{"id":747,"date":"2007-04-05T22:22:15","date_gmt":"2007-04-06T06:22:15","guid":{"rendered":"\/?p=747"},"modified":"2007-04-06T07:12:34","modified_gmt":"2007-04-06T15:12:34","slug":"6-year-old-installs-keylogger","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=747","title":{"rendered":"6 year old installs keylogger"},"content":{"rendered":"<p>Here is a <em>strange one <\/em>via Pamela Dingle&#39;s <a href=\"http:\/\/eternaloptimist.wordpress.com\/2007\/03\/25\/identity-x-file-0x01\/\">eternal optimist<\/a>:<\/p>\n<p style=\"margin-left: 30px\"><a href=\"http:\/\/www.thisishampshire.net\/display.var.1280820.0.how_girl_6_hacked_into_mps_commons_computer.php\" title=\"How girl, 6, hacked into MP&#039;s Commons computer\" class=\"broken_link\"><font color=\"#52759a\">How girl, 6, hacked into MP\u2019s Commons computer<\/font><\/a><\/p>\n<p style=\"margin-left: 30px\">I assume a physical keyboard logger like this could still be used to steal an IdP username &amp; password, even with all the secure desktop stuff that the CardSpace client has built in\u2026<\/p>\n<p><a href=\"http:\/\/www.keyghost.com\/\">This kind of&nbsp;dongle<\/a>&nbsp;plugs in between the keyboard and the computer.&nbsp; So there is&nbsp;one simple solution:&nbsp; don&#39;t type in secrets that could allow someone to gain access to your accounts.&nbsp;<\/p>\n<p>My view:<\/p>\n<ol>\n<li>CardSpace self-issued cards (based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack &#8211; assuming no physical access to the computer itself.<\/li>\n<li>Normal Kerberos login would be vulnerable.<\/li>\n<li>Username \/ password IdPs could&nbsp;be protected from this attack&nbsp;through use of the additional per-card secret described <a href=\"\/?p=736\">here <\/a>&#8211; assuming non-InfoCard password access was not supported.<\/li>\n<li>One time password (OTP) systems would be 
unaffected.&nbsp;<\/li>\n<\/ol>\n<p>BTW, I now have OTP integrated with my own managed card demo code.&nbsp; When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Don&#39;t type in secrets that could allow someone to gain access to your accounts.  <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[21,24,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/747"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=747"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/747\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}