LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 10-16-2009, 07:55 AM   #1
indiajoe
Member
 
Registered: Jan 2009
Location: India
Distribution: Porteus atma
Posts: 84

Rep: Reputation: 21
Lightbulb How to prevent spying keyboard input


Hi,
I just made a script to read out /dev/input/event3 into a file (My keyboard is identified here [ Machine is a laptop which runs on slax-atma distro ]).
Then used a hexdump to convert the binary into hex.
After that used a gwak script to print out the keys corresponding to each keyboard input.
So now when I put this in my rc.local , It is taking down all the keys I press. Including login passwords (In short, each and every keys I press).
Isn't this a big security risk, because intruder who has a physical access to my machine or has root password can put this file in rc.local and run a script to mail him all the details like my passwords, account and PIN numbers.
How can I prevent anyone from doing that?
Thanking you in advance.
Joe
 
Old 10-16-2009, 08:56 AM   #2
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Most interesting, I didn't know this was possible, but it seems like it is possible.

Well, to prevent this you have to prevent anyone else from gaining root access, because you need root access to be able to do this. Once someone has rooted your system, you're pretty much screwed anyway. So, use a strong root password, disable remote login if possible, use a firewall, run chrootkit and rkhunter regularly, etc.
 
Old 10-16-2009, 09:19 AM   #3
indiajoe
Member
 
Registered: Jan 2009
Location: India
Distribution: Porteus atma
Posts: 84

Original Poster
Rep: Reputation: 21
Is locking up the only solution?

Hi,
Thanks a lot for the tips.
So does it mean that only our locked up computer which we are sure that nobody other than us have access is secure for banking and other purposes?
Because otherwise anybody can boot any machine with a live linux cd, and put this keyboard spy script as root in my rc.local. Then the intruder will get everything including my root password...
Any way to prevent such root access by booting from live cds?
I mean some way of encrypting the linux OS files in my hardisk so that they cannot change anything?
Thanking you,
-Joe
 
Old 10-16-2009, 09:25 AM   #4
SajeethPhilip
LQ Newbie
 
Registered: Oct 2009
Posts: 2

Rep: Reputation: 0
Angry It is alarming!! Attention!!

Quote:
Originally Posted by indiajoe View Post
Hi,
I just made a script to read out /dev/input/event3 into a file (My keyboard is identified here [ Machine is a laptop which runs on slax-atma distro ]).
Then used a hexdump to convert the binary into hex.
After that used a gwak script to print out the keys corresponding to each keyboard input.
So now when I put this in my rc.local , It is taking down all the keys I press. Including login passwords (In short, each and every keys I press).
Isn't this a big security risk, because intruder who has a physical access to my machine or has root password can put this file in rc.local and run a script to mail him all the details like my passwords, account and PIN numbers.
How can I prevent anyone from doing that?
Thanking you in advance.
Joe
Hey, I think Indiajoe has a a point. It is not personal laptop (as in case) that we use. In many public places we have to login perhaps to check e-mail or any such. If it is so easy to squeeze out private information when I type my pin or account number on the grocery store computer, it is alarming me! That is a major security threat than perhaps the virus or spams in Windows machines! The Gurus must certainly look into it and suggest an OS level fix for it.
 
Old 10-16-2009, 09:34 AM   #5
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,282

Rep: Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924
Yet another example of how it is game over when a knowledgable user has physical access.
 
Old 10-27-2009, 07:26 PM   #6
scourge99
LQ Newbie
 
Registered: Jun 2009
Posts: 24

Rep: Reputation: 16
Quote:
Originally Posted by indiajoe View Post
Hi,
Thanks a lot for the tips.
So does it mean that only our locked up computer which we are sure that nobody other than us have access is secure for banking and other purposes?
Because otherwise anybody can boot any machine with a live linux cd, and put this keyboard spy script as root in my rc.local. Then the intruder will get everything including my root password...
Any way to prevent such root access by booting from live cds?
I mean some way of encrypting the linux OS files in my hardisk so that they cannot change anything?
Thanking you,
-Joe
How about an encrypted hard drive and a BIOS password?

A sturdy lockable computer case wouldn't hurt either.

Last edited by scourge99; 10-27-2009 at 07:33 PM.
 
Old 10-27-2009, 08:30 PM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.10, Centos 7.5
Posts: 17,670

Rep: Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487Reputation: 2487
1. if someone has physical access, only strong encryption can save you (assuming you DON'T save the key on there).
2. for internet banking, try booting off a LiveCD/usb-drive, that you keep under lock+key

Never do anything confidential on a public system, or anyone else's imho.
 
Old 10-29-2009, 08:19 AM   #8
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,282

Rep: Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924Reputation: 1924
BIOS passwords and disk encryption will not stop a determined attacker.
http://theinvisiblethings.blogspot.c...truecrypt.html
 
Old 10-29-2009, 08:27 AM   #9
Lordandmaker
Member
 
Registered: Sep 2005
Location: London, UK
Distribution: Debian
Posts: 258

Rep: Reputation: 39
Quote:
Originally Posted by chrism01 View Post
1. if someone has physical access, only strong encryption can save you (assuming you DON'T save the key on there).
Even this is dubious. Physical access generally moots any logical security.

http://www.schneier.com/blog/archive...aid_attac.html

EDIT: How did I miss allend's post?
 
