george Posted September 10, 2009

Prevent keyloggers from grabbing your passwords

Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes. Fortunately, there's a way you can enter sensitive data so it's extremely difficult for snoops to extract your passwords from keylogger files.

In her Aug. 6 Top Story, WS contributing editor Becky Waring reported that Google's Gmail service allows hackers to try to guess your password 1,200 times per day. She provided some useful tips for making strong passwords that are easy to remember but hard to crack.

The bad news? Even the strongest passwords can be recorded by keyloggers. These are software and hardware products designed to capture computer events and store them in a log file. Keyloggers can have legitimate uses in business, or they can be perverted into collecting passwords for identity theft. For more information on how these products work, see my Oct. 9, 2008 review of free software keyloggers.

Windows' On-Screen Keyboard app is also logged

If you're using a computer you aren't sure is keylogger-free, how do you protect any passwords to sensitive Web accounts you may need to access? A reader named Kenneth recently submitted the following suggestion:

* "I use a simple existing tool in Windows called osk.exe (On-Screen Keyboard). This program, as you may know, resides in the C:\WINDOWS\system32 directory, but there's no shortcut or link to it, so most people don't know it exists! You can launch it by entering osk in the Run command.

"Anytime I need to log in to any sensitive sites (banking, etc.), I launch osk.exe first and use this on-screen keyboard to click and enter my user name and password, even on my own home computer. This way, I feel confident that my credentials can never be captured."
Kenneth's suggestion may be useful to prevent some types of hardware keyloggers from detecting signals from the physical keyboard. Unfortunately, the program provides no defense against software keyloggers. Windows' On-Screen Keyboard sends information to applications as keystrokes, just as though you'd pressed the keys on a keyboard. The first keylogger program I tested with the OSK workaround — All in One Keylogger from RelyTec — easily captured my keystrokes as I signed in to a Web site. (For more information about the All in One program, see the vendor's site.)

Holes in anti-keylogging software protection

Another alternative that's often touted to protect your passwords is to use anti-keylogging software. The Antispy Software site lists several such products, but I can't vouch for them. Anti-keylogging software — even if it were effective in its stated mission — wouldn't prevent your password from being intercepted by a hardware keylogger. The sad fact is, if a keylogger is deployed effectively, you can't detect whether a public or unsecured computer has a hardware or software keylogger — or any keylogger at all, for that matter.

The universal defense against password snoops

Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.

Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the "revised Vesik method" for entering passwords:

* Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.
* Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)
* Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.
* Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.
* Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.

This procedure clutters the keylogger's log file with a series of click events and characters. There's no easy way for the intruder to know which characters are your password and which are random. The key is to select and gradually overtype gibberish characters with your actual password characters. Don't simply type some garbage, backspace over it, and then enter your real password. Most keyloggers compensate for backspacing but can't keep track of characters you select and overtype.

As Saxon points out, this method isn't foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don't use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password. However, most crooks are looking for "low-hanging fruit." They'll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.

Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don't conceal their passwords in noise, so keyloggers don't compensate for it.
If you have no choice but to sign in to a site on a PC you aren't sure of, protecting your password is a difficult problem with no perfect solution. Many software programs, such as RoboForm2Go, offer password-protection schemes that vary from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site. Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend's PC.

-- windowssecrets.com 2009-09-10
Namphonny Posted September 10, 2009

Very interesting and useful. There is another way if you have to use a user name + password which is a bit simpler. Start on one and then switch to the other and keep doing that at random until you have filled in all the characters.
zzdocxx Posted September 10, 2009

How about if I am using my own laptop on a hotel or coffee shop wi-fi? Could my password be stolen from their server/router?
lopburi3 Posted September 11, 2009

It would depend on the sign on page. Believe a bank will use a secure server so encrypted end-to-end but a forum like this would not.
zzdocxx Posted September 11, 2009

Thank you, I know what you mean, where it says "https:" in the URL? How about if it is not secure. For example, my hotmail account, the log in is not secure, just curious as to whether they could then read my email -- the pages don't appear to be secure either. ? ? ? Thanks, not that big a deal really, but I always wondered about that when I was staying in a hotel.
stumonster Posted September 11, 2009

Thank you, I know what you mean, where it says "https:" in the URL? How about if it is not secure. For example, my hotmail account, the log in is not secure, just curious as to whether they could then read my email -- the pages don't appear to be secure either. ? ? ? Thanks, not that big a deal really, but I always wondered about that when I was staying in a hotel.

If it is not HTTPS, the router and also anyone in the area sniffing wireless data will see it all in plain text. If you use gmail I would suggest logging in via https://mail.google.com. As for securely entering your password, you could open a page in another tab which has a lot of text, maybe a big Wikipedia article, and then copy and paste your password with letters obtained from it.
Jingthing Posted September 11, 2009

Keyloggers often pick up simple copy and paste, so just copying and pasting your password is not secure.
Lopburi99 Posted September 11, 2009

I reluctantly had to stoop to the level of installing a keylogger on my first Thai wife's pc in the states when I was sure she was up to no good. OMG, I'll never forget first reading those emails she had been sending, one of which invited a guy into our own home while I was at work to "get to know her better". The keyloggers definitely work. But think twice if you really want to use one.
JAS21 Posted September 11, 2009

Prevent keyloggers from grabbing your passwords: Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

I use a programme called report... supplied free by the Royal Bank of Scotland... maybe worth a look... rbs.co.uk/repport ... I would welcome any comments on this programme.
Namphonny Posted September 11, 2009

I use a programme called report... supplied free by the Royal Bank of Scotland... maybe worth a look... rbs.co.uk/repport ... I would welcome any comments on this programme.

I started using this programme - it is called Rapport - but found that it is not what it claims to be. I first downloaded it and installed it and thought that was enough, but no, it sits there doing nothing until you start to program it with each individual web-site, which is not only a pain but also slows the computer down considerably. In the end I got fed up and uninstalled it.
mattcodes Posted September 11, 2009

As to protecting yourself from keyloggers, if you ever find yourself at a vulnerable or possibly vulnerable public PC in Thailand, there are a couple of steps you can take to help:

1) Use the cursor keys (these are known as control keys) to move around a bit (many keyloggers fail to capture control keys). So if the password is hellOnEarth, type Earth, then five left, then type On, then four left, then type Hll, then two left, and then type e (even if it does capture them, it might be enough to throw them a bit).
2) Combine the above by going to Programs --> Accessories and [Forget] and On screen keyboard to use a mix of clicking and keyboard presses. Most keyloggers do one or the other, and since most are sending to bots they won't bother with mouse co-ordinates.
3) If suspected of being on a keylogged PC, change passwords immediately when at a clean PC.
4) Most Thailand PCs are infected with spyware before anyone explicitly installs a keylogger, so don't bother unless it's an emergency!
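As an added example (not code from Windows Secrets, Ian Saxon, or any poster in this thread), the Python model below simulates a single-line password box and replays the two entry styles described in the thread: Saxon's select-and-overtype steps from the first post and the arrow-key interleaving from the post above. The password, filler alphabet and chunk sizes are constructed sample values, and the field model (typing replaces the selection, Shift+Left extends it, a click moves the caret) is an assumption about how an ordinary text box behaves. It also shows why the article warns against the backspace shortcut: a replay that only understands printable keys and Backspace recovers the backspaced password exactly, but gets the wrong string for the other two styles.

```python
"""Single-line password box model used to replay the keystroke-hiding entry
styles discussed in this thread. Added example for this page, not code from
Windows Secrets, Ian Saxon, or any poster. Assumes: typing replaces the
selection, Left/Right move the caret, Shift+Left extends the selection, a
click moves the caret. Password, filler alphabet and chunk sizes are
constructed sample values."""
import random

FILLER = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class TextField:
    """Minimal input box with a caret, a selection and a record of the
    events a naive keystroke logger would see."""

    def __init__(self):
        self.text = ""
        self.caret = 0    # insertion point
        self.anchor = 0   # other end of the selection (equals caret when none)
        self.log = []     # printable chars and named keys, in order

    def _selection(self):
        return min(self.caret, self.anchor), max(self.caret, self.anchor)

    def type(self, chars):
        """Type printable characters; the first one replaces any selection."""
        for ch in chars:
            lo, hi = self._selection()
            self.text = self.text[:lo] + ch + self.text[hi:]
            self.caret = self.anchor = lo + 1
            self.log.append(ch)

    def move(self, delta, select=False):
        """Arrow key press; select=True means Shift is held."""
        self.caret = max(0, min(len(self.text), self.caret + delta))
        if not select:
            self.anchor = self.caret
        self.log.append(("LEFT" if delta < 0 else "RIGHT") + ("+SHIFT" if select else ""))

    def click(self, pos):
        """Mouse click places the caret and clears the selection."""
        self.caret = self.anchor = max(0, min(len(self.text), pos))
        self.log.append("CLICK")

    def backspace(self):
        lo, hi = self._selection()
        if lo == hi and lo > 0:
            lo -= 1
        self.text = self.text[:lo] + self.text[hi:]
        self.caret = self.anchor = lo
        self.log.append("BKSP")


def _filler(rng, n):
    return "".join(rng.choice(FILLER) for _ in range(n))


def vesik_entry(password, chunk=3, rounds=2, rng=None):
    """Saxon's steps: type filler, select it with Shift+Left, overtype it with
    more filler a few times, then overtype it with the next piece of the real
    password; click past the segment and repeat until the box holds it all."""
    rng = random.Random(0) if rng is None else rng
    field = TextField()
    for i in range(0, len(password), chunk):
        piece = password[i:i + chunk]
        field.type(_filler(rng, len(piece)))        # step 1
        for _ in range(rounds):                       # steps 2-3
            for _ in range(len(piece)):
                field.move(-1, select=True)
            field.type(_filler(rng, len(piece)))
        for _ in range(len(piece)):                   # final overtype
            field.move(-1, select=True)
        field.type(piece)
        field.click(len(field.text))                  # step 4
    return field


def cursor_key_entry(chunks):
    """Arrow-key variant: type the pieces last-first and use Left (no
    selection) to put each earlier piece in front of what is already there."""
    field = TextField()
    for piece in reversed(chunks):
        field.type(piece)
        field.move(-len(piece))
    return field


def backspace_entry(password, rng=None):
    """The shortcut the article warns against: garbage, Backspace, real password."""
    rng = random.Random(0) if rng is None else rng
    field = TextField()
    field.type(_filler(rng, 3))
    for _ in range(3):
        field.backspace()
    field.type(password)
    return field


def naive_replay(log):
    """What a logger that understands only printable keys and Backspace would
    reconstruct; clicks, arrows and selections are ignored."""
    out = []
    for event in log:
        if event == "BKSP":
            if out:
                out.pop()
        elif len(event) == 1:
            out.append(event)
    return "".join(out)


if __name__ == "__main__":
    pw = "S3cr3t!Pw"   # constructed sample password
    for name, field in [("select-and-overtype", vesik_entry(pw)),
                        ("cursor keys", cursor_key_entry(["S3c", "r3t", "!Pw"])),
                        ("backspace", backspace_entry(pw))]:
        print(f"{name:20} box={field.text!r:14} "
              f"naive replay={naive_replay(field.log)!r} events={len(field.log)}")
```

Running the script prints the same final box contents for all three styles, but only the backspace style yields a naive replay equal to the password; the other two leave the replay buried in filler or out of order, which is the effect the thread describes. The model deliberately ignores screenshot-on-click capture, which a later reply in this thread raises as a separate weakness.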
zzdocxx Posted September 12, 2009

Wow that's interesting, I didn't know about that onscreen keyboard. "Accessibility", that's where it's at.
CrossBones Posted September 12, 2009

Prevent keyloggers from grabbing your passwords: Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

Buy a Mac or use Linux... avoid Windows. There are many Windows trojans you can attach to a file like a picture or movie, send it to someone, and it secretly installs a keylogger, and that program will email the keystrokes to the "hacker". Dead easy to do; I used to wind my friends up when I was a kid using a program called SubSeven. These programs can do more than just record keystrokes: the "hacker" can go through all your files and download them or change them, and can even delete your Windows directory.

These days there are "botnets", which are like trojans but make your computer part of a network of infected computers. The hacker can do more or less what they want with your computer, including using it as a proxy server to commit fraud that looks like it was done by you. Your firewall won't pick them up because the infected computer initiated the TCP/IP connection; it's not like someone is breaking INTO it. Typically the botnet will pretend to be a messenger program or Skype or any other program that connects to the internet (there are many and you just wouldn't know you are infected). Many of the pirate software packages you buy, especially pirated operating systems bought from places like Pantip, are infected with botnets.

AVOID USING WINDOWS. It's the only way to be sure.
lopburi3 Posted September 12, 2009

Kaspersky virtual keyboard comes with their anti-virus and is specifically designed to avoid key loggers and very simple to use - activate with icon in Firefox next to search window.
Jingthing Posted September 12, 2009

Kaspersky virtual keyboard comes with their anti-virus and is specifically designed to avoid key loggers and very simple to use - activate with icon in Firefox next to search window.

How would that help you at an internet cafe?
lopburi3 Posted September 12, 2009

The OP subject was key loggers.
Crushdepth Posted September 12, 2009

AVOID USING WINDOWS. It's the only way to be sure.

Plenty of Linux keyloggers available as well. And hardware keyloggers don't care what OS you are running.
Veazer Posted September 13, 2009

Kaspersky virtual keyboard comes with their anti-virus and is specifically designed to avoid key loggers and very simple to use - activate with icon in Firefox next to search window.

Virtual keyboards are pretty worthless; many of the keyloggers take a low quality jpg with each mouse click. Then it's just a matter of scanning the screen caps for OSKs and watching what was clicked.
mattcodes Posted September 13, 2009

Buy a Mac or use Linux... avoid Windows. There are many Windows trojans you can attach to a file like a picture or movie, send it to someone, and it secretly installs a keylogger, and that program will email the keystrokes to the "hacker".

This is a typical MS-bashing attitude. MS has many viruses and trojans because it has the largest market share in the desktop OS space and thus is a primary target for script kiddies and virus developers. Linux has its fair share of security bulletins in both kernel and user space, and I'd estimate that most Linux fanboys believe they are secure when in fact they are highly vulnerable due to their ignorance and fanboy adoption tactics. The OS X situation is a little better, but they are still as vulnerable as any. Avoid viruses by using a decent virus checker; if you dabble with pirate software, at least ensure you have a verified and genuine OS base and virus checker installed.
JetsetBkk Posted September 13, 2009

This trick of replacing some random characters with some of your actual password characters a bit at a time is a bit difficult when all you see is asterisks.
cdnvic Posted September 13, 2009

The best antiviruses will keep the keyloggers off your machine. NOD32, Kaspersky, Avira, and even Symantec (the resource hog) have 99% and better detection rates. If you use a lesser AV you are gambling.
Edward17 Posted June 9, 2010

What about me, I use ProteMac Keybag. Its keylogger can store your keystrokes. :)
rijb Posted June 9, 2010

Freeware - Neo's SafeKeys - http://www.aplin.com.au/
welo Posted June 9, 2010

Neo's SafeKeys implements various methods to confuse key loggers while 'typing'. It requires the user to drag'n'drop the resulting password to the input mask. I always thought drag'n'drop is basically a copy/paste operation and will be logged? But obviously it isn't; I don't think the developer has made such a simple mistake...

welo

EDIT: removed my original message because I hadn't read the article to the end
bulka Posted August 11, 2010

As for me I prefer to record with Protemac Keybag.