|
|
|
|
Windows Secrets Newsletter • Issue 215 • 2009-09-24 • Circulation: over 400,000 |
|
AD
|
|
Table of contents TOP STORY: More tricks to evade keyloggers on public PCs WACKY WEB WEEK: Oh, the sweet, sweet power of temptation LANGALIST PLUS: Driver update triggers Vista reactivation INSIDER TRICKS: Can Windows Mobile catch iPhone and BlackBerry? PATCH WATCH: Important security patches available for Firefox |
|
ADS
|
|
TOP STORY More tricks to evade keyloggers on public PCs
The Clipboard's no safer than the keyboard The revised Vesik method involves typing nonsense characters into a password input box when using a public PC and then rearranging some of the letters to form your actual password with the mouse. If the PC contains a hardware keylogger or is infected with a software keylogger, rearranging a password in this way will usually suffice to obscure your credentials. Most hackers will concentrate on the 99% of users who type in their passwords at Internet cafés in the usual way. One proposal sent in by many, many, many readers was a variation on a single theme. Namely, keep your sign-in information on a USB flash drive or memory stick, then copy and paste the info into the appropriate fields when you're required to use a public PC or other unsecured computer. Unfortunately, many keyloggers capture any information you place into the Windows Clipboard. I tested the copy-and-paste technique using the All In One Keylogger from RelyTec. (For more info, see the vendor's site.) The program easily captured the sign-in IDs and passwords entered, whether I used the standard menu options (Edit, Copy and Edit, Paste) or the keyboard shortcuts Ctrl+C and Ctrl+V. In my tests, the All In One Keylogger wasn't able to capture the information when I performed a copy-paste operation using a context (right-click) menu. But that's not much to rest one's hopes on. Other keyloggers do succeed at capturing data copied via context-menu options. Note that many password-manager products require you to copy and paste your passwords from their database to an input box. (See my Sept. 18, 2008, review of password managers.) Any product using the Clipboard in this manner is vulnerable to a keylogger that captures data from the Clipboard. Other strategies for blocking keyloggers Readers suggested various ways of carrying one's passwords on a flash drive. Jeff H. asked, for example:
To establish a master password in Firefox, pull down the Tools menu, click Options, select the Security tab, and turn on Use a master password. After doing this, you must enter your master password once per browser session. Another reader, Val Ingraham, proposed signing in using a tool such as the portable version of Siber Systems' free RoboForm password manager, available on the company's download page. Both of these approaches were able to evade the keylogger I tested them with and would likely confound other keyloggers as well. However, any method that permits automatic sign-in from a flash drive poses a risk of physical security. A flash drive is easy to lose. When you misplace one, you could be handing over your passwords to whoever finds the device — if you don't enable a master password. Can freeware provide the privacy you need? Several readers like products that are specifically designed to defeat keyloggers. Simon Bleasdale recommends Neo's SafeKeys 2008, available for free on the Alpin Software site. The program promises the same functionality as the Windows On-Screen Keyboard (OSK) utility described in the original tip — but without OSK's security risks. (OSK sends keystrokes in a way that keyloggers can see and record. To use OSK if you need it for entering something other than a password, open the software by clicking Start, All Programs, Accessories, Accessibility, On-Screen Keyboard.) Neo's SafeKeys 2008 displays a small window with a simulated keyboard on which you can type your sign-in, password, and other information — just as with OSK. But unlike the Microsoft utility, Neo's SafeKeys 2008 doesn't transmit information in a way that can be picked up by keyloggers. Nor does the program use the Clipboard. Instead, you type your info in the SafeKeys 2008 window and then drag the data to the appropriate text box in your browser. Neo's SafeKeys 2008 successfully evaded the All In One Keylogger product in my tests. Other options help you foil keyloggers that regularly take screen captures to record your PC activities. According to the Alpin Software site, however, the utility's drag-and-drop methods don't work with all products — including the Opera browser. No product will ever be able to guarantee your safety from snoops when you use a public computer. Fortunately, the techniques and products described here and in the previous article can reduce your risk substantially. You're the only person, however, who can decide what constitutes an acceptable risk level for your data. That may mean never signing in to Web sites using PCs at Internet cafés — or wherever you're not sure adequate security precautions have been taken.
Windows Secrets contributing editor Scott Dunn has been a contributing editor of PC World since 1992 and currently writes for the Here's How section of that magazine. |
|
ADS
|
|
WACKY WEB WEEK Oh, the sweet, sweet power of temptation
|
|
BONUS DOWNLOAD
|
|
PERMALINKS Use these permalinks to share info with friends We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.) The following link includes all articles this week: http://WindowsSecrets.com/comp/090924 Free content posted on Sept. 24, 2009:
You get all of the following in our paid content:
Thanks in advance for your support! |
|
YOUR SUBSCRIPTION The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008. Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine). Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Web Developers: Dan Engler, Damian Wadley. Research Director: Stephanie Small. Research Analyst: Allison Espiritu. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Michael Lasky, Woody Leonhard, Ryan Russell, Robert Vamosi, Becky Waring. Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners. HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page. WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period. Privacy policy HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
|
