“We tested five shareware or commercial keylogging programs: HomeKeylogger 1.70, GhostKeylogger, KG-BKeylogger, Spytector 1.2.8 and ProBot. None of them captured passwords entered using the trick we describe.”
copy-paste also works.
But copy/paste from what? If you aren’t typing in any passwords on that system you would have to have them in an unencrypted file on a portable drive (USB or whatever). Then you have even bigger problems to worry about than keyloggers.
There are apps out there (similar to keyloggers but even easier to write and distribute) that will copy the contents of any files on such a portable drive and store them (or send them over the network) for later perusal. There are also ones that will dump the contents of the clipboard any time something new is added. That, especially in combination with a keylogger, would (I think) render the copy/paste technique insecure.
Even the technique described here has its issues. They basically recommend switching the focus to something else and typing random gibberish characters in between typing your password, and going back and forth. I think they need to test this on more keyloggers, though, because I’ve personally seen ones that (in addition to recording raw text) will record any time you switch focus to any other element on the screen, and identify it by name (which every text box, form field, etc. will have, as far as the OS is concerned).
Basically, the summary is that there is almost no good way to be safe on a system you don’t own. I have to get the kids breakfast right now, but I’ll come back later and write my proposal on a system which I think would work very well for public access like this. I’ll either comment here or post it on my blog and trackback.
I copy/paste letters/numbers/symbols from the text on various websites.
Safely Using Untrusted Computers…
Inspired by this post from Dan that links to a suggestion for keeping your passwords safe when using a computer that isn’t your own, I’ve decided to post on my idea for safe remote access, even though I haven’t actually implemented it…
Good point, I didn’t think about that, but it might be difficult to find some of the more obscure characters, unless I guess you have a page somewhere that just has every character already out there, copy/paste ready.
Will not work if the person who installed the keylogger is using a more sophisticated keylogger application.
I saw a couple of freeware and shareware keylogger apps that can track everything.
The simplest of these apps, I was able to figure out the password typed in 30 mins after reading the log file. One good way is to simply duplicate the process as is written in the log file.
Now it is up to the person if s/he will be patient enough to decode the numerous random and not random clicks, tabs, typing, etc.
Simply, keyloggers will log where and when you clicked and/or tabbed where and when, even if you clicked on another browser window, or tabbed to another browser-tab. If you scroll, typed in notepad, typed in command line, run, etc.
Oh, basically, there is really no other way to be secured in a public terminal unless you can do a restore of the system from its very first state when it was first booted after a fresh reformat and installation.
That’s why I only trust a very few iCafes in Metro Manila, and I don’t log in sensitive stuff at terminals that I can easily install and edit the startup system.
^_^
Btw, I forgot to mention. Don’t trust too much on “Copy & Paste”. There are keylogger applications that can log what you copied from what window, what site, when, and the exact order of your copy and pasting, as well as which window, tab, application, mouse move, clicks, etc. etc.
These apps are out there, these keylogger people just have to be persistent to find these apps we tested. They are few, but once you have it, keylogger galore. Freeware and Shareware.
Now for a serious person, there are professional grade keyloggers that will do much more than that, and sadly, these pro-keylogger apps can be easily cracked, so well…
Befriend a public terminal owner (iCafe owner that is), like what I do, so you’ll gain access to its restore system (if they use one), or you’ll be allowed to touch and make changes to their whole system (provided you know where to look for and what stuff needs to be checked).
It’s hard. But so far, I haven’t been victimized by keyloggers.
Those are what I can share ^_^
You could just cut and paste characters from any website, one by one. You actually went and tested 8 apps to come to the conclusion that they only do what they are supposed to do (capture keystrokes)? It should have been obvious.
Copy/paste can be caught.
Go to a website with the alphabet and all chars and numbers.
Let’s say your password is Maple.
Copy/paste the whole alphabet/numbers/symbols and WITH YOUR MOUSE, delete all the symbols which aren’t ‘M’.
Do the same about ‘a’.
And about all other chars.
Guys, if you type really fast then the keylogger will be unable to capture all keystrokes technically, but the possibilities of being safe are less….
LOL