Here’s a product about to be announced that claims to really protect users against keylogging — when bad guys capture the keystrokes you make and then transmit them back to base: StrikeForce’s WebSecure (PDF file).
The basic idea, StrikeForce’s PR guy Adam Parken tells me, is that “keystrokes are encrypted at the hardware driver and delivered directly to the browser.” This, he says, “gets around the OS, messaging service, etc. where keyloggers normally hide.” It looks a bit like this (from a WebSecure presentation):
If that makes any sense. The grey boxes are the bits in between the keyboard and the network, and they’re all places that keyloggers hide. Anti-keylogging programs, as I understand them, are usually merely programs that try to guess what’s going on, and, if they see something sleazy, warn the user. Usually this is based on prior knowledge, or a library, of known keyloggers or known keylogging tricks.
WebSecure, instead, according to the press release, “automatically encrypts every keystroke at the keyboard level, then reroutes those encrypted keystrokes directly to the Web browser, bypassing the multiple communication areas that are vulnerable to keylogging attacks.”
WebSecure is going to be demoed at DEMO here sometime in the next 24 hours or so. If they do the job seamlessly and as promised, WebSecure could be quite a useful tool for companies and end users. But it’s an area long tackled and never conquered by security software developers, so I’m not holding my breath.