Friday, May 11, 2007

Outsmarting Keyloggers

By David A. Smith

As the financial officer for my organization in Tanzania, I sometimes travel without my laptop and need to access password-protected Web sites from Internet caf├ęs or hotel business centers. I worry about whether these public computers have keyloggers installed.

By using the Windows On-Screen Keyboard accessibility utility, can I safely prevent keyloggers' recording my passwords?

If the On-Screen Keyboard simply creates key-press events that can still be intercepted by keyloggers, then can Copy/Paste be used to avoid the keylogger threat? Or do keyloggers also record the contents of the Windows clipboard? Do you have another suggestion for safely entering passwords at public computers?



The On-Screen Keyboard utility is designed to let mobility-impaired users enter small amounts of text, typically by using a specialized pointing device. For maximum compatibility, it works by sending simulated keystrokes to the active application. I tried it with a number of the commercial keyloggers that I use in antispyware testing, and it was no help at all: The simulated keystrokes were captured just as actual keystrokes would be.

You could conceivably launch the Character Map utility and build your password by double-clicking characters. Once you had built the whole password, you'd click the Copy button and paste it into the password-entry box. Unfortunately, keyloggers can do a lot more than merely log keystrokes. Most also record everything that gets copied to the clipboard, and many also snap screenshots of program activity. Character Map, then, is not a solution.

The one possibility that seems hopeful is this: Type your password with extra characters in it and then use the mouse to highlight and delete the extra characters. For example, you might type passFROGword and then highlight and delete the middle four dots. Or type p1a2s3s4w5o6r7d8 and delete every other dot. A keylogger would still record all of the keystrokes that make up your password, but they'll be mixed with other unrelated keystrokes.

If you need to use a public PC, your best option for entering passwords is to use a mobile password management/form filling application such as Siber Systems' Pass2Go ($39.95, www.roboform.com). Pass2Go runs off a USB memory key and protects your passwords behind a master password. Even if the master password is compromised, it's useless to the thief unless he has your USB key, too. It's not a foolproof solution, but it will evade hacking tools that rely on capturing keyboard events.

But really, you should do your best to avoid using nonsecure computers. Even if you keep a key­logger from snagging your password, it might still take screenshots of key financial info. Your best bet is to implement a high degree of security on your laptop and resign yourself to lugging the darn thing along.


Posts:

Re: Outsmarting Keyloggers
Reply Quote
The latest version of AIRoboform with the Mozilla Adapter actually includes a mouse-click button which then opens an on-screen clickable keyboard that avoids any keypresses at all. Smile [:)] Very nice - very slick!! (Way to go Siber Systems!) Be sure to get this latest version.

-Bob-



Re: Outsmarting Keyloggers
Reply Quote
You could also try carrying a Linux live boot CD. If the PC in the Internet cafe can be booted from CD you can run a complete GUI including Web browser and email program without involving the local hard disk or OS at all. You can even keep persistent data and settings on a USB memory key, although that's a bit harder. But if all you need is a Web browser that hasn't been corrupted by someone else's bad surfing habits, this is a way to go.

Check out Ubuntu and SUSE for good live boot CDs. Both will be easy to use for anyone familiar with Windows.





Re: Outsmarting Keyloggers
Reply Quote
I'm surprised you didn't mention rolling key systems such as secureID cards that generate new random password encryption keys every 60 seconds. The keys are in synch with a server who knows how to decrypt each new key.

You enter your password and the random key, and the server authenticates you. That combination is never good again.

Of course that only gets you in securely. You still have to watch what you type!





Re: Outsmarting Keyloggers
Reply Quote

rrawding wrote:
The latest version of AIRoboform with the Mozilla Adapter actually includes a mouse-click button which then opens an on-screen clickable keyboard that avoids any keypresses at all. Smile [:)] Very nice - very slick!! (Way to go Siber Systems!) Be sure to get this latest version.

-Bob-


I have the latest version - I just checked. But I'm not seeing this mouse-click button. Where, pray tell, will I find it??
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine





Re: Outsmarting Keyloggers
Reply Quote

Hello Neil,

How do you rate PrivacyKeyboard TM from Anti-Keyloggers.com for the purpose of entering passwords ?

