Saturday, November 25, 2006

Internet Cafe Security

This PDF discusses a simple (and free) way to foil keyloggers on public terminals such as those found in Internet Cafes. It's common for thieves to install malicious software such as keyloggers in an effort to steal personal information, passwords and so forth from those who use the systems.

Since I hate reading PDFs in web browsers, I copy the relevant bits here:

Rather than hide the password our approach is to embed it in a sequence of random characters. So we seek a way of entering random keys so that they will be seen by the keylogger, but will not affect normal login.

The trick lies in the fact that keyloggers employ very low level OS calls. The keylogger sees everything, but it doesn’t understand what it sees. The browser also sees everything, but it doesn’t use everything that it sees: it does not know what to do with keys that are typed anywhere other than the text entry fields, and lets them fall on the floor. The keylogger has no easy way to determine which keys are used by the browser and which fall on the floor. It is very easy to record all of the keys or mouse events (this is true both for Windows and Linux based systems). It is also very easy to determine which application had focus at the time of the event (e.g. this key went to the browser). But it is very hard to determine what the application did with those events.

Between successive keys of the password we will enter random keys. In the spirit of chaffing and winnowing, the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. Observe that we are not exploiting a particular feature of any particular browser: this trick works with all versions of Internet Explorer, Netscape Navigator and Mozilla Firefox. We are exploiting the difficulty from the OS layer of determining how the GUI of an application handles events.

It involves typing random characters between successive characters of the password, and changing focus to and from the password field using the mouse. Instead of the password snoopy2 the keylogger now gets:
hotmail.comspqmlainsdgsosdgfsodgfdpuouuyhdg2
Here a total of 26 random characters have been inserted among the 7 characters of the actual password. In general a total of n extra characters in a length k password will yield so many possible passwords that attack is infeasible (recall that the password can only be tested by attempting login). There are various attacks on this method as we explain below. However, none of the keyloggers reviewed ... appear to have the functionality to defeat this simple trick.
Simple, neat trick.
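
To put a number on the "n extra characters in a length k password" claim, the sketch below (an added example, not code from the paper or from this post) counts how many candidate passwords the logged string from the example is consistent with, each of which would have to be tested by attempting a login. It assumes the observer already knows the password length k, which the quoted text does not state; the function names are hypothetical.

```python
from math import comb

# Keystrokes from the post's example, after the typed address "hotmail.com".
CAPTURED = "spqmlainsdgsosdgfsodgfdpuouuyhdg2"
PASSWORD = "snoopy2"


def is_subsequence(needle: str, haystack: str) -> bool:
    """True if needle's characters appear in haystack in order (gaps allowed)."""
    remaining = iter(haystack)
    return all(ch in remaining for ch in needle)


def upper_bound(n: int, k: int) -> int:
    """Ways to pick which k of the n + k logged keys were the real ones."""
    return comb(n + k, k)


def distinct_candidates(log: str, k: int) -> int:
    """Number of distinct length-k strings that occur as subsequences of log."""
    counts = [1] + [0] * k   # counts[j]: distinct subsequences of length j so far
    before_last = {}         # char -> counts as they stood before its last use
    for ch in log:
        snapshot = counts[:]
        seen = before_last.get(ch, [0] * (k + 1))
        for j in range(1, k + 1):
            # Append ch to every shorter subsequence, minus those already
            # produced the previous time ch appeared.
            counts[j] += snapshot[j - 1] - seen[j - 1]
        before_last[ch] = snapshot
    return counts[k]


if __name__ == "__main__":
    k = len(PASSWORD)
    n = len(CAPTURED) - k  # assumption: the observer knows k
    print("password still present in order:", is_subsequence(PASSWORD, CAPTURED))
    print(f"n={n}, k={k}, upper bound C(n+k, k) =", upper_bound(n, k))
    print("distinct candidates of length k:", distinct_candidates(CAPTURED, k))
```

Repeated letters in the chaff make the distinct count smaller than the binomial bound, so chaff drawn from a wide range of characters leaves more candidates for the same n.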