LinuxQuestions.org
Old 11-04-2009, 01:15 PM   #31
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1291

Quote:
Originally Posted by Jim Bengtson View Post
From reading this thread, I get the impression that the only solution will be to encrypt the connection between the keyboard and the application (that is, encrypt the connection between the web browser (or logon screen or spreadsheet or ...) and the keyboard such that neither Linux nor any other application or process running on Linux will be able to decrypt the characters being typed).

I wonder how much work it would take to do that?
oh come on, all you need to do is run rkhunter or chkrootkit regularly (which you should do anyway), and maybe check the 'lsof' list once in a while for suspicious activity. I think clamav may also come in handy.
 
Old 11-04-2009, 01:27 PM   #32
mase
LQ Newbie
 
Registered: Jul 2008
Posts: 22

Rep: Reputation: 15
No scanning program will ever detect everything and can potentially be bypassed.

Don't you know what is going on in the Windows world?
So many new viruses everyday that the antivirus firms have a
hard time coping with the masses.
 
Old 11-04-2009, 02:06 PM   #33
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1291
Window$ is not Linux. I can imagine that there are ways to bypass it, but if you know of all the ways and cover them, then you'll be reasonably safe.

Trust me, you will NEVER be 100% secure and safe from malware, unless you don't use the internet, but even then, a simple USB stick could carry it. On Window$, malware is absolutely impossible to control. I have tried many times and failed every time. On Linux, it's much better.
 
Old 11-04-2009, 02:22 PM   #34
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
oh come on, all you need to do is run rkhunter or chkrootkit regularly (which you should do anyway), and maybe check the 'lsof' list once in a while for suspicious activity.
Isn't that closing the barn door after the cows have left? By the time you discover the keylogger is there, it could have sent the logon IDs and passwords of your admins (and god knows what else) to the hackers.

To expand on what I said, the only solution that will prevent the data loss from a keylogger is to encrypt the data flowing from the keyboard to the application. And it has to be application-specific, so that only the application you're using (be it a web browser or logon screen) can decrypt the characters you're sending from your keyboard to the application. It would do no good if the operating system or another application could decrypt the data, because that would potentially allow the keylogger to get the data.
 
Old 11-04-2009, 02:34 PM   #35
jgombos
Member
 
Registered: Jul 2003
Posts: 256

Rep: Reputation: 32
Quote:
Originally Posted by mase View Post
What do you mean making certain keys mouse insensitive?
The user intentionally clicks on keys that have no function?
Yes. If the Ing direct onscreen keyboard were insensitive (buttons unclickable), then users would have no choice but to use the keyboard to enter the randomly mapped keys for their password. In that case, the attacker would have to be both logging keys, and capturing the screen as well.

Quote:
Originally Posted by mase View Post
A way better counter measure against password spying malware
are one-time-passwords imho.
That's a countermeasure that requires every provider to make an expensive change. An RSA key is useless to a user when the provider doesn't support it. It may be more effective, but not *better*, because of the practicality. To be a better option, it has to be cheap, and not require millions of systems to make a change. OTOH, a tool that functions like the Ing tool could be implemented on the client side (I believe tinfoil hat linux does something like this). And ideally, it would incorporate Jim's suggestion and use crypto in cases where the application were wired for it.

Last edited by jgombos; 11-04-2009 at 02:38 PM.
 
Old 11-04-2009, 04:09 PM   #36
mase
LQ Newbie
 
Registered: Jul 2008
Posts: 22

Rep: Reputation: 15
Quote:
Originally Posted by jgombos View Post
Yes. If the Ing direct onscreen keyboard were insensitive (buttons unclickable), then users would have no choice but to use the keyboard to enter the randomly mapped keys for their password. In that case, the attacker would have to be both logging keys, and capturing the screen as well.
It's not hard to combine a keylogger with screenshot making abilities.

Quote:
Originally Posted by jgombos View Post
That's a countermeasure that requires every provider to make an expensive change. An RSA key is useless to a user when the provider doesn't support it. It may be more effective, but not *better*, because of the practicality. To be a better option, it has to be cheap, and not require millions of systems to make a change. OTOH, a tool that functions like the Ing tool could be implemented on the client side (I believe tinfoil hat linux does something like this). And ideally, it would incorporate Jim's suggestion and use crypto in cases where the application were wired for it.
Well if a banking account is not valuable then I don't know anymore.
I've heard of people who have lost 100.000K $ through keyloggers.

If you really want to believe that the onscreen keyboard is secure you can do so, just a matter of time before the bad side will adjust.
 
Old 11-05-2009, 03:21 AM   #37
jgombos
Member
 
Registered: Jul 2003
Posts: 256

Rep: Reputation: 32
Quote:
Originally Posted by mase View Post
It's not hard to combine a keylogger with screenshot making abilities.
You seem to be thinking of a targeted threat. For the much less common case of a sophisticated and determined attacker targeting a specific individual, sure the countermeasures to mitigate that sort of attack would have to be substantial. The more common threat is distributed and untargeted, where malware would attempt to harvest passwords from a large number of machines, in which case grabbing screenshots is just not practical. An attacker could not stay under the radar with the kind of volume of data that would be involved. It just doesn't make any sense to get screenshots, when an attacker can easily go for the low hanging fruit and grab keystrokes. There are quite enough users who are not protected from keyloggers for attackers to not have to consider dealing with screenshots, which requires a good deal of manual effort. AFAIK, there are no tools that can sort through thousands of images and pick out the interesting ones.
Quote:
Originally Posted by mase View Post
Well if a banking account is not valuable then I don't know anymore.
I've heard of people who have lost 100.000K $ through keyloggers.
The OP's inquiry is not restricted to banks. I only brought up Ing because they have an effective means to counter the keylogger.

Moreover, when a bank account is attacked, the victim is the bank. Damage to the end user is incidental, and is more a matter of time and effort than lost assets. And sure, it's worth it to banks to spend money on security, even to the extent of issuing tokens/rsa keys and the like. It's common for European banks to do so. I'm not sure why it's not common in the US. But in any case that's the bank's choice to make, not the consumers'. At best, as consumers, we can only choose between banks, we can't walk up to our existing bank and expect to not get laughed at when we ask for special treatment - to have better security implemented on our account.
Quote:
Originally Posted by mase View Post
If you really want to believe that the onscreen keyboard is secure you can do so, just a matter of time before the bad side will adjust.
There are no absolutes. Being secure is largely a matter of being more secure than the masses.
 
Old 11-05-2009, 03:42 AM   #38
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
IMHO, if you have $100,000 in the bank, you should have a computer dedicated for only banking. A contractor had an account at a bank that used the RSA devices. He had malware on his computer that didn't log his password at all, it just waited for him to authenticate normally and open an https session. The malware then transferred $400,000 from his account.
 
Old 11-05-2009, 05:43 AM   #39
mase
LQ Newbie
 
Registered: Jul 2008
Posts: 22

Rep: Reputation: 15
Quote:
Originally Posted by jgombos View Post
You seem to be thinking of a targeted threat. For the much less common case of a sophisticated and determined attacker targeting a specific individual, sure the countermeasures to mitigate that sort of attack would have to be substantial. The more common threat is distributed and untargeted, where malware would attempt to harvest passwords from a large number of machines, in which case grabbing screenshots is just not practical. An attacker could not stay under the radar with the kind of volume of data that would be involved. It just doesn't make any sense to get screenshots, when an attacker can easily go for the low hanging fruit and grab keystrokes. There are quite enough users who are not protected from keyloggers for attackers to not have to consider dealing with screenshots, which requires a good deal of manual effort. AFAIK, there are no tools that can sort through thousands of images and pick out the interesting ones.
You don't need to target a specific individual, just for example all people who use a certain service. As soon as the program is opened, or the website, you start making screenshots every click for a few minutes or so. Even if you use a keylogger alone you still have to go through all the data to find the passwords, I don't know of an automated way to do so.

Also you will be under the radar, because the user entered his password without knowing that he had malware running.

Quote:
Originally Posted by jgombos View Post
The OP's inquiry is not restricted to banks. I only brought up Ing because they have an effective means to counter the keylogger.

Moreover, when a bank account is attacked, the victim is the bank. Damage to the end user is incidental, and is more a matter of time and effort than lost assets. And sure, it's worth it to banks to spend money on security, even to the extent of issuing tokens/rsa keys and the like. It's common for European banks to do so. I'm not sure why it's not common in the US. But in any case that's the bank's choice to make, not the consumers'. At best, as consumers, we can only choose between banks, we can't walk up to our existing bank and expect to not get laughed at when we ask for special treatment - to have better security implemented on our account.

There are no absolutes. Being secure is largely a matter of being more secure than the masses.
Security is only as good as the weakest link in the chain, so if the
user's computer is infected with malware then the security is mostly gone. And I don't see how it is the bank's fault if the user's computer gets infected.

It is just that banks normally give you your money back.

I'm pretty sure banks can't just do whatever they want, there are regulations / laws. Also you are paying them, so I don't see how you don't have any say.


Quote:
Originally Posted by jgombos View Post
IMHO, if you have $100,000 in the bank, you should have a computer dedicated for only banking. A contractor had an account at a bank that used the RSA devices. He had malware on his computer that didn't log his password at all, it just waited for him to authenticate normally and open an https session. The malware then transferred $400,000 from his account.

A live cd should be enough to prevent most attacks from happening.

The problem of session hijacking is one where I don't know how to prevent it. One could for example install a vnc server, and then, as soon as the person is logged in and has typed his password, grab the window onto your own pc and transfer the money.
 
Old 11-05-2009, 08:30 AM   #40
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
IMHO, if you have $100,000 in the bank, you should have a computer dedicated for only banking.
There's an easier and cheaper solution...

Quote:
Avoid Windows Malware: Bank on a Live CD
http://voices.washingtonpost.com/sec...e_bank_on.html

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.

I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.

But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer.

Why is the operating system important? Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers. Also, the Windows-based malware employed in each of these recent online attacks against businesses was so sophisticated that it made it extremely difficult for banks to tell the difference between a transaction initiated by their customers and a transfer set in motion by hackers who had hijacked that customer's PC.
...
In direct response to this series reported and published by Security Fix, the SANS Technology Institute, a security research and education organization, challenged its students with creating a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. Their conclusion? While there are multiple layers of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix, or Ubuntu. See the SANS report here (PDF).

Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom. The beauty of Live CD distributions is that they can be used to turn a Windows-based PC temporarily into a Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity - are completely wiped away after the machine is shut down. To return to Windows, simply remove the Live CD from the drive and reboot.

More importantly, malware that is built to steal data from Windows-based systems won't load or work when the user is booting from LiveCD. Put simply: even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs.
 
Old 11-05-2009, 08:43 AM   #41
jgombos
Member
 
Registered: Jul 2003
Posts: 256

Rep: Reputation: 32
Quote:
Originally Posted by mase View Post
You don't need to target a specific individual, just for example all people who use a certain service. As soon as the program is opened, or the website, you start making screenshots every click for a few minutes or so.
...
Also you will be under the radar, because the user entered his password without knowing that he had malware running.
That's not under the radar in the slightest. The kind of payloads you're talking about are several orders of magnitude more than any sort of stealthy exploit. It's just too much data to move around the net and expect no one to notice. Malware authors go to extremes to build stealthy malware, to the extent of writing assembly code. What you're proposing is to raise absurdly overt flags to collect data that can be collected in a much more concealable fashion. It makes no sense at all to attack with such visibility when you can harvest passwords with a footprint that's 1/1000th the size.
Quote:
Originally Posted by mase View Post
Even if you use a keylogger alone you still have to go through all the data to find the passwords, I don't know of an automated way to do so.
It doesn't take much sophistication to only record words that fall in the range of the size of a password, or to activate the logger after reading the string "username" or "password". But even if you're sloppy and record all keystrokes for post-delivery analysis, we're still talking very small amounts of data - small enough to harvest from tens of thousands of machines.
Quote:
Originally Posted by mase View Post
Security is only as good as the weakest link in the chain, so if the
user's computer is infected with malware then the security is mostly gone.
My point exactly. If your neighbors' links are considerably weaker than yours, you have less to worry about. Most black hats are opportunists, like the car thief that simply checks for unlocked doors rather than bothering to deal with locks and alarms.
Quote:
Originally Posted by mase View Post
And I don't see how it is the bank's fault if the user's computer gets infected.
It's not a matter of fault. It's law, and liability. And liability is correctly placed on banks, because banks are better equipped to secure accounts, and they're (rightly) expected to be more knowledgeable and diligent about security than laypeople. They're also better equipped legally to prosecute an attacker (lawyers on retainer), and they're financially better equipped to take a loss. It's an incompetent bank that allows their clients' accounts to be vulnerable to keyloggers.
 
Old 11-05-2009, 09:25 AM   #42
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
From the point of view of a bank customer, the deal is that you give them money and they store it until you want it back (to yourself, pay bills or something else that requires transferring the money off). The point of storing is to keep the money available so you can today access it in a variety of places, for example using a credit card, and to take care of it -- no customer would give their money to a bank that states that they couldn't care less if somebody stole the money. Typically customers also pay some (smallish) amount of money for the banking service, and for that money I personally would expect, at the very least, that they make sure the money is not stolen and if it is, it's not me who pays it (because my only way of making sure it's not stolen from the bank is not to have the money in that bank at all). For this reason banks have insurances and so on.

The banks here typically use a two-stage login procedure to prevent password stealing. First there's the normal id-and-password combination over a https connection, which grants one to enter the "private" part of the site. Then, to view account details or take any actions like transfer money, one is presented with a key, and to continue one must search for a pair for that key from a list of one-time keys (i.e. one keypair is used only once). The session ends if too much time passes without any actions (quite a short time really) or if the page is closed. The customer keys are sent as a paper copy, a couple dozen keys at a time, and when there are only a few left, a new list is ordered. The old list is used until the new one arrives, and switching the list then requires a key (if I remember it right, one needs a key from the old list to log in, and a key from the new list to activate it, so both lists are needed at the same time). This makes the life of keyloggers difficult, because in addition to watching the keys they would need to see the (paper) keylist to know what the next key would be. In the past the keys were sorted on the list, but at some point they moved on to random keys, meaning that it's unpredictable which keypair is asked before it is asked.

One bank went even further and spent quite an honorable sum of money to develop a piece of software (in Java) that the client must install in order to authenticate. The point of the software was to collect information from the client computer (it wasn't specified what information, though) and form a sort of fingerprint of it that told the bank the connection was coming from the same computer as before, and not from a neighbour who loaned the keys. I sort of never caught what this was for, because the installation of the software was said to be not as easy as it should be, and because people didn't like the bank collecting information about their computer that way. Plus they of course were tied to using that one computer; I guess modifying the computer could also result in the app rejecting the connection, if those parts were modified that the program collected information from. I don't even think it's too effective, because one would still need the keypairs, and if they can be obtained, I don't think a physical access to the machine is so far away anymore.

All in all, I know of and have heard of a horde of ways to prevent stealing passwords, mostly so that the victim didn't know about it before it was too late (stealing the paper containing keys, for example, would trigger the victim to inform the bank of it, which would cause the keys to be changed). Still none of them is good when you start thinking about it, and most of them cause extra work for the end user. It's good security tech evolves, but so does the opposite, and in the end the only one still winning is a company who provides insurances -- everybody pays for them, but most don't get hit and thus insurance gets more than has to pay. Nice.

Last edited by b0uncer; 11-05-2009 at 09:29 AM.
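The one-time key list procedure described in the post above, sketched as an added example (not part of the original thread and not any bank's actual code). The class and function names, the 4-digit label and 6-digit key formats, and the lockout after three wrong answers are assumptions made for illustration.

```python
import hmac
import secrets


class OneTimeKeyList:
    """Bank-side state for one printed list of one-time key pairs (hypothetical)."""

    def __init__(self, size=24, max_failures=3):
        # label printed on the paper list -> key printed next to it (all random)
        self._pairs = {}
        while len(self._pairs) < size:
            label = f"{secrets.randbelow(10**4):04d}"
            self._pairs[label] = f"{secrets.randbelow(10**6):06d}"
        self._used = set()
        self._pending = None          # the one label the bank is currently asking for
        self._failures = 0
        self._max_failures = max_failures

    def paper_copy(self):
        """The list that is mailed to the customer."""
        return dict(self._pairs)

    def remaining(self):
        return len(self._pairs) - len(self._used)

    def locked(self):
        return self._failures >= self._max_failures

    def next_challenge(self):
        """Ask for a random unused pair, so the next key cannot be predicted."""
        if self.locked():
            raise PermissionError("key list locked after repeated failures")
        unused = [label for label in self._pairs if label not in self._used]
        if not unused:
            raise LookupError("key list exhausted, a new list is needed")
        self._pending = secrets.choice(unused)
        return self._pending

    def verify(self, label, response):
        """Accept only the pair that was just asked for, and only once."""
        if self.locked() or self._pending is None or label != self._pending:
            return False
        self._pending = None
        self._used.add(label)         # burned whether the answer was right or wrong
        ok = hmac.compare_digest(self._pairs[label].encode(), response.encode())
        self._failures = 0 if ok else self._failures + 1
        return ok


def switch_list(old, new, old_answer, new_answer):
    """Activate a new list only with one valid key from the old AND the new list."""
    return old.verify(*old_answer) and new.verify(*new_answer)


def replay_demo():
    """A (label, key) pair captured at the keyboard is worthless after use."""
    keys = OneTimeKeyList(size=6)
    paper = keys.paper_copy()
    label = keys.next_challenge()
    captured = (label, paper[label])   # constructed: what was typed in this session
    first = keys.verify(*captured)
    keys.next_challenge()              # next action: the bank asks for another pair
    replay = keys.verify(*captured)
    return first, replay, keys.remaining()


if __name__ == "__main__":
    print(replay_demo())
```
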
 
Old 11-05-2009, 11:20 AM   #43
mase
LQ Newbie
 
Registered: Jul 2008
Posts: 22

Rep: Reputation: 15
Quote:
Originally Posted by jgombos View Post
Quote:
Originally Posted by mase View Post
You don't need to target a specific individual, just for example all people who use a certain service. As soon as the program is opened, or the website, you start making screenshots every click for a few minutes or so.
...
Also you will be under the radar, because the user entered his password without knowing that he had malware running.
That's not under the radar in the slightest. The kind of payloads you're talking about are several orders of magnitude more than any sort of stealthy exploit. It's just too much data to move around the net and expect no one to notice. Malware authors go to extremes to build stealthy malware, to the extent of writing assembly code. What you're proposing is to raise absurdly overt flags to collect data that can be collected in a much more concealable fashion. It makes no sense at all to attack with such visibility when you can harvest passwords with a footprint that's 1/1000th the size.
And what will be the radar you are talking about? iptables?
How do you configure iptables to differentiate between good and bad
traffic? And since when is it suspicious to move data around on the internet?

The size of the malware itself won't be bigger and it only really matters if you write a trojan, because a text editor that is 10 MB in size is suspicious. And then again you only need a little piece of software that is able to download the actual malware off the net which is what is happening a lot in the windows world.
Once you are in though you can practically do whatever you want.

Quote:
Originally Posted by jgombos View Post
It doesn't take much sophistication to only record words that fall in the range of the size of a password, or to activate the logger after reading the string "username" or "password". But even if you're sloppy and record all keystrokes for post-delivery analysis, we're still talking very small amounts of data - small enough to harvest from tens of thousands of machines.
Just as it doesn't take much sophistication to do the same with a screenshot program. Even if the amount of data in terms of MB is higher,
the actual manual analysis of the data by the attacker will take about as long if you don't record everything.

Quote:
Originally Posted by jgombos View Post
My point exactly. If your neighbors' links are considerably weaker than yours, you have less to worry about. Most black hats are opportunists, like the car thief that simply checks for unlocked doors rather than bothering to deal with locks and alarms.
Malware is getting better and better using even more advanced techniques, and they have to keep producing new malware because otherwise antivirus companies would catch up soon.

Quote:
Originally Posted by jgombos View Post
It's not a matter of fault. It's law, and liability. And liability is correctly placed on banks, because banks are better equipped to secure accounts, and they're (rightly) expected to be more knowledgeable and diligent about security than laypeople. They're also better equipped legally to prosecute an attacker (lawyers on retainer), and they're financially better equipped to take a loss. It's an incompetent bank that allows their clients' accounts to be vulnerable to keyloggers.
The law might protect them which is good, but it likely still was their fault. The bank has no control whatsoever about their customers' computers.

I don't think it's a competent bank if it leaves its customers vulnerable to the screenshot programs I mentioned. If a bank didn't use one-time passwords, ideally in combination with some hardware device, I wouldn't trust it for a second. The use of one-time passwords has long been standard in the banking sector at least in Germany.
 
Old 11-05-2009, 01:53 PM   #44
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,577
Blog Entries: 31

Rep: Reputation: 1196
FYI my bank requires three pieces of information to log on, one of which is a 6-digit number which has to be entered via a drop down list for each digit.

Apparently that is not enough because around a year ago they issued an electronic device which requires 3 inputs: a "smart" bank card, a 4-digit PIN and a transaction amount; given these it generates a ?-digit code which must be entered on the site to validate the transaction.

It is an ordinary "high street" bank.

Last edited by catkin; 11-05-2009 at 01:55 PM. Reason: Hiffenation (it's a phantasmagorical relative of the Gryphon)
 
Old 11-05-2009, 02:07 PM   #45
mase
LQ Newbie
 
Registered: Jul 2008
Posts: 22

Rep: Reputation: 15
Quote:
Originally Posted by catkin View Post
FYI my bank requires three pieces of information to log on, one of which is a 6-digit number which has to be entered via a drop down list for each digit.

Apparently that is not enough because around a year ago they issued an electronic device which requires 3 inputs: a "smart" bank card, a 4-digit PIN and a transaction amount; given these it generates a ?-digit code which must be entered on the site to validate the transaction.

It is an ordinary "high street" bank.
That sounds like a good idea actually, make the transaction key
depend on details of the transaction.

Ideally in a way that it could only be used for this exact transaction.
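A transaction-bound code of the kind discussed in the last two posts, as an added example that is not part of the original thread and not the algorithm of any real bank device. It assumes a key shared between the card and the bank, a bank-issued nonce, and HMAC-SHA256 with HOTP-style truncation; the account names, amounts and class names are constructed, and the recipient and nonce inputs go beyond the card, PIN and amount the post mentions.

```python
import hashlib
import hmac
import secrets


def _encode(*fields):
    """Length-prefix each field so ("AB", "C") and ("A", "BC") never collide."""
    out = b""
    for field in fields:
        raw = str(field).encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out


def transaction_code(card_key, nonce, recipient, amount_cents, digits=8):
    """Decimal code that is only valid for this nonce, recipient and amount."""
    mac = hmac.new(card_key, _encode(nonce, recipient, amount_cents),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # HOTP-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


class CardReader:
    """Hypothetical offline device: the key never leaves it, the PIN unlocks it."""

    def __init__(self, card_key, pin):
        self._key, self._pin = card_key, pin

    def sign(self, pin, nonce, recipient, amount_cents):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        # The customer keys in what THEY intend to pay, not what the PC shows.
        return transaction_code(self._key, nonce, recipient, amount_cents)


class Bank:
    """Hypothetical bank side: recomputes the code over what it actually received."""

    def __init__(self, card_key):
        self._key = card_key
        self._pending = {}                        # nonce -> (recipient, amount)

    def request_transfer(self, recipient, amount_cents):
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (recipient, amount_cents)
        return nonce

    def confirm(self, nonce, code):
        details = self._pending.pop(nonce, None)  # one attempt, one use
        if details is None:
            return False
        expected = transaction_code(self._key, nonce, *details)
        return hmac.compare_digest(expected.encode(), code.encode())


def hijack_demo():
    """Returns (honest transfer, replayed code, transfer altered in the session)."""
    key = secrets.token_bytes(32)
    reader, bank = CardReader(key, "4321"), Bank(key)

    nonce = bank.request_transfer("FRIEND-ACCT", 10_000)
    code = reader.sign("4321", nonce, "FRIEND-ACCT", 10_000)
    honest = bank.confirm(nonce, code)
    replay = bank.confirm(nonce, code)            # same code offered a second time

    # The bank receives different details than the customer keyed into the reader.
    nonce2 = bank.request_transfer("OTHER-ACCT", 40_000_000)
    code2 = reader.sign("4321", nonce2, "FRIEND-ACCT", 10_000)
    altered = bank.confirm(nonce2, code2)
    return honest, replay, altered


if __name__ == "__main__":
    print(hijack_demo())
```

The binding only helps if the customer enters or checks the recipient and amount on the device itself, since anything shown by the PC is under the control of whatever runs on it.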
 
  

