Re: [Full-disclosure] Most common keystroke loggers?



php0t wrote:

[top-posting-itis corrected]
> > I agree but what about the second random password and challenge
> > authentication? Both should be unique and used once.
>
> How 'bout adding direct printing on lpt of new one-time usage passwords? :)

So you will limit access to your services to only those that happen to
have a printer with them? Note to self -- buy larger laptop carry bag
and "portable" printer so can keep using online banking... 8-)

> In order to get the passwords, they'd have to hook the printing, too. Not
> too common, yet.

In fact, so uncommon I've not heard of it.

Irrelevant though -- it is far too easily broken and if the OP is
trying to protect anything sufficiently "valuable" you can bet it will
be broken, as doing so is just too easy...

(And I won't even get started on the need of such a web-based system to
require ActiveX and/or system-access privileged Java applets to work at
all "properly", but will note that, as a general rule, if you need your
users to lower or weaken the security of their machines to improve the
security of your system, then there is something fundamentally borked
in _your_ design!)


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


