How to prevent spying keyboard input
Hi,
I just made a script to read out /dev/input/event3 into a file (My keyboard is identified here [ Machine is a laptop which runs on slax-atma distro ]). Then used a hexdump to convert the binary into hex. After that used a gwak script to print out the keys corresponding to each keyboard input. So now when I put this in my rc.local , It is taking down all the keys I press. Including login passwords (In short, each and every keys I press). Isn't this a big security risk, because intruder who has a physical access to my machine or has root password can put this file in rc.local and run a script to mail him all the details like my passwords, account and PIN numbers. How can I prevent anyone from doing that? Thanking you in advance. Joe |
Most interesting, I didn't know this was possible, but it seems like it is possible.
Well, to prevent this you have to prevent anyone else from gaining root access, because you need root access to be able to do this. Once someone has rooted your system, you're pretty much screwed anyway. So, use a strong root password, disable remote login if possible, use a firewall, run chrootkit and rkhunter regularly, etc. |
Is locking up the only solution?
Hi,
Thanks a lot for the tips. So does it mean that only our locked up computer which we are sure that nobody other than us have access is secure for banking and other purposes? Because otherwise anybody can boot any machine with a live linux cd, and put this keyboard spy script as root in my rc.local. Then the intruder will get everything including my root password... Any way to prevent such root access by booting from live cds? I mean some way of encrypting the linux OS files in my hardisk so that they cannot change anything? Thanking you, -Joe |
It is alarming!! Attention!!
Quote:
|
Yet another example of how it is game over when a knowledgable user has physical access.
|
Quote:
A sturdy lockable computer case wouldn't hurt either. |
1. if someone has physical access, only strong encryption can save you (assuming you DON'T save the key on there).
2. for internet banking, try booting off a LiveCD/usb-drive, that you keep under lock+key Never do anything confidential on a public system, or anyone else's imho. |
BIOS passwords and disk encryption will not stop a determined attacker.
http://theinvisiblethings.blogspot.c...truecrypt.html |
Quote:
http://www.schneier.com/blog/archive...aid_attac.html EDIT: How did I miss allend's post? |
Quote:
Quote:
Quote:
|
I saw a suggestion about a way to prevent this. You type in some random characters, highlight them, overtype with more random characters, highlight them, overtype with more random characters + the first letter of your password, highlight everything except this first character, overtype randomly + the second character and continue doing this until you have built up the whole password. Because you don't delete anything, the keylogger will end up with a very long random character string. Obviously, if you do this regularly, a determined cracker will be able to figure out your password from the repeated entries. As well, the practicality of doing this is somewhat questionable.
|
Quote:
Quote:
I suppose if they hacked the BIOS they could boot a USB stick image then DD the hard drive. All the attacks mentioned require running an image not on the hard drive and getting unbridled access to the hard drive. |
Selecting password problem
The method XaviourP suggested works wonderfully well when I use it in Firefox and other internet browsers.
So I think it is an excellent way to prevent spying while using internet on others machine. But selection and over typing is not working when I try it on my password to login as user in my machine and other instances where we give root password to run some applications as root. The password simply won't get replaced when we type. I am using KDE . I guess it is a security measure to prevent people spying on the buffer which stores selection. -Cheers indiajoe |
Quote:
Quote:
Quote:
|
Simple solution: don't leave your laptop unattended.
|
Mouse Highlighting not effective
I do not think that the suggestion to highlight using the mouse and retype is an effective solution. With a bit of homework, the mouse movement can be tracked just like the keyboard inputs and be automated to filter out what all has been highlighted and removed to get the secreat word!
As it was pointed out, the encryption method also can be hacked in the same way. The only method to prevent it is to secure the keyboard entry using some secure hardcoded key unique(?) to each system. It is important that such coding does not produce the same code when the inputs are similar. Otherwise standard attacks in cryptography could again pause a threat. |
Ing Direct (a bank) has a very simple login that counters keylogger attacks. They use an onscreen keyboard, each key displaying a random unique character next to it. You can click out your password, or you can use keyboard, but instead of typing your password you enter the randomly mapped characters instead.
Of course only your Ing password is safe. But I believe tinfoilhat linux has a similar feature for all password entry. |
[QUOTE=scourge99;3737280]How are they going to copy the hard drive when they can't access anything on the case but USB, firewire, Ethernet?
seriously? ... thats like saying how can they turn the computer on when they only have access to the power button. lol |
Quote:
|
Quote:
|
Quote:
Moreover, screen captures on clicks would not be effective if a user hits backspace and clicks elsewhere a couple times, or if they use the keyboard to do the entry. |
Quote:
but you can rest assures that there is malware out there, at least on windows, designed to steal user passwords by making screenshots, capturing keys and reading the clipboard. So thinking that a screen keyboard can protect you against password stealing is a false sense of security imho. |
Well, to test this theory out, I made a keylogger (using borrowed code) to do exactly what the OP says. I noticed that if you do this you can find it by simply running:
Code:
lsof | grep input For example: no keylogger working: Code:
bash-3.1# lsof | grep input Code:
bash-3.1# lsof | grep input |
Quote:
The rootkit would replace the lsof binary in a way that it doesn't display the keylogger anymore. |
Ah, well in that case, use chrootkit and rkhunter ...
