Beating keyloggers
Submitted by jaffcat on October 23, 2008 - 3:46pm
Hi Guys,
I have been reading the forums for a while and know that it's best not to type information into insecure PCs. HOWEVER, I am planning to travel early next year and need to work out the best/safest way to access a bank account to check funds and transfer money. Keepass 2 looked to be the answer, but needs .NET to work, which I cannot be sure will be installed. So how can I make myself as safe as possible to beat keyloggers etc.?
Any help please..... I need to find the safest solution possible. Not using public PCs is not an answer.
Cheers, and thanks.
Richard
What makes
Keepass 2 better than Keepass 1?
I know Keepass 2 is the newer version but I think Version 1 is pretty good too.
And against hardware keyloggers, there isn't anything you could do anyhow.
"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate
Not Much
You can use the virtual keyboard to get around hardware keyloggers. And copy/paste from KeePass into a browser to get around em a bit. And ClamWin to scan for viruses/malware that may log.
Sometimes, the impossible can become possible, if you're awesome!
TCATO!!
Having been to the KeePass site I came across the following, which is the thing I was referring to.
Richard
--
Is Auto-Type keylogger-safe?
KeePass 2.x Only
By default: no. The Auto-Type method in KeePass 2.x works the same as the one in 1.x and consequently is not keylogger-safe.
Anyway, KeePass features an alternative method called Two-Channel Auto-Type Obfuscation (TCATO), which renders keyloggers completely useless. This is an opt-in feature (because it doesn't work with all windows) and must be enabled for entries manually. See the TCATO documentation for details.
Linux Live Disc, all the way
Linux Live Disc, all the way
Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world
That's a good idea
but it might be hard convincing the guy in the internet cafe to let you reboot the PC. And it won't help against hardware keyloggers.
I didn't know Virtual Keyboard would help against them either.
"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate
Copy/Paste is as easy to log
Copy/Paste is as easy to log by keyloggers/spyware as is logging what you type.
Yes and No
Not all keyloggers trap the clipboard. And I think some do it based on CTRL-V so right-click and paste would get around it.
Sometimes, the impossible can become possible, if you're awesome!
Thanks Guys..but anymore ideas?
I still need to find a usable way of gaining access to accounts....
Could I use a portable scanner (any suggestions?) to look for software keyloggers and then, if that is clear, use John's idea of copy and paste to beat hardware systems?
Thanks for your suggestions.....
Keep them coming
Richard
If you can't trust the
If you can't trust the machine, you can't trust the machine. There's not much you can do about it.
Someone who has physical access to the machine (e.g. the Internet Cafe's owner) can do all sorts of things to it, from hardware keyloggers to various low-level monitors. Even booting with a LiveCD wouldn't get around a hardware keylogger (though copy and paste, or an on-screen keyboard, would be a fairly decent workaround against a hardware keylogger).
John mentioned ClamAV Portable, which can scan for lots of things. I believe to be most effective it needs to run as an Administrator, which might be problematic especially for spy programs running at the deepest level in the operating system.
Your best bet is to use only the machines you trust most for your banking. Or get your bank to use something more secure than a reusable password, whether it is some sort of token or a challenge response to your cellphone or whatever. There are lots of ways to do it that are fairly good, and most don't involve asking you for your first grade teacher's name, which in any case is reusable.
MC
Where will you work? On
Where will you work?
On a computer in a company or a netcafe, or where?
The safest way would be to make a bootable USB or CD with Linux, with Wine on it to emulate the .NET framework, and boot your own OS.
Or maybe think about buying a very cheap and small PC like an Eee and using it for your work; you can plug it in via RJ45 or WLAN in most webcafes, hotels, and so on.
Think about alternatives to the systems in your environment.
When you plug in your drive and enter confidential passwords, especially for a bank, there is always a risk of getting sniffed. Take care that you use the real bank site by checking the certificate when you go to bank sites from other countries, because of phishing and bad DNS servers.
A single death is a tragedy; a million deaths is a statistic.