Thanks, Pierre





Re: Outsmarting Keyloggers
Reply Quote
Sorry, the most contact I've had with it is to announce the release of version 3.1. But Product Announcements are not evaluations; I haven't used it.
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine






Re: Outsmarting Keyloggers
Reply Quote
Neil,

It comes into play when you secure RoboForm with a master password. Once you try to fill in any forms, the Master Password dialog box comes up with a smallish button on the right side of the dialog box. Left mouse-click that and the mouse keyboard pops up. My version is 6.7.3 Pro. Sorry I hadn't clarified the master password element. See http://www.roboform.com/ver6.html

-Bob-




Re: Outsmarting Keyloggers
Reply Quote
OK, I see it now. When I get a chance I'll check whether keyloggers can trap what it's sending.
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine





Re: Outsmarting Keyloggers
Reply Quote
Neil,

According to the Roboform web site, I do not think that any input goes through the keyboard buffer, so the keylogger shouldn't work there....right?

Just a guess.

Bob

P.S. ...always enjoy your column





Re: Outsmarting Keyloggers
Reply Quote
A Live Boot CD, that was exactly my thought. That should bypass everything except a physical keylog device.

Is anyone here going to test that out? Does onyone at PCmag like Linux?




Re: Outsmarting Keyloggers
Reply Quote

To outsmart keyloggers (both software and hardware ones), I prefer to use programs that bypass keyboard altogether - e.g. Mouse Only Keyboard (MOK) with anti Clipboard logger - find at

http://www.myplanetsoft.com/free/antikeylog.php#mok

or even better - a terrific program that I recently discovered and which beats also mouse-loggers, called HashPass - check at

http://www.kagi.com/fantasy/

which not only bypasses keyboard by using Clipboard with anti Clipboard logger but can even bypass also the Clipboard allowing to use drag-and-drop. Fortunately, practically all web sites' password edit boxes are drag-and-drop enabled. I've been using HashPass since I discovered it and it uses a well conceived and implemented concept that I have not seen applied anywhere else so far. It's a small standalone app, doesn't have to be installed, doesn't require admin rights and can be run from any removable medium. At this moment it's my top of the line.





How about doing it like a ransom note
Reply Quote
What if you opened a page full of text in a separate window, selected one letter (or chunk) at a time, and dragged each one directly into the form. The content of each drag never gets put into the clipboard.





Re: How about doing it like a ransom note
Reply Quote

wolfpack3 wrote:
What if you opened a page full of text in a separate window, selected one letter (or chunk) at a time, and dragged each one directly into the form. The content of each drag never gets put into the clipboard.


Hey, I kinda like that. Even if the monitoring software is snapping screenshots, it wouldn't do so often enough to catch more than a fraction of your ransom-note letters.

But wow, TEDIOUS to do it!
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine





Re: Outsmarting Keyloggers
Reply Quote

rrawding wrote:
Neil,
According to the Roboform web site, I do not think that any input goes through the keyboard buffer, so the keylogger shouldn't work there....right? Just a guess.
- Bob



//// NEIL, ////
Have you ever had a chance to test whether your sample key-loggers are outsmarted by RoboForm's method of filling in passwords as RoboForm claims?

Have you ever had a chance to test whether your sample key-loggers are outsmarted by RoboForm's clickable keyboard provided by the button to the right of the RoboForm Master Password prompt?

Thanks for all your great utilities over the years!

Thanks for your reply in advance,
- Hal Lane



Products:
*

Stealth Keylogger $24.95

Undetectable logger records e-mail, web pages, IM chats & passwords!

www.Gore-Research.com
*

Catch a Cheating Spouse

Yesterday, He Installed PC Pandora Today, She was Busted Online!

PCPandora.com
*

Keylogger Software

Monitor kids' Internet use easily. Simple to set up. Free download!

www.NetworkMagic.com
*

Keylogger Reviews & Guide

All keyloggers fully tested for you Unbiased reviews. Full comparisons.

WellResearchedReviews.com/Keylogger
*

AceSpy: Computer Spy

Record computer activity in total stealth including emails and chats.

www.retinaxstudios.com