|
Quote:
Ing's approach effectively counters the keylogger - and more login screens should be following their lead. The screenshot attack you mention requires considerably more sophistication from the attacker, and it only works in the case of basic mouse entry, which is easily countered on the server side by simply making the onscreen keys mouse-insensitive. |
Quote:
or a keylogger with screenshot abilitys. All he cares about is that his money is now gone and he wants protection from that. Quote:
then a keylogger. It might even be the other way round, I do not know of a way to prevent a normal user to make screenshots of all windows at the moment. So it might be harder to create a keylogger that can log keys of all windows. What do you mean making certain keys mouse insensitive? The user intentionally clicks on keys that have no function? A way better counter measure against password spying malware are one-time-passwords imho. Because even if the program spys the password it would be useless if the user could still login, so you need a way of preventing the login from happening and that will be suspicious at least. |
Quote:
Problem is that getting one to every single user doesn't seem practical. Especially with our less than tech-savvy population. |
From reading this thread, I get the impression that the only solution will be to encrypt the connection between the keyboard and the application (that is, encrypt the connection between the web browser (or logon screen or spreadsheet or ...) and the keyboard such neither Linux nor any other application or process running on Linux will be able to decrypt the characters being typed).
I wonder how much work it would take to do that?:scratch: |
Something like a smartcard reader with a keypad should be able to do that.
The smartcard would then take your PIN to encrypt / authenticate. But that requires support on the other side as the USB key from RSA does. |
Quote:
|
No scanning program will ever detect everything and can potentially be bypassed.
Don't you know what is going on in the Windows world? So many new viruses everyday that the antivirus firms have a hard time coping with the masses. |
Window$ is not Linux. I can imagine that there are ways to bypass it, but if you know of all the ways and cover them, then you'll be reasonably safe.
Trust me, you will NEVER be 100% secure and safe from malware, unless you don't use the internet, but even then, a simple USB stick could carry it. On Window$, malware is absolutely impossible to control. I have tried many times and failed every time. On Linux, it's much better. |
Quote:
To expand on what I said, the only solution that will prevent the data loss from a keylogger is to encrypt the data flowing from the keyboard to the application. And it has to be application-specific, so that only the application you're using (be it a web browser or logon screen) can decrypt the characters you're sending from your keyboard to the application. It would do no good if the operating system or another application could decrypt the data, because that would potentially allow the keylogger to get the data. |
Quote:
Quote:
|
Quote:
Quote:
I've heard of people who have lost 100.000K $ through keyloggers. If you really want to believe that the onscreen keyboard is secure you can do so, just a matter of time before the bad side will adjust. |
Quote:
Quote:
Moreover, when a bank account is attacked, the victim is the bank. Damage to the end user is incidental, and is more a matter of time and effort than lost assets. And sure, it's worth it to banks to spend money on security, even to the extent of issuing tokens/rsa keys and the like. It's common for European banks to do so. I'm not sure why it's not common in the US. But in any case that's the banks choice to make, not the consumers. At best, as consumers, we can only choose between banks, we can't walk up to our existing bank and expect to not get laughed at when we ask for special treatment - to have better security implemented on our account. Quote:
|
IMHO, if you have $100,000 in the bank, you should have a computer dedicated for only banking. A contractor had an account at a bank that used the RSA devices. He had malware on his computer that didn't log his password at all, it just waited for him to authenticate normally and open an https session. The malware then transferred $400,000 from his account.
|
Quote:
Also you will be under the radar, because the user entered his password without knowing that he had malware running. Quote:
users computer is infected with malware then the security is mostly gone. And I don't see how it is the banks fault if the users computer gets infected. It is just that banks normally give you your money back. I'm pretty sure banks can't just do whatever they want, there are regulations / laws. Also you are paying them, so I don't see how you don't have any saying. [QUOTE=jgombos;] IMHO, if you have $100,000 in the bank, you should have a computer dedicated for only banking. A contractor had an account at a bank that used the RSA devices. He had malware on his computer that didn't log his password at all, it just waited for him to authenticate normally and open an https session. The malware then transferred $400,000 from his account. /QUOTE] A live cd should be enough to prevent most attacks from happening. The problem of session hijacking is one where I don't know how to prevent it. One could for example install a vnc server, and then, as soon as the person is logged in and has typed his password, grab the window onto your own pc and transfer the money. |
Quote:
Quote:
|
[QUOTE=mase;3745524]You don't need to target a specific individual, just for example all people who use a certain service. As soon as the programm is opened, or the website, you start making screenshots every click for a few minutes or so.