KeeForm
There is a KeePass add-on called KeeForm that will fill in the fields with the appropriate entries that does NOT use the copy/paste method. It is more secure than the autotype method and is easy to use.
KeeForm is compatible with KP1 and 2.
IronKey and YubiKey
I think that you might look into using a flash drive called IronKey, which you can find at https://www.ironkey.com/, and/or YubiKey (http://www.yubico.com/), a one-touch USB key that lets you log into a web site (banks, forums, web-mail, etc.) if that site accepts the YubiKey. You can load PortableApps and KeePassPortable on the IronKey, and by using the built-in Firefox browser with Secure Sessions turned on, bank securely, and even use copy-paste, and ScreenKeyboardPortable too, to enter your IDs and passwords until the IronKey does it automatically in the future. It's pretty hip. Try it.
Unrelated
This is unrelated to the current topic as neither of these do anything to beat keyloggers or other compromised PCs. IronKey does nothing to thwart keyloggers. And Yubikey doesn't work with most sites, so you're still just submitting a password. You're just as vulnerable.
Sometimes, the impossible can become possible, if you're awesome!
Soft Keyboards
Would it help to defeat hardware keyloggers by taking along your own soft silicone keyboard? Curious to know and would appreciate any feedback on this.
They seem small and compact enough to carry that it is not an issue.
Not at all
It'll still send the same key signals, which is what is detected.
I am a Christian and a developer and moderator here.
“It is in vain that you rise up early and go late to rest, eating the bread of anxious toil; for he gives to his beloved sleep.” – Solomon, Psalm 127:2
Silicone Keyboard
So is this saying that if I take along my silicone keyboard and plug it in via USB, a hardware keylogger will still log the keystrokes? I thought that hardware keyloggers were a physical device between the USB port and the USB keyboard cable. Any keystrokes on a different USB keyboard would not be logged, true?
OR are there numerous other hardware keyloggers that are not at the USB port / USB keyboard junction ?
I would think that you could be reasonably safe with a USB silicone keyboard and a copy paste method described above to beat software keyloggers. Hmm or not!
Depends where
I'm not too familiar with hardware keyloggers (or software for that matter) but there are three places it could be: inside the keyboard, between the mobo and the keyboard, or inside the case. The best ones would be inside the case and work independently of the OS, and record so long as there's power.
And this goes back to my abstinence theory and analogy. The best way to beat a hardware keylogger is to not use the machine.
'̿'\̵͇̿̿\з=(•̪●)=ε/̵͇̿̿/'̿'̿ ̿
Actually...
Actually it's the only answer.
Think of it like sex. You're you and the public computer is your prospective partner. We won't get into what your flash drive is. With information security, much like sex, most folks just jump in and if something goes wrong they deal with it as it comes. And like there are a lot of threats out there (hardware keyloggers, software keyloggers, rootkits, stuff you might not know about), it's the same for the other as well. STDs, guilty feelings, the possibility of pregnancy.
Ergo, the only surefire way to stay safe is to not take the risk. If you take the risk, no matter how many precautions you take, there's still a risk, however small. Especially with information security. The dishonest stay a few steps ahead of, well, if not always the honest, at least the self-righteous. Have the RIAA had a single major victory over piracy? Aren't they still going after Kazaa as if anybody uses it anymore? So if they really want your personal data, they're gonna get it.
And, even though it fits, sorry for the crude analogy. I've been watching House.
'̿'\̵͇̿̿\з=(•̪●)=ε/̵͇̿̿/'̿'̿ ̿
Ubuntu
Saw a comment above about not being able to reboot a machine. What about Ubuntu Portable App OS? You can install it to a USB or SD card and run it from within Windows. Gets you around software loggers, true?
Yes, but
Like most things in security, it's a yes, but. Booting into your own OS will get you around any software keyloggers installed on the PC's OS. But it won't get you around hardware keyloggers. And most public PCs are configured so you can't boot from CD or USB.
Sometimes, the impossible can become possible, if you're awesome!
