Beat Keyloggers at Their Own Game – Simple Ways to Avoid Information Theft
When I was in high school, I was exploited … twice. But not in that way sickos! My first time was ironically from one of my best friends. He always liked to test these gray-hat programs. One day after I used his laptop, he said, “Allan, I know the password to your AIM account!” To say the least, I was furious!
That was nothing in comparison to the emotion I was experiencing during my second exploitation, terror. At the time, my computer was unprotected from any viruses, spyware, and adware. I decided to install an all-in-one security suite, which promptly caught a virus. Basically, I monitored what it was doing to my computer. I discovered a file of everything I typed the past couple of weeks from emails, essays, and search queries to (gasp!) passwords and credit card numbers! Needless to say, I changed my passwords and credit card number.
Ever since these two incidents, I’ve come to realize how vulnerable I really was by using a computer that was not mine or even my own.
Better-safe-than-sorry Attitude
Part of being a good hacker is to recognize signs of when you’re being cracked or at least to observe best practices to circumvent exploitation. This definitely applies to using public computers … even just plain computers that are not your own. To all the hackers reading this, how many of you would feel comfortable entering your credit card or social security number on your grandma’s computer, which is a slow, spyware-filled, adware-loaded, and Limewire-installed machine? Basically, her typical screen looks like this:

No, right? That’s what I thought! There’s no telling what may pick up your sensitive information. I don’t know. Maybe it’s just my overly sensitive paranoia that my sister continues to bring up, but I think I have a point.
Dealing with the Paranoia
What caused the two tragedies I mentioned in the beginning? Keylogger programs. How do you prevent them from being installed? An all-in-one security arsenal or at least a planned computer defense regimen entailing anti-spyware, anti-adware, and anti-virus. Don’t do something stupid like open an email from Nigeria. Use Firefox. Don’t P2P unless you are absolutely sure that you are using the right program. But what if you’re using a computer that belongs to somebody who does not obey these sacred rules?
You can’t trust a computer that you don’t manage. Luckily, there is a way to avoid any typical keyloggers that reside on your grandma’s computer. It’s kind of low tech, but – still – it’s better than nothing.
How Keyloggers Work
First you need to understand how a basic keylogger works. It installs itself as a hidden service or a daemon that monitors the events passed in Windows. The bulk of these events includes keystrokes and mouse changes. With these event handlers, you can easily swipe someone’s login. In the keylogger … log, it may have something like this:
“myspace.comusername@domain.com[tab]pa$$w0rd[tab][enter]”
for logins,
“123-45-6789”
for Social Security numbers, or
“John Doe[tab]123 Easy Street[tab]Beverly Hills[tab]c[tab]90210[tab]1234567890123456[tab]345[tab]10[tab]2008”
for credit card billing information.
See how easy it is for a cracker to parse your sensitive information from the log?
Exploiting a Flaw in the Exploiter
One flaw in most keyloggers is that they don’t record mouse clicks or the time of input. Most can also only determine which program is receiving the input. They cannot detect what element in the program is receiving the input or even if the program is actually using the input!
So, to scramble the logs, you enter random characters between sensitive information. At the same time, you don’t want the random characters to alter what you are actually trying to type in the form field. So, you would periodically remove focus from the desired field.
For example, imagine that your password is “pa$$w0rd.”
- Click the password field.
- Type ‘p’
- Click the background. Type some random characters. Click the password field again.
- Type ‘a’
- Click the background. Type some random characters. Click the password field again.
- Type ‘$’
- Click the background. Type some random characters. Click the password field again.
- Type ‘$’
- Click the background. Type some random characters. Click the password field again.
- Type ‘w’
- Click the background. Type some random characters. Click the password field again.
- Type ‘0’
- Click the background. Type some random characters. Click the password field again.
- Type ‘r’
- Click the background. Type some random characters. Click the password field again.
- Type ‘d’
- Click the background. Type some random characters.
If you performed this method correctly, the keyboard capture log would look something like this (without all the bolding).
p467gjaj,d7g$45fdj$dfhsdw5gndc0hgdnfrgh7kodsgreb
Works Most of the Time
Cracking this simple workaround would require more sophistication from the keylogger. At least you’ll be safe from most implementations. That sophistication would entail something with screen captures, mouse logs, and/or browser injection. However, all of these factors are very unlikely, as they would make the keylogger more conspicuous.
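The scrambling steps above, replayed as an added example (not code from the original post) over a toy event model: it compares what the login form receives, what a keystroke-only logger records, and what a logger that also sees click targets records. The element names `password_field` and `background` are assumptions; the junk chunks are taken from the sample log line above.

```python
# Added illustration: a toy event model, not a real keylogger or input hook.
SECRET = "pa$$w0rd"
# Junk chunks copied from the article's sample log line.
JUNK = ["467gj", "j,d7g", "45fdj", "dfhsd", "5gndc", "hgdnf", "gh7ko", "sgreb"]
FIELD, BACKGROUND = "password_field", "background"  # hypothetical element names


def build_session(secret, junk_chunks):
    """Events for the steps above: one real key in the field, then junk off-field."""
    if len(junk_chunks) != len(secret):
        raise ValueError("need one junk chunk per secret character")
    events = []
    for ch, junk in zip(secret, junk_chunks):
        events += [("click", FIELD), ("key", ch), ("click", BACKGROUND)]
        events += [("key", j) for j in junk]
    return events


def typed_by_target(events):
    """Group keystrokes by the element that had focus when each was typed."""
    focus, typed = None, {}
    for kind, value in events:
        if kind == "click":
            focus = value
        else:
            typed[focus] = typed.get(focus, "") + value
    return typed


def field_value(events):
    """What the login form actually receives."""
    return typed_by_target(events).get(FIELD, "")


def keystroke_only_log(events):
    """The basic logger described above: keys in order, no clicks, no focus."""
    return "".join(value for kind, value in events if kind == "key")


def focus_aware_log(events):
    """A logger that also records click targets sees the same split the form does."""
    return typed_by_target(events)


EVENTS = build_session(SECRET, JUNK)

if __name__ == "__main__":
    print("form receives      :", field_value(EVENTS))
    print("keystroke-only log :", keystroke_only_log(EVENTS))
    print("focus-aware log    :", focus_aware_log(EVENTS))
```

The keystroke-only log matches the scrambled line shown earlier, while the focus-aware log separates the password from the junk, which is why the technique only holds against loggers that ignore mouse and focus events.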
Next time you are on a public computer, remember this technique and don’t let them (whoever “they” are) get a hold of your information.
For more information on where I learned this technique, read How To Login From an Internet Cafe Without Worrying About Keyloggers from Carnegie Mellon University.

October 29th, 2008 at 2:10 pm
I found this post since it links to mine. I used to use Word 2007 a lot for posting to my blog. But that was till I discovered LiveWriter. You may be interested in this: http://blog.gadodia.net/using-windows-livewriter-to-publish-blog-posts/
Also, I used to have a problem with it till I realized at a much later date that it also has spellcheck: http://blog.gadodia.net/windows-live-writer-spell-check/
LiveWriter is a great replacement for Word 2007. Also, if you don't like either of these, just use Firefox or Chrome to type your posts directly into WordPress because both of them provide spell check right in the browser.
Cheers and thanks for linking to my post.