Sunday, May 4, 2008

Online Security - Keyloggers

Outsmarting Keyloggers

As the financial officer for my organization in Tanzania, I sometimes travel without my laptop and need to access password-protected Web sites from Internet cafés or hotel business centers. I worry about whether these public computers have keyloggers installed.

By using the Windows On-Screen Keyboard accessibility utility, can I safely prevent keyloggers' recording my passwords?

If the On-Screen Keyboard simply creates key-press events that can still be intercepted by keyloggers, then can Copy/Paste be used to avoid the keylogger threat? Or do keyloggers also record the contents of the Windows clipboard? Do you have another suggestion for safely entering passwords at public computers?

David A. Smith

The On-Screen Keyboard utility is designed to let mobility-impaired users enter small amounts of text, typically by using a specialized pointing device. For maximum compatibility, it works by sending simulated keystrokes to the active application. I tried it with a number of the commercial keyloggers that I use in antispyware testing, and it was no help at all: The simulated keystrokes were captured just as actual keystrokes would be.

You could conceivably launch the Character Map utility and build your password by double-clicking characters. Once you had built the whole password, you'd click the Copy button and paste it into the password-entry box. Unfortunately, keyloggers can do a lot more than merely log keystrokes. Most also record everything that gets copied to the clipboard, and many also snap screenshots of program activity. Character Map, then, is not a solution.

The one possibility that seems hopeful is this: Type your password with extra characters in it and then use the mouse to highlight and delete the extra characters. For example, you might type passFROGword and then highlight and delete the middle four dots. Or type p1a2s3s4w5o6r7d8 and delete every other dot. A keylogger would still record all of the keystrokes that make up your password, but they'll be mixed with other unrelated keystrokes.

If you need to use a public PC, your best option for entering passwords is to use a mobile password management/form filling application such as Siber Systems' Pass2Go ($39.95, www.roboform.com). Pass2Go runs off a USB memory key and protects your passwords behind a master password. Even if the master password is compromised, it's useless to the thief unless he has your USB key, too. It's not a foolproof solution, but it will evade hacking tools that rely on capturing keyboard events.

But really, you should do your best to avoid using nonsecure computers. Even if you keep a keylogger from snagging your password, it might still take screenshots of key financial info. Your best bet is to implement a high degree of security on your laptop and resign yourself to lugging the darn thing along.
