you would prolly do that for the most important things you want to keep secret: passwords, and a lot of password dialogues don't let you paste
- matt.rubin, on 10/12/2007, -0/+1ok so if we all did have ocd we would all carry around our own USB keyboards and hard drives to connect to whenever we had to use a computer then on top of that a 3M privacy filter with a box of tissues and antibacterial solution and make sure that the computer is not connected to the internet defeating the purpose of the computer
- click81, on 10/12/2007, -0/+1I can't believe nobody has mentioned this, but a bluetooth wireless keyboard is pretty hard to attach a hardware keylogger to. Especially if the system has built in bluetooth.
- OwlBoy, on 10/12/2007, -2/+3Whoever wrote this is a retard when it comes to macs…
- griz, on 10/12/2007, -0/+1If you're going to take the time to pull up an onscreen keyboard to enter a password, wouldn't it make more sense to look down at your keyboard connector and see if there is a keystroke logger in place? If you are that consciously aware of the possibility of a keystroke logger being in place that you take the time to pull up an onscreen keyboard, then you should be aware of who has been messing with your hardware.
- JestaMcMerv, on 10/12/2007, -0/+1Let's all hope Valve learns this lesson and uses on screen keyboard to program Half-Life 3. No more source code getting stolen.
- Gyga, on 10/12/2007, -0/+1Do you mean measure when more current than usual is being drawn? That is actually a good idea, but the problem I see is turning on and off the caps/num/scroll lock turns a LED on that draws more power which could set it off.
- G-RaZoR, on 10/12/2007, -0/+1It would seem to me that the best method that would fool anyone (standing near the computer), anything (hardware and software keyloggers) is a program that uses mouse gestures (I believe there is a firefox extension that does this task). The only problems I could see is how it would know what you are typing (you would need to store the gesture in there somehow), if some person sitting next to the computer can learn the gesture with enough practice to foil the system, etc.
If that doesn't work there is always the fingerprint reader heh....
- Agret, on 10/12/2007, -0/+1Press windows key and U and it will start the utility manager, from there you can start the on-screen keyboard. Yes, this works on the logon screen (I mess with the utilities at school)
- iSEPIC, on 10/12/2007, -0/+1I agree with kimos - unless you do like 250 before and 250 after, over and over, seems overkill to me, why not just open up the computer and check?
- dsander, on 10/12/2007, -0/+1Could someone create software that measures the electrical connection from the port when you install a keyboard and then it could recognise a change to that line that a keylogger might create, or track if the keyboard was ever unplugged at some point? It could email you if an occurrence happens.
- socket, on 10/12/2007, -0/+1Mmmmmm, DRM keyboards. Actually as long as it's an open standard that might be a good idea. Very simple scheme would just have you type in 12-14 characters (or more) of random keystrokes on the first boot and use that as the cipher's key. The system would have to work with either support in the BIOS for the scheme, or on the OS level. Both have their high and low points implementation wise. Having the BIOS take care of it would make it automatically transparent to the OS. But getting manufacturers to agree on one standard would be hellish. So in the end it might only work well with a driver in the OS... with an open standard porting drivers would be a snap.
The scheme depends on the user being smart enough to notice if there is already a keylogger installed on the box at installation time. =) Otherwise the crypto setup process will be compromised obviously.
**added: Oh yah and the keyboard would have to be specially designed to support the standard... just so nobody gets confused reading that, this assumes special hardware in the keyboard.
- inactive, on 10/12/2007, -1/+1you go to the bathroom and i can have a keylogger on your system in seconds.
bank computers aren't exactly public.
if someone wants to really bad they can sneak into your home and place one of these on your computer.
Still i am not super gluing a keyboard to my comp.. would suck when it is time to replace.. banks should lock up the computer.. as only the tech really needs access to the actual machine.
I use OSK all the time as i am lazy and often my wireless keyboard is too far to reach.. it really sucks to type much... kinda like tm'in.. i just am not going to write much with it... but is fine with the auto complete on web addys.
- jeylux, on 10/12/2007, -1/+1buy a laptop.
put in a password.
take it with you.
- killa62, on 10/12/2007, -0/+0yeah, but lets say your password is dragon
you type
dumb
then click between the u and the d and type remove
now you have
dremoveumb
but keylogger sees
dumbremove
then you click between m and o and press backspace 2 times and type ag
now you have
dragoveumb
then click at end and press backspace 5 times and type n
the keylogger sees some random words and letters that have no meaning
- Gyga, on 10/12/2007, -1/+1The problem with a mouse logger would be where the keyboard is at on the screen and where the mouse starts by default.
A mouse just sends a signal to move in a direction it in no way compares to the current screen. So if your mouse starts in the middle and you move to the left, the cracker wouldn't know if you went from the right to the middle.
Also the onscreen keyboard could be in different locations further confusing a would be cracker.
That said there are more problems as others in this story have commented on.
- a3r0, on 10/12/2007, -0/+0Couldn't you also use one of these with the keylogger?
http://www.tigerdirect.com/applications/SearchTools/item-details.asp?EdpNo=1220387&CatId=469
- tke248, on 10/12/2007, -1/+1Roboform is a favorite of mine also
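
Added example, not part of any comment in the thread: a small Python model of the edit sequence killa62 walks through for the password dragon, showing what ends up in the field, what a keyboard-only logger records, and that every password character is still in that record (the residual exposure kimos and NghtShd point out). The class and function names are hypothetical, and mouse clicks are assumed to be invisible to the logger.

```python
from collections import Counter

BS = "\b"  # stands for one Backspace key press

class PasswordField:
    """Text field with a caret; keylog holds keyboard events only."""
    def __init__(self):
        self.text, self.cursor, self.keylog = "", 0, []

    def click(self, pos):
        # A mouse click moves the caret; it is not a key event, so it is not logged.
        self.cursor = max(0, min(pos, len(self.text)))

    def press(self, keys):
        for k in keys:
            self.keylog.append(k)
            if k == BS:
                if self.cursor > 0:
                    self.text = self.text[:self.cursor - 1] + self.text[self.cursor:]
                    self.cursor -= 1
            else:
                self.text = self.text[:self.cursor] + k + self.text[self.cursor:]
                self.cursor += 1

def run_killa62_steps():
    f = PasswordField()
    f.press("dumb")
    f.click(1); f.press("remove")                 # field: dremoveumb
    f.click(4); f.press(BS * 2 + "ag")            # field: dragoveumb
    f.click(len(f.text)); f.press(BS * 5 + "n")   # field: dragon
    return f

def replay_without_mouse(keylog):
    """What the log reconstructs if the caret is assumed never to move by mouse."""
    f = PasswordField()
    f.press(keylog)
    return f.text

def printable(keylog):
    return "".join(k for k in keylog if k != BS)

def all_chars_logged(password, keylog):
    """True if every password character (with multiplicity) appears in the log."""
    have = Counter(printable(keylog))
    return all(have[c] >= n for c, n in Counter(password).items())

if __name__ == "__main__":
    f = run_killa62_steps()
    print("field content :", f.text)
    print("logged letters:", printable(f.keylog))
    print("naive replay  :", replay_without_mouse(f.keylog))
    print("all password chars present in log:", all_chars_logged("dragon", f.keylog))
```
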