[SEC] How to protect ourselves against keyloggers?

[Wai_Wai]

How to protect ourselves against keyloggers (or anything similar)?

Hey.

Apart from the obvious method of installing a anti-virus OR anti-keylogger program, what lese could we do to stop keyloggers (or anything similar) from stealing our important data/passwords etc. ?

Thank you.

Gouki: Title edited. Rules.

[Gouki]

First, PLEASE read this forum rules.

As for your 'problem' ...

Physical access to machines (no need to Operating System access), is a pretty good problem. Big part of Keyloggers can be connected between the keyboard and the computer. Invisable to the 'distracted' eye, since they are really small 'gadgets'.

As for software based keyloggers, I think the best idea is to instruct users (in a company scenario) to be carefull with eMails and IM. Other than that, maybe keeping an eye open on the services running.

Take care.

P.S: Please try and follow the rules the next time.

[LLXX]

Firewall will alert you if anything is trying to send keylogs out through the network.

You also have to be careful of what you download and run.

[Wai_Wai]

Thanks for your reply.

I wonder if there're some other preventive methods (apart from security-software-based help like Firewall/anti-keyloggers) could be done to prevent keyloggers to record our keyboard activities.

How about if a user type the password via a visual keyboard (by clicking keys on the screen)?

Does it help?

[Gouki]

Yes. That would help, allot. However, that would not make it completly secure (Well, *nothing* is totally secure).

Implementing an on screen keyboard would help allot, however, there are 'keyloggers' for mouse movements. Randomly changing the buttons from the on screen keyboard, every time it starts, would be a solution to this.

My bank has it and it works like a charm.

[Wai_Wai]

Yes. That would help, allot. However, that would not make it completly secure (Well, *nothing* is totally secure).

Implementing an on screen keyboard would help allot, however, there are 'keyloggers' for mouse movements. Randomly changing the buttons from the on screen keyboard, every time it starts, would be a solution to this.

My bank has it and it works like a charm.

Thanks.

Does it matter what onscreen keyboards I use?

Any recommendation?

Is it possible for hackers to record my monitor?

Other than the abovementioned, any other precautions?

[Gouki]

It is possible to record your monitor, however, they would need a server side application running at your system. This can be preventedd by carefully choosing what you download and install.

As for suggestions to the OSK ... Sorry, but I have no idea of wich one is best.

Better than all of this? Buy a blackbox (firewall)

[HyperHacker]

When I enter a password on a public computer, I enter the letters in random order. Like instead of entering "password" I might enter "ord", then click before the first character and type "asw", then click after the "a" and type another "s", and so on. By clicking rather than using the arrow keys, it comes out garbled in a key log.

[Wai_Wai]

When I enter a password on a public computer, I enter the letters in random order. Like instead of entering "password" I might enter "ord", then click before the first character and type "asw", then click after the "a" and type another "s", and so on. By clicking rather than using the arrow keys, it comes out garbled in a key log.

This trick sounds interesting.

Tease the hyperhacker

Edited April 8, 2006 by Wai_Wai

[Delprat]

When I enter a password on a public computer, I enter the letters in random order. Like instead of entering "password" I might enter "ord", then click before the first character and type "asw", then click after the "a" and type another "s", and so on. By clicking rather than using the arrow keys, it comes out garbled in a key log.

This trick sounds interesting.

Tease the hyperhacker

Too bad, it's easy to work around :

1/ brute force cracking is far easier when you had "keylogged" the right characters

2/ mouse clicks and/or time between key presses allows to know "words" to permit into the password

In fact the only good password is the one which changes randomly after each use

++

Edited April 8, 2006 by Delprat

[LLXX]

When I enter a password on a public computer, I enter the letters in random order. Like instead of entering "password" I might enter "ord", then click before the first character and type "asw", then click after the "a" and type another "s", and so on. By clicking rather than using the arrow keys, it comes out garbled in a key log.

Also won't work if the keylogger doesn't log keys in-order, but just hooks editboxes and retrieves their contents. A few of them do this. However, it's still a little extra security at little cost.

[Wai_Wai]

When I enter a password on a public computer, I enter the letters in random order. Like instead of entering "password" I might enter "ord", then click before the first character and type "asw", then click after the "a" and type another "s", and so on. By clicking rather than using the arrow keys, it comes out garbled in a key log.

Also won't work if the keylogger doesn't log keys in-order, but just hooks editboxes and retrieves their contents. A few of them do this. However, it's still a little extra security at little cost.

So a visual keyboard is a solution to "Delprat & LLXX problems", right?

No one has any idea what visual keyboard should I use?

[Delprat]

So a visual keyboard is a solution to "Delprat & LLXX problems", right?

No one has any idea what visual keyboard should I use?

Hit <Win>+U on your keyboard, click on the "visual keyboard" line, then press the "start" button...

About "editboxes hooking", that's for "badly" written apps... some doesn't use "masked editboxes", but "editboxes with real *" (bad explanation, but i hope you'll understand).

I've also seen a "password safe" app whith a masked editbox, but with a false password behind the mask (not the one typed in)