68. Knowing how to be fully
secure:
Foiling keyboard loggers
By Mark Alberstat
Dear Mousepad,
I run Windows XP with firewall and antivirus protection, and scan once in
awhile for spyware. The only security concern I have is the possibility
of hidden keystroke loggers catching a password. The question is, how can
I protect myself against these?
Name Withheld
In this age of spam, viruses, malware and spyware, one of the more
insidious traps lurking on the Internet are keyboard loggers.
In short, keyboard loggers are small programs that get loaded onto your
machine, without your knowledge, and log every keystroke you make. When
you go online, the program secretly sends the log file to its creator, who
then has a file that may contain your user name, passwords and other vital
but confidential information. Mac users are relatively safe, as the vast
majority of these programs exploit holes in Microsoft Windows security and
the large number of Windows-based machines connected to the Internet.
There are a few preventative steps against this type of malicious
software. The first is to always have a virus scanner running on your
machine and keep it updated. This is always your first line of defense.
It is also a good practice to have the virus scanner scan your computer
once a week to double-check for any problems. The same can be said for
anti-spyware software. Up-to-date and regular scans are a necessity in
today's wired world.
If you are concerned about keyboard loggers grabbing your password or even
your PIN, one way to fool them is to type your password with a few extra
letters or numbers and then backspace over those characters not in your
password. The logger will catch the entire password, false characters
included, but will not be able to tell what characters you backspaced
over. All that will be logged is that you hit the backspace, or delete
key and the number of times.
Another way around keyboard loggers is to keep a document on hand that has
a list of all of your passwords and usernames. This file could be
encrypted or just kept on your computer or a floppy drive. When you are
at a site that needs a login, simply open the file, copy the needed
information into memory and paste it into the required form field.
The problem with this method is that some websites could have a javascript
running that can easily read what is in your Windows clipboard and copy
it, with all of that happening completely without your knowledge or
approval.
To see this in action, copy a bit of text and then go to:
http://www.friendlycanadian.com/applications/clipboard.htm
If you are using Internet Explorer just as Microsoft delivers it to you,
you will see the contents of your clipboard displayed in a textbox. If
you are using Firefox or (thanks to a reader's help) a Mac with Safari or
the Mac version of IE, you will not see anything in the box as these
browsers do not allow the javascript to grab text from your computer's
memory. Imagine your surprise if you do this exercise and see your
password or bank account number in that box.
If you want to continue using Internet Explorer but turn off this access
point to your information, you will have to open Internet Explorer, click
on the Tools menu then the Internet Options sub-menu. In the window that
opens click the Security tab. Under web content zones, select Internet
and then the Custom Level button. Scroll down until you see Scripting and
Disable "Allow paste operations via script." Click Ok out of these menus
and your computer will be a safer place.
It is important to note that anything you copy into your computer's memory
is in there until you copy something else in, thus erasing what was there,
or by restarting or shutting off your computer.
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question in
a column, we'll send you a free mousepad.
Originally published 18 September 2005
