Friday, May 11, 2007

Outsmarting Keyloggers

By David A. Smith

As the financial officer for my organization in Tanzania, I sometimes travel without my laptop and need to access password-protected Web sites from Internet caf├ęs or hotel business centers. I worry about whether these public computers have keyloggers installed.

By using the Windows On-Screen Keyboard accessibility utility, can I safely prevent keyloggers' recording my passwords?

If the On-Screen Keyboard simply creates key-press events that can still be intercepted by keyloggers, then can Copy/Paste be used to avoid the keylogger threat? Or do keyloggers also record the contents of the Windows clipboard? Do you have another suggestion for safely entering passwords at public computers?



The On-Screen Keyboard utility is designed to let mobility-impaired users enter small amounts of text, typically by using a specialized pointing device. For maximum compatibility, it works by sending simulated keystrokes to the active application. I tried it with a number of the commercial keyloggers that I use in antispyware testing, and it was no help at all: The simulated keystrokes were captured just as actual keystrokes would be.

You could conceivably launch the Character Map utility and build your password by double-clicking characters. Once you had built the whole password, you'd click the Copy button and paste it into the password-entry box. Unfortunately, keyloggers can do a lot more than merely log keystrokes. Most also record everything that gets copied to the clipboard, and many also snap screenshots of program activity. Character Map, then, is not a solution.

The one possibility that seems hopeful is this: Type your password with extra characters in it and then use the mouse to highlight and delete the extra characters. For example, you might type passFROGword and then highlight and delete the middle four dots. Or type p1a2s3s4w5o6r7d8 and delete every other dot. A keylogger would still record all of the keystrokes that make up your password, but they'll be mixed with other unrelated keystrokes.

If you need to use a public PC, your best option for entering passwords is to use a mobile password management/form filling application such as Siber Systems' Pass2Go ($39.95, www.roboform.com). Pass2Go runs off a USB memory key and protects your passwords behind a master password. Even if the master password is compromised, it's useless to the thief unless he has your USB key, too. It's not a foolproof solution, but it will evade hacking tools that rely on capturing keyboard events.

But really, you should do your best to avoid using nonsecure computers. Even if you keep a key­logger from snagging your password, it might still take screenshots of key financial info. Your best bet is to implement a high degree of security on your laptop and resign yourself to lugging the darn thing along.


Posts:

Re: Outsmarting Keyloggers
Reply Quote
The latest version of AIRoboform with the Mozilla Adapter actually includes a mouse-click button which then opens an on-screen clickable keyboard that avoids any keypresses at all. Smile [:)] Very nice - very slick!! (Way to go Siber Systems!) Be sure to get this latest version.

-Bob-



Re: Outsmarting Keyloggers
Reply Quote
You could also try carrying a Linux live boot CD. If the PC in the Internet cafe can be booted from CD you can run a complete GUI including Web browser and email program without involving the local hard disk or OS at all. You can even keep persistent data and settings on a USB memory key, although that's a bit harder. But if all you need is a Web browser that hasn't been corrupted by someone else's bad surfing habits, this is a way to go.

Check out Ubuntu and SUSE for good live boot CDs. Both will be easy to use for anyone familiar with Windows.





Re: Outsmarting Keyloggers
Reply Quote
I'm surprised you didn't mention rolling key systems such as secureID cards that generate new random password encryption keys every 60 seconds. The keys are in synch with a server who knows how to decrypt each new key.

You enter your password and the random key, and the server authenticates you. That combination is never good again.

Of course that only gets you in securely. You still have to watch what you type!





Re: Outsmarting Keyloggers
Reply Quote

rrawding wrote:
The latest version of AIRoboform with the Mozilla Adapter actually includes a mouse-click button which then opens an on-screen clickable keyboard that avoids any keypresses at all. Smile [:)] Very nice - very slick!! (Way to go Siber Systems!) Be sure to get this latest version.

-Bob-


I have the latest version - I just checked. But I'm not seeing this mouse-click button. Where, pray tell, will I find it??
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine





Re: Outsmarting Keyloggers
Reply Quote

Hello Neil,

How do you rate PrivacyKeyboard TM from Anti-Keyloggers.com for the purpose of entering passwords ?

Thanks, Pierre





Re: Outsmarting Keyloggers
Reply Quote
Sorry, the most contact I've had with it is to announce the release of version 3.1. But Product Announcements are not evaluations; I haven't used it.
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine






Re: Outsmarting Keyloggers
Reply Quote
Neil,

It comes into play when you secure RoboForm with a master password. Once you try to fill in any forms, the Master Password dialog box comes up with a smallish button on the right side of the dialog box. Left mouse-click that and the mouse keyboard pops up. My version is 6.7.3 Pro. Sorry I hadn't clarified the master password element. See http://www.roboform.com/ver6.html

-Bob-




Re: Outsmarting Keyloggers
Reply Quote
OK, I see it now. When I get a chance I'll check whether keyloggers can trap what it's sending.
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine





Re: Outsmarting Keyloggers
Reply Quote
Neil,

According to the Roboform web site, I do not think that any input goes through the keyboard buffer, so the keylogger shouldn't work there....right?

