Thursday, May 1, 2008

a tip on laptop security - outsmarting keyloggers

one area of security i'm always worried about is keylogger programs:

by using the windows on-screen keyboard accessibility utility, can one safely prevent keyloggers' recording passwords? if the on-screen keyboard simply creates key-press events that can still be intercepted by keyloggers, then can copy/paste be used to avoid the keylogger threat? or do keyloggers also record the contents of the windows clipboard?

good questions. the on-screen keyboard utility is designed to let mobility-impaired users enter small amounts of text, typically by using a specialized pointing device. for maximum compatibility, it works by sending simulated keystrokes to the active application. however, i think it's no help at all - it appears the simulated keystrokes are being captured just as actual keystrokes would be.

one could conceivably launch the character map utility and build the password by double-clicking characters. once the entire password has been built, click the copy button and paste it into the password-entry box. unfortunately, keyloggers can do a lot more than merely log keystrokes. most also record everything that gets copied to the clipboard, and many also snap screenshots of program activity. character map, therefore, is not a solution.

one possibility seems hopeful: type the password with extra characters in it and then use the mouse to highlight and delete the extra characters. for example, type "passFROGword" and then highlight and delete the middle four dots (the masked characters in the password box); seems like that might work. or type "p1a2s3s4w5o6r7d8" and delete every other dot; that also might work. a keylogger would still record all of the keystrokes that make up the password, but they'll be mixed with other unrelated keystrokes.

when using a public PC, a good option for entering passwords is a mobile password management/form filling application such as Siber Systems' Pass2Go ($39.95, www.roboform.com). Pass2Go runs off a usb memory key and protects passwords behind a master password. even if the master password is compromised, it's useless to the thief unless he has your usb key, too. it's not a foolproof solution, but it will evade hacking tools that rely on capturing keyboard events.

really though, the best thing is to avoid using nonsecure computers. even if keyloggers are kept from snagging passwords, they might still take screenshots of key financial info. implement a high degree of security on the laptop and resign oneself to lugging the darn thing along...
