First  Prev  1  2  3  4  Next  Last
Post Reply Hacked
13650 cr points
Send Message: Send PM GB Post
こ ~ じ ~ か
Offline
Posted 4/11/15

staphen wrote:


evilotakuneko wrote:


staphen wrote:
This guy would also only ever copy/paste his passwords so that they couldn't be picked up by a keylogger.


This guy also doesn't know very much about keyloggers.


I admit that my information about keyloggers comes from Wikipedia, but I see no reason why this method wouldn't work against your typical API-based keylogger, or even kernel-based keyloggers and maybe hypervisor-based keyloggers. You know, anything that actually monitors the keys entered by the keyboard. I'm honestly surprised that form grabbing and packet analysis can even be considered keylogging.

In case you're interested, I only read about this guy in an article. The purpose of the article was to describe the inevitability of "being hacked," what it means, and how to minimize the damage. The guy in question was an acquaintance of the author used as an extreme example of the lengths some people would go to.


I see you are using the literal definition of keylogger.

Sure, it might be effective against a hardware dongle, but these aren't commonly encountered by the average user. Software is a different story. Software can log a lot more than just keys, and still most would refer to it as a keylogger.

If you're a malware author and you've already gotten your malware onto a PC and successfully started capturing keystrokes, it's trivial to also capture clipboard data, so you might as well do it. Lots of users copy/paste logins, whether for perceived security benefit or just convenience, so it only makes sense to give your malware this ability. At that point, why not go for broke, and scrape the screen as well? Even though the return on this would be rather low (although with Windows tablets on the rise, that's changing), the satisfaction of pwning some smug little kiddie thinking he's safe using his on-screen keyboard would be worth it.

I've been there for the whingefest that ensues afterward, blaming everyone but themselves. Bottom line though, they got pwned.

Point is, it is dangerous to assume that any entry method can foil password-stealing malware. Sure, maybe the one that bites you is a weak one, but do you want to chance it? Stay safe, and keep your computer clean. Your 20 character password won't help if it's whisked away in the clear by a clever baddie.
60151 cr points
Send Message: Send PM GB Post
27 / M
Online
Posted 4/12/15 , edited 4/12/15

evilotakuneko wrote:


staphen wrote:

I admit that my information about keyloggers comes from Wikipedia, but I see no reason why this method wouldn't work against your typical API-based keylogger, or even kernel-based keyloggers and maybe hypervisor-based keyloggers. You know, anything that actually monitors the keys entered by the keyboard. I'm honestly surprised that form grabbing and packet analysis can even be considered keylogging.

In case you're interested, I only read about this guy in an article. The purpose of the article was to describe the inevitability of "being hacked," what it means, and how to minimize the damage. The guy in question was an acquaintance of the author used as an extreme example of the lengths some people would go to.


I see you are using the literal definition of keylogger.

Sure, it might be effective against a hardware dongle, but these aren't commonly encountered by the average user. Software is a different story. Software can log a lot more than just keys, and still most would refer to it as a keylogger.

If you're a malware author and you've already gotten your malware onto a PC and successfully started capturing keystrokes, it's trivial to also capture clipboard data, so you might as well do it. Lots of users copy/paste logins, whether for perceived security benefit or just convenience, so it only makes sense to give your malware this ability. At that point, why not go for broke, and scrape the screen as well? Even though the return on this would be rather low (although with Windows tablets on the rise, that's changing), the satisfaction of pwning some smug little kiddie thinking he's safe using his on-screen keyboard would be worth it.

I've been there for the whingefest that ensues afterward, blaming everyone but themselves. Bottom line though, they got pwned.

Point is, it is dangerous to assume that any entry method can foil password-stealing malware. Sure, maybe the one that bites you is a weak one, but do you want to chance it? Stay safe, and keep your computer clean. Your 20 character password won't help if it's whisked away in the clear by a clever baddie.


