Clipboard Security in a Sandbox

I have been a little concerned that with my banking security configuration because I must drag and drop my user name at the Bank of America website. Recently I realized I don't have a problem. I'd like to know if my logic is correct.

Setup: Windows XP SP3. Firefox 6..6.17 (NoScript, Keyscrambler, WOT), Sandboxie with seperate sandboxes for surfing and banking, with DefenseWall and Panda Cloud Pro. I have use Roboform but I can't get it to enter the user name on the Bank of America website. I also have KeePass.

My concern has been that when logging into the Bank of America, I delete everything in a security sandbox . I open KeePass in the security sandbox and then click on Bank of America in the KeePass to open Firefox and go the Bank of America website. Once at the Bank of America website, the only way I can enter my user name is to copy the username in KeePass and paste it in the username dialog box on the website. I then enter my password with Roboform.

I had always felt that there was a security problem when copying the username from KeePass, however, I now believe I am secure because the clipboard that is inside the security sandbox when I do this and so is protected. Am I correct?

EDIT: I believe major questions is: Is the clipboard in the security sandbox protected from malware outside the sandbox.

 

No, I don't think you are protected. If you want to know for certain, download the SpyShelter test suite and run the clipboard test.

 

there should be no problems if you can be sure your computer is not already infected and if your surf directly to your bank website from a clean sandbox.

if you are concerned though you could use Trusteer Rapport or Prevx Safe Online.
although those 2 are not compatible with Sandboxie.

using security app is always a trade-off between security and convenience and SBie is no exception.
using a browser under SBie makes it impossible to drag and drop text/password into a browser.
there are other inconveniences as well.

i might be going off topic a little here but i am losing my patience quickly with security apps and the convenience hit they introduce.

 

Although I don't use password managers for important sites, have you tried KeeFox?

 

I don't believe KeeFox would work with the Bank of America website due to the way the user name is entered. I do have it on this machine but I'm pretty sure it doesn't work with Sandboxie either but I will check on it again.

Thanks for the help.

 

IMHO, using anything to store your banking credentials is a mistake. Thats just my opinion

Sul.

 

It's only a mistake if you do it in an insecure way

 

i don't do banking on my pc.but if using zemana or spyshelter
with its anticlipboard capabilities would be enough to hide your usernames and passwords?

 

Yes, both Zemana and Spyshelter would alert you to untrusted applications trying to read from your clipboard. Prevx SOL would also protect the clipboard content while at a HTTPS website. Trusteer Rapport would not protect the clipboard however - Rapport used to, but there appears to be a bug in the current version.

 

I believe that DefenseWall would also provide this same protection. Isn't that correct?

 

DW would alert to an untrusted app trying to copy clipboard contents but it does not stop the actual clipboard capture. It just tells you it's happening. At least that's how it worked when I used DW.

 

i got the following message from Trusteer (in the console in the Full Report section) when copying and pasting username and password in Hotmail:

i don't know if the copy/paste itself is protected but anyway...

 

Hmm..not sure. I corresponded with Trusteer earlier today about the clipboard protection issues and they said they were still looking into it.

 

thnx for the update Scoobs!

 

Yes, that's correct, DW blocks such the attempts only under "Go Banking/Shopping" mode since 3.14 version.

 

Good approach Ilya.

 

Thank you for the reply. I had not previously used the Banking/Shopping mode (really stupid of me) but I will from now on.

 

From 3.14 version (waiting for script files translated to release the version) there is a built-in elementary browser, made specially for safe banking, without closing other untrusted processes.

 

Ilya,
What's the status of DW and Windows 7 x64?
Thanks.
Hugger

 

I'm gathering information. As much as I can.

 

I finally got a response back from Trusteer. They advise that their "Consumer" version of Rapport does not provide any clipboard protection and that the published reports showing Rapport protecting against clipboard logging are not with the 'Consumer' version.

 

Forgive me for showing up late and asking a basic question of the OP, but is it correct that you have tried entering your login info via the KeePass Perform Auto-Type feature, in which the default auto-type has been changed to two-channel auto-type obfuscation? I'm assuming that this is not possible (that you have already tried it), but I'm confused because you mention that you have to drag and drop, but then you say you have to copy and paste.

Perform Auto-Type doesn't work?