Defeating Key Loggers with Common Sense
I read an interesting story in an article in 2600: The Hacker Quarterly a while ago. The author, who goes by the name Xyzzy, narrated his experience with the security holes he came across at Time Warner Cable.
Nature of the Hack
It all began when a service visit was scheduled to fix intermittent downtime on Xyzzy’s cable Internet connection. To his amazement, the technician sat down at Xyzzy’s laptop and started checking whether the connection was already fixed. Apparently, the technician used a Web browser and opened a URL that’s used exclusively by his company. He then logged on to the page (using his own username and password) to check his customer’s status. Afterwards, he closed the browser window and confirmed that the connection was fixed.
What the Technician Didn’t Know
A ninja always carries some handy tools with him. Being the type of ninja that he is, Xyzzy runs a key logger on his laptop 24/7. So there you go: instant login credentials! But it doesn’t stop there. Although the technician had closed the browser window, the browser wasn’t closed entirely, so the authorization session was still cached. Xyzzy then pulled up a packet sniffer, ran the telnet command, used the login credentials he had captured, and voilà! Some sort of customer database showed up. What can he do with that? Well, what can you do with a customer name, account number, address, phone number, IP address, MAC address, and a Web server’s name and version? What if you knew the data needed to verify an account on telephone support? Xyzzy could actually do a lot of things if he were a bad ninja.
Moral of the Story
Whether you’re using someone else’s computer, a computer at work, or a computer in a public place, it’s difficult to know if big brother’s lookin’. Who knows what other programs are installed on it? There are quite a few things you can do to detect hidden programs like key loggers, but nothing beats common sense. Here’s a tip featured on BBC’s Click, sent in by a viewer (Dr. John from Kuala Lumpur, Malaysia):
When entering a username or password, deliberately miss out one letter or number, then click with the mouse at the position of the missed letter and type it.
The key logger then gets the wrong sequence…
Now why haven’t I thought of that? From now on, when you’re checking e-mail, browsing future purchases on eBay, or even logging in to instant messaging accounts or social networking Web sites on computers other than your own, make it a habit to intentionally leave out a character, then use your mouse to click at its position and type it in. You’ll definitely be more at peace after your Internet session. Remember, an ounce of prevention is better than a pound of cure. The risk of stolen identities and credit cards will be reduced as long as this simple, common-sense habit is kept in mind. Happy surfing!
Other Sources
- Keystroke Logging @ Wikipedia
- BBC Click video archive - March 1, 2007

June 12th, 2007 at 23:20
what a great tip! I’ll certainly keep it in mind
[thanks for reviewing my blog at BlogCatalog, btw!]
Cheers,
~willow~
June 13th, 2007 at 12:00
You may also check out a slightly different approach in the article below:
How to cheat Keylogger software
June 13th, 2007 at 13:00
Hi ~willow~,
Sure! No problem.
Hello John,
That article is similar indeed. Thanks for letting me check it out.
June 17th, 2007 at 16:59
Yeah, but… this is a very good idea, but if, from your keylogger, you have a short list of the characters that might be used and a short maximum length of the password string, it wouldn’t take too much hacking to get the password, if you can make multiple log-in attempts with ‘anagrams’ of the given letters.
So it might be excellent protection for a computer which slows down log-in attempts/logs bad log-in attempts, but it isn’t going to help as much with, say, a web e-mail site, or maybe your online bank.
June 17th, 2007 at 17:42
I agree. Though many Web sites like Google Accounts already give a visual measurement of how secure a password is. I think 8 characters (alphanumeric, punctuation, ASCII) are enough to be considered a secure password.
Webmail sites seem to give users unlimited log-in attempts. I don’t know if this is for convenience, but I guess e-mail accounts aren’t really a target compared to bank accounts or any account that involves currency. One bank I use is pretty secure: 3 failed attempts will block that particular account from online access. You’ll have to go through a series of phone verifications to enable it again. This bank also enforces a password change after about 45 days. Log-in and transaction passwords are different.
But then again, it’s a matter of security versus convenience. When it comes to transactions that involve money, I’d rather choose the former.
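As an added illustration (not code from the article or from any of its commenters), the following Python models the BBC Click tip quoted in the post and the two points raised in this exchange: the logged keystrokes are still an anagram of the password, so the number of candidate orderings is what actually protects you, and a lockout policy like the bank’s 3-failed-attempts rule is what makes that number matter. The password, the attempt limits and the guesses are constructed sample values, and the logger is assumed to record key presses only (no mouse clicks or caret position).

```python
import hmac
from collections import Counter
from math import factorial

# Constructed sample password for the demonstration; it is not from the article.
SAMPLE_PASSWORD = "s3cret!"


def logged_keystrokes(password: str, skip_index: int) -> str:
    """Simulate the BBC Click tip as seen by a logger that records key presses
    only (no mouse clicks or caret position): every character except the one at
    skip_index is typed in order, then the user clicks back and types it last.
    Returns the sequence the logger ends up with."""
    if not 0 <= skip_index < len(password):
        raise ValueError("skip_index out of range")
    typed = [c for i, c in enumerate(password) if i != skip_index]
    typed.append(password[skip_index])  # the character typed after the click
    return "".join(typed)


def is_anagram(a: str, b: str) -> bool:
    """True when both strings contain the same characters with the same counts,
    i.e. the logged sequence still reveals the password's character multiset."""
    return Counter(a) == Counter(b)


def distinct_orderings(chars: str) -> int:
    """Number of distinct strings that can be formed from the logged characters
    (multinomial coefficient). Repeated characters shrink this number; a password
    made of one repeated character has exactly one ordering and the tip gains nothing."""
    n = factorial(len(chars))
    for count in Counter(chars).values():
        n //= factorial(count)
    return n


def success_probability(chars: str, attempts_allowed) -> float:
    """Fraction of the candidate orderings a guesser can cover before a lockout
    policy stops them. attempts_allowed=None models a site with no limit."""
    if attempts_allowed is None:
        return 1.0
    return min(attempts_allowed / distinct_orderings(chars), 1.0)


class LoginGuard:
    """Lockout policy like the bank's described in the comments: after
    max_failures wrong passwords the account is blocked from online access
    until an out-of-band (phone) verification clears it."""

    def __init__(self, password: str, max_failures: int = 3) -> None:
        self._password = password.encode()
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, guess: str) -> str:
        if self.locked:
            return "locked"
        # Constant-time comparison; a real system would compare a password hash instead.
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    logged = logged_keystrokes(SAMPLE_PASSWORD, 2)
    print("logger saw:", logged, "| anagram of password:", is_anagram(logged, SAMPLE_PASSWORD))
    print("candidate orderings:", distinct_orderings(logged))
    print("chance within 3 attempts:", success_probability(logged, 3))
    print("chance with unlimited attempts:", success_probability(logged, None))
    # Edge case: skipping the last character changes nothing, the logger sees the password verbatim.
    print("skip last char ->", logged_keystrokes(SAMPLE_PASSWORD, len(SAMPLE_PASSWORD) - 1))
    guard = LoginGuard(SAMPLE_PASSWORD)
    print([guard.attempt(g) for g in ("s3ret!c", "3scret!", "cs3ret!", SAMPLE_PASSWORD)])
```

Two things the numbers make visible: the tip only helps when the character you leave out is not the last one, and with no attempt limit the probability of eventually guessing the right ordering is 1, which is exactly the webmail case the reply above worries about.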