Windows Secrets


Windows Secrets Newsletter • Issue 213 • 2009-09-10 • Circulation: over 400,000


Table of contents 
  • Top Story: Prevent keyloggers from grabbing your passwords
  • Bonus: Keep your computer beyond the reach of hackers
  • Wacky Web Week: Trade in your hops for grapes … fun will follow
  • LangaList Plus: Reset your BIOS so USB keyboards work on boot-up
  • In the Wild: Hackers exploit FTP flaw in Microsoft’s IIS
  • Patch Watch: New Web-based attacks target Windows Media holes

 
Top Story

Prevent keyloggers from grabbing your passwords

By Scott Dunn

Strong passwords are important, but even the best password won’t keep you safe from keyloggers — hardware and software that’s designed to secretly record your keystrokes.

Fortunately, there’s a way you can enter sensitive data so it’s extremely difficult for snoops to extract your passwords from keylogger files.

In her Aug. 6 Top Story, WS contributing editor Becky Waring reported that Google’s Gmail service allows hackers to try to guess your password 1,200 times per day. She provided some useful tips for making strong passwords that are easy to remember but hard to crack.

The bad news? Even the strongest passwords can be recorded by keyloggers. These are software and hardware products designed to capture computer events and store them in a log file.

Keyloggers can have legitimate uses in business, or they can be perverted into collecting passwords for identity theft. For more information on how these products work, see my Oct. 9, 2008 review of free software keyloggers.

UPDATE 2009-09-24: In his Sept. 24, 2009, Top Story, Scott Dunn provides more tips for avoiding keyloggers when using a public PC.

Windows’ On-Screen Keyboard app is also logged

If you’re using a computer you aren’t sure is keylogger-free, how do you protect any passwords to sensitive Web accounts you may need to access? A reader named Kenneth recently submitted the following suggestion:
  • “I use a simple existing tool in Windows called osk.exe (On-Screen Keyboard). This program, as you may know, resides in the C:\WINDOWS\system32 directory, but there’s no shortcut or link to it, so most people don’t know it exists! You can launch it by entering osk in the Run command.

    “Anytime I need to log in to any sensitive sites (banking, etc.), I launch osk.exe first and use this on-screen keyboard to click and enter my user name and password, even on my own home computer. This way, I feel confident that my credentials can never be captured.”
Kenneth’s suggestion may be useful to prevent some types of hardware keyloggers from detecting signals from the physical keyboard. Unfortunately, the program provides no defense against software keyloggers. Windows’ On-Screen Keyboard sends information to applications as keystrokes, just as though you’d pressed the keys on a keyboard.

The first keylogger program I tested with the OSK workaround — All in One Keylogger from RelyTec — easily captured my keystrokes as I signed in to a Web site. (For more information about the All in One program, see the vendor’s site.)

Holes in anti-keylogging software protection

Another alternative that’s often touted to protect your passwords is to use anti-keylogging software. The Antispy Software site lists several such products, but I can’t vouch for them.

Anti-keylogging software — even if it were effective in its stated mission — wouldn’t prevent your password from being intercepted by a hardware keylogger. The sad fact is, if a keylogger is deployed effectively, you can’t detect whether a public or unsecured computer has a hardware or software keylogger — or any keylogger at all, for that matter.

The universal defense against password snoops

Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.

Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the “revised Vesik method” for entering passwords:

  • Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.

  • Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)

  • Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.

  • Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.

  • Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.

This procedure clutters the keylogger’s log file with a series of click events and characters. There’s no easy way for the intruder to know which characters are your password and which are random.

The key is to select and gradually overtype gibberish characters with your actual password characters. Don’t simply type some garbage, backspace over it, and then enter your real password. Most keyloggers compensate for backspacing but can’t keep track of characters you select and overtype.
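To make the difference between the two entry styles concrete, here is an added simulation (not code from the article or from Saxon’s site). It models a single-line password box with a caret and a selection, plus a naive logger that records keys and honours backspaces but has no notion of caret position or selection. The event types, the sample password `S3cret!` and the junk strings are constructed for the example; the second junk string in each cycle overtypes the first so that steps 1 to 3 are repeated as the article describes.

```python
"""Constructed simulation: what the site receives versus what a naive keylogger
reconstructs, for the backspace approach and for the revised Vesik method."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class Key:
    """A character keystroke; the logger records it."""
    ch: str


@dataclass
class Backspace:
    """Backspace keystroke; the logger records it and can undo the last key."""


@dataclass
class Click:
    """Mouse click placing the caret; the logger sees a click, not the position."""
    pos: int


@dataclass
class Select:
    """Mouse drag selecting text[start:end]; the logger sees only a click."""
    start: int
    end: int


Event = Union[Key, Backspace, Click, Select]


class PasswordField:
    """Minimal model of a text box: insert at caret, or replace the selection."""

    def __init__(self) -> None:
        self.text = ""
        self.caret = 0
        self.sel: Optional[Tuple[int, int]] = None

    def apply(self, ev: Event) -> None:
        if isinstance(ev, Click):
            self.caret, self.sel = ev.pos, None
        elif isinstance(ev, Select):
            self.sel, self.caret = (ev.start, ev.end), ev.end
        elif isinstance(ev, Backspace):
            if self.sel:
                s, e = self.sel
                self.text, self.caret, self.sel = self.text[:s] + self.text[e:], s, None
            elif self.caret > 0:
                self.text = self.text[:self.caret - 1] + self.text[self.caret:]
                self.caret -= 1
        elif isinstance(ev, Key):
            if self.sel:                      # typed char replaces the selected junk
                s, e = self.sel
                self.text = self.text[:s] + ev.ch + self.text[e:]
                self.caret, self.sel = s + 1, None
            else:                             # plain insert at the caret
                self.text = self.text[:self.caret] + ev.ch + self.text[self.caret:]
                self.caret += 1


def field_result(events: List[Event]) -> str:
    """What actually ends up in the password box (what the site receives)."""
    f = PasswordField()
    for ev in events:
        f.apply(ev)
    return f.text


def naive_log_view(events: List[Event]) -> str:
    """Logger that records keys and compensates for backspaces, but gets no
    text-position information from mouse clicks or selections."""
    buf: List[str] = []
    for ev in events:
        if isinstance(ev, Key):
            buf.append(ev.ch)
        elif isinstance(ev, Backspace) and buf:
            buf.pop()
    return "".join(buf)


def backspace_entry(password: str, junk: str) -> List[Event]:
    """The weak variant the article warns against: type junk, backspace it, type the password."""
    events: List[Event] = [Key(c) for c in junk]
    events += [Backspace() for _ in junk]
    events += [Key(c) for c in password]
    return events


def vesik_entry(password: str, segment_len: int, junk_strings: List[str]) -> List[Event]:
    """Steps 1-5 of the revised Vesik method as a deterministic event sequence.
    junk_strings stands in for the 'random' characters (two per segment) so the
    run is reproducible; a real user types them off the cuff."""
    events: List[Event] = []
    junk = iter(junk_strings)
    pos = 0                                   # real characters already in the box
    for i in range(0, len(password), segment_len):
        segment = password[i:i + segment_len]
        events.append(Click(pos))             # Step 4: caret after the part entered so far
        for _ in range(2):                    # Steps 1-3: type junk, select it, overtype it
            s = next(junk)
            events += [Key(c) for c in s]
            events.append(Select(pos, pos + len(s)))
        events += [Key(c) for c in segment]   # Steps 2/5: real segment overtypes the selection
        pos += len(segment)
    return events


PASSWORD = "S3cret!"                                # constructed sample password
JUNK = ["x7Q", "mB2", "k9z", "Tq4", "p0R", "Lw8"]   # constructed junk, two strings per segment


def compare() -> dict:
    """Run both entry styles and return what the site and the logger each see."""
    simple = backspace_entry(PASSWORD, "zzz")
    vesik = vesik_entry(PASSWORD, 3, JUNK)
    return {
        "backspace_field": field_result(simple),
        "backspace_log": naive_log_view(simple),
        "vesik_field": field_result(vesik),
        "vesik_log": naive_log_view(vesik),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16} {value}")
```

With the backspace approach the site and the logger end up with the same string, so the noise bought nothing. With the Vesik sequence the site still receives the full password, while the logger is left with the password’s segments scattered among junk it cannot tell apart from the real characters.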

As Saxon points out, this method isn’t foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don’t use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.

However, most crooks are looking for “low-hanging fruit.” They’ll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.

Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don’t conceal their passwords in noise, so keyloggers don’t compensate for it.

If you have no choice but to sign in to a site on a PC you aren’t sure of, protecting your password is a difficult problem with no perfect solution. Many software programs, such as RoboForm2Go, offer password-protection schemes that vary from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site.

Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend’s PC.

Contributing editor Scott Dunn is the co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

 
Bonus

Keep your computer beyond the reach of hackers

This month’s free bonus download for all our subscribers is a two-chapter excerpt from Hacking Exposed: Computer Forensics by Aaron Philipp, David Cowen, and Chris Davis. The book provides valuable information about keeping everything on your computer out of the clutches of harmful hackers, be it important data or merely your IP address.

The printed volume isn’t in stores yet, but all subscribers can receive our exclusive excerpt of two full chapters through Sept. 30. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director



 
Wacky Web Week

Trade in your hops for grapes … fun will follow

By Stephanie Small

Sick of drinking beer at parties? Hate it when your buddies stick you with a warm brew? Nothing sucks the fun out of social occasions faster than the same old swill. Well, your lackluster beer-drinking days are about to be supplanted by the best of aged wines … cabernet sauvignon!

Pronounced just as it’s spelled, this high-class “fancy” beverage can turn any frown upside down — if the frowner is of legal drinking age, anyway. Aged since 2002, the grapes are at their peak of fermentation … and the beverage even comes in a light version for those watching their waistlines! So call for a cab at your next pool party or festive bash. And of course, there’s no better way to impress that special someone. Play the video


 
LangaList Plus

Reset your BIOS so USB keyboards work on boot-up

By Fred Langa

Just because your PC fails to recognize a USB keyboard at startup doesn’t mean you’re now the owner of the world’s largest paperweight.

When Windows works perfectly, but your PC’s underlying hardware goes south, a slightly geeky hardware trick might just get the crippled machine going again!


A dead keyboard can spell big trouble

George Molzahn is caught in a Catch-22 situation:
  • “I have Vista Home Premium on an Intel-based system. All of a sudden, my PS/2 keyboard stopped working, period. I checked connections, rebooted, etc., but my keyboard still won’t work. I figured it had died, so I bought an inexpensive USB keyboard, hooked it up, and it operated just fine — except it was dead during boot-up.

    “As the boot proceeded and Vista started, the keyboard came alive and worked great. Hmmmm …. I got a USB-PS/2 adapter and plugged the new keyboard into the PS/2 port in the back of the computer and guess what? The keyboard is ‘dead,’ just like before.”

Sounds like two things are going on. First, your PS/2 keyboard port clearly has failed. Sometimes, accumulated stress can cause a physical port’s solder connections to break; a tiny hairline crack is all it takes for the electrical connection to be severed.

While resoldering is technically possible, it’s a deep-geek fix to do by yourself and an expensive job to farm out to a repair shop. For me, a dead port is a clear sign that it’s time for a new PC — or at least a new motherboard.

The second thing going on is that your USB ports aren’t set up to work at boot time. Windows is doing its job because your ports work fine once Vista is in control of the system. But to fully use your PC, you need a way to get the USB ports to work at initial boot, before the operating system loads.



 
In the Wild

Hackers exploit FTP flaw in Microsoft’s IIS

By Robert Vamosi

Sites running the FTP service on Microsoft’s Internet Information Services (IIS) Web software may be vulnerable to attacks.

The company says FTP service versions 5 and 6 are affected, but claims version 7.5 is unaffected on Vista and Windows Server 2008.


Beware of anonymous FTP users bearing gifts

Webmasters take note: if you use Microsoft’s FTP service, attackers could plant code on your servers or launch a denial-of-service (DoS) attack against your site.

According to Microsoft, a newly discovered set of FTP flaws allows an attacker to install unauthorized software on an Internet Information Services (IIS) server or to crash the box.

The vulnerable versions of the FTP service shipped on several flavors of Windows and Windows Server over the years. The company says the latest version of the FTP service, 7.5, is safe on Vista and Windows Server 2008.

The remote-execution vulnerability, which was first described on the Milw0rm security site on Aug. 31, could allow an attacker to run malicious code. Modern versions of Windows are built with /GS (a compiler-inserted buffer security check) that helps protect them from remote-code execution, but earlier versions are not.



 
Patch Watch

New Web-based attacks target Windows Media holes

By Susan Bradley

Three separate browser vulnerabilities make you susceptible to drive-by exploits from otherwise-trustworthy Web sites.

These threats affect you even if you never use Windows Media Player or Internet Explorer, so you should definitely apply this week’s Windows patches.


MS09-047 (973812)
Browsing without new patch could be hazardous

This month’s security patches for Windows are a reminder that even the sites we trust can be sources of malware infections. Microsoft security bulletin MS09-047 (973812) patches a hole that allows infected, downloaded media files to gain complete control of your system.

More and more sites — even popular ones such as Facebook — have unknowingly hosted malicious banner ads, which is one way these media files can infect you. Microsoft’s Security Research & Defense blog predicts that this vulnerability will likely be targeted by such exploits within the next 30 days.

Vista and Windows 7 have some protection against these attacks, but you should download and install MS09-047 immediately to stymie them completely, especially if you use XP.

If, for some reason, you can’t install this patch, remember that even sites you think of as trustworthy might serve a malicious banner ad from a third-party ad host. The safest course of action is for you to apply this patch and use a browser other than IE, such as Firefox, Chrome, or Opera.

MS09-045 (971961)
JScript scripting engine susceptible to malware

MS09-045 (971961) fixes a problem with the JScript scripting engine. Many sites use JScript to change messages and other site elements dynamically.



YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.