I am well aware how trivial it is to capture the clipboard, but the method by which the clipboard is captured is another matter. Using a timer to poll the clipboard and logging changes to the data might be difficult to circumvent. However, if you assume the attacker isn't sophisticated enough to go very far beyond an API-based keylogger, then it may also be safe to assume they'll only read the clipboard if the keylogger detects Ctrl-C or Ctrl-Ins. That's easily circumvented by copy/pasting with the mouse.

All this brings me to my next point. Computer security is not about protecting yourself from being pwned. Anyone who knows anything about computer security will tell you that you're fighting a losing battle. If the information is accessible, then it is not uncrackable. The whole idea behind computer security is to make it sufficiently difficult to access sensitive information that it is not worth anyone's time to go after it. So yes, the method I described before is not insurmountable if someone REALLY wants to get at your data and has the means by which to install malware on your system. However, it does decrease your attack surface as well as mitigate the fallout when some of your data is inevitably compromised.

As for keeping your computer clean, that's good advice. However, I will say that it's just as futile as following good password practices. One day, you may have to enter your password on someone else's computer - or even on your computer via someone else's insecure network. Also, it is not impossible for a very sophisticated and determined hacker to write a worm that frequently rewrites its own code to fool antivirus software. It is, however, so incredibly difficult that there were no documented cases of such software existing, last I heard. All this ties into my previous point. The best you can do is make things harder for an attacker. Dismissing good advice on the basis that it won't protect you from everything is the height of ignorance when it comes to computer security.

On the subject of keeping your computer clean, however, I have some more advice. This is just my personal opinion mind you, but the #1 most effective thing I've done to protect my computer against malware is to install an ad blocker. I highly recommend it to anyone who is concerned about computer security.
59711 cr points
Send Message: Send PM GB Post
27 / M / United States
Offline
Posted 4/12/15

TheOmegaForce70941 wrote:

You can check how long time it would take a PC to guess your password here https://howsecureismypassword.net/



I don't care what the site says, I don't trust it to give them my password.
46382 cr points
Send Message: Send PM GB Post
20 / M / Sweden
Offline
Posted 4/12/15

Assassinx89 wrote:


TheOmegaForce70941 wrote:

You can check how long time it would take a PC to guess your password here https://howsecureismypassword.net/



I don't care what the site says, I don't trust it to give them my password.


k
13650 cr points
Send Message: Send PM GB Post
こ ~ じ ~ か
Offline
Posted 4/12/15 , edited 4/12/15

staphen wrote:

On the subject of keeping your computer clean, however, I have some more advice. This is just my personal opinion mind you, but the #1 most effective thing I've done to protect my computer against malware is to install an ad blocker. I highly recommend it to anyone who is concerned about computer security.


Absolutely, totally, 100% completely agreed. I'd sooner go without antivirus than without comprehensive ad blocking. I prefer to have multiple layers--HOSTS file plus AdMuncher (which is free now) at a minimum. Although it does make viewing CR without Premium kinda difficult. :p

Anyway, I think we are talking past each other. Yes, copy/paste *might* help, but it's far from a silver bullet and I think that assuming it has any effectiveness at all is just dangerous. That's all.
17037 cr points
Send Message: Send PM GB Post
23 / M / Stuck in Edolas
Offline
Posted 4/12/15




Just wondering, if someone did go to the lengths of software to like was mentioned to steal a password would they be able to detect the copy and pasted along with manually entered keys, would it be possible for them to know the karat placement?

For example 1234 is copied from a file and inserted into a password field, with the mouse, the karat is placed between whatever characters and something is typed in manually and whatever it could end up as looks like
1x2x3x4
12xxx4
1x234xx
x123x4x

You get the idea.
With the examples in place, and the "x"s typed in by manually placing the karat with mouse clicks in the password field after the base was inserted in via copy an paste would it be possible for them to steal your password easily without trying to jumble a bunch of letters/numbers around?