You can't be "safe", but you can be "safer"
The first thing you need to know is what threat you want protection against. If the NSA or the KGB are after your password, then a laser beam pointing at the glass of your home's window can act as a microphone detecting the sound each key on your keyboard makes, and as each key has a slightly different sound, it acts as a key logger. I've also read about methods to see your screen from a van parked in front of your house. And, no, it's not science fiction; I've read about these methods, or at least the possibility of developing them, from serious sources.
But then again, if it's just a normal cracker/script kiddie who is not specifically against you, but just hunting for anyone to hack, crack or rob, then you need to remember "You don't need to be faster than the fastest lion, just faster than the slowest gazelle."
Now, assuming the NSA isn't after you, you're expecting just a bunch of normal threats:
1) Software "input loggers" (might be logging keyboard, clipboard, and even mouse movements).
2) Hardware keyloggers. Same stuff but done in a chip between the input source and the motherboard. This can be a little device on the wire of the keyboard (but inside the casing) or between the USB plug and the USB socket, or inside the computer's casing between the motherboard and the USB socket (especially the ones at the front of the box, removed from the motherboard).
3) Sniffing (reading everything you send over the network), DNS poisoning (making the DNS take you to a clone of the bank's page instead of the real one) and a million other threats from outside the computer where you're working.
With a good clean, trusted browser (e.g.: Firefox Portable) and a decent banking page, plus a bit of user education (should I have said "user" or "your, sir"?) number 3 should not be anything to fear, at least not any more than from home.
Using a clean operating system, such as a bootable USB or a Linux Live CD, protects you from anything that's software on the computer you're at. But it's difficult to get the CyberCafé owner to let you use one of those. After all, for all he knows, you might be the one who's trying to install a keylogger on the computer.
Trying to detect keyloggers and the like is never going to be 100% safe because there is always going to be some software that your software can't detect (though it might be safer than just typing without even checking).
About hardware... you can't do anything about it, except use another computer.
So, no, again, you can't outrun the fastest lion.
But if you really must use homebanking from a public PC, you can make it hard for them to get your key. A simple but rather effective way to do this is:
Open a web page with content that is continually changing, or chat for a while with a friend.
Then copy, by selecting with the mouse + right click + copy, one letter from your password at a time and paste it in the password box, again with the mouse. Do this out of order, i.e.: if your password is AbCd, find a "C" on the page/chat/whatever and paste it. Then a "b", etc. It takes time and a lot of focus to do it right, but it really makes it hard to get your pass.
Notice that someone logging what you type would know what page you used, by tracking your mouse they would know how much you scrolled, and where you copy-pasted, and by tracking your clipboard they would know what letters you copied. And they could also be using something similar to pcAnywhere or VNC (but clandestine, like sub7) to make an .avi of everything you do during your session.
But you do realize any of this would be a lot harder for them than you just typing your password for the keylogger to record. So with that, you'll probably be "safe enough"
Someone suggested asking the bank to provide a token.
A token is a little thing the size of a pendrive with a button and a screen. When you press the button it gives you a number (like 6 digits) that you need to type together with your password and is only good for one minute or some other similarly short time. Let them log the number, in 30 secs it's no good anyway. That would considerably improve on the security level, but I don't know if you'll find a bank that uses that for "normal" accounts. (There are still ways around this, but not anything a script kiddie in a cybercafé will have).
So there you have some panorama of what tricky ground you're treading with this. Welcome to the fascinating world of IT (un)security.
Regards:
Wences
The bank
I agree about the bank, except I think it is critical that banks -- and the Internet as a whole -- get away from reusable passwords.
It feels like the bank's current strategy is to use Javascript to erase the password you carefully had your home browser save in a password-protected security device, and making you tell it your first grade teacher's name (or some other information "only you would know") every couple of weeks. The first just makes it more likely you'll have a weak, memorable password, or write your strong password on a piece of paper stuck to your computer. In other words, it's not really making things better. The deal with the first grade teacher's name is that it is reusable. It is also researchable, if you use the real name. Those make it very weak. In other words, the things the banks are doing to make you THINK you are more secure are actually making you somewhat less secure.
