Defeating Virtual Keyboards

To deal with the threat of keyloggers -- or to win time during te process of implementing two factor authentication and one-time-passwords-in-everything -- E-banking providers started introducing virtual keyboards as a pragmatic solution to the threat. Malicious attackers are anything but old-fashioned and this is a great example that insecurities are only a matter of perspective. To the E-banking providers who were aware that a static virtual keyboard would be much more easier to defeat, a randomized characters appearance came into play and so attackers adapted by first taking video sessions of the login process, and now turning each mouse click into a screenshot to come up with the accounting data in a PoC on Defeating Citibank Virtual Keyboard:

"Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display a keys in random position in a virtual keyboard on the screen where it makes little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 API’s to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it."

From a malicious economies of scale perspective, these rather amateur techniques mean lack of efficiency compared to advanced tools suh as the Nuclear Grabber which I intend to cover in-depth in a future post from the Malicious Wild West series.

International Cryptography Regulations Map

Regulations on importing, exporting and using encryption greatly vary across the world. Bert-Jaap Koops came up with some informative maps highlighting the big picture :

"This is a graphic summary of the pertaining cryptography laws and regulations worldwide as outlined in the most recent version of my Crypto Law Survey. It shows the import controls, export controls, and domestic controls, according to the information available to me. Consult the corresponding entry in the Crypto Law Survey for the contents of the pertaining regulation in a particular country."

And here's a related post on a bureaucratic utopia, another one on bureaucracy vs reality when it comes to security, as well as famous cases related to criminals using encryption.

Disintermediating the Major Defense Contractors

Innovative and cost-effective altogether? Think SpaceShipOne, a commercial space ship that didn't come from a major defense contractor, not even NASA but from a competition won by a privately run company. How to disintermediate yet innovate? Become a venture capitalist, or an angel investor and optimistically hope the academic-to-commercialization process would happen with one of your investments. The DeVenCI project aims to connect sellers with buyers and seems like a sound short-term objectives oriented idea compared with In-Q-Tel the CIA's VC fund emphasizing on long-term R&D :

"Some companies have already profited from the program. In 2003, when DeVenCI was in its experimental phase, the Defense Information Systems Agency was looking for ways to protect computer networks. After speaking to several companies through DeVenCI and evaluating their technology, the agency wound up working with ArcSight, a software company based in Cupertino, Calif., which won $3.6 million in related contracts over the next few years, DeVenCI officials said. Mr. Novak of Novak Biddle said he brought with him to the March DeVenCI meeting two executives from a small start-up developing biometric technology that could be used for things like advanced fingerprinting or eye scans. Mr. Novak said the chief executive and chief technology officer from the Virginia company, which he declined to name for competitive reasons, gave a presentation to the roughly 50 assembled procurement agents."

Here's In-Q-Tel's investment portfolio so far -- Google used to be among them.

Related posts:
Insider Competition in the Defense Industry
Aha, a Backdoor!
Overachieving Technology Companies