LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to prevent spying keyboard input (https://www.linuxquestions.org/questions/linux-security-4/how-to-prevent-spying-keyboard-input-762366/)

indiajoe 10-16-2009 07:55 AM

How to prevent spying keyboard input
 
Hi,
I just made a script to read out /dev/input/event3 into a file (My keyboard is identified here [ Machine is a laptop which runs on slax-atma distro ]).
Then used a hexdump to convert the binary into hex.
After that used a gwak script to print out the keys corresponding to each keyboard input.
So now when I put this in my rc.local , It is taking down all the keys I press. Including login passwords (In short, each and every keys I press).
Isn't this a big security risk, because intruder who has a physical access to my machine or has root password can put this file in rc.local and run a script to mail him all the details like my passwords, account and PIN numbers.
How can I prevent anyone from doing that?
Thanking you in advance.
Joe

H_TeXMeX_H 10-16-2009 08:56 AM

Most interesting, I didn't know this was possible, but it seems like it is possible.

Well, to prevent this you have to prevent anyone else from gaining root access, because you need root access to be able to do this. Once someone has rooted your system, you're pretty much screwed anyway. So, use a strong root password, disable remote login if possible, use a firewall, run chrootkit and rkhunter regularly, etc.

indiajoe 10-16-2009 09:19 AM

Is locking up the only solution?
 
Hi,
Thanks a lot for the tips.
So does it mean that only our locked up computer which we are sure that nobody other than us have access is secure for banking and other purposes?
Because otherwise anybody can boot any machine with a live linux cd, and put this keyboard spy script as root in my rc.local. Then the intruder will get everything including my root password...
Any way to prevent such root access by booting from live cds?
I mean some way of encrypting the linux OS files in my hardisk so that they cannot change anything?
Thanking you,
-Joe

SajeethPhilip 10-16-2009 09:25 AM

It is alarming!! Attention!!
 
Quote:

Originally Posted by indiajoe (Post 3721617)
Hi,
I just made a script to read out /dev/input/event3 into a file (My keyboard is identified here [ Machine is a laptop which runs on slax-atma distro ]).
Then used a hexdump to convert the binary into hex.
After that used a gwak script to print out the keys corresponding to each keyboard input.
So now when I put this in my rc.local , It is taking down all the keys I press. Including login passwords (In short, each and every keys I press).
Isn't this a big security risk, because intruder who has a physical access to my machine or has root password can put this file in rc.local and run a script to mail him all the details like my passwords, account and PIN numbers.
How can I prevent anyone from doing that?
Thanking you in advance.
Joe

Hey, I think Indiajoe has a a point. It is not personal laptop (as in case) that we use. In many public places we have to login perhaps to check e-mail or any such. If it is so easy to squeeze out private information when I type my pin or account number on the grocery store computer, it is alarming me! That is a major security threat than perhaps the virus or spams in Windows machines! The Gurus must certainly look into it and suggest an OS level fix for it.

allend 10-16-2009 09:34 AM

Yet another example of how it is game over when a knowledgable user has physical access.

scourge99 10-27-2009 07:26 PM

Quote:

Originally Posted by indiajoe (Post 3721711)
Hi,
Thanks a lot for the tips.
So does it mean that only our locked up computer which we are sure that nobody other than us have access is secure for banking and other purposes?
Because otherwise anybody can boot any machine with a live linux cd, and put this keyboard spy script as root in my rc.local. Then the intruder will get everything including my root password...
Any way to prevent such root access by booting from live cds?
I mean some way of encrypting the linux OS files in my hardisk so that they cannot change anything?
Thanking you,
-Joe

How about an encrypted hard drive and a BIOS password?

A sturdy lockable computer case wouldn't hurt either.

chrism01 10-27-2009 08:30 PM

1. if someone has physical access, only strong encryption can save you (assuming you DON'T save the key on there).
2. for internet banking, try booting off a LiveCD/usb-drive, that you keep under lock+key

Never do anything confidential on a public system, or anyone else's imho.

allend 10-29-2009 08:19 AM

BIOS passwords and disk encryption will not stop a determined attacker.
http://theinvisiblethings.blogspot.c...truecrypt.html

Lordandmaker 10-29-2009 08:27 AM

Quote:

Originally Posted by chrism01 (Post 3734741)
1. if someone has physical access, only strong encryption can save you (assuming you DON'T save the key on there).

