You can't secure what you don't acknowledge.℠

Friday, January 18, 2008

Neat tool to fight off keystroke loggers in web apps

I came across the XecureCK tool in Brien Posey's recent article. It's an application-specific program that's downloaded as an ActiveX control that must be installed in the user's browser (sort of ironic, eh?). It essentially creates an encrypted link between the Windows keyboard driver and the Web site to keep the user's credentials safe, or at least the credentials for that one Web site.

Thinking back to my days of assembly language programming, I suspect that there's a way for malware to hook into the keyboard interrupt to override this. Essentially sit "above" the driver and still grab the input from the keyboard. We'll see...

Still a pretty neat app that benefits the Web site owner as much as it does the user. Good way to stay out of trouble and minimize liabilities.