Just a guess.

Bob

P.S. ...always enjoy your column





Re: Outsmarting Keyloggers
Reply Quote
A Live Boot CD, that was exactly my thought. That should bypass everything except a physical keylog device.

Is anyone here going to test that out? Does onyone at PCmag like Linux?




Re: Outsmarting Keyloggers
Reply Quote

To outsmart keyloggers (both software and hardware ones), I prefer to use programs that bypass keyboard altogether - e.g. Mouse Only Keyboard (MOK) with anti Clipboard logger - find at

http://www.myplanetsoft.com/free/antikeylog.php#mok

or even better - a terrific program that I recently discovered and which beats also mouse-loggers, called HashPass - check at

http://www.kagi.com/fantasy/

which not only bypasses keyboard by using Clipboard with anti Clipboard logger but can even bypass also the Clipboard allowing to use drag-and-drop. Fortunately, practically all web sites' password edit boxes are drag-and-drop enabled. I've been using HashPass since I discovered it and it uses a well conceived and implemented concept that I have not seen applied anywhere else so far. It's a small standalone app, doesn't have to be installed, doesn't require admin rights and can be run from any removable medium. At this moment it's my top of the line.





How about doing it like a ransom note
Reply Quote
What if you opened a page full of text in a separate window, selected one letter (or chunk) at a time, and dragged each one directly into the form. The content of each drag never gets put into the clipboard.





Re: How about doing it like a ransom note
Reply Quote

wolfpack3 wrote:
What if you opened a page full of text in a separate window, selected one letter (or chunk) at a time, and dragged each one directly into the form. The content of each drag never gets put into the clipboard.


Hey, I kinda like that. Even if the monitoring software is snapping screenshots, it wouldn't do so often enough to catch more than a fraction of your ransom-note letters.

But wow, TEDIOUS to do it!
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine





Re: Outsmarting Keyloggers
Reply Quote

rrawding wrote:
Neil,
According to the Roboform web site, I do not think that any input goes through the keyboard buffer, so the keylogger shouldn't work there....right? Just a guess.
- Bob



//// NEIL, ////
Have you ever had a chance to test whether your sample key-loggers are outsmarted by RoboForm's method of filling in passwords as RoboForm claims?

Have you ever had a chance to test whether your sample key-loggers are outsmarted by RoboForm's clickable keyboard provided by the button to the right of the RoboForm Master Password prompt?

Thanks for all your great utilities over the years!

Thanks for your reply in advance,
- Hal Lane



Products:
*

Stealth Keylogger $24.95

Undetectable logger records e-mail, web pages, IM chats & passwords!

www.Gore-Research.com
*

Catch a Cheating Spouse

Yesterday, He Installed PC Pandora Today, She was Busted Online!

PCPandora.com
*

Keylogger Software

Monitor kids' Internet use easily. Simple to set up. Free download!

www.NetworkMagic.com
*

Keylogger Reviews & Guide

All keyloggers fully tested for you Unbiased reviews. Full comparisons.

WellResearchedReviews.com/Keylogger
*

AceSpy: Computer Spy

Record computer activity in total stealth including emails and chats.

www.retinaxstudios.com

Thursday, May 10, 2007

Report: Supply of IT Pros Down, Though Demand Is Up

By Deborah Perelman
May 10, 2007


The bad news is IT job growth is bad; the good news is because there aren't enough good workers to go around. Good news if you're in the workforce, that is.

IT employment posted a small increase in April, but has remained essentially flat for the last 11 months, finds the April 2007 IT employment report released on May 9 by the National Association of Computer Consultant Businesses, a trade association that represents IT staffing firms.

April saw an increase of 900 IT workers, leaving the total level of IT employment at 3.67 million, where it has rested since August 2006, found the report. Between May and July 2006, IT employment rested at 3.66 million.

"IT employment has remained essentially flat for the last 11 months because of limited supply of IT professionals, not lack of demand. To the contrary, demand for IT professionals remains very robust with unemployment below 1 percent in many IT skill sets," said Mark Roberts, CEO of NACCB.

The report stated that, while companies have always used IT staffing and solutions firms to address the flexible nature of their services, clients are increasingly turning to IT services firms because they are unable to fill their IT vacancies through internal channels.

Throughout the report, a shortage in supply of IT talent, and not a lack of demand for workers, was the reason given for the flat growth in IT employment.

"If you look at the unemployment data, so many computer professions have less than 1 percent unemployment. The H-1B allotment was gone in one day. The demand is there, but the supply is not," said Roberts.

