Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I do not think that the suggestion to highlight using the mouse and retype is an effective solution. With a bit of homework, the mouse movement can be tracked just like the keyboard inputs and be automated to filter out what all has been highlighted and removed to get the secret word!
As it was pointed out, the encryption method also can be hacked in the same way.
The only method to prevent it is to secure the keyboard entry using some secure hardcoded key unique(?) to each system. It is important that such coding does not produce the same code when the inputs are similar. Otherwise standard attacks in cryptography could again pose a threat.
Ing Direct (a bank) has a very simple login that counters keylogger attacks. They use an onscreen keyboard, each key displaying a random unique character next to it. You can click out your password, or you can use keyboard, but instead of typing your password you enter the randomly mapped characters instead.
Of course only your Ing password is safe. But I believe tinfoilhat linux has a similar feature for all password entry.
Malware could make a screenshot every time you click.
But then that's not a keylogger attack either. Ing protects against the keylogger, not every possible attack. Shoulder surfing, for example, requires more countermeasures.
Moreover, screen captures on clicks would not be effective if a user hits backspace and clicks elsewhere a couple times, or if they use the keyboard to do the entry.
Sure it's not a keylogger if you look at it like that, but you can rest assured that there is malware out there, at least on Windows, designed to steal user passwords by making screenshots, capturing keys and reading the clipboard.
So thinking that a screen keyboard can protect you against password stealing is a false sense of security imho.
Well, to test this theory out, I made a keylogger (using borrowed code) to do exactly what the OP says. I noticed that if you do this you can find it by simply running:
Code:
lsof | grep input
as root, X and hald-addo will be each using the /dev/input/event# (I assume that if X is not being used, then only hal will be using the events), and if there's a keylogger at work, the keyboard event (event#) will be open one more time by a different program, whatever the keylogger is named.
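A scripted form of the check described in the post above, as an added example that is not part of the original thread: it walks /proc/<pid>/fd instead of parsing lsof output and reports every process holding a /dev/input/event* node open whose name is not on an allowlist. The function names, the colon-separated allowlist format and the allowlist contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root so every /proc/<pid>/fd is readable.

# input_readers [proc_root]
# Prints "pid device comm" once per process and input event node it holds open.
input_readers() {
    proc_root=${1:-/proc}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue                  # unmatched glob or vanished fd
        target=$(readlink "$fd") || continue      # process may exit mid-scan
        case $target in
            /dev/input/event[0-9]*) ;;
            *) continue ;;
        esac
        pid_dir=${fd%/fd/*}
        comm=$(cat "$pid_dir/comm" 2>/dev/null) || comm='?'
        printf '%s %s %s\n' "${pid_dir##*/}" "$target" "$comm"
    done | sort -u
}

# unexpected_readers allowlist [proc_root]
# allowlist: colon-separated process names (as in /proc/<pid>/comm, max 15
# characters) that are expected to read input devices on this machine.
unexpected_readers() {
    allow=":$1:"
    input_readers "${2:-/proc}" | while read -r pid dev comm; do
        case $allow in
            *":$comm:"*) ;;                        # expected reader, stay quiet
            *) printf '%s %s %s\n' "$pid" "$dev" "$comm" ;;
        esac
    done
}

# Illustrative call; the allowlist contents are an assumption for one desktop:
#   unexpected_readers "Xorg:systemd-logind"
```

A process can set its own comm value, so treat an allowlist match as a first filter and confirm the binary through /proc/<pid>/exe before trusting it.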
Quote:
Sure it's not a keylogger if you look at it like that, but you can rest assured that there is malware out there, at least on Windows, designed to steal user passwords by making screenshots, capturing keys and reading the clipboard.
So thinking that a screen keyboard can protect you against password stealing is a false sense of security imho.
You're looking for a one size fits all countermeasure. Countermeasures are tailored for specific attacks. It would be unreasonable to expect an anti-spyware tool to protect you from a DoS attack, for example.
Ing's approach effectively counters the keylogger - and more login screens should be following their lead. The screenshot attack you mention requires considerably more sophistication from the attacker, and it only works in the case of basic mouse entry, which is easily countered on the server side by simply making the onscreen keys mouse-insensitive.
Sure, but I don't believe that the casual user at the end of the day cares if his banking account has been hacked with a keylogger, or a keylogger with screenshot abilities. All he cares about is that his money is now gone and he wants protection from that.
Quote:
Originally Posted by jgombos
Ing's approach effectively counters the keylogger - and more login screens should be following their lead. The screenshot attack you mention requires considerably more sophistication from the attacker, and it only works in the case of basic mouse entry, which is easily countered on the server side by simply making the onscreen keys mouse-insensitive.
I don't think a screenshot program is more complicated to program than a keylogger. It might even be the other way round; I do not know of a way to prevent a normal user from making screenshots of all windows at the moment. So it might be harder to create a keylogger that can log keys of all windows.
What do you mean by making certain keys mouse-insensitive? The user intentionally clicks on keys that have no function?
A way better countermeasure against password-spying malware is one-time passwords, imho.
Because even if the program spies the password it would be useless if the user could still log in, so you need a way of preventing the login from happening and that will be suspicious at least.
From reading this thread, I get the impression that the only solution will be to encrypt the connection between the keyboard and the application (that is, encrypt the connection between the web browser (or logon screen or spreadsheet or ...) and the keyboard such that neither Linux nor any other application or process running on Linux will be able to decrypt the characters being typed).
Something like a smartcard reader with a keypad should be able to do that.
The smartcard would then take your PIN to encrypt / authenticate.
But that requires support on the other side as the USB key from RSA does.