What can one do against Keylogger Attacks?

Discussion in 'Computer Security' started by Yoy G0, Jun 20, 2005.

  1. Yoy G0

    pclogger Guest

    Maybe a combination of biometrics scanners - including smart card
    readers (the latter should be more stringent in its encryption). Having
    said this, the suggested solution has a hint of over paranoid and has
    definitely gone overboard.

    Since this topic is "what can one do against keylogger attacks", my
    guess is that to be sure,
    1) we have to make sure our environment are scanned to make sure there
    is no keyboard logger,
    2) every time we install a new software, we check that we are
    installing good software.
    3) we monitor all outgoing IP traffic (to detect suspicious IP
    activities)
    4) we do not key in any password when we enter our password
    5) we do not allow the keyboard logger to capture any screen that would
    show our password

    1 is probably achieved by using a good AV program and constant O/S
    security upgrades.
    2 is probably achieved by adoptaion of good common sense practice
    3 is probably achieved by a non intrusive IP activity monitor (e.g.
    ipTicker or Ethereal. ipTicker is easier though)
    4 is probably achieved by a good password manager (one that reads in
    encryption data that translates the data internally and then injects
    the password internally i.e. not simulating the keyboard AND not using
    cut and paste technology).
    5 is ??? (not sure) ???.


    My 2 cents worth
     
    pclogger, Jul 24, 2005
    #81
    1. Advertisements


  2. LOL
     
    Luc The Perverse, Jul 24, 2005
    #82
    1. Advertisements

  3. Yoy G0

    nemo_outis Guest


    All of those are sensible precautions and will work reasonably well
    against garden-variety spies.

    However, they are grotesquely deficient against skilled adversaries. For
    instance, if one has uninterrupted access to the machine for a short
    while, it is child's play to install (i.e., substitute) a modified driver
    such that it is also a software keylogger (in addition to whatever else
    it is supposed to do). Drivers will (usually) be invoked at kernel level
    and can log whatever they wish (even simpler if all that is required is
    outside input during system initiation - passwords and such - rather than
    all user input during a session.)

    Similar actions can be done (more conveniently but not quite as robustly)
    with dlls. And it goes on and on.

    Thwarting such methods is possible but usually too inconvenient (e.g.,
    regularly sweep for the SHA256 of all files and check agaionst known-good
    list - and this presumes that third party software is not compromised by
    design in the first place!).

    In short, if you do not have continuous control and custody of the
    machine you are extremely vulnerable. And ANY network connection
    (especially internet) counts as shared custody and control!

    Regards,
     
    nemo_outis, Jul 24, 2005
    #83
  4. Yoy G0

    pclogger Guest

    Good one! To counteract this, besides good sensible precautions, one
    should also have a good pc audit trail logger; an install and forget
    utility that captures normal and unsolicited installation changes
    including
    1) important directory changes (this would capture dll changes as well)
    2) changes to nt services
    3) changes to activex registrations
    4) changes to auto startups
    5) changes to standard installations
    6) changes to schedulers
    7) changes to shared drives and so on ...

    Probably,k depending on the "security needs", one may need to install
    some form of instrusion detector. I think we are going o/t but still
    keen in this discussion - BTW - What is the best intrusion detector in
    the market and how many are using?

    Having a dynamic checksum on all files takes a long time. I should know
    as I did it myself and at the end of the day, I gave up on the
    additional security. Instead, I have to selectively checksum just one
    or two selected directories. Still, I think this is probably the job of
    a good av instead.
    Hence one really need constant O/S patches and a review of
    services/daemons that may expose our vulnerabilities.
     
    pclogger, Jul 24, 2005
    #84
  5. Yoy G0

    panteltje Guest

    There is a saying here:
    Some people will want the whole hand if you give them a finger.....
     
    panteltje, Jul 24, 2005
    #85
  6. Yoy G0

    nemo_outis Guest


    An intrusion detector is a good idea, but far from a panacea. While not a
    classical ID, I use ProcessGuard (in combination with RegDefend). However,
    ANY protection run under the OS is potentially inadequate if one does not
    have continuous control and custody.

    For instance, in principle, the OS could have been compromised to not show
    the keylogger, to misreport its SHA256 or MD5 hash, etc. IOW the keylogger
    may be, in essence, part of a rootkit suite.

    The only solid defence against this is a scan from OUTSIDE the regular OS
    - such as a hash-checker run from a Knoppix CD.

    Yes, it's incredibly tedious but anything less is a kludge.

    Regards,
     
    nemo_outis, Jul 24, 2005
    #86
  7. Yoy G0

    Johan Wevers Guest

    What's wrong with Blowfish? I've never seen any documented attack on it
    other than brute force, which is unusable given the key length.
     
    Johan Wevers, Aug 4, 2005
    #87
  8. Yoy G0

    Crypto Guest

    Joe Ashwood has stated that Blowfish is weak.
     
    Crypto, Aug 4, 2005
    #88
  9. Yoy G0

    Johan Wevers Guest

    All I can find of this person are usenet postings (google with "john ashwood
    blowfish"). Is he supposed to be some authority? And if so, what has he
    published?
     
    Johan Wevers, Aug 5, 2005
    #89
  10. I'd say you didn't do enough searching, but you won't find anything that I
    have published about Blowfish, you will also find that my publications are
    difficult to locate as most have nevertouched the internet. But my statement
    was never that Blowfish is weak, my statement was that Blowfish has some
    minor attacks and is not considered among the state-of-the-art ciphers.

