am i using sftp? how to make sure no keyloggers in computer?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
clydoris
Forum Newbie
Posts: 10
Joined: Wed Feb 17, 2010 8:59 pm

am i using sftp? how to make sure no keyloggers in computer?

Post by clydoris »

i am a newbie in web programming, and i am using shared computers in uploading files to a webhost.
i am using filezilla, and, my question is, is it using sftp? i'm afraid there are sniffers whenever i am uploading files.

and, how do i make sure that there's no keyloggers in the computer that i am using?

Thanks in advance.
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: am i using sftp? how to make sure no keyloggers in computer?

Post by flying_circus »

clydoris wrote:i am a newbie in web programming, and i am using shared computers in uploading files to a webhost.
i am using filezilla, and, my question is, is it using sftp? i'm afraid there are sniffers whenever i am uploading files.
In Filezilla's connection manager, it gives you the option to select connection type (FTP, SFTP, FTPS, or FTPES)

I use SFTP which connects over SSH on port 22, but this depends on how your webhost is configured. You can google the others to find relevant information on how to set them up. Alternatively, you may use a web-based solution to upload files over HTTPS. It's much more of a PITA to do it that way though.
clydoris wrote:and, how do i make sure that there's no keyloggers in the computer that i am using?

Thanks in advance.
Unless this is a computer you trust exclusively, you can't be sure. If you're using a public computer, all bets are off. If you're super paranoid, download and use a reputable *nix Live CD image.
User avatar
clydoris
Forum Newbie
Posts: 10
Joined: Wed Feb 17, 2010 8:59 pm

Re: am i using sftp? how to make sure no keyloggers in computer?

Post by clydoris »

oh, thanks..
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: am i using sftp? how to make sure no keyloggers in computer?

Post by kaisellgren »

Don't ever use other people's computers for this kind of work. Use your own and make sure it has a some sort of system protection suite (antivirus, antispam, firewall) and use common sense and don't download anything unknown/illegal and don't visit websites or open files you don't trust.

I have a virtualized OS running where I have almost nothing installed besides a firewall and a few tools. It's pretty unlikely to contain any keyloggers.
User avatar
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: am i using sftp? how to make sure no keyloggers in computer?

Post by arjan.top »

kaisellgren wrote:I have a virtualized OS running where I have almost nothing installed besides a firewall and a few tools. It's pretty unlikely to contain any keyloggers.
if the host is "infected" probably the virtual OS is too
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: am i using sftp? how to make sure no keyloggers in computer?

Post by kaisellgren »

arjan.top wrote:
kaisellgren wrote:I have a virtualized OS running where I have almost nothing installed besides a firewall and a few tools. It's pretty unlikely to contain any keyloggers.
if the host is "infected" probably the virtual OS is too
This topic is interesting. Using a VM is certainly more secure than not using one. With VM's like VirtualBox, anything typed on the guest without your keyboard can't be read on the host easily, but that's not the point. The point is to make as many key-loggers defect as possible.

Security and VM's is a topic I like a lot. If the guest is infected (I'm using Windows on the guest, Linux on the host), then can the host be infected? The answer is yes and no. There are two ways to infect the host from the guest that I'm aware of (dis-including vulnerabilities in the VM): bridged connections and shared folders. Infecting via shared folders is simple and I've achieved that with my own testing, but via bridged connections things get more tricky.

When it comes to key-logging, many people don't know that using on-screen keyboards like the one that is bundled with Microsoft Windows is insecure. Windows manages applications by sending them message codes that are interpreted by the programs. The on-screen keyboard sends these same messages just like your keyboard does. A key-logger will successfully capture your on-screen key-strokes. The same thing happens when you type with your keyboard on your guest. The host machine will receive the key-strokes before the guest, and a key-logger on the host will capture them. So, you are partly right there - if the host is infected with a key-logger, it can capture the key-strokes that go to the guest. However, if you don't type with your keyboard, if you use an on-screen keyboard on the guest, the message codes only appear in the VM and the only way to capture these key-strokes is to have the guest infected, access the RAM of the VM or some other way crack the VM. If you really want to avoid key-loggers, you can't trust on-screen keyboards. You need to use your arrow keys, mouse highlight, delete and copy/paste keys to construct your password, but that's not bulletproof either.
Post Reply