Friday, November 24, 2006

Foiling Keyloggers

A research group at Microsoft has come up with a simple method for defeating keystroke loggers. A keystroke logger is a software program or hardware device that captures every keystroke typed on the computer. The resulting record of characters can then hand an attacker your user name and password. It does not matter whether you use encryption, because keystrokes are only encrypted after the application you are using has received them; a keystroke logging program captures the characters before that happens. Hardware devices capture the characters before they even reach the computer: they typically attach to the end of the keyboard cable, just before it plugs into the machine.

This new method requires that you open a second application, such as Notepad, and type some decoy characters into it partway through typing your password. So, if your password is "safeenough", you would type "safe" in the password field, switch to Notepad and type "dfafioiueeffda" there, then return to the password field and type "enough". The application receives the correct password, yet a keystroke logger records "safedfafioiueeffdaenough" as your password. Obviously, if you switch back and forth a couple of times while entering the password, the effect will be even better.
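The following simulation is an added example, not part of the original post. It models keystrokes as (focused window, key) events so you can see the difference between what the password field receives and what a logger that records raw keystrokes without window context captures; the window names and the `type_with_decoys` helper are assumptions made for the example.

```python
"""Simulation of the decoy-keystroke trick described above (constructed example)."""
from typing import List, Tuple

Event = Tuple[str, str]  # (focused window, key)

# Window names are assumed for the simulation.
PASSWORD_FIELD = "browser:password"
SCRATCH_WINDOW = "notepad"


def type_with_decoys(secret: str, decoys: List[str], cut_points: List[int]) -> List[Event]:
    """Build the keystroke stream for typing `secret` into the password field,
    switching to the scratch window at each cut point (an index into `secret`)
    and typing one decoy string there before returning to the password field."""
    if len(decoys) != len(cut_points):
        raise ValueError("one decoy string per cut point")
    events: List[Event] = []
    start = 0
    for cut, decoy in zip(cut_points, decoys):
        events += [(PASSWORD_FIELD, ch) for ch in secret[start:cut]]
        events += [(SCRATCH_WINDOW, ch) for ch in decoy]
        start = cut
    events += [(PASSWORD_FIELD, ch) for ch in secret[start:]]
    return events


def application_receives(events: List[Event]) -> str:
    """What the password field actually gets: only keys delivered to its window."""
    return "".join(key for window, key in events if window == PASSWORD_FIELD)


def keystroke_logger_sees(events: List[Event]) -> str:
    """What a logger recording raw keystrokes with no window context captures:
    every key, in typing order, with the decoys mixed in."""
    return "".join(key for _window, key in events)


if __name__ == "__main__":
    stream = type_with_decoys("safeenough", ["dfafioiueeffda"], [4])
    print("application gets :", application_receives(stream))  # safeenough
    print("logger captures  :", keystroke_logger_sees(stream))  # safedfafioiueeffdaenough
```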

You should use this security process any time you are at an untrusted computer. And, of course, this method assumes that your password is encrypted before it leaves your computer: you should always check for the lock symbol in the browser any time you are entering passwords or other sensitive information.

Remember, it's not just passwords you need to protect. If you have to type in anything else that needs protecting, such as a social security number, use this system. Of course, avoiding untrusted computers altogether would be best, but often we do not have a choice.


