116 Comments
- Daniel591992, on 10/12/2007, -6/+104
PDF!!
- Tu13erhead, on 10/12/2007, -14/+89
For those who dislike PDF's...
How To Login From an Internet Café Without Worrying About Keyloggers
Cormac Herley and Dinei Florêncio
Microsoft Research, Redmond
ABSTRACT
Roaming users who use untrusted machines to access password protected accounts have few good options. An internet café machine can easily be running a keylogger. The roaming user has no reliable way of determining whether it is safe, and has no alternative to typing the password. We describe a simple trick the user can employ that is entirely effective in concealing the password. We verify its efficacy against the most popular keylogging programs.
1. INTRODUCTION
Keylogging is one of the most insidious threats to a user's personal information. Passwords, credit card numbers, PII etc. are potentially exposed; and the incidence of keyloggers in-the-wild is apparently growing rapidly. Unlike Phishing, this is not an attack that alert and sophisticated users can avoid. Writing a keylogger is a trivially easy task [6, 4], there are numerous freeware offerings, and many of them make efforts to conceal their presence. For example, they will not show up in the Task Manager process list. There's even a feature comparison site [1] for those interested in the hardest to detect keyloggers.
Home and enterprise users may be able to trust their systems if they maintain good firewall, anti-virus and update strategies. However roaming users have no control over what is installed. Certain internet kiosks restrict input access to the machine to prevent software installation. This makes it less likely that another user of the machine has installed a keylogger, so long as the administrator has set good policies. But this requires knowing that the administrator is both competent and trustworthy. As things stand a user has no reliable way to determine if a machine is running a keylogger or not. In this environment is there anything a user can do to protect themselves from the possibly catastrophic loss of data?
2. A SIMPLE TRICK
We assume that the machine we use has a keylogger running. We'll also assume that it's not discoverable by the user, and that we wish to primarily protect any passwords the user types (we're less concerned about other typing). There are many ways of implementing such a keylogger, and the details won't concern us; in Windows user32.dll provides event handlers that any application can invoke to trap every keyboard and mouse event. There are many other approaches, and it is true for every major OS [6, 4]. Thus the keylogger gets a string that grows in length as keys are typed. For convenience, some keyloggers generate different strings for the keys that are intended for different applications. This just involves checking which window has focus at the time of the key event. It is now very easy for the keylogger to harvest passwords. The string of keys sent to the browser will often contain domain names (at an internet café most people will type domains since they are not in "favorites"), followed by userid and passwords. For example the segment www.hotmail.comsarahj7@hotmail.comsnoopy2 tells the logger that sarahj7@hotmail.com has password "snoopy2" at hotmail. By parsing the string for common domains such as hotmail, paypal, amazon, fidelity, the task is made even easier.
At first our task may seem impossible: if the keylogger sees everything how can we hide the password from it? Rather than hide the password our approach is to embed it in a sequence of random characters. So we seek a way of entering random keys so that they will be seen by the keylogger, but will not affect normal login. The trick lies in the fact that keyloggers employ very low level OS calls. The keylogger sees everything, but it doesn't understand what it sees. The browser also sees everything, but it doesn't use everything that it sees: it does not know what to do with keys that are typed anywhere other than the text entry fields, and lets them fall on the floor.
The keylogger has no easy way to determine which keys are used by the browser and which fall on the floor. It is very easy to record all of the keys or mouse events (this is true both for Windows and Linux based systems [4, 7]). It is also very easy to determine which application had focus at the time of the event (e.g. this key went to the browser). But it is very hard to determine what the application did with those events.
Between successive keys of the password we will enter random keys. In the spirit of chaffing and winnowing [5], the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. Observe that we are not exploiting a particular feature of any particular browser: this trick works with all versions of Internet Explorer, Netscape Navigator and Mozilla Firefox. We are exploiting the difficulty from the OS layer of determining how the GUI of an application handles events. Here, then, is the method:
    Navigate to the login page desired;
    Type in the userid;
    for (each pwd character) {
        Give focus to anywhere but the pwd field;
        Type some random characters;
        Give focus to the pwd field;
        Type the next character of the pwd
    }
    Submit;
It involves typing random characters between successive characters of the password, and changing focus to and from the password field using the mouse. Instead of the password snoopy2 the keylogger now gets:
    hotmail.comspqmlainsdgsosdgfsodgfdpuouuyhdg2
Here a total of 26 random characters have been inserted among the 7 characters of the actual password. In general a total of n extra characters in a length k password will yield so many possible passwords that attack is infeasible (recall the password that can only be tested by attempting login). There are various attacks on this method as we explain below. However, none of the keyloggers reviewed in [1] appear to have the functionality to defeat this simple trick.
2.1 On Screen Keyboards
Rather than have users key in their passwords some web sites have experimented with on-screen keyboards as a method of secure data entry. Like our trick this forces keyloggers to do screen captures at every mouse click or every key event. One security startup [2] is offering on-screen keyboard login as a service offering to banks. Again, this relies on the fact that a non-trivial increase in the resources consumed would be required to capture these passwords. The same is not true of the on-screen keyboard offered by Windows XP Accessibility tools (this is available under Programs-Accessories-Accessibility Tools-On Screen Keyboard). Unfortunately this emulates keystrokes and sends them to the application that has focus. Even the simplest keylogger will catch all of the entries from the On screen keyboard as though they were typed.
3. RESULTS, LIMITATIONS, DIRECTION
We tested five shareware or commercial keylogging programs: HomeKeylogger 1.70, GhostKeylogger, KGBKeylogger, Spytector 1.2.8 and ProBot. None of them captured passwords entered using the trick we describe. It bears pointing out that this is not a universal durable solution to the problem of keylogging. There are many tricks in the Security space that work well when used by a small number of people, but which will not withstand the attacks that a large deployment can be expected to bring. The security here comes from the fact that figuring out what an application does with keys is non-trivial for a layer of code that is below that application. Doing a screen capture at every keystroke will reveal which of the keys typed using this method belong to the password (the password field of the browser indicates how many keys have been typed). But we point out that taking a per-keystroke screenshot greatly increases the spyware's resource consumption (and hence its risk of discovery) and harvesting of passwords becomes more difficult to automate.
Nonetheless, the simple mechanism of embedding the password in random keys to be extracted elsewhere is valuable. Here we inserted the random keys manually, and "extracted" them by knowing what the browser allows to fall on the floor. We pointed out that this can be attacked (though it suffices to give real protection to real users today). A truly secure approach is to have the random keys extracted somewhere other than the untrusted machine. In [3] we demonstrate how this can be done using a simple proxy server. The user again enters the password embedded in random keys, and the proxy extracts the random keys using a secret shared between the user and proxy. In this way we can entirely avoid leaving any information about the password on the untrusted machine. Spyware that logs the keys, captures screenshots and monitors all network traffic would still be unable to discover the password without the shared secret. Details and variants are in [3].
4. REFERENCES
[1] http://www.keylogger.org.
[2] http://www.bharosa.com.
[3] D. Florêncio and C. Herley. Entering Passwords on a Spyware Infected Machine Using a Shared Secret Proxy. MSR Tech. Report, 2006.
[4] S. McClure, J. Scambray, and G. Kurtz. Hacking Exposed. McAfee, fifth edition, 2005.
[5] R. Rivest. Chaffing and Winnowing: Confidentiality without Encryption. 1998. http://theory.lcs.mit.edu/~rivest/chaffing.txt.
[6] M. E. Russinovich and D. A. Solomon. Microsoft Windows Internals. Microsoft Press, 2005.
[7] E. Skoudis and L. Zeltser. Malware: Fighting Malicious Code. Prentice Hall, 2004.
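The focus-switching trick from the paper, and the click-logging objection that several commenters raise further down the thread, modelled as an added example (Python written for this page, not code from the paper or from any commenter; the event model, the two focus targets and the "lone key between two clicks" heuristic are illustrative assumptions):

```python
"""Replay a stream of key presses and focus changes to compare what the
browser's password field receives with what two kinds of logger record.
Constructed example: events are generated here, not captured from a machine.
"""
import random
from math import comb

PWD, OTHER = "pwd", "other"          # the two focus targets we model
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def build_events(password, junk_per_char=4, decoy_clicks=False, seed=0):
    """Generate ('key', ch) / ('click', target) events for the paper's trick.

    For each real character: click outside the password field, type
    junk_per_char random letters, click back into the field, type the
    character. With decoy_clicks=True an extra click (still outside the
    field) follows every junk letter, the counter-measure proposed in the
    thread against click-aware loggers. Seeded RNG so runs are repeatable.
    """
    rng = random.Random(seed)
    events = []
    for ch in password:
        events.append(("click", OTHER))
        for _ in range(junk_per_char):
            events.append(("key", rng.choice(LETTERS)))
            if decoy_clicks:
                events.append(("click", OTHER))
        events.append(("click", PWD))
        events.append(("key", ch))
    return events


def browser_view(events):
    """Keys that reach the password field: only those typed while it has focus."""
    focus, out = OTHER, []
    for kind, val in events:
        if kind == "click":
            focus = val
        elif focus == PWD:
            out.append(val)
    return "".join(out)


def naive_logger_view(events):
    """A logger that records every keystroke and nothing else."""
    return "".join(val for kind, val in events if kind == "key")


def click_logger_view(events):
    """A logger that also notes that a click happened (not where)."""
    return "".join(val if kind == "key" else "[click]" for kind, val in events)


def single_keys_between_clicks(logged):
    """Heuristic from the thread: a lone key between two click markers is a
    password character (click in, one key, click out)."""
    return "".join(p for p in logged.split("[click]") if len(p) == 1)


def candidate_count(total_keys, pwd_len):
    """Passwords a keystroke-only logger must consider: every length-k
    subsequence of the n+k logged keys, i.e. C(n+k, k)."""
    return comb(total_keys, pwd_len)


if __name__ == "__main__":
    for decoy in (False, True):
        ev = build_events("snoopy2", decoy_clicks=decoy)
        keys = naive_logger_view(ev)
        print("decoy clicks:", decoy)
        print("  browser sees :", browser_view(ev))
        print("  key logger   :", keys, "->", candidate_count(len(keys), 7), "candidates")
        print("  click logger :", click_logger_view(ev))
        print("  heuristic    :", single_keys_between_clicks(click_logger_view(ev)))
```

Without decoy clicks the heuristic recovers "snoopy2" exactly as the commenters predict; with a click after every junk letter it returns the whole key string, so the click log adds nothing over the keystroke log.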
- mirzmaster, on 10/12/2007, -0/+34
@flameboy:
Actually, the article is suggesting that you blend your password characters with characters typed anywhere else within the same window, just not in the password field. The keylogger should not be able to tell whether you are typing within a password field or not.
- Jelfish, on 10/12/2007, -0/+30
A good way around a key and click logger may be to type your password out of order, but to click on the appropriate position when you get to a specific letter.
For example, for the password "elephant," you could type "lpat" and then click and type the locations for "e," "e," "h," and "n." You could also combine that with the random letter jumble by clicking outside the field for a moment.
- chongli, on 10/12/2007, -4/+34
The keylogger could simply combine the keystroke and mouse click logs together. So if I was using this method to enter the password doggy23 it might look like this:
dhfygasgdaahdg[click]d[click]hda4yaswg[click]o[click]ytewayw34sadg[click]g[click]y23hashsgawesy34y3[click]g[click]gasdh4agadsh3ty43[click]y[click]3t2wegyaghw4ggwagad[click]2[click]sdagw3gas[click]3[click]gaygsdgas
As you can see, it is very obvious where the password is, since we are not entering any of the random characters into the password field.
- Sonic_Molson, on 10/12/2007, -1/+24
I like typing a-z0-9 in the url bar and then dragging the characters for my password into the login field.
- thydzik, on 10/12/2007, -3/+23
should be more digg articles linking to pdf articles rather than blogs.
- khag7, on 10/12/2007, -4/+24
If your keylogger logs mouse clicks (which many do) it would look like this (for the password "snoopy2"):
s(leftclick)asdlkfajsdlfkjd(leftclick)n(leftclick)alsdkfjasdlkj(leftclick)o(leftclick)dsflksjflkaj(leftclick)o(leftclick)dkdaslkdfjalsdkf(leftclick)p(leftclick)sldkfajs;dlfkjs;ldkjf(leftclick)y(leftclick)asldkfjasd(leftclick)2(leftclick)(enter)
so the password is set off by (leftclick) tags.. so this is a useless method unless you insert random left clicks as well
- flameboy, on 10/12/2007, -17/+35
I stopped reading when I figured out it's just telling you to switch focus and type random text
Even back in 1999 the keylogger I had detected which application had focus and logged the text after [Application name]
- rebrane, on 10/12/2007, -0/+18
A hardware sniffer would be just as compromised by this method. Read the paper, dude.
- p2pintel, on 10/12/2007, -0/+18
interesting to see that the paper came out of the folks at MS research :P
- id34, on 10/12/2007, -0/+16
I used to hate using these net cafes in Spain.
What I used to do was copy and paste letters and also write every other letter somewhere else. It can only help a little mind : (
- se1zure, on 10/12/2007, -1/+13
the best method is to copy and paste the letters one by one from the individual characters in the text on the page :D
- rebrane, on 10/12/2007, -0/+11
Practically every webmail service uses SSL now. Gotta sniff at a lower level if you want those sweet, juicy passwords.
- WhiteT, on 10/12/2007, -1/+12
secure wireless networks, oxymoron? ;)
- nzgizmoguy, on 10/12/2007, -0/+10
Or view the google cached version in plain text :)
http://72.14.253.104/search?q=cache:http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf
- adfsj, on 10/12/2007, -3/+12
It is easy to tell which window has focus in windows. Many key loggers keep track of the in focus window, along with mouse clicks (not location, just that the event takes place) and other characters like arrow keys and the delete key. This may help obscure your password against the most basic and low level keyloggers, but it is still not a good way to log into a public terminal.
The first bit of common sense is: Do not enter any crucial passwords on a public terminal.
If you have to enter any passwords at all, copy and paste each individual character from any random webpage, and paste them into the password box in a non sequential order. Of course not even that will save you from everything (especially packet sniffing, or IE/firefox extensions)
- KiTchMe, on 10/12/2007, -0/+9
If your keylogger logs mouse clicks (which many do) it would look like this (for the password "snoopy2"):
s(leftclick)asdlkfajsdlfkjd(leftclick)n(leftclick)alsdkfjasdlkj(leftclick)o(leftclick)dsflksjflkaj(leftclick)o(leftclick)dkdaslkdfjalsdkf(leftclick)p(leftclick)sldkfajs;dlfkjs;ldkjf(leftclick)y(leftclick)asldkfjasd(leftclick)2(leftclick)(enter)
so the password is set off by (leftclick) tags.. so this is a useless method unless you insert random left clicks as well
---------------------------------------------------------------------------------------------------------------------------
That's correct if you clicked only once between password space (where you type it) and somewhere else on the page... However if you do it randomly, then it's almost impossible to figure it out... For example if your password is "like" (I'll make it in capital letters in order to see it easier)--
L[click]o[click]v[click]I[click]ng[click]m[click]on[click]K[click]ey[click]re[click]s[click]cu[click]E[click]d[click]
- inactive, on 10/12/2007, -0/+8
The really good phishing malware just reads the data sent to the websites anyway, so none of this helps anything. The real threat hasn't been from keyloggers for quite some time.
- brendanc, on 10/12/2007, -2/+10
How about "Linux isn't always the answer"
There are many things to consider before you tout the "use linux" cop out.
Network configuration? Wireless (VERY POSSIBLE, and we all know the reliability of linux when it comes to wireless support)? Proxies? Kiosk software? Is there even a CD drive on the terminal (could be a slim terminal)?
There are hundreds of factors that could make linux useless in this type of situation.
- wallitron, on 10/12/2007, -0/+8
Why doesn't Gmail offer a one time password auth option? You could have a standard password for trusted systems, and your OTP list in your wallet. What other passwords would you really need while traveling without your own PC?
- nzgizmoguy, on 10/12/2007, -0/+8
Or go to the google cached version http://72.14.253.104/search?q=cache:http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf
- vermin, on 10/12/2007, -1/+9
I too was thinking that the copy+paste method would provide at least some level of security as well.
- ezen, on 10/12/2007, -0/+7
I was always a bit wary of this - so I wrote a small program to create an onscreen keyboard. (Windows only - I didn't see any benefit in writing this for Mac or Linux.)
Its advantage is that you NEVER need to type on the keyboard.
With it you can 'type' passwords with your mouse (to fool keyloggers), and the keyboard changes size, shape and placement each time it's run to fool mouseloggers.
...and as this is not a commercial tool, keyloggers won't be able to pick up on it!
So unless the computer is infected with a screencapture program to capture at more than a few frames a second (which is currently _extremely_ rare), then it will work fine.
It's free - download it here: http://www.aplin.com.au/?p=204
Neo
- Tanath, on 10/12/2007, -0/+7
I've just suggested this feature, with a few additional suggestions, to Google.
- cyssero, on 04/18/2009, -0/+7
You know, this is a very good idea. I absolutely hate logging into my Gmail account at work, school - or any public PC. I would definitely use a one time password / disposable password. Do you know of any web mail providers that do such a thing?
- anymir, on 10/12/2007, -0/+6
Um, I'm thinking you didn't read the article.
- twooster, on 10/12/2007, -4/+9
This is ridiculous on a variety of levels.
A) The procedure is inane. Yes, it works, but the process is rather ridiculous. There's gotta be a better way. Why not just use copy and paste from Character Map? Why not copy and paste from a sufficiently large data source?
B) I cannot believe, for a second, that any sufficiently intelligent key-logger, which could, for example, detect the current running application window, couldn't also detect the currently focused subwindow (e.g., a text input box, whatever type of widget), and distinguish based on that. This would EASILY defeat the trick as described. Hell, if it's using standard OS widgets (arguably, most do) you could also detect if it's a password field (one that hashes input) or not.
C) I don't care what MS says. This is a combination deficiency of the operating system and system administration. Key-loggers should not be that easy to install without administrative privileges, and admins should understand how to set up a kiosked user-install. Some OSes/software bundles even make this easy, with user-account wipes and reloads after logout.
D) It isn't safe to access personal things through a public terminal. Let's not pretend that it is.
- rebrane, on 10/12/2007, -2/+7
They should've called this paper 'How I Learned To Stop Worrying And Love Logging In From Internet Cafes'
- cyssero, on 04/18/2009, -1/+6
One more revision to step one;
First: Check for hardware loggers, they are likely attached to the end of your keyboard cord, look them up on Google to get a look at them. If you see it take it, finders keepers. Then haul your ass out of there and find a different Internet Cafe.
- AbortedFetus, on 10/12/2007, -2/+7
charmap FTW?
- Sushubh, on 10/12/2007, -0/+5
RTFA.
- ezen, on 10/12/2007, -0/+4
Niku,
No, the program doesn't use "SendKeys". It populates a text box at the bottom of the keyboard, and then you drag the password from the text box to the password field (on, say, the browser).
This way the creation of the password is 100% mouse and the transfer from the text box to the password field (on the browser) is 100% OLE. The windows SendKeys statement is not used and the clipboard is also not used - it's the only safe way.
- brendanc, on 10/12/2007, -0/+4
Wouldn't make a difference...
The point is that you assume there is a keylogger in place, hardware or software level... by typing random characters outside of focus of the password field, you jumble up what the keylogger is receiving. If anything, a hardware keylogger would be more susceptible to this type of trick than a software one would be (a hardware keylogger can't record clicks... that is, unless it's not the type that is a passthrough for a ps2 keyboard).
- inactive, on 10/12/2007, -0/+4
I actually wrote a program that does exactly this a few weeks ago. I posted it on the truecrypt forums. You can look at what I have done here...
http://forums.truecrypt.org/viewtopic.php?t=4332&highlight=
My program automates random keystrokes. You simply type in your password while at the same time my program is generating tons of random keystrokes and sending them into the system via the sendkeys() function of visual basic. When you are all done, the password box has the password and the logger has a jumble of random crap. I have tested my program with a keystroke logger and yes it does work.
- cyssero, on 04/18/2009, -0/+4
Use FoxitReader. It's the uTorrent of PDF readers. You'll never worry about opening a PDF again. Freeware, 1.5MB - http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm .
- transeunte, on 10/12/2007, -2/+6
@Coded1
I can put all you've said in less than 10 words:
Paranoids should avoid Internet cafés overall. kthxbai
- darkmist, on 10/12/2007, -2/+6
Gonna change the first step a bit
First: Check for hardware loggers, they are likely attached to the end of your keyboard cord, look them up on Google to get a look at them, if you see it take it, finders keepers.
- Tanath, on 10/12/2007, -0/+3
Another thing you can do is intersperse typing with selecting (most of) the password with the mouse. When you type over selected text, it gets overwritten. You can do this in such a way as to end up having typed a lot of random gibberish, interspersed with random clicks, and end up with the correct password. That way, you don't change the window focus, or even the focus of the text field. You can also combine this with other methods, if you're that paranoid.
But if you're that paranoid about it, you probably shouldn't sign in from that computer in the first place.
- Tricky, on 10/12/2007, -1/+4
better than a blog
- hellomynameisop, on 10/12/2007, -2/+5
yeah linking directly to a pdf is just bad form, dude. and no warning, even! you need to brush up a little on your table manners. if you want to post a link to a pdf on digg you should really start the link with PDF or at least end with it.
- drmonkey, on 10/12/2007, -0/+3
key loggers only pick up on the Xp onscreen keyboard events,
Like they mentioned in the article, the only way to get information from a website embedded onscreen keyboard would be to take a screenshot for every keyboard event (mouse clicks, key presses) or to track the position of the mouse on every click; this would start to become noticeable in terms of system resources.
And the logging of mouse coordinates for each left click could be made useless if the website embedded keyboards randomised their key locations.
I think embedded keyboards for entering passwords/usernames should be the next step for login security.
Hopefully in a few years gmail and hotmail will add it.
- mattprice, on 10/12/2007, -0/+3
Doesn't anyone ever look at links before they click them? Ha, that's your first problem. Don't even worry about keyloggers if you just randomly click links without seeing where they go.
It says .pdf at the end of the link and last time I checked most (if not all) web browsers show the address somewhere (usually the status bar) when you hover over it.
- humanerror, on 04/03/2008, -1/+4
ezen: If that program uses "Sendkeys" like I'm guessing it does, then keyloggers will still catch whatever you type with it.
- meBigGuy, on 10/12/2007, -1/+3
lame lame lame --- so many words for so little information.
1. Click focus to different places while typing to try and fool the keylogger.
Not even smart enough to tell you to do your password out of sequence with extra chars and delete out of sequence to finally get it correct.
(I admit I couldn't stomach reading the whole article -- just scanned --- so maybe I missed something)
- TheCod, on 10/12/2007, -2/+4
Why would they even bother with keyloggers? If they really want your password, they will just set up a packet sniffer and sit for a few hours while they surf the web and do other things. You can get programs that are basically "packet sniffing for dummies".
And yes, hardware key loggers work on any operating system. They go between the keyboard and computer so they are OS independent.
- jackhodgson, on 10/12/2007, -0/+2
Ah, just for the record...
This is an interesting article, which normally I would have dugg. But as a consequence for it being a PDF (and with basically no warning): no digg.
PDFs make bad web pages!
PDFs make bad web pages! - crashflow, on 10/12/2007, -0/+2it would have to be a hardware keylogger
- crackedsaint, on 10/12/2007, -0/+2They forgot to mention virtual keyboard HOVERING, it evades screen captures upon click events.
- superkendall, on 10/12/2007, -0/+2Here's what I do on really insecure terminals (like when I was logging into web mail from a cybercafe in Zimbabwe):
Type half the password, something along the lines of every otehr letter.
Copy and paste word fragments with the proper letters in-between the chaarcters you typed before.
Delete the characters not a part of your password.
Of course the really silly thing is, if something has hooks into your browser it would simply catch the form submit before it was sent off. So the real thing to do would be to have a proxy web site set up on your own server that required some special changing input to authenticate after which it would pass mail traffic back and forth - something like the time of day - two hours (with a large margin of error) would be good enough to mystify someone capturing keylogger data. -