Virtual keyboards and monitoring software foil keystroke loggers

by billso on Thursday, 17 April 2008

From Lifehacker comes a link to a free virtual keyboard called Neo’s SafeKeys. The keyboard is displayed on the computer screen, and lets a Windows user type their password without accessing the computer’s keyboard.


It’s trivial to monitor keystrokes through software and hardware called keystroke loggers or keyloggers. This New York Times article describes a new phishing attack against executives, involving an email with a link to a fake subpoena. Click the link and a Windows keystroke logger gets installed.

Executives are excellent targets for such attacks. CXOs often want to bypass corporate security systems for the sake of personal convenience. When executives insist on carrying confidential or valuable corporate data on their laptop’s hard drive, they may as well paint a target on their foreheads.

CXOs might also disable virus scanners and security software to make the computers run faster. This only makes their personal computers much more vulnerable. When executives are reluctant to admit their mistakes or ask for help, the damage is already done.

I’ve seen virtual keyboard systems deployed on banking web sites, so that users can use a mouse to enter their passphrase. Of course, this can be very tedious if the user has a long passphrase. These virtual keyboard systems may become more common as banks implement multifactor authentication schemes that address consumer, regulator and compliance issues.

Keyboards and keystrokes

It’s still possible to use a keyboard for multifactor authentication, however. This article from Windows in Financial Systems describes a system from BioPassword that requires the user to enter their password ten times in a single enrollment session. Software determines the rhythm of their keystrokes, and stores that data along with the user’s account on a Microsoft Active Directory server. Anyone who tries to access the account will have to simulate that user’s typing behavior for that specific password.

In this 15 May 2007 article, ha.ckers.org pointed out some potential problems with BioPassword’s system. The timing needs to be loose enough to accommodate different keyboard styles. A laptop computer’s keyboard often is laid out differently from a standard desktop keyboard. Otherwise, the timing checker might flag users who include numerics, international characters (such as € £ ß Ω) and typographical symbols (like % @ © ^#~) in their passphrase.
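The enrollment and tolerance trade-off described above, sketched as an added example (not BioPassword's algorithm and not code from the original post). It assumes key-down timestamps in milliseconds and a simple mean/standard-deviation profile per key-to-key delay; all names and sample timings are constructed for illustration.

```python
from itertools import accumulate
from statistics import mean, stdev

ENROLL_ENTRIES = 10   # the post describes ten entries in one enrollment session
MIN_SD_MS = 5.0       # assumed floor so a very regular typist is not locked out

def gaps(key_times_ms):
    """Key-down timestamps in ms -> delays between consecutive keys."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]

def enroll(entries):
    """Build a (mean, stdev) profile per key-to-key delay from repeated entries."""
    if len(entries) < ENROLL_ENTRIES:
        raise ValueError("enrollment needs %d entries" % ENROLL_ENTRIES)
    rows = [gaps(e) for e in entries]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("entries differ in length")
    return [(mean(col), max(stdev(col), MIN_SD_MS)) for col in zip(*rows)]

def distance(profile, key_times_ms):
    """Average number of standard deviations the attempt is from the profile."""
    attempt = gaps(key_times_ms)
    if len(attempt) != len(profile):
        return float("inf")
    return mean(abs(g - m) / sd for g, (m, sd) in zip(attempt, profile))

def verify(profile, key_times_ms, tolerance):
    """Accept the attempt only if its rhythm is within the chosen tolerance."""
    return distance(profile, key_times_ms) <= tolerance

def to_times(delays):
    """Helper for the constructed samples: delays -> timestamps starting at 0."""
    return [0] + list(accumulate(delays))

# Constructed sample data: a six-key password, ten entries with +/-20 ms jitter.
BASE = [120, 200, 90, 150, 110]
ENTRIES = [to_times([b + 4 * (((7 * i + 3 * j) % 11) - 5) for j, b in enumerate(BASE)])
           for i in range(ENROLL_ENTRIES)]
PROFILE = enroll(ENTRIES)

SAME_KEYBOARD = to_times([125, 195, 95, 145, 112])   # owner, usual keyboard
LAPTOP = to_times([150, 235, 120, 185, 140])         # owner, unfamiliar layout
OTHER_TYPIST = to_times([300, 80, 250, 60, 280])     # right password, wrong rhythm

if __name__ == "__main__":
    for name, t in [("same keyboard", SAME_KEYBOARD), ("laptop", LAPTOP),
                    ("other typist", OTHER_TYPIST)]:
        d = distance(PROFILE, t)
        print(f"{name:14s} distance={d:5.2f} strict(1.0)={d <= 1.0} loose(3.0)={d <= 3.0}")
```

With these constructed timings, a strict tolerance of 1.0 rejects the account owner on the laptop, while a looser 3.0 accepts the owner on both keyboards and still rejects the other typist.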

Dots and dashes

The concept dates back to the 19th century. Experienced telegraph operators could identify each other through their fist, or their distinctive patterns of keying Morse code. The same concept was also used during both World Wars to match radio operators with their message content.

Some banks might have each user enroll several different passphrases, as many banks now require for their web-based customer portals.

BioPassword’s software is designed for business and enterprise users. PC Magazine has an excellent review here, and the London Times and Baseline have good recent articles. This Wired article from 2000 describes how the system was used by a Canadian company, Musicrypt.com, as part of a user management service for music web sites.

  • PatrickN

    A very interesting and useful article for all of us. I have heard a little bit about virtual keyboard Neo’s SafeKeys. My good friend is using this software. I know that he uses it wanting to protect some very important information from various hackers. I am planning to download this software too. Thanks for the great article and I will be waiting for other great ones from you.

    Sincerely,

    John Nickolson from software application development
