[lug] security of mindterm applet?

D. Stimits stimits at idcomm.com
Mon Oct 30 09:00:53 MST 2000


"Ferdinand P. Schmid" wrote:
> 
> "Jeffrey B. Siegal" wrote:
> 
> > "Ferdinand P. Schmid" wrote:
> > > On Windows systems it would be fairly easy to listen for and record keystrokes.
> >
> > Yes, it is.  There are even off-the-shelf keystroke monitoring utilities
> > designed for employers to be able to spy on their employees (to detect
> > unauthorized computer/internet use).  I have heard of these being installed by
> > hackers on public systems (cybercafes, etc.).
> >
> > > But that would mean
> > > somebody would need to also record the corresponding screens...
> >
> > No, they just need the keystrokes, and then they have your password.
> 
> Yes, they have the password if it was typed continuously - and right after the login
> was typed.  But I don't think those apps can find out what window on the PC you are
> typing in.  So you could play with the mouse and have two browser windows open and
> for example type one character of your login and some characters in the different
> window and then another one of your login...   You can find all kinds of games to
> play - but in general I wouldn't be too concerned.  After all you may have browsed
> the wrong site with your work PC (running Windows and IE) and that site has installed
> a little application sending all your browsing info including password... to a remote
> site.  This is generally known as the "perfect hack" - because it doesn't require
> dealing with firewalls and other well protected systems and it is very difficult to
> detect.  Such a thing happened to a friend of mine and it was only discovered because
> that malignant application tried to connect to the internet without entering the
> proxy password.
> Bottom line - nothing is safe and most of us (except for some extremely security
> savvy and concerned folks) will be vulnerable in one form or another.  Generally the
> more functionality you need or want the higher risk you need to take.

I didn't read it too closely, but the recent Microsoft break-in stories
mentioned that it was suspected a virus was entered into the inside via
email, which could somehow read passwords (possibly by keyboard
sniffing), then send it back out. Microsoft responded something to the
effect of "just because they saw our innermost secrets of our products
on our most highly protected system doesn't mean Windows isn't secure".
It looks like any public Windows machine that might have email read is
vulnerable to having some form of valuable info emailed to a kiddie
scripter.

> 
> Did you know that around 95% of all e-mail is downloaded using POP3 (or IMAP)
> protocols with plain text password transmission?  Using IMAP over SSL is still very
> uncommon!  Just to keep the greater picture in mind.
> 
> > Do not use public systems to log in if you are concerned about the security of
> > your password.  Use a laptop under your control instead.
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> --
> Ferdinand Schmid
> Architectural Energy Corporation
> http://www.archenergy.com
> (303) 444-4149
> 