Old 10-29-2009, 10:26 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by allend View Post
BIOS passwords and disk encryption will not stop a determined attacker.
http://theinvisiblethings.blogspot.c...truecrypt.html
Quote:
Originally Posted by Lordandmaker View Post
Even this is dubious. Physical access generally moots any logical security.

http://www.schneier.com/blog/archive...aid_attac.html

EDIT: How did I miss allend's post?
I remember reading about this kind of attack almost five years ago:
Quote:
So, can you trust your computer? Unless you carry it with you everywhere, you really can't. This is true even if the disks have been encrypted. Consider this scenario: someone steals your computer as you sleep. The thief makes a copy of the encrypted contents of the computer, even though they are useless to him without their encryption key. He then replaces the encrypted laptop contents with something a little more diabolical and puts the computer back. When you wake up the next day, the computer prompts for an encryption password as it does every morning. But this time when you provide the key it electronically transmits the key to the thief. Because he now has a copy of your data and key, he can read your files.
Still, the additional insight provided by Bruce Schneier and Joanna Rutkowska was quite refreshing. It was weird to see Ms. Rutkowska doing the kind of stuff that us ordinary people do. Weird in a good way, though.

Last edited by win32sux; 10-29-2009 at 10:31 AM.
 
Old 10-29-2009, 10:35 AM   #11
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475Reputation: 475Reputation: 475Reputation: 475Reputation: 475
I saw a suggestion about a way to prevent this. You type in some random characters, highlight them, overtype with more random characters, highlight them, overtype with more random characters + the first letter of your password, highlight everything except this first character, overtype randomly + the second character and continue doing this until you have built up the whole password. Because you don't delete anything, the keylogger will end up with a very long random character string. Obviously, if you do this regularly, a determined cracker will be able to figure out your password from the repeated entries. As well, the practicality of doing this is somewhat questionable.
 
Old 10-29-2009, 06:31 PM   #12
scourge99
LQ Newbie
 
Registered: Jun 2009
Posts: 24

Rep: Reputation: 16
Quote:
Originally Posted by win32sux View Post
I remember reading about this kind of attack almost five years ago:Still, the additional insight provided by Bruce Schneier and Joanna Rutkowska was quite refreshing. It was weird to see Ms. Rutkowska doing the kind of stuff that us ordinary people do. Weird in a good way, though.
Quote:
So, can you trust your computer? Unless you carry it with you everywhere, you really can't. This is true even if the disks have been encrypted. Consider this scenario: someone steals your computer as you sleep. The thief makes a copy of the encrypted contents of the computer, even though they are useless to him without their encryption key. He then replaces the encrypted laptop contents with something a little more diabolical and puts the computer back. When you wake up the next day, the computer prompts for an encryption password as it does every morning. But this time when you provide the key it electronically transmits the key to the thief. Because he now has a copy of your data and key, he can read your files.
How are they going to copy the hard drive when they can't access anything on the case but USB, firewire, Ethernet?

I suppose if they hacked the BIOS they could boot a USB stick image then DD the hard drive.

All the attacks mentioned require running an image not on the hard drive and getting unbridled access to the hard drive.
 
Old 10-29-2009, 11:38 PM   #13
indiajoe
Member
 
Registered: Jan 2009
Location: India
Distribution: Porteus atma
Posts: 84

Original Poster
Rep: Reputation: 21
Selecting password problem

The method XaviourP suggested works wonderfully well when I use it in Firefox and other internet browsers.
So I think it is an excellent way to prevent spying while using internet on others machine.
But selection and over typing is not working when I try it on my password to login as user in my machine and other instances where we give root password to run some applications as root. The password simply won't get replaced when we type. I am using KDE . I guess it is a security measure to prevent people spying on the buffer which stores selection.
-Cheers
indiajoe
 
Old 10-30-2009, 03:23 AM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by scourge99 View Post
How are they going to copy the hard drive when they can't access anything on the case but USB, firewire, Ethernet?
By removing the hard drive and connecting it to another computer.

Quote:
I suppose if they hacked the BIOS they could boot a USB stick image then DD the hard drive.
That's a possibility, yes.

Quote:
All the attacks mentioned require running an image not on the hard drive and getting unbridled access to the hard drive.
Yes, the type of physical access which is given to maids/janitors across the world every single day.
 
Old 10-30-2009, 05:36 AM   #15
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Simple solution: don't leave your laptop unattended.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Prevent un-blanking due to input events RuchiS Linux - Software 1 09-26-2009 09:07 PM
Repeated "input: AT Translated Set 2 keyboard as /class/input/input" messages AcerKev Mandriva 2 09-16-2007 08:35 AM
No keyboard input under gnome. gatdrydock Linux - Software 1 07-10-2005 03:15 PM
my mouse input is takes as keyboard input in BASH e1000 Slackware 5 12-08-2003 03:00 PM
No keyboard input seen neo77777 Linux - General 5 07-12-2002 09:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration