Protect Password From KeyloggerFollow

The only surefire defense form having your password stolen by a keylogger is to not get a keylogger on your system.

They don't just record keypresses anymore.

How about if the game had all the letters and numbers you could use as your password in little boxes, floating around the screen and you had to click your mouse on them?

screencap and/or cache from saved password. Bam stolen password.

Its also been done before. Fast CPU+fast net connection and the victim may not even notice any lag from it. If the vic is on dialup they may complain of lag.


Ever used radmin or anything similar? Over dialup? I've seen Trojans that then download apps with nearly the same capabilities. Full real time display of the vics desktop in a resizable window.

Edited, Jun 5th 2008 9:40pm by thatdamnelf

Why not just use a firewall restricting all unknown outbound traffic?

And antivirus software to catch the pest before it even sends as well. Or lands on your hard drive for that matter.

There exsist more ways to snatch password than I can list.

Edited, Jun 4th 2008 3:19pm by thatdamnelf

A lot of people lump everything together under the name "keylogger" now. As someone else pointed out, some don't even bother watching keys now. A lot of them are all-in-one. I don't see the naming convention as all that different from AV programs calling spyware a virus. Bad is bad is bad.

Method of input still won't matter on a compromised machine.

So still being in denial that keyloggers don't just log keystrokes these days?

Can a password still be stolen if you never type it in? >.> Mine is saved and already entered when I log on POL so all a keylogger would show is me clicking the log in button right?

Oh yes, most definitely. I believe it is encrypted, but this accomplishes very little. In theory, you could skim through POL.exe and figure out the key, and decrypt the file yourself. In practice, this isn't necessary.

somewhere they have (something very roughtly like) :

if (saved_password) {
loadPassword(ID, password);
} else {
showLoginForm(ID,password);
}
loginToPol(ID,password);

loadPassword, I imagine, decrypts your saved file. loginToPol encrypts everything and sends it all to POL using whatever protocol it is they use.

But password is a variable. That means something with sufficient access can ask Windows what it's value is, if they know it's memory location, and the Windows kernel will TELL THEM. (This is also how most bots read from FFXI). So a FFXI specific password sniffer will sit there, watching the tasklist for POL.exe. Then it'll start watching that memory location. When it sees POL.exe starting to talk to the server, it KNOWS the contents of that memory location are your password. And it doesn't matter if you saved it, or typed it in, they have it.


I can think of one way around this: Have POL not store the password encrypted via symmetric encryption, but either one-way-hashed, or have it encrypted via a public key. Either way, this means the client given your password, can create a practically unique identifier based on your password, and the POL servers can confirm that it is your password, but the client never knows what your password is after it's been saved, it's for all intents and purposes, irretrievable. If it was hashed, it truly is irretrievable. If it's public key encrypted, only SE can decrypt it unless somebody steals or cracks their private key. In either case you'd need a key to use for the hashing/encrypting. The best way, to avoid them throwing a bot net at it and cracking in fairly short order, and also to avoid a known text attack (which all good schemes are secure against but which still weakens them somewhat), POL would use a unique key per POL ID. So the RMT would have to take your public key (which they can steal from your computer while they steal your encrypted password) and crack it individually, and repeat this intensive year-long process for every person, using a huge distributed botnet!

Like I said earlier, you are still boned in the sense that they can still steal your password and use it to log in as you, and send your **** to themselves. All this prevents is them knowing your password, and therefore, changing your password. It DOESN'T prevent them from changing your bank info for some reason, as when I just went to change my info it didn't ask me for a password! So SE has to fix that or they can just change your bank info, then call up SE and say they forgot their password, and here is their bank info! <.<

The only other thing I can think of, which isn't a unique idea at all, is IP whitelists. Have it completely optional so people won't complain, sure, but still have it. Let us set it sort of like you can do for any other server. For me:

Allow *.dsl.myisp.ca
Allow *.university.ca

There, that's me all set. If I'm ever logging in not from home, and not from a laptop at the university, I'll know about it ahead of time and update my allow list ;) If somebody tries to log in and they don't match the host mask, they can't connect period. Maybe I'm a rebel, I harshly violate the TOS and allow a friend to use my system. No problem, I can just add a hostmask for his ISP too, no sweat, but still am safe, nobody not on our ISPs can hack us. I guess this isn't fool proof...if they have this botnet, they can easily try to find somebody infected on your ISP (possibly you!) and use their worm as a proxy for their connection. But that's the only way.

Yes, you can spoof an IP address. Just like you can spoof a real address when you mail in an order form that says "Local Deliveries Only", but the package won't get to you!

It doesn't matter how POL stores the password. No matter what sort of encryption or hashing are used, and no matter how many hoops you jump through, if POL can use that secret to log in, a hacker* can steal it and have his POL log in as you. And if POL doesn't store the password, or requires some sort of user input to decode before logging in, a hacker* can always intercept your input and use that to log in as you.

The only way around this would be to have single use passwords. You'd essentially need to have a book of passwords that would all be usable one time. The RSA key fobs you see people carry around to log into VPNs with are a variant of this concept. It wouldn't matter if a hacker could intercept your password then** because it wouldn't be any good once it was used or otherwise expired. This entire scheme depends, however, on the user having to enter a password every time. If you store the whole "book" of passwords on your machine so POL can log in automatically, you're right back at square one (hacker steals book, user is screwed).

Anyhow, as amusing as it is to see many people scream and speculate about ways to prevent these repeat hacking sprees, I'll tell everyone (and probably get flamed for it) that it's not as easy as you think. Yes, SE should fix sh*t. And yes, there are ways. But even professionals who have designed and implemented secure systems can and do make mistakes or leave unintentional holes. Amateurs basically have zero chance of getting it right, and that includes damn near everyone who visits alla.

*In these cases, I'm specifically referring to a hacker who is able to run the code of his choice on your machine.
**Unless he got it in real time and managed to log in before you. That would be another problem to solve, but not impossible.

Edited, Jun 5th 2008 5:23pm by VxSote