Defense against the dark arts...
LanceHaverkamp
Joined: 2008-01-04 20:45
Defense against the dark arts...

Is there a discussion thread about how to defend against evil computers that try to steal the data off your flash drive? Such as:

1) Does ClamAV consider USB Dumper, hacksaw & switchblade a threat?

2) Is putting eicar.com on your flash drive (to mess with their AV program) too cruel?

3) Is there a standardized method of crypto for both files & PGP keyrings? And does that work against things like USB Dumper, hacksaw & switchblade; or do they just re-read the decrypted versions?

Thanks,

Lance

Simeon
Developer / Translator
Joined: 2006-09-25 15:15
well...

3) USB dumper just copies your data off your drive. If all its content is well encrypted, then whoever wants to use it can't, because it's encrypted.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

RMB Fixed
Joined: 2006-10-24 10:30
...

1: No, because USB-dumper is NOT a virus, and neither are any of the tools used in the Switchblade or Hacksaw. A few AVs (mostly those intended for corporate use) will detect a few of the tools and flag them as "risk" or such.
2: The only thing you will get out of that is a drive with quarantined and/or deleted files.
3: Not really. The only "safe" solution is to never present confidential files to an "unknown" computer. If it needs to be encrypted it needs to be kept away from systems that you or someone you trust does not have admin rights on.

Dongle_Smeller
Joined: 2008-01-06 12:27
PLEASE offer your suggestions for self-defense here!

The last time I inserted my USB drive in a computer at an internet cafe I got a virus IMMEDIATELY. Fortunately it was that relatively harmless one that changes your autoexec.bat and adds sxs.* files to your drive. But it could have been anything!

And this was in spite of the fact that on insertion my flash drive virtually explodes with defensive software -- RogueRemover, Avast, ClamWinPortable, Win Worms Doors Cleaner and Spybot S&D.

And you know what? It's all useless!

The portable Avast thing is junk, and since it doesn't update and has its hardwired definitions from god knows when, I'm about to uninstall it. Utter waste of space.

The Win Worms thing is something I tried just because I could but since it requires a reboot to close the open ports it finds, and most internet cafes will reset their machines at reboot, it is of no use. That, and any halfway decent malware will find a port, makes it a waste of space.

ClamWin is actually a good AV -- it's found things the full edition of AVG hasn't! -- but malware can act in a second, while CWP will take 5-60 minutes to scan a drive, depending on the size. In other words, "You lose!".

And the same goes for SpyWare Doctor -- good program, but on a HOME computer.

So what on Zeus's green earth do you guys use for protection?

And I haven't even mentioned the new USB copying malware. Talk about evil! And whoever said encryption will protect you is incorrect, unless you never unencrypt the volume -- in which case you can sit tranquilly watching the PA icon while meditating. Once you mount the volume, it's as accessible as an unencrypted one -- since that's effectively what it is!

Tim Clark
Joined: 2006-06-18 13:55
Points & Questions

"RogueRemover, Avast, ClamWinPortable, Win Worms Doors Cleaner and Spybot S&D"

Forgive me for not being aware of the details for all the programs you mention, but I believe all but one, Avast, are retroactive/on-demand scanners; they cannot protect you from infection, they only find the infection after the fact, when you run the program.

Spybot S&D does not look for viruses, just ad/spyware.

"the portable Avast thing is junk, and since it doesn't update and has its hardwired definitions from god knows when"

I update my Avast definitions every day? The program has updated its engine at least a couple of times in the past few months. Currently I have Definitions "5.1.2008 - 80105-0" from yesterday. What happens when you try to update?

"my flash drive virtually explodes with defensive software"
Really, but you ONLY have "5"

Tim

Things have got to get better, they can't get worse, or can they?

Dongle_Smeller
Joined: 2008-01-06 12:27

"the portable Avast thing is junk, and since it doesn't update and has its hardwired definitions from god knows when"

I'm referring to the purple Avast thing - the virus / worm cleaner tool. It actually can't update its definitions.

There are certain trade-offs you gotta make, so I run the following ON PLUG-IN (er, "start-up"?):

Spybot S&D -- Spyware and malware. A 5 min scan can check all running programs, processes, etc.

ClamWinPortable. Viruses. It's not automatic, but it's quite good. I scan my flash drive first, to see what infections I've already gotten, and then the main drive of the computer I'm using. Unfortunately that takes for bloody ever.

Avast Purple Thing. It's probably useless, but it takes only a few seconds, so what the hell?

Rogue Remover. A list of what are supposedly the most dangerous malware and viruses. Manual, annoying in several ways, but again, it's quick.

Windows Worms Doors Cleaner. Closes dangerous ports, NetBios, etc. But since it requires a reboot it's probably useless as the changes are probably reset, so I may dump it.

I also have a batch file designed to nail that stupid sxs.exe worm and to remove some of the files of the USB downloaders. It also removes any autoexec file placed on my flash drive.

This is all designed for dealing with computers *other than my own*, mind you.

I would much appreciate you (and everyone else, for that matter) sharing what security apps they use on their USB sticks and how they use them (if they do anything out of the ordinary). Also, if any non-portable apps can be installed on USB drives without problems.

Cheers!

Tim Clark
Joined: 2006-06-18 13:55

Ahhhh, the "Purple Thingy"

Yes, you are correct, it does not update. It, like McAfee Stinger, needs to be replaced when a new version comes out. They are unfortunately designed to only catch a small subset of malware that was prevalent at the time they were created and that is presumed will be around for a while. The Microsoft Malicious Software Removal Tool is similar but gets updated every month. It can be downloaded separately from the Patch Tuesday updates and carried on a flash drive or CD. Still, it only covers a small subset of what's out there.

You can ask ClamWinPortable to do just a Memory Scan. You are correct, the host scan takes forever. I run it while I'm watching a DVD movie, a long one

AdAware SE will run portably with no problems, however the Skanks at Lavasoft have cut off access to the latest defs from the free users. If you know someone who has the paid version you can use their defs, they are the same.

The only truly safe thing you can do is use a locked drive or cd and copy the programs from there to the host and run them from there. Delete them when you are done. Copy any downloads to an empty floppy or usb drive. Assume they are infected, delete any file you find on them that you did not put there and scan them on your home computer before copying anything off of them.

Note, this will only protect you from getting infected. Any data or personal information you used or had stored on the host while you used it is fair game. As was pointed out elsewhere even encryption might not help you as you have to unencrypt the data to use it.

Without inviting discussions on my choices I carry the following on my drive, in no particular order:

McAfee Antivirus [U3 only]
Portable Avast [U3 only]
XoftSpy Portable [U3 Only]

Stinger.exe from McAfee
Aswclnr.exe from Avast [the Purple Thingy]
MS Monthly MSRT from MS
Norman_Malware_Cleaner

Rootkit_Detective.exe from McAfee
RootkitRevealer.exe from MS
Panda PAVARK.exe
SophosRootKitDetector1.3

AdAware SE Personal
SpyBot S&D 1.5
ClamWinPortable

But that's only 14, I'm sure I'm missing one

Tim

Things have got to get better, they can't get worse, or can they?

Dongle_Smeller
Joined: 2008-01-06 12:27

Thanks a ton for all your specific suggestions. Norman looks especially promising.

I still can't figure out how all these rootkit detectors are supposed to help us normal people (and I've been doing computers since the bloody 80s). Sysinternals will show you all the suspicious stuff, but then you have to decide what's normal and what's evil. Based on registry keys longer than the average giraffe's... never mind.

One thing to make sure to check out is command line parameters. Spybot S&D, for example, can run invisible, just immunize (you do NOT want that thing scanning your system for 75,000 items!), and then auto-seppuku. Quite useful.

Finally, how do you get Clam to only scan memory? I can't figure that one out.

Cheers.

rab040ma
Joined: 2007-08-27 13:35
Suggestions

If you want "strong" suggestions, here are a few:

1) If you cannot "prove" that a machine can be trusted, it probably can't.

2) If malware is already running with Administrative rights on a machine, nothing you can bring to the machine on a USB drive can help -- Administrative rights gives it the ability to hide from other programs (including AV software), shut down other programs, or modify them. With a little luck a program scanning for malware might raise an alarm before it is compromised (fairly likely but not guaranteed). (You might be able to kill the malware if you booted to a LiveCD, but how often can you do that at a public computer. Since one can do as much harm as good with a LiveCD, most public computers won't let you boot to a LiveCD.)

3) AV software, to be effective, needs to be installed and running as a system service, with hooks deep into the innards of the operating system. (If not, see number 2.) It has to get going first and be ready to take action before the malware can start. To do this requires Administrative privileges and most likely a reboot. If you have administrative rights when you bring your USB drive, you could install the AV, but if the malware is already running, see number 2.

4) Keystroke loggers can grab your passwords from most programs when you enter them, and transmit them to their "mother ship". If they are installed ahead of time with Administrative rights, see number 2. If they are "hardware" keyloggers, installed on the keyboard, they are pretty much hidden from any software.

5) You could be fairly confident of a computing environment booted from a LiveCD that completely ignores programs installed on the host computer. There are theoretically some nasty things that could be done with, say, BIOS, to compromise even a LiveCD, but that would be relatively difficult. A "hardware" keylogger -- one that is, say, installed in the keyboard -- could grab passwords and such even in a LiveCD environment; but at least the malware running on the PC's normal OS won't be able to harm you. Running a LiveCD on a public computer should be restricted, so I wouldn't rely on it.

6) See number 1.

Sorry to be so pessimistic.

MC

Tim Clark
Joined: 2006-06-18 13:55
Tantum suspiciosissimi supersunt

Only the paranoid survive

Things have got to get better, they can't get worse, or can they?

Dongle_Smeller
Joined: 2008-01-06 12:27

There are one, and perhaps two, things you can do to deal with keystroke loggers.

1. Use KeePass Password Safe. (You want version 1.09.) It's free, open source, portable and sexy. Er, ah, three of the four, at least.

Once you've entered your passwords into the program (at home or wherever), you open it up at your local internet cafe, fire up your browser, and *drag and drop* your passwords into the appropriate boxes on logon pages. This method bypasses the clipboard and apparently has passed attempts to defeat it. It has alternate modes for when you are dealing with funky pages, one that sends several channels of info to the clipboard at once, etc.

And even if the PW is intercepted, if you use keyfiles the PW is useless without the exact files you used.

Clever program.

You can also try the KeyScrambler extension for Firefox, which claims to encrypt keystrokes from end to end. Don't really know how reliable it is personally, but hey...

rab040ma
Joined: 2007-08-27 13:35
That's why I said "most"

KeePass is one of a very few programs that seems designed with DADA in mind.

But, just ask yourself: if a machine has a keylogger running on it, what else might be running, and do you really want to authenticate to a web site or decrypt sensitive data in that environment? Even if it can't steal your password, while you are logged on it could send commands as if it were you. Once data is decrypted, it could make a copy of it.

Sigh.

MC

consul
Joined: 2007-05-02 13:47
keyloggers ...

4) Keystroke loggers can grab your passwords from most programs when you enter them, and transmit them to their "mother ship". If they are installed ahead of time with Administrative rights, see number 2. If they are "hardware" keyloggers, installed on the keyboard, they are pretty much hidden from any software.

I pretty much now use KeePass and have things copied and pasted so I don't type it in the remote computers. Hopefully that helps stop keyloggers.

Don't be an uberPr∅. They are stinky.

LOGAN-Portable
Developer
Joined: 2007-09-11 12:24

I just noticed KeePass 2.04 Alpha is available. I'm wondering if I could just replace the old portable one with the latest executable and all things keep working correctly (due to the launcher).

Else I'll wait for the official portable releases

EDIT: I read that KeePass v2 needs .NET installed? How lazy of the programmers!
Are there alternatives to KeePass?

Simeon
Developer / Translator
Joined: 2006-09-25 15:15
yes

but they will keep the 1.x branch as a "non-.NET" version for those who don't have .NET.
I think they will even provide bug fixes for 1.x just no new features.
Search the forums as there are several threads about this.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

rab040ma
Joined: 2007-08-27 13:35
Just an example

The following was in the Sans Newsbites from today:

~~~~~~~~~~~~~~~~~~~

TOP OF THE NEWS
--Man Pleads Guilty to Data Theft from Hotel Computers
(January 9, 2008)
Colombian engineer Mario Alberto Simbaqueba Bonilla has pleaded guilty to charges of conspiracy, fraud, and identity theft for placing keystroke logging software on hotel business center computers and stealing personally identifiable information. Simbaqueba Bonilla stole more than US $400,000 in a three-year period by installing the software on computers at hotels in the US and in other countries. Simbaqueba Bonilla is believed to have an accomplice, Nelya Alexandra Valero, who is still at large. He could face between seven and 10 years in prison when he is sentenced in March.

http://www.miamiherald.com/news/breaking_news/story/372940.html

MC

Ryan McCue
Joined: 2006-01-06 21:27

CWP will take 5-60 minutes to scan a drive, depending on the size. In other words, "You lose!"
Try writing a virus scanner that's faster than that without deep hooks into the system to intercept calls. You'll see why it's slow.

"If you're not part of the solution, you're part of the precipitate."

Preacher
Joined: 2006-11-13 16:52
Shouldn't that be...

..."defense against the dork arts"?...

"I don't hate cats...as long as they stay on the freeway, where they belong."
- Brad Stine

zooz
Joined: 2008-01-17 05:40

I think the way to protect yourself against viruses, malware, USB dumper and the like is to have a file system access control software.

It's a feature already implemented in some personal firewall products - nothing new.

I wish it was implemented in Truecrypt, it seems logical to me because TC is already providing file system access to the OS so I think it will be best if some module of it would also (optionally) control what process can access what file.

I look at this kind of software as a firewall but with processes, exe checksums, paths, filenames, access types (read/write/etc) etc. etc. instead of ip's, ports etc.

A ruleset of this kind of software might look like:
---
from "any" to "any" ask
from path "c:\windows\explorer.exe" checksum "xxx" to pathregexp "^x:\\.*$" allow "read create"
from pathregexp "^x:\\.*$" to "any" allow "all"
---
This is of course only a quick example.

Note:
Just in case it's not obvious, it's not meant to protect anyone from hacksaw/etc stuff. It's only meant to allow you to safely insert your safe usb stick into an unsafe pc - not vice versa.
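As an added illustration (not zooz's code, nor any real firewall or TrueCrypt code), here is a small evaluator for a ruleset written in the exact syntax of the listing above. It assumes: later rules override earlier ones, so the first `from "any" to "any" ask` line is the default; `allow` (and a `deny` verb added here) lists the access types it covers; paths compare case-insensitively as on Windows; and the process checksum is supplied by whatever hashed the executable.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Ruleset copied from the post above (raw string keeps the backslashes literal).
RULESET = r'''
from "any" to "any" ask
from path "c:\windows\explorer.exe" checksum "xxx" to pathregexp "^x:\\.*$" allow "read create"
from pathregexp "^x:\\.*$" to "any" allow "all"
'''


@dataclass(frozen=True)
class Matcher:
    kind: str          # "any", "path" or "pathregexp"
    value: str = ""

    def matches(self, path: str) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "path":            # exact path, case-insensitive (Windows assumption)
            return path.lower() == self.value.lower()
        return re.match(self.value, path, re.IGNORECASE) is not None


@dataclass(frozen=True)
class Rule:
    src: Matcher                 # the process asking for access
    checksum: Optional[str]      # hash of that process's executable, if pinned
    dst: Matcher                 # the file being accessed
    verdict: str                 # "ask", "allow" or "deny"
    accesses: FrozenSet[str]     # {"all"} or e.g. {"read", "create"}


def _tokens(line: str) -> List[str]:
    """Split on whitespace but keep quoted strings together, quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def _matcher(toks: List[str], i: int):
    if toks[i] == "any":
        return Matcher("any"), i + 1
    if toks[i] in ("path", "pathregexp"):
        return Matcher(toks[i], toks[i + 1]), i + 2
    raise ValueError(f"unknown matcher {toks[i]!r}")


def parse_rule(line: str) -> Rule:
    toks = _tokens(line)
    if not toks or toks[0] != "from":
        raise ValueError(f"rule must start with 'from': {line!r}")
    src, i = _matcher(toks, 1)
    checksum = None
    if toks[i] == "checksum":
        checksum, i = toks[i + 1].lower(), i + 2
    if toks[i] != "to":
        raise ValueError(f"expected 'to' in {line!r}")
    dst, i = _matcher(toks, i + 1)
    verdict = toks[i]
    if verdict == "ask":
        accesses = frozenset({"all"})
    elif verdict in ("allow", "deny"):        # "deny" is an assumed extension
        accesses = frozenset(toks[i + 1].lower().split())
    else:
        raise ValueError(f"unknown verdict {verdict!r}")
    return Rule(src, checksum, dst, verdict, accesses)


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def decide(rules: List[Rule], proc_path: str, proc_checksum: str,
           target: str, access: str) -> str:
    """Return the verdict for one access request; the last matching rule wins."""
    verdict = "ask"                          # nothing matched: fall back to asking
    for r in rules:
        if not (r.src.matches(proc_path) and r.dst.matches(target)):
            continue
        if r.checksum is not None and r.checksum != proc_checksum.lower():
            continue                         # same-named but modified exe does not match
        if "all" not in r.accesses and access not in r.accesses:
            continue
        verdict = r.verdict
    return verdict


RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    # Constructed requests: Explorer with the pinned checksum, then an unknown copier.
    print(decide(RULES, r"c:\windows\explorer.exe", "xxx", r"x:\docs\notes.txt", "read"))
    print(decide(RULES, r"c:\temp\copier.exe", "ab12", r"x:\docs\notes.txt", "read"))
```

The checksum clause is what makes the second rule useful: a replaced explorer.exe with the same path but a different hash falls through to the default "ask".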

Jimbo
Joined: 2007-12-17 05:43
except for the hypothetical...

assuming that someone actually mods truecrypt to do what you desire, there is nothing to then stop someone from installing a modified set of truecrypt drivers on the local system, which would be used in preference to the ones on your UFD, which would perform exactly like you expected, apart from the extra hidden access rule

from "c:\nasty\app.exe" to "any" allow "all"

that it tacks on to your listing.

Again, we cannot stress this enough, unless you trust the PC, or you can trustably boot it from reliable media, you cannot ensure the safety and privacy of your data.

And bear in mind when you use truecrypt, you are providing your passphrase to the drivers that are installed on the PC, so if you can't be sure of them, you could have just given away the keys to your castle.

zooz
Joined: 2008-01-17 05:40

This problem is easy to solve:
---
if truecrypt_driver_install_state = false
    installdriver();
else
    removedriver();
    installdriver();
if errorlevel = "anything but a nice clean install"
    msgbox("Warning! truecrypt's authenticity can't be verified! Mount drives only at your own risk!");
---

While I'm sure there are other problems with my idea I also believe that they can be solved. Sure, I could be wrong. But I prefer the MAYBE of the optimistic to the NO WAY of the pessimistic. Maybe is better than nothing.

As for the other problems, Bring'em on.

Jimbo
Joined: 2007-12-17 05:43
that would require admin rights on the box

which is why people install TC as administrator, and then you can run it as a non-admin.

Also, imagine a hook in the exec function

if driver being loaded == truecrypt
    install my-evil-truecrypt driver
else
    install requested driver

The problem with false expectations of security is that they are not secure, and people all too often trust them to be safe.

I agree that your ideas would quite definitely improve security, and reduce the risks, but they would not eliminate them, and, if you need privacy and security, then you need privacy and security, not just the hope that you might probably have it most of the time.

If there is a hole in the system, then there is a hole in it, and it isn't secure.

Most PCs don't have keyloggers. Most PCs don't have hacksaw type apps. Most PCs won't try to capture key files from your UFD. Most PCs won't have a trojanned truecrypt.

However, some might, and that means that you're not safe, and you need to be aware of that, which brings it back to.. if you can't trust the machine....

zooz
Joined: 2008-01-17 05:40

Couple'o'things:

About admin rights,
That's perfectly fine with me. If I put my USB Stick (What's UFD by the way?) in a machine which I don't have administrative rights to and TC tells me it can't verify its authenticity, I'll know that I'm not secured and I won't use it. I don't need my method to work all the time - only to not "lie" to me that it's secured (to a degree, I'll come to that in a sec) when it's not.

About exec-function-hack,
I'm not a real expert in this matter but I'm pretty sure ("sure" might be too strong. perhaps "believe" is better) there's an unbreakable way to be sure that what runs is your safe TC driver. Perhaps TC can encrypt a message that will be displayed in the gui that you can check with your eyes. I don't know a specific solution, maybe someone else cares to try.

About security-philosophy-in-general,
I agree with your facts-description, not with the meaning you give them.
There is no such thing as "secure"/"secured", there are only different levels of security.
Just to emphasize: you say "If you can't trust the machine (that it is secured)..." implying that there is such a thing as a trusted/secured machine.
There isn't.
Not your machine at home (someone else might have used it), not even if the only person using it is you (someone [microsoft et al.] wrote the OS code), not even if it's gnu/linux (some malicious code could still be there and no one has noticed), not even if you wrote your OS yourself from scratch (you are only human and humans make mistakes).
What you in fact say is: my pc at home is much, much safer than an internet-cafe pc. That's fine. I can live with this statement.

My goal is to be MORE secure than before. Not TOTALLY secure since, as I've stated, that's not possible.

Three options:
1. Not sticking my USB stick to a pc I can't trust - safest.
2. Sticking my USB stick to a pc I can't trust - highly risky - viruses/trojans/all-sorts-of-general-malware, network access to my USB stick, USB dumper and the like, etc. etc.
3. Same as 2 but with my method installed - safer than 2. How much safer? Let's make a list of our risks so far.

Risks so far:
1. pc has a trojanned truecrypt and I can't tell the difference.

Are there any more risks?
Are there any specific solutions to the current list of risks?

Jimbo
Joined: 2007-12-17 05:43
Yep, generally, I'd agree

Unless you personally were being specifically targeted, then, in general, yes, you could pretty definitively check for the lack of admin rights, and, if you did something like make cosmetic changes to your own TC executable, so you could tell at a glance if it was yours, then you could be reasonably confident that you were safe.

If someone -was- specifically after you, all bets are off, but not many people suffer from that, fortunately.

And you are quite right about there being no such thing as a completely secure computer, I was being lazy and I should have been using phrases like "secure enough" more.

And yes, provided you watch out for trojaned TC executables, a system such as you propose would definitely offer enhanced protection.

zooz
Joined: 2008-01-17 05:40
Yipee, I'm glad you approve (at least to a degree)

Ok, so I'll leave it here for a couple of days to see if there are any other comments that might help develop/clarify this idea and then I'll post it at TrueCrypt's forums to see if anyone is interested over there. Sadly I can't possibly do it myself - although I do code simple scripts/apps from time to time, I've never done something of this magnitude.

About cosmetic changes,
Although cosmetic changes might be a good idea it wasn't my original one. I was thinking about something like an encrypted string/number that was chosen randomly by TC at its initial setup. This number will be displayed on the gui so you could see for yourself that it's the normal number you know.
I'm not sure at all that this idea is any good (at least not better than just making cosmetic changes) because the trojanned TC (if aware of this process) can easily run good-TC hidden, get the number from the gui and run itself while proudly displaying this number. It (BTC - Bad TC) doesn't need to bother with HOW GTC (good-TC) calculates that number - BTC will just use GTC as a black-box number calculating machine.

People, people, people... any other suggestions?

Jimbo
Joined: 2007-12-17 05:43
That was why I was thinking of personalised cosmetic changes

anything "standard" is too open to clever spoofing or capturing by the rogue. If you've hand-edited the sources to change some menu text, or bitmaps, or colours, then there is a huge array of little things that the rogue version would have to look for and try to emulate, but that the user can spot instantly. Effectively, they're no more than a random number that is compiled in at start time.

The drawback to both systems is that they involve a pretty-much unique copy of TC as your good one, which means that the end user would have to tweak and compile it, and the more automated the tweaking, the easier it would be for the rogue to know what to look for and emulate. Still, it is a very hypothetical attack, so unless you believe you are being specifically targeted, it should be very achievable.

rab040ma
Joined: 2007-08-27 13:35
sounds like hashes and signatures

What you are talking about is covered by hashes (and signatures, which use hashes). If you can carry with you a way to take, say, an MD5 hash (or better, both an MD5 and an SHA1 hash) it only takes a few moments to get the hash from a file and compare it with the known good hash. A certificate bumps things up a notch.

A potential compromise in this scenario is with rootkits. A rootkit could recognize that you are calculating an MD5 sum or attempting to validate a certificate and show you a false result. You might be able to mitigate this by using your own MD5 sum program, since the rootkit might only be capable of recognizing and compromising system methods of validating things (e.g. the Microsoft security libraries).

The more common the tool, the more likely the rootkit would be able to recognize it and show a compromised result.

After you validate the TC drivers, there might still be problems. A program could be monitoring your usage of the drive, and recording data streams that you pull off the drive (when you view or edit a document, for example). So you'd have to be able to validate all of the core operating system files, not just the TC driver.

I would be surprised if the TC driver showed a GUI or other user interface. That would be shown by the TC program itself, which talks to the driver; you could potentially be using your own copy of the GUI software. It would be good if the TC program were hardened against that sort of compromise (at least to detect it) and was able itself to validate that it was talking to a legitimate version of the driver.

The mitigation for almost all of these things is to prevent unauthorized Admin access to the machine. Windows does a pretty good job of protecting its own drivers and libraries, except from Admins, who can generally do whatever they want.

PS Some of what you talk about is "security by obscurity". That might be one part of your strategy (you definitely want to keep your pass phrases secret as well as complex) but in general we are looking for security methods that don't rely on "the key under the welcome mat", because someone just might be able to find that key. It's why Truecrypt uses encryption algorithms that are subject to analysis and rigorous mathematical proof. Everyone who wants can learn exactly how the AES algorithm works, but that won't help figure out the contents without the pass phrase and/or key file. If your method is there for all the world to see, and can't be compromised by a rootkit, it is much stronger than if it is some secret thing that only you know about.

MC
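As an added example (not rab040ma's, TrueCrypt's or any real product's code), here is the kind of self-contained hashing tool the post suggests carrying with you: it records known-good MD5, SHA-1 and (added here, since the older two are no longer collision resistant) SHA-256 digests in a manifest at home, then compares a file against that manifest on the unknown machine, treating a missing or mismatching digest as failure. The file name `truecrypt.sys` and the file contents are constructed stand-ins, and the manifest line format is an assumption.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# A file passes only if every listed digest matches.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> Dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digests() but streams a file so large drivers do not sit in RAM."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(files: Dict[str, bytes]) -> str:
    """Run at home on a trusted machine; the output travels with you.

    One line per file (assumed format): <name> md5=<hex> sha1=<hex> sha256=<hex>
    """
    lines = []
    for name, data in sorted(files.items()):
        d = digests(data)
        lines.append(" ".join([name] + [f"{a}={d[a]}" for a in ALGORITHMS]))
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    manifest: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *pairs = line.split()
        manifest[name] = {k.lower(): v.lower()
                          for k, v in (p.split("=", 1) for p in pairs)}
    return manifest


def check(data: bytes, expected: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare every algorithm and report which ones failed or were absent.

    hmac.compare_digest keeps the comparison constant-time, and an algorithm
    missing from the manifest line counts as a failure rather than a pass.
    """
    actual = digests(data)
    problems = []
    for name in ALGORITHMS:
        if name not in expected:
            problems.append(f"{name}: missing from manifest")
        elif not hmac.compare_digest(actual[name], expected[name]):
            problems.append(f"{name}: mismatch")
    return (not problems), problems


# Constructed stand-ins; not real driver bytes.
GOOD_DRIVER = b"constructed stand-in for truecrypt.sys contents\n"
TAMPERED_DRIVER = GOOD_DRIVER.replace(b"stand-in", b"stand_in")

# Step 1 (at home): record the known-good digests.
MANIFEST_TEXT = build_manifest({"truecrypt.sys": GOOD_DRIVER})
KNOWN_GOOD = parse_manifest(MANIFEST_TEXT)

if __name__ == "__main__":
    # Step 2 (on the unknown machine): verify before trusting the driver.
    for label, blob in (("good", GOOD_DRIVER), ("tampered", TAMPERED_DRIVER)):
        ok, problems = check(blob, KNOWN_GOOD["truecrypt.sys"])
        print(label, "OK" if ok else "FAIL", problems)
```

As the post notes, this only helps if the tool itself and the manifest come from your own media and the machine is not already rooted; a rootkit that intercepts file reads can feed the hasher the original bytes while the loaded driver is something else.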

rab040ma
Joined: 2007-08-27 13:35
Safe enough

I usually talk about being able to "prove" that a machine is safe. I think it is possible, for a given set of criteria. For example, if I can verify a digital signature on each driver and executable on a machine, and verify the source of each piece of software, I've achieved one level of "provable" security. Depending on how secure you want to be, you might want to add some other tests, like taking a checksum of the bios to make sure it has not been tampered with.

Yes, Microsoft makes mistakes, but they won't stay in business if they don't address their mistakes. There is a certain level of liability there that balances the security risk. The same with other legitimate software vendors. Most of the flaws in their software cannot be used to compromise a machine without running another piece of software, one that is created for that purpose (e.g. a virus or trojan). If such software is prohibited from running, that makes it much harder to compromise the machine. (Preventing the software in this context could mean restricting unknown programs by policy, blocking network access to the machine, restricting physical access to the machine, real-time anti-malware software.)

Windows currently has some fairly effective ways to limit what executables can run. There are also add-ons that can limit programs by policy.

You'd probably not find such a locked down machine useful, since the PortableApps programs we bring with us to the machine would not run (unless they had been previously allowed by policy).

The buzzword in security is defense-in-depth. I guess one criterion for "safe enough" is how much "depth" a particular installation has. If the machines are protected from physical tampering, run good firewall and anti-malware software, have policies about what software can run, are protected behind network firewalls, and are monitored for intrusions, that might be pretty good "depth". You might be able to measure such defenses when deciding whether to plug your USB drive into the machine.

I agree that the criterion is "is it secure enough" -- that you evaluate the risk, and decide for yourself whether the risks are tolerable and justified by the benefits. And if I saw an Internet cafe or hotel business center being run by people who are knowledgeable and concerned, I'd be more likely to accept their assertions that they control physical access to the machine, have an effective firewall and real-time anti-malware scanning, and reset the machine to a known state between users. If their machine refuses to allow my PortableApps to run until they have checked them, even better, since I'd have some hope that they haven't permitted malware to run.

Anyway, that's some of what is involved with proving a computer is secure, or even proving that it is secure enough.

As for what kinds of things could compromise your safety:

  • hardware and software keyloggers are a potential problem (mitigation: physical control of the machine, control of what software is run)
  • rootkits can make any program look like another, including making some software you use appear to "validate" Truecrypt drivers, and even signatures on other software (mitigation: physical control of machine, control of what software is run, regular scanning of the drive in a second, trusted machine)
  • machines that are maintained by well-meaning but ignorant people who think they are using good policies (mitigation: they could hire someone who has knowledge of security best practices)
  • malware running on the machine (mitigation: restrict admin access, scan the machine regularly, AV software, restrict program execution by policy, monitor the machine for compromise, challenge the machine with penetration testing, make public users access things only in a virtual machine which can be reset after each use and prevented from compromising the host OS)

Again, most of these things involve competence and trust. When it comes to a third party's machine (e.g. at a hotel or internet cafe) that can be about as hard to prove as whether the machine is secure.

MC
