Naked Science Forum
Non Life Sciences => Geek Speak => Topic started by: RD on 29/08/2009 16:07:15
-
Will this mouse-operated "virtual" keyboard circumvent keylogging ?
Just found out that Vista has a mouse-operated "on screen keyboard" ...
[ Invalid Attachment ]
Would this “virtual” mouse-operated keyboard circumvent key logging ?
i.e. avoid the data from actual keyboard keystrokes, including bank account numbers and passwords,
being secretly recorded and transmitted.
-
I doubt it - in order for the computer to understand the input it must be in the same format as any other key input.
-
I doubt it too.
Unless the keylogger software is part of the keyboard driver it will sit downstream of the keyboard driver. For the virtual kb to be able to replace the h/w kb, it must feed the keystroke data into the same stream as the real kb, and probably at the same point that the real kb driver does as there's no obvious reason why it shouldn't and it would require more code to do otherwise. If so, keylogging software is likely to work as well with the virtual kb as it it with the hw kb.
-
There are legitimate keylogging programmes: e.g. to check employees are working, not surfing the net on company time.
If anyone has used those legit keyloggers perhaps they can tell us if they can be defeated by this virtual keyboard.
Of course that would not prove that illegitimate keylogging code would be defeated in this way e.g.
Form Grabber is an advanced (Crimeware based) keylogging method of capturing web form data. Often confused with traditional keylogging (recording individual keystrokes or hook based keyloggers). This type of keylogger intercepts the on submit API in browsers and collects web form data before it passes over the internet. This type of method is very effective in recording online banking passwords and other sensitive data because it only records login, password, IP, URL and other form fields. Traditional hook based keyloggers record all keystrokes pressed and creates bulky logs for attackers.
http://en.wikipedia.org/wiki/Form_Grabber
-
I agree, even with JimBob. It's not going to look any different downstream.
However, (and I realize I'm answering a different question [:D]) if the virtual keyboard was part of the webpage, it would defeat loggers. And the webpage could do things like shuffle the keys around, move the location of the keyboard and make each page sent out unique to make it even more secure. The OS and drivers would be completely out of the picture. The only way to hack it would be to capture and analyse the datastreams in both directions, which would defeat most crooks.
Unfortunately, I'm pretty sure the idea is well known!
-
(Looks down at keyboard and has a second thought.)
I suppose, if the web application had direct access to the actual keyboard (MS would not like this idea BTW) and the actual keyboard had a programmable look-up table built into it, you could do a similar security system with an actual keyboard.
The web app would keep downloading new tables into the keyboard, so, even if the keystrokes were logged, they would be very difficult to decipher. Only the web app would know what the keystrokes represented.
-
if the virtual keyboard was part of the webpage, it would defeat loggers ... The only way to hack it would be to capture and analyse the datastreams in both directions
An excellent idea, but it could be defeated by a screen recorder on the users computer.
However if you've ever run a screen recorder you'll know it consumes a very conspicuous amount of CPU and memory,
particularly if used at a frame rate high enough to capture "virtual" keystrokes.
-
Ah! Good point. I didn't know they existed. I suppose they would also produce a huge amount of data. It would all be bitmap I think, although it could be compressed I suppose.
It's also possible for the "virtual keyboard which is actually hardware" to connect only through the screen and mouse (and possibly the audio connection instead of the screen).
Imagine you have a second keyboard that is only connected to the audio out and mouse in.
Audio out sends a signal that tells the keyboard which look-up to use (it could have an enormous number in of them preloaded in memory)
As you type, the keyboard generates pseudo mouse movements that select certain fields in the screen. I'm not sure of this, but I suspect they could be virtually invisible, even to a screen capture program.
-
Forgot to mention - Obviously, you don't really need a second keyboard. Just a special mode in your standard keyboard.
-
I suppose, if the web application had direct access to the actual keyboard
If the keylogging programme was incorporated onto the keyboard driver it would have access to the keystroke information before any legitimate process, i.e. before any encryption had been applied to the keyboard data.
-
OK - No, I'm proposing that the encryption is done in the actual keyboard hardware. I think that's the only way to make it secure. It's not a big deal to make such a keyboard.