Maybe even going deeper and using 2 copy and pasted with typed characters and some deleted for example
1234 and 4567 is copied and pasted onto a pw field individually and you get
12344567 (or 45671234) you then place your karat and delete a character making something like
1234467 then using method 1 I mentioned you get something like
1x234x467x Then again using the mouse to place the karat your final result would be
x234x467x.

My whole idea hinges on them not being able to detect karat placement as text is being entered into the password field.
Posted 4/12/15
What CR need to do is put in a 2 steps verification. Like Google or Facebook. Where you link your email and account to your phone. So every time you try to enter you need a special code send to your phone via text.
Posted 4/12/15
Nope.
13650 cr points
Send Message: Send PM GB Post
こ ~ じ ~ か
Offline
Posted 4/12/15

InterGalacticz wrote:





Just wondering, if someone did go to the lengths of software to like was mentioned to steal a password would they be able to detect the copy and pasted along with manually entered keys, would it be possible for them to know the karat placement?

-snip for brevity-


Definitely possible but improbable. Would I expect a password-stealing malware to actually go to the trouble of compensating for all that? No.

But

Given both keystroke logging and clipboard monitoring (which I presume all password stealers to do both) it's possible the human bean receiving the data might still get enough to re-assemble the correct password.

(Are you getting that I'm a little paranoid?)

This would greatly depend on the completeness of the data sent back by the malware (does it log or ignore arrow keys? does it pay attention to overtype/insert mode? etc.) and the mindset of the attacker.



It's worth noting that KeePass uses a similar technique when performing autotypes. To the paranoid in me, this means password stealers will necessarily evolve to compensate for this countermeasure. The key is in how difficult it is to implement.
22023 cr points
Send Message: Send PM GB Post
20 / M / California
Offline
Posted 4/12/15
I got hacked once, but not on CR. It was my entire computer. (Even worse...)

Luckily at that time, I didn't have a credit card so nothing important was stolen or deleted from me.
Posted 4/12/15
If you want to remember your overly complicated passwords, type them up several times and it will stick into your mind because you'll remember without even thinking about it as you type. I usually only need 3 times, 3's the charm.
60151 cr points
Send Message: Send PM GB Post
27 / M
Online
Posted 4/12/15

evilotakuneko wrote:


InterGalacticz wrote:





Just wondering, if someone did go to the lengths of software to like was mentioned to steal a password would they be able to detect the copy and pasted along with manually entered keys, would it be possible for them to know the karat placement?

-snip for brevity-


Definitely possible but improbable. Would I expect a password-stealing malware to actually go to the trouble of compensating for all that? No.

But

Given both keystroke logging and clipboard monitoring (which I presume all password stealers to do both) it's possible the human bean receiving the data might still get enough to re-assemble the correct password.

(Are you getting that I'm a little paranoid?)

This would greatly depend on the completeness of the data sent back by the malware (does it log or ignore arrow keys? does it pay attention to overtype/insert mode? etc.) and the mindset of the attacker.



It's worth noting that KeePass uses a similar technique when performing autotypes. To the paranoid in me, this means password stealers will necessarily evolve to compensate for this countermeasure. The key is in how difficult it is to implement.


I would only add that it wouldn't be necessary for the attacker to determine the position of the caret so long as he could narrow down the possibilities for the password. Knowing exactly what characters are used in the password is enough to greatly reduce the number of passwords you'd have to try with a brute force attack.
5064 cr points
Send Message: Send PM GB Post
19 / M / United States
Offline
Posted 4/28/15
No, if so I would find a way to find out who did it and pay them a visit...
11663 cr points
Send Message: Send PM GB Post
21 / M
Offline
Posted 4/28/15
Why would anyone wanna hack a CR account?
45489 cr points
Send Message: Send PM GB Post
22 / M
Offline
Posted 4/28/15 , edited 4/28/15

TheOmegaForce70941 wrote:

You can check how long time it would take a PC to guess your password here https://howsecureismypassword.net/



I put in a random password, then added numbers until it hit infinity years.
First  Prev  1  2  3  4  Next  Last
You must be logged in to post.