Reusable passwords are becoming a really weak link, and not just for banking. It's time to graduate the whole Internet to the next level of access control.
Now if I could only patent it and convince everyone to change, I'd be in good shape.
Note that doesn't solve some of the other problems of keylogging, like getting personal information, account numbers, etc. It just prevents the keylogger from getting a reusable password. But it would be a start.
MC
Roboform or SignUp shield
If you just have web sites that require login details you can use Roboform or SignUp shield to store the login details in an encrypted database and enter these details into the web forms in a secure manner. They both provide one-click logon to web sites such as banks and web-based email without having to type anything (except a master password). Free versions of these apps are limited to 10 entries.
Although these store personal details in an encrypted database in a manner similar to KeePass, they only work with form-based web sites, whereas KeePass will function with any window requiring input. The portable version of Roboform (Roboform2Go) is my preferred tool as it accommodates FirefoxPortable as the preferred browser.
I use KeePass as the database to store EVERY personal detail, Roboform for web-based login details.
KeePass v Roboform
porteri, I would be very grateful if you would explain why you need Roboform... I thought KeePass could do web logins as well.
Treo680 2G_SD+USB PAM & ASuite
Reasons
I use Roboform over KeePass only for web logins; ironically I used KeePass to login into this forum.
Reference to KeePass refers to v1 and applies to KeePassPortable.
Firstly: Depending on the application, keyloggers can capture keystrokes, mouse movements, the screen and clipboard entries, so all these should be assumed to be in play on the untrusted computer. The keyloggers are usually idle during inactivity and start the capture process when there is keyboard or mouse activity. So, to minimize capture we should minimize these actions and this can be achieved by using single-click launching.
KeePass:
KeePass launches the default browser, usually IE, when selecting the URL. This can be overridden by the {FIREFOX} parameter, but it only applies to an installed copy of Firefox, not FirefoxPortable (unless you specify the {CMD} parameter and enter the path to FFP, but this does not handle the changing drive letter associated with USB drives).
The auto-type feature uses the copy-paste method to the clipboard. Even with the security features which apply to the clipboard (single paste or clear after specified time) the data can still be captured. Using the KeeForm plugin overcomes this issue by providing single-click functionality and uses a direct paste method, but it only works with IE, not Firefox, and entries have to be configured to use it.
Finally, all entries have to be manually entered into KeePass.
RoboForm:
Purpose built for web page entries it provides single-click functionality. It lets you select the preferred browser (default, IE, Firefox or FirefoxPortable) and will launch the preferred browser automatically, then fill in the fields.
Auto-fill uses a direct paste method and can be used for any fields, i.e. credit cards, personal details, login details etc.
When entering the passphrase to unlock the database, a built-in soft-keyboard is available which pastes directly into the application.
Automatically saves the data from forms into the database. Fill in the form (on a trusted computer) and select save. The URL and all fields will be saved into the database. No manual entry required.
Can synchronize between installed and portable versions easily.
A couple of issues do exist with respect to portability: RoboForm2Go copies data to the temp directory and removes it upon correct closure. It does leave some files behind, but these do not reveal anything except that it has been used. I use Portidy to remove these. The second issue is that it prefers to be in the root directory of the USB drive. It will work in lower directories, e.g. \PortableApps\Roboform, but will not automatically update.
To summarize: I use KeePass frequently on trusted computers, but for untrusted computers I will use RoboForm for the extra security.
Cheers,
Jeff.
RoboForm & KeePass
Thanks Jeff for the detailed reply.
Isn't it a shame that KeePass hasn't been enhanced to do the same as RoboForm or that RoboForm can't be used to keep the information you keep in Keepass? Seems to me they both do similar jobs and it would be easier to handle if one could just use one or the other... or have I not fully understood?
Cheers,
Roger.
Treo680 2G_SD+USB PAM & ASuite