RE: [Full-disclosure] Re: Most common keystroke loggers?

> How about one-time passwords? Just go ahead and *let* them keylog it all
> they like; by the time they've snarfed a pw, it's no use any more. (See
> S/Key for more details.)

Please, no one-time passwords: they are a nightmare to manage.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: Most common keystroke loggers?

Dave Korn wrote:
> How about one-time passwords? Just go ahead and *let* them keylog it all
> they like; by the time they've snarfed a pw, it's no use any more. (See
> S/Key for more details.)

Ignoring the silliness of pre-printed lists of OTPs (such as some European banking systems' TANs) and the ease of extracting a few from gullible users, even dynamically generated OTPs are still vulnerable to man-in-the-middling _if_ the bad guy has code running on the device by which the user interacts with whatever service the OP is hoping to "protect".

I know the OP said "keylogger compromised", but if the machine _is_ compromised (and you can't tell from your remote web server), as the folk running the server you have no control over how it was compromised, so that is a chronically arbitrary condition (which suggests to me that the OP doesn't understand his actual problem set).

Regards,

Nick FitzGerald
Re: [Full-disclosure] Re: Most common keystroke loggers?

If the user is passed to a phishing site that asks for the OTP, the user enters it, the phishing site can return an error and instruct the user to use the next OTP password, hence giving the attacker any number of OTPs (the list-based ones, anyways).

Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot.
RE: [Full-disclosure] Re: Most common keystroke loggers?

If the user is passed to a phishing site that asks for the OTP, the user enters it, the phishing site can return an error and instruct the user to use the next OTP password, hence giving the attacker any number of OTPs (the list-based ones, anyways).

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thierry Zoller
> Sent: Thursday, December 01, 2005 2:21 PM
> To: Dave Korn
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: Most common keystroke loggers?
>
> Dear Dave Korn,
>
> DK> How about one-time passwords? Just go ahead and *let* them keylog
> DK> it all they like; by the time they've snarfed a pw, it's no use any
> DK> more. (See S/Key for more details.)
>
> ITAN I hear you scream. Oh yes... keylogger fakes that the OTP
> is not accepted, user enters a new one. Thief has a working OTP.
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Re: [Full-disclosure] Re: Most common keystroke loggers?

Dear Dave Korn,

DK> How about one-time passwords? Just go ahead and *let* them keylog it all
DK> they like; by the time they've snarfed a pw, it's no use any more. (See
DK> S/Key for more details.)

ITAN I hear you scream. Oh yes... keylogger fakes that the OTP is not accepted, user enters a new one. Thief has a working OTP.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
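As an added example, not code from any of the posters, the following Python model of an S/Key-style hash-chain OTP makes the thread's two points concrete: a replayed (already used) OTP fails the server's check, which is Dave Korn's argument, while an OTP that was captured on the user's side and never reached the server still verifies, which is the fake-rejection scenario Thierry and Nick describe. SHA-256 is used here in place of S/Key's MD4/MD5 folding, the seed and chain length are constructed values, and the "captured" values simply model a value the server never saw.

```python
import hashlib


def h(x: bytes) -> bytes:
    """One hash step of the chain (SHA-256 is an assumption; S/Key folds MD4/MD5)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)]; the server is enrolled with h^n."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class SKeyServer:
    """Holds the last accepted value; accepts exactly its preimage, then moves down the chain."""

    def __init__(self, enrolled: bytes):
        self.last = enrolled
        self.events = []  # audit trail: (result, short hex of submitted value)

    def verify(self, otp: bytes) -> bool:
        ok = h(otp) == self.last
        if ok:
            self.last = otp  # the accepted value can never verify again
        self.events.append(("accept" if ok else "reject", otp.hex()[:8]))
        return ok


class SKeyClient:
    """Walks the chain downward; the next OTP is always the preimage of the previous one."""

    def __init__(self, chain: list[bytes]):
        self.chain = chain
        self.i = len(chain) - 1

    def next_otp(self) -> bytes:
        self.i -= 1
        return self.chain[self.i]


def run_scenarios() -> dict:
    """Constructed walkthrough of the cases discussed in the thread."""
    chain = make_chain(b"constructed-seed-not-a-real-secret", 5)
    server = SKeyServer(chain[-1])
    client = SKeyClient(chain)

    # 1. Normal login: the server accepts the preimage of its stored value.
    otp1 = client.next_otp()
    login_ok = server.verify(otp1)

    # 2. A keylogged-and-reused OTP: the server already holds otp1, so h(otp1) != otp1.
    replay_ok = server.verify(otp1)

    # 3. Fake rejection: the user's endpoint swallows otp2 (server never sees it) and
    #    tells the user it was rejected, so the user produces otp3 as well.
    otp2 = client.next_otp()  # captured, not forwarded
    otp3 = client.next_otp()  # typed after the fake "try the next one"

    # If otp3 reached the real server directly, the strict chain check fails,
    # because the server still expects otp2 (a skipped value is visible server-side).
    skipped_ok = server.verify(otp3)

    # The swallowed otp2 is still unused from the server's point of view, so whoever
    # holds it is indistinguishable from the legitimate user; otp3 then follows in order.
    captured_ok = server.verify(otp2)
    captured_next_ok = server.verify(otp3)

    return {
        "login": login_ok,
        "replay": replay_ok,
        "skipped_value": skipped_ok,
        "captured_value": captured_ok,
        "captured_next_value": captured_next_ok,
        "events": server.events,
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The server's check is purely "is this the preimage of what I hold", so it has no way to tell who typed the value; that is why Nick's point about a compromised endpoint stands regardless of how the OTP was generated. The one thing the strict chain does surface is the out-of-order attempt in step 3: a legitimate user whose OTP was swallowed shows up as a rejected login with the wrong sequence position, which is a signal worth logging even though it arrives too late to protect the swallowed value.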