    For the case in question (password storage), the data files are likely to be
    small enough, the data changes infrequent enough, and the data used in such
    a fashion that Blowfish, used in a suitable mode of operation, should be
    sufficient.
    Joe
     
    Joseph Ashwood, Aug 6, 2005
    #90
  11. Yoy G0

    cipherpunk Guest

    Blowfish ... is not considered among the state-of-the-art
    True, although possibly misleading. "State of the art" is usually a
    euphemism for "has no significant track record". Ciphers are about
    trust and confidence as much as they are about the latest and greatest
    mathematical innovations. Nobody would seriously suggest 3DES as a
    state of the art cipher--it's got all the aesthetics of a Soviet-era
    automobile--but the trust and confidence in 3DES is nothing short of
    profound, given that after 25-plus years of cryptanalysis we've yet to
    find any practical results.

    My rule of thumb is I don't move a cipher over into the "I really like
    it" until there's ten years of history to look back over. So pretty
    much by definition, none of my "I really like it" ciphers are state of
    the art.

    3DES: 25+ years, still going strong.
    Blowfish: 12 years, still going strong.
     
    cipherpunk, Aug 6, 2005
    #91
  12. Yoy G0

    Johan Wevers Guest

    OK, a misinterpretaton from the previous poster I assume.
    As is stated in another reply, what matters for ciphers is trust, not
    modernness. Personally I still prefer IDEA.
     
    Johan Wevers, Aug 6, 2005
    #92
  13. Yoy G0

    Crypto Guest

    I agree. Trust comes over time.
    How do you feel about 3IDEA or triple IDEA?
     
    Crypto, Aug 6, 2005
    #93
  14. Yoy G0

    Winged Guest

    I did indicate I do use it.

    Even with it's long key capabilities I wouldn't trust it with nuclear
    secrets, but it's good enough that I use it. I just indicated it might
    be broken by someone if they wanted to bad enough. It is a good cypher.

    Winged
     
    Winged, Aug 7, 2005
    #94
  15. Yoy G0

    Johan Wevers Guest

    If applied the same with 3DES: I don't know enouggh of ciphers to judge
    that. I can't judge if this is stronger than single IDEA. If IDEA is a group
    this won't make it any stronger AFAIK, but I don't know if IDEA is a group.
     
    Johan Wevers, Aug 7, 2005
    #95
  16. Yoy G0

    Crypto Guest


    I'd say you didn't do enough searching, but you won't find anything that I
    have published about Blowfish, you will also find that my publications are
    difficult to locate as most have nevertouched the internet. But my statement
    was never that Blowfish is weak, my statement was that Blowfish has some
    minor attacks and is not considered among the state-of-the-art ciphers.
    [/QUOTE]

    You claimed that CryptoSMS is weak because it uses Blowfish
    as one of its encryption layers. SO which is it? Do these
    "minor" attacks allow you to break Blowfish encrypted messages,
    or not?
    Are short messages equally small enough that Blowfish in CBC mode
    "should be sufficient"?
     
    Crypto, Aug 8, 2005
    #96
  17. [Note to those who are in the groups other than sci.crypt. I am only
    replying to this because these are legitimate questions, [email protected] has been
    nominated for "troll of the year" on sci.crypt for various reasons]

    I claimed that CryptoSMS has so many flaws in every part of it that it's
    strength is somewhere up there with tissue paper, among these was the poor
    selection of cryptographic primitives, which I believe the one I repeatedly
    told you was weak is RC4.
    If the key is strong yes, in the case you are referring to, it was rather
    thoroughly lestablished that the key selection would be heavily flawed. It
    is also critical that the password storage case requires a single file so
    the CBC proof is easily satisfied, using short messages it is far more
    difficult to satisfy.
    Joe
     
    Joseph Ashwood, Aug 10, 2005
    #97
  18. Yoy G0

    Crypto Guest

    Note that Joe has been similarly nominated.
    You claimed it was weak because it *might* have a
    problematic implementation of ARC4 and Blowfish.

    You also pointed out "flaws" that were in fact nonexistent.
    Tissue paper that you can't break?
    Imagined flaws in key selection based on your assumptions about English
    passwords. Such statements make no sense when examined in the light of
    actual/potential pass phrases in use.

    If it is so heavily flawed, why have you not demonstrated real "breaks"
    instead of imaginary ones? The anonymous challenger is still floating
    around, posting requests from time-to-time, which you have been patently
    ignoring.

    Meanwhile, your suggestions of possible weaknesses in CryptoSMS have
    been taken seriously, and pass phrase salting/stretching has been added
    to increase entropy. I really do appreciate the realistic criticisms
    you have posted. Thanks. It's just your continued insults that get
    a little bit tiring.
     
    Crypto, Aug 10, 2005
    #98
  19. [about CryptoSMS]

    This is simply for the other newsgroups, if you want to see the status of
    CryptoSMS feel free to read the threads on sci.crypt I will not be
    discussing it further.
    Joe
     
    Joseph Ashwood, Aug 10, 2005
    #99
  20. Yoy G0

    Cooker Guest

    Online security should be a most for posters of this group.specially if
    u is making shit.:>)

    But I agree. I would like to see here more posts about synthesis or
    people looking for answers that pertain to drug chemistry...
     
    Cooker, Aug 11, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.