... Also you will be under the radar, because the user entered his password without knowing that he had malware running. [/quotes] That's not under the radar in the slightest. The kind of payloads you're talking about are several orders of magnitude more than any sort of stealthy exploit. It's just too much data to move around the net and expect no one to notice. Malware authors go to extremes build stealthy malware, to the extent of writing assembly code. What you're proposing is to raise absurdly overt flags to collect data that can be collected in a much more concealable fashion. It makes no sense at all to attack with such visibility when you can harvest passwords with footprint that's 1/1000th the size. Quote:
Quote:
Quote:
|
From the point of view of a bank customer, the deal is that you give them money and they store it until you want it back (to yourself, pay bills or something else that requires transferring the money off). The point of storing is to keep the money available so you can today access it in a variety of places, for example using a credit card, and to take care of it -- no customer would give their money to a bank that states that they couldn't care less if somebody stole the money. Typically customers also pay some (smallish) amount of money for the banking service, and for that money I personally would expect, at the very least, that they make sure the money is not stolen and if it is, it's not me who pays it (because my only way of making sure it's not stolen from the bank is not to have the money in that bank at all). For this reason banks have insurances and so on.
The banks here use typically a two-stage login procedure to prevent password stealing. First there's the normal id-and-password combination over a https connection, which grants one to enter the "private" part of the site. Then, to view account details or take any actions like transfer money, one is presented with a key, and to continue one must search for a pair for that key from a list of one-time keys (i.e. one keypair is used only once). The session ends if too much time passes without any actions (quite a short time really) or if the page is closed. The customer keys are sent as a paper copy, a couple dozen keys at a time, and when there are only a few left, new list is ordered. The old list is used until the new one arrives, and switching the list then requires a key (if I remember it right, one needs a key from the old list to log in, and a key from the new list to activate it, so both lists are needed at the same time). This makes the life of keyloggers difficult, because in addition to watching the keys they would need to see the (paper) keylist to know what the next key would be. In the past the keys were sorted on the list, but at some point they moved on to random keys, meaning that it's unpredictable which keypair is asked before it is asked. One bank went even further and spent quite a honorable sum of money to develop a piece of software (in Java) that the client must install in order to authenticate. The point of the software was to collect information from the client computer (it wasn't specified what information, though) and form a sort of fingerprint of it that told the bank the connection was coming from the same computer as before, and not from a neighbour who loaned the keys. I sort of never catched what this was for, because the installation of the software was said to be not as easy as it should, and because people didn't like the bank collecting information about their computer that way. Plus they of course were tied to using that one computer; I guess modifying the computer could also result in the app rejecting the connection, if those parts were modified that the program collected information from. I don't even think it's too effective, because one would still need the keypairs, and if they can be obtained, I don't think a physical access to the machine is so far away anymore. All in all, I know of and have heard of a horde of ways to prevent stealing passwords, mostly so that the victim didn't know about it before it was too late (stealing the paper containing keys, for example, would trigger the victim to inform the bank of it, which would cause the keys to be changed). Still none of them is good when you start thinking about it, and most of them cause extra work for the end user. It's good security tech evolves, but so does the opposite, and in the end the only one still winning is a company who provides insurances -- everybody pays for them, but most don't get hit and thus insurance gets more than has to pay. Nice. |
[QUOTE=jgombos;3745718]
Quote:
How do you configure iptables to differentiate between good and bad traffic? And since when is it suspicious to move data around on the internet? The size of the malware itself won't be bigger and it only really matters if you write a trojan, because a text editor that is 10 MB in size is suspicious. And then again you only need a little piece of software that is able to download the actual malware of the net which is what is happening a lot in the windows world. Once you are in though you can practically do whatever you want. Quote:
the actual manual analysis of the data by the attacker will take about as long if you don't record everything. Quote:
Quote:
I don't think it's a competent bank if it lets its customers vulnerable to the screenshot programs I mentioned. If a bank didn't use one-time password, ideally in combination with some hardware device, I wouldn't trust it for a second. The use of one-time passwords has long been standard in the banking sector at least in germany. |
FYI my bank requires three pieces of information to log on, one of which is a 6-digit number which has to be entered via a drop down list for each digit.
Apparently that is not enough because around a year ago they issued an electronic device which requires 3 inputs: a "smart" bank card, a 4-digit PIN and a transaction amount; given these it generates a ?-digit code which must be entered on the site to validate the transaction. It is an ordinary "high street" bank. |
Quote:
depend on details of the transaction. Ideally in a way that it could only be used for this exact transaction. |
Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
|
So, after all this discussion I feel that a live cd would be the solution but....
1. the live cd should be in position to interact with the bank's site without any changes in the programs installed by default 2. the live cd should not allow any changes to the system (not even RAM after boot) ,not even an installation of a cookie I don't know if my suggestions are applicable to a system but I like the idea. P.S World's changes come from small ideas :) |
I wonder if anyone's put together a live CD with a version of Linux that is pared down to the bare bones necessary to support a browser (TCP/IP, Firefox, javascript, and Java(?)), and is hardened. It's purpose would be a bootable, secure browser and nothing else, so you could use it for banking, secure transactions, and for venturing where the malware is thick.
Being Linux, most malware won't work anyways. Being a live CD, any virus infections disappear when you reboot, so it wouldn't matter. The logo would be Tux in an enviro-suit. |
Quote:
|
Quote:
|
All times are GMT -5. The time now is 10:07 AM. |