How To Login From an Internet Cafe Without Worrying About Keyloggers

“We tested five shareware or commercial keylogging programs: HomeKeylogger 1.70, GhostKeylogger, KG-BKeylogger, Spytector 1.2.8 and ProBot. None of them captured passwords entered using the trick we describe.”

read more | digg story

Asides

November 23

Comments

 

About the Author, Dan Cameron:

I'm the owner and solution engineer at Sprout Venture, a web solutions company that specializes in web development including WordPress.

I started my first blog in 2003 and transitioned to WordPress in 2004. Since moving to WordPress I've written a few plugins and themes for public consumption. Lately I'm busy engineering/building/coding and have only been able to share a few code snippets.

If you're in need of some web development, web design or custom WordPress plugins and/or themes contact me, I'll be happy to discuss it with you.

Read More »

  • Copy/paste can be catched.
    Go to a website with the alphabet and all chars and numbers.
    Lets say your password is Maple.
    Copy/paste the whole alphabet/nubmers/symbols and WITH YOUR MOUSE, delete all the symbols which aren't 'M'.
    Do the same about 'a'.
    And about all other chars.
  • You could just cut and paste characters from any website, one by one. You actually went and tested 8 apps to come to the conclusion that they only do what they are supposed to do (capture keystrokes)? It should have been obvious.
  • Btw, I forgot to mention. Don't trust too much on "Copy & Paste". There are keylogger applications than can log what you copied from what window, what site, when, and the exact order of your copy and pasting, as well as which window, tab, application, mouse move, clicks, etc. etc.

    These apps are out there, these keylogger people just have to be persistent to find these apps we tested. They are few, but once you have it, keylogger galore. Freeware and Shareware.

    Now for a serious person, there are professional grade keyloggers that will do much more than that, and sadly, these pro-keylogger apps can be easily cracked, so well... ;) Be-friend a public terminal owner (iCafe owner that is), like what I do, so you'll gain access to its restore system (if they use one), or you'll be allowed to touch and make changes to their whole system (provided you know where to look for and what stuff needs to be checked).

    It's hard. But so far, I haven't been victimized by keyloggers.

    Those are what I can share ^_^
  • Will not work if the person who installed the keylogger is using a more sophisticated keylogger application.

    I saw a couple of freeware and shareware keylogger apps that can track everything.

    The simplest of these apps, I was able to figure out the password typed in 30 mins after reading the log file. One good way is to simply duplicate the process as is written in the log file.

    Now it is up to the person if s/he will be patient enough to decode the numerous random and not random clicks, tabs, typing, etc.

    Simply, keyloggers will log where and when you clicked and/or tabbed where and when, even if you clicked on another browser window, or tabbed to another browser-tab. If you scroll, typed in notepad, typed in command line, run, etc.

    Oh, basically, there is really no other way to be secured in a public terminal unless you can do a restore of the system from it's very first state when it was first booted after a fresh reformat and installation.

    That's why I only trust a very few iCafes in the Metro Manila, and I don't log in sensitive stuff at terminals that I can easily install and edit the startup system.

    ^_^
  • JaredB
    Good point, I didn't think about that, but it might be difficult to find some of the more obscure characters, unless I guess you have a page somewhere that just has every character already out there, copy/paste ready.
  • nstryker
    i copy/paste letters/numbers/symbols from the test on various websites.
  • But copy/paste from what? If you aren't typing in any passwords on that system you would have to have them in an unencrypted file on a portable drive (USB or whatever). Then you have even bigger problems to worry about than keyloggers.

    There are apps out there (similar to keyloggers but even easier to write and distribute) that will copy the contents of any files on such a portable drive and store them (or send them over the network) for later perusal. There are also ones that will dump the contents of the clipboard any time something new is added. That, especially in combination with a keylogger, would (I think) render the copy/paste technique insecure.

    Even the technique described here has its issues. They basically recommend switching the focus to something else and typing random gibberish characters in between typing your password, and going back and forth. I think they need to test this on more keyloggers, though, because I've personally seen ones that (in addition to recording raw text) will record any time you switch focus to any other element on the screen, and identify it by name (which every text box, form field, etc. will have, as far as the OS is concerned).

    Basically, the summary is that there is almost no good way to be safe on a system you don't own. I have to get the kids breakfast right now, but I'll come back later and write my proposal on a system which I think would work very well for public access like this. I'll either comment here or post it on my blog and trackback.
  • nstryker
    copy-paste also works.
blog comments powered by Disqus