Roberts argued that the supply issue is rooted in the loss of technology recruits after the 2001 economic downturn, and also in the lack of effort in luring students back now that the economy has improved.

"The problem starts way before the university level. Among a host of other problems, tech just ain't cool. Parents aren't encouraging their kids to go into technology. At one point, with all the IPOs and the options, tech had great appeal, but it's lost its allure since the bust," said Roberts.

H-1B temporary worker visas and offshore outsourcing were considered inevitable effects of a short supply of IT workers, and not something that further diminished IT's appeal.

"If we don't have the people, the work will get pushed offshore. One way or another, companies will get their projects done," said Roberts.

In January 2006, the NACCB's IT Index found that employment of IT professionals had essentially returned to the pre-downturn levels.

"You'll see variations in the demand. When the economy has a downturn, the companies will reign in their expenses. But the long term is that we're going to need more of these people to fill IT jobs," said Roberts.

Check out eWEEK.com's Careers Center for the latest news, analysis and commentary on careers for IT professionals.

Tuesday, May 1, 2007

Tech CEOs Predict Swelled Use of Offshore Talent

By Deborah Perelman
May 1, 2007



Admitting that finding, hiring and retaining qualified employees is their biggest operational challenge, nearly half of fast-growth technology CEOs said they are tapping overseas markets for talent.

This is a trend they expect to only increase over the next five years, according to 2007 CEO Survey released by Deloitte, a Swiss Verein, May 1.

However, these CEOs also said that they were shying away from doing business outside North America.

"It's not unexpected that CEOs of fast-growth companies would look offshore for the talent they need to continue growing in a tight market," said Tony Kern, managing principal of Deloitte's Technology Fast 500 program.

"What is counter-intuitive is that CEOs' interest in selling to overseas markets is waning, with more than three-quarters of CEOs saying North America represents the best opportunity for significant growth over the next five years. Their interest in Asia Pacific dropped by half to 10 percent from last year—possibly due to intellectual property protection issues."


Sixty-seven percent of the technology CEOs surveyed, consistent with the 66 percent in the 2006 survey, said high-quality employees are the biggest contributors to company growth. Finding, hiring and retaining the best employees, however, is continually their biggest operation challenge, cited by nearly half (48 percent) of CEOs, and up from 41 percent in 2006.

This talent shortage has caused tech-company CEOs to increasingly pull out all of the stops to lure in new hires. Sixty-nine percent said they relied on equity compensation and stock options, though down from 71 percent in 2006; 51 percent offered flexible hours, up from 29 percent in the prior study; and 38 percent offered training programs and educational opportunities, up from 35 percent in 2006. Only 31 percent of CEOs said they offered workers a career path, up from a previous 28 percent.

"When it comes to talent, supply and demand are out of balance, making employees more like consumers," explains Jeff Alderton, a principal of Deloitte Consulting.

"And like consumers, if employees with those in-demand skill sets are not receiving the satisfaction they seek from their work place, they will find it elsewhere—with the competition. This will put an even greater strain on employers for available talent."

Technology CEOs said they are increasingly turning to overseas talent to compensate for this shortage of qualified workers, with nearly half (45 percent) stating they are currently offshoring. This percentage will only increase, as 55 percent of respondents said they are planning to offshore in the next five years, so much so that in five years, 30 percent of these tech-company CEOs planned to have one-tenth (10 percent) of their workers offshore. Twenty-seven percent planned to have up to one-fifth of their work force (20 percent), 19 percent expected to have almost one-third (30 percent) and 15 percent expected to have up to 40 percent of their work force situated in other countries.



Yet, even the technology CEOs who saw a partially offshore work force as the most promising expect that the vast majority of their companies will remain onshore in 2012.

The Deloitte survey also found that CEOs are fairly confident about the continued growth of their companies. Eighty-two percent of respondents said they were very or extremely confident about their business developments.

Virtually all (98 percent) said they will be hiring over the next 12 months. Thirty-seven percent said they will grow their work force 26 percent to 50 percent over the next 12 months, up from 30 percent last year. Half the CEOs said they planned to grow their head count by up to 25 percent, a percentage unchanged from 2006. Eleven percent of tech-company CEOs said they planned to grow their head count more than 50 percent, down from 17 percent from the previous year's survey.

The biggest gripe of technology CEOs was not access to capital, but government regulation and terrorism. Thirty-four percent felt their biggest threat to growth was excessive government regulation, followed by increased competition from emerging powers like China and India (19 percent) and terrorism (18 percent). Access to capital was chosen by only 9 percent of respondents as their biggest concern.

The Deloitte survey is the result of an annual poll administered to CEOs of companies ranked in Deloitte's Technology Fast 500, a ranking of the fastest-growing technology companies in North America.

Check out eWEEK.com's Careers Center for the latest news, analysis and commentary on careers for IT professionals.