Comments on: Vesik method revised

By: Joseph

Joseph — Sat, 16 Jan 2010 23:59:31 +0000

I’ve received a lot of visit from Las Pinas, Philippines which are coming in via two sites: the first one is called blackhatbootcamp_comslashblogslashscTOPSITES; the second one is besome1dotinfoslashTOPSITES. The moment I read “black hat” I became alarmed because I know that usually means the operator will use unscrupulous and even malicious methods to get visitors and money. I’d like to know more about them, and block their visits if possible. The last thing I need is some creep corrupting my site, and spamming my readers. I have hundreds of articles on my site, many from authors who have their url listed in the by-line of their articles. This could be why I’ve been getting trolled-the offenders maybe attempting to harvest the domain names. My site host has yet to even respond to my query about safety protocols they have in place to prevent scalping and harvesting, I do have anti-virus and anti-malware software protection on my computer but the more knowledge I have the better I am able to protect myself and my readers.

By: Natwest beats the keyloggers | Defending The Kingdom: Security and Privacy in Your Digital Life

Fri, 01 Jan 2010 16:29:29 +0000

[...] online bank account even on untrusted computers. The login page makes it impossible to employ the Revised Vesik Method that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever [...]

By: Gerry

Gerry — Sat, 26 Sep 2009 03:35:56 +0000

Thanks Ian for clarifying that copy-and-paste is not secure.

In a recent article in the Windows Secrets Newsletter ( http://windowssecrets.com/2009/09/24/01-More-tricks-to-evade-keyloggers-on-public-PCs ), the following software was mentioned and worked well when I tested it with Firefox (supposedly it does not work with Opera): Alpin Software’s Neo’s SafeKeys 2008 ( http://www.aplin.com.au/?page_id=368 ). According to its description, it does not use copy and paste to transfer the password. Also note the feature (under Mouse Mode) which allows characters to be selected by just hovering over them and also turns the cursor into a small grey dot! Plus, there is no charge for this software, although a donation is asked for. Might this be another solution? Of course, even if it is, no technique can be counted on to be secure indefinitely.

By: Ian Saxon

Ian Saxon — Mon, 14 Sep 2009 01:23:53 +0000

@Trevor: Good point. Changing your password after you’ve entered it insecurely is a fine idea. That and the Vesik Method are ways to reduce, not eliminate, your vulnerability. But suppose you’re on the road for an extended period of time or you have to change your password while using an insecure PC - the Vesik Method could be the best option available.

By: Trevor H.

Trevor H. — Mon, 14 Sep 2009 00:59:37 +0000

An aspect I think you’re neglecting is to change passwords often, possibly by rotating them on various dates. This means the logged keys will have little if any value to the logger. The fear of logging is really about using the same old keys for too long. if one has to use a non-persoanl PC then changing the login data a.s.a.p after that event makes perfect sense, doesn’t it?

By: Und wieder was gelernt ;-)))) « winITPro

Und wieder was gelernt ;-)))) « winITPro — Sun, 13 Sep 2009 16:22:49 +0000

[...] Saxon mit dem schönen Namen „Defending the Kingdom“ umsehen. Dort wird auch die „Vesik-Methode“ vorgestellt, die deutlich mehr Sicherheit bieten kann — allerdings auch mit deutlich [...]

By: Austoon Daily » Vesik method revised

Austoon Daily » Vesik method revised — Fri, 11 Sep 2009 14:34:27 +0000

[...] Vesik method revised Old Defending the Kingdom article on How to Foil Keyloggers now considered out of date and unsafe for use. This article fixes the problem. Comments (0) [...]

By: Ian Saxon

Ian Saxon — Fri, 11 Sep 2009 04:07:30 +0000

@ Dave: Onscreen, online keyboards are reasonably secure, especially if the order that the numbers appear onscreen is random (it’s probably not necessary to change the order after each mouseclick, although it wouldn’t hurt). As you say, though, a screencapture program could probably defeat that if it’s set to capture the screen contents after every mouseclick. Some appear to be capable of such tactics.

Re your second idea: you have to trust the computer you’re on in order to set something like that up! And if you trust your computer, password entry is not much of a problem.

By: Dave

Dave — Fri, 11 Sep 2009 03:39:11 +0000

Ian,
Could the secure website just publish an on screen keybord and let you use mouse clicks? It could also randomly move the keyboard for each character to avoid recording the position of the mouse clicks and someone trying to figure out the pw by pattern. I am not sure if this would be effective if someone was using screen capture.

The other thought I had was to use DDNS to keep track of a home/company based PC for VPN connection. Use that PC to run a script or Master Password program that would enter the Username and Password for you to the website. After you are done you could disable the VPN or somehow have a program reset your VPN password to the next on a list you create. Or some variation of that method.

Man o Man how I hate black hats!

What are your thoughts?

By: Ian Saxon

Ian Saxon — Thu, 10 Sep 2009 23:51:55 +0000

Paul, I agree. It’s definitely a downside to using the method.