-
I was thinking a separate little numeric keypad which plugs into the usb port with its own unique encryption.
Provided the numerals are not displayed on screen it would defeat a screen recorder too,
(BTW screen recorders can also record sound (http://www.deskshare.com/msr.aspx)).
-
Let me try to recap.
The virtual keyboard idea seems to be fairly secure as long as it is an extension of the web app.
This might be fine for many situations, but it's not so good when there are a lot of keystrokes to input.
I'm suggesting an actual piece of hardware (a keyboard) that is completely unknown to the OS and drivers. From the OS and driver perspective, they are only aware of some strange audio from the app and a series of incredibly fast mouse operations.
-
The audio to the keyboard could be replaced by a video pattern that the app flashed on the screen. This would require some slightly fancy means of reading the screen, but it's not out of the question.
-
You certainly could go the USB port route as you suggest. The only thing is that you have to rely on some driver, and that's always a weaker point. I was trying to eliminate the driver completely.
I suspect it will all boil down to how much people are willing to pay for security.
I had a great idea once for a pen with accelerometers in it to authenticate users. The idea was that the application would ask you to write a random word. You could not know what the word was going to be in advance. Then the pen would transmit all the acceleration info to the app as you wrote the word. A "magic" piece of software would then analyse the dynamics of the writing, and decide if you were authentic or not.
Unfortunately, when I searched, I found a patent that described exactly the same idea! Bummer.
-
... I found a patent that described exactly the same idea! Bummer.
I suspect my idea of a separate numeric keypad has been done before.
The person who solves this security problem will become as rich as Bill Gate$...
[ Invalid Attachment ]
http://www.thesmokinggun.com/mugshots/gatesmug1.html
here booked for possession of an offensive floral shirt & impersonating John Denver [:)]
-
Don't be so sure about that. If you can find a useful combination of hardware and software processes, it's quite likely you can patent it. It's not hard to search patents either. I can provide more info if you need it.
I think the most secure approach needs to stay as far away from the OS and drivers as possible. The flexibility and interoperability that they provide comes at a great price - lousy security. The trick is to allow the user and the application to interact without the OS having the faintest idea what is going on. As I mentioned, MS may not like that too much, because it could be a threat to their business model.
-
Great minds think alike (http://www.thenakedscientists.com/forum/index.php?topic=25273.msg272732#msg272732) ...
KeyScrambler Personal is a free plug-in for your Web browser that protects your username and password from keyloggers. It defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable.
http://download.cnet.com/KeyScrambler-Personal/3000-2144_4-10722575.html
1. I'm suspicious of anything that's free.
2. I still think a keylogger could get to the keyboard data before encryption.
3. Even if this works (and is not malware in disguise) a form grabber (http://en.wikipedia.org/wiki/Form_Grabber) could still harvest the data.
-
Great? [:I]
Anyway, yes. As soon as you rely on some other component that you don't control, there is a weak point.
'twer it up to me, I would blow up the current paradigm. For most internet transactions that need to be secure, all you need is a "fancy teletype" (I'll get heat for that). Basically, an internet browser with a human interface. Such a thing needs no intimate connection with as OS, File System, Program Execution, drivers, etc etc. A "fancy teletype" can be made very secure, but it will only be able to perform a limited set of functions.
All the "other stuff" should live behind a firewall, or be on a completely independent machine.
Perhaps we should move to Channel D?
-
Perhaps we should move to Channel D?
Either that or tattoo messages on heads ...
Histiaeus did not like living in Susa, and made plans to restore his power in Miletus by instigating a revolt in Ionia. In 499 BC, he shaved the head of his most trusted slave, tattooed a message on his head, and then waited for his hair to grow back. The slave was then sent to Aristagoras, who was instructed to shave the slave's head again and read the message, which told him to revolt against the Persians.
http://en.wikipedia.org/wiki/Histiaeus
-
Re: original question about the Windows on screen keyboard ...
Keylogger Note: While on-screen keyboards offer protection against hardware keyloggers,
they do not offer protection against software keyloggers (which are far more common).
http://portableapps.com/apps/accessibility/on-screen_keyboard_portable