Wednesday, November 29, 2006

Combating Keyloggers

Ever found yourself in an Internet cafe checking your e-mail or a forum you are registered on? Did you stop for a moment to assess your security? Is someone looking over your shoulder? Is someone watching you in any way? Is the computer you are logged into infected with software recording every keystroke? (You can't really check that one.) No? Well, you should!

Ideally your presence in a public Internet access place should be entirely transparent: you should never type in any personal information (no form filling, no logging in).

Anyway, I've come across a very interesting paper (PDF) which describes a simple yet effective technique for entering credentials on a compromised computer. It all begins with the basic principle of security: always assume someone is listening. So let's say you are sitting at a public computer. Assume there is a keylogger installed which records every keystroke and is therefore able to record your username and password as you type them.

Type the first character of your username or password into the form, then click somewhere outside the form (where the input goes nowhere) and type a long string of random characters. Go back into the form, type the second character, click out again, and so on. That way, while you will have entered "ABC" as your password, the malicious software will have recorded "AasdsalklkblB9rbvmdsaCdg9tmbafff" (capital letters are used here to distinguish the actual password characters).

This works because the keylogger may know that you are inside a web browser and which keys you press, but cannot tell where the text cursor was at the time, i.e. which of the keystrokes actually landed in the password field. Note that this holds only for a plain keystroke recorder: a logger that also records mouse clicks or focus changes, takes screenshots, or hooks the browser's form fields directly sees exactly which characters went into the field.

Sounds like a good trick huh? Well, I agree. It is pretty good. But let's be smart about using it.


[ Debugging... ]

Improper use of any security technique is all it takes to render it useless.

In the above method you should not type the same password twice on the same computer because, as you can imagine, patterns emerge. So if I type:
AasdsalklkblB9rbvmdsaCdg9tmbafff
AlkfdlgmkmbkdasB324kfdlklCkfkbba
dmfdlkdsAmmkdgfg552BdfdffdCcba

we have three strings of characters, each of which is certain to contain the actual password, in order, as a subsequence.

Now all the attacker has to do is apply a few simple rules to narrow things down. For starters, if a certain letter, number or symbol is not present in all three captures, it is excluded, since it can't be part of the password (which appears in all three). Next, there's the order of the characters: the password's characters appear in the same order in every capture, so if some "m" is followed (not necessarily immediately) by some "b" in only one or two of the captures and not in the third, then "m" followed by "b" cannot occur in the password. Applying such rules leaves only a few characters and orderings, and then we try the remaining combinations. If we take into account that most users use 5-8 character passwords, the brute force won't be too hard.

Of course there's also the smart way: treat it as a Longest Common Subsequence problem, since the password is a common subsequence of every capture.
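Here is the cracking side of the argument above carried out in working code. This is an added example and not code from the original post or the paper it links to; the three capture strings are the ones quoted above, and the password "ABC" is the post's own illustration. It applies, in turn, the alphabet-intersection rule, the ordering rule, an exhaustive Longest Common Subsequence over all captures, and finally the brute force of every three-character string over the surviving alphabet that is still a subsequence of every capture.

```python
"""
Narrowing down a password from several keystroke captures in which the real
characters were interleaved with junk. Added example; the captures below are
the three strings quoted in the post and the password "ABC" is the post's.
"""
from functools import lru_cache
from itertools import product

# The three captures quoted in the post (password "ABC" typed three times).
CAPTURES = [
    "AasdsalklkblB9rbvmdsaCdg9tmbafff",
    "AlkfdlgmkmbkdasB324kfdlklCkfkbba",
    "dmfdlkdsAmmkdgfg552BdfdffdCcba",
]


def is_subsequence(needle, haystack):
    """True if needle's characters occur in haystack in order, gaps allowed."""
    it = iter(haystack)
    return all(ch in it for ch in needle)  # each 'in' consumes up to the match


def candidate_alphabet(captures):
    """Rule 1: a password character has to appear in every capture."""
    alphabet = set(captures[0])
    for cap in captures[1:]:
        alphabet &= set(cap)
    return alphabet


def allowed_pairs(captures, alphabet):
    """Rule 2: 'x then y' can only occur in the password if every capture
    has some x that is followed, sooner or later, by some y."""
    return {
        (x, y)
        for x in alphabet
        for y in alphabet
        if all(is_subsequence(x + y, cap) for cap in captures)
    }


def lcs(captures):
    """Longest common subsequence of all captures, by exhaustive memoised
    recursion over one index per capture (fine for a few ~30-char strings).
    If every capture's current character is the same it is taken greedily,
    otherwise one capture is advanced and the best result kept."""
    n = len(captures)

    @lru_cache(maxsize=None)
    def solve(idx):
        if any(i == len(captures[k]) for k, i in enumerate(idx)):
            return ""
        head = captures[0][idx[0]]
        if all(captures[k][i] == head for k, i in enumerate(idx)):
            return head + solve(tuple(i + 1 for i in idx))
        best = ""
        for k in range(n):
            nxt = list(idx)
            nxt[k] += 1
            cand = solve(tuple(nxt))
            if len(cand) > len(best):
                best = cand
        return best

    return solve((0,) * n)


def common_subsequences_of_length(captures, alphabet, length):
    """The brute-force space left to the cracker: every string of the given
    length over the surviving alphabet that is a subsequence of all captures."""
    return sorted(
        "".join(p)
        for p in product(sorted(alphabet), repeat=length)
        if all(is_subsequence("".join(p), cap) for cap in captures)
    )


if __name__ == "__main__":
    alpha = candidate_alphabet(CAPTURES)
    print("characters present in every capture:", "".join(sorted(alpha)))
    print("longest common subsequence:", lcs(CAPTURES))
    pairs = allowed_pairs(CAPTURES, alpha)
    print(len(pairs), "of", len(alpha) ** 2, "ordered pairs survive")
    cands = common_subsequences_of_length(CAPTURES, alpha, 3)
    print(len(cands), "three-character candidates remain; 'ABC' among them:",
          "ABC" in cands)
```

Run it and the alphabet already drops from everything on the keyboard to twelve characters, "ABC" is a common subsequence of all three captures and therefore survives every filter, and the candidate list for a three-character password is a small fraction of the 12^3 strings over that alphabet. Each extra capture only shrinks these sets further, which is the whole reason the trick must not be reused.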


Let's sum up...

What we have here is a very practical technique for protecting our sensitive information from a keylogger. But we must use it wisely, and never for the same password twice on the same machine, since patterns emerge which can bring the whole thing down.

P.S.: Also please consider that the majority of users, when asked to type in a random string, will go for "asdf..." due to their fingers' position on the keyboard. Not so random :P
So here you have another characteristic which can make the cracker's life a lot easier.