Even this is dubious. Physical access generally moots any logical security.

http://www.schneier.com/blog/archive...aid_attac.html

EDIT: How did I miss allend's post?

win32sux 10-29-2009 10:26 AM

Quote:

Originally Posted by allend (Post 3736601)
BIOS passwords and disk encryption will not stop a determined attacker.
http://theinvisiblethings.blogspot.c...truecrypt.html

Quote:

Originally Posted by Lordandmaker (Post 3736608)
Even this is dubious. Physical access generally moots any logical security.

http://www.schneier.com/blog/archive...aid_attac.html

EDIT: How did I miss allend's post?

I remember reading about this kind of attack almost five years ago:
Quote:

So, can you trust your computer? Unless you carry it with you everywhere, you really can't. This is true even if the disks have been encrypted. Consider this scenario: someone steals your computer as you sleep. The thief makes a copy of the encrypted contents of the computer, even though they are useless to him without their encryption key. He then replaces the encrypted laptop contents with something a little more diabolical and puts the computer back. When you wake up the next day, the computer prompts for an encryption password as it does every morning. But this time when you provide the key it electronically transmits the key to the thief. Because he now has a copy of your data and key, he can read your files.
Still, the additional insight provided by Bruce Schneier and Joanna Rutkowska was quite refreshing. It was weird to see Ms. Rutkowska doing the kind of stuff that us ordinary people do. Weird in a good way, though. :)

XavierP 10-29-2009 10:35 AM

I saw a suggestion about a way to prevent this. You type in some random characters, highlight them, overtype with more random characters, highlight them, overtype with more random characters + the first letter of your password, highlight everything except this first character, overtype randomly + the second character and continue doing this until you have built up the whole password. Because you don't delete anything, the keylogger will end up with a very long random character string. Obviously, if you do this regularly, a determined cracker will be able to figure out your password from the repeated entries. As well, the practicality of doing this is somewhat questionable.

scourge99 10-29-2009 06:31 PM

Quote:

Originally Posted by win32sux (Post 3736755)
I remember reading about this kind of attack almost five years ago:Still, the additional insight provided by Bruce Schneier and Joanna Rutkowska was quite refreshing. It was weird to see Ms. Rutkowska doing the kind of stuff that us ordinary people do. Weird in a good way, though. :)

Quote:

So, can you trust your computer? Unless you carry it with you everywhere, you really can't. This is true even if the disks have been encrypted. Consider this scenario: someone steals your computer as you sleep. The thief makes a copy of the encrypted contents of the computer, even though they are useless to him without their encryption key. He then replaces the encrypted laptop contents with something a little more diabolical and puts the computer back. When you wake up the next day, the computer prompts for an encryption password as it does every morning. But this time when you provide the key it electronically transmits the key to the thief. Because he now has a copy of your data and key, he can read your files.
How are they going to copy the hard drive when they can't access anything on the case but USB, firewire, Ethernet?

I suppose if they hacked the BIOS they could boot a USB stick image then DD the hard drive.

All the attacks mentioned require running an image not on the hard drive and getting unbridled access to the hard drive.

indiajoe 10-29-2009 11:38 PM

Selecting password problem
 
The method XaviourP suggested works wonderfully well when I use it in Firefox and other internet browsers.
So I think it is an excellent way to prevent spying while using internet on others machine.
But selection and over typing is not working when I try it on my password to login as user in my machine and other instances where we give root password to run some applications as root. The password simply won't get replaced when we type. I am using KDE . I guess it is a security measure to prevent people spying on the buffer which stores selection.
-Cheers
indiajoe

win32sux 10-30-2009 03:23 AM

Quote:

Originally Posted by scourge99 (Post 3737280)
How are they going to copy the hard drive when they can't access anything on the case but USB, firewire, Ethernet?

By removing the hard drive and connecting it to another computer.

Quote:

I suppose if they hacked the BIOS they could boot a USB stick image then DD the hard drive.
That's a possibility, yes.

Quote:

All the attacks mentioned require running an image not on the hard drive and getting unbridled access to the hard drive.
Yes, the type of physical access which is given to maids/janitors across the world every single day.

H_TeXMeX_H 10-30-2009 05:36 AM

Simple solution: don't leave your laptop unattended.


All times are GMT -5. The time now is 06:05 AM.