Tuesday, February 28, 2006

Doug's Anti-Keylogger Software Requirements

I've had this idea for a while of an anti-keylogging technology. Keyloggers are malicious software packages that burrow into your machine, monitor your keystrokes, and can even perform screen-captures while you type. They are installed any number of ways -- usually through nefarious means like browser exploits -- and are used mostly by cyber-thieves to capture users' banking credentials.

They're so prevalent that even the New York Times devoted a major article to the topic yesterday.

I did some due diligence and have found a number of anti-keylogging software packages out there. Sure enough, every one I looked at tried to detect the presence of a keylogger and then counteract it. For instance:

...[Product] doesn't depend on signature bases - just because it doesn't use them. The newly developed solutions and algorithms allow it to spot behavior of a spy program - and disable it instantly...

In other words, the majority of packages out there attempt to detect and then disable keyloggers. Given the onslaught of new keylogging technologies -- a recent article mentioned that there are over seventy different "species" of keylogger -- I contend that's difficult to do. And new keyloggers emerge all the time.

I have a different idea. Let the keyloggers go ahead and log. In fact, if you're on another party's machine (say, at a friend's house and need to log on to your bank's website), you may not want to risk doing surgery on their computer by running an intrusive anti-keylogger.

Instead, my hypothetical product says, "go ahead and log away... fat lot of good that'll do yaz!" (with a Boston accent). The idea being that you can't assume detection of every keylogging package in the world... there are way too many. Instead, defeat the very concept of keylogging.

So -- without giving away too much of the design that exists only in my head -- here are my basic requirements for an anti-keylogging software package:

[ ] Preferably browser-based
[ ] If not browser-based, should allow execution without installation
[ ] Does not require any keystrokes or mouse-clicks to perform data-entry
[ ] Not susceptible to screen-captures, no matter how frequently they occur

Are there requirements that are definitely out of scope for this go-round? Yes. This type of anti-keylogger is not intended to defend "cheating spouses." That is, it's not designed to suppress logging of instant messaging, email, and other conventional programs. Put simply, it's designed to protect your passwords - specifically those used for online financial transactions.

More later.

1 comment:

Anonymous said...

Can anyone recommend the best Patch Management tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central it automation software? What is your best take in cost vs performance among those three? I need good advice, please... Thanks in advance!