KeyScrambler, is still really effective?

[ExtremeGamerBR]

Hello!

I'm not suspicious of the effectiveness of the program but it's just a question.

With the current keyloggers highly developed, using a program that offers only a scrambling of the keys, it is still effective in preventing theft of logins and passwords? In addition to passwords programs - Keepass, for example.

I know that no program is 100% but wonder if it continues to offer a relevant protection...

Thanks in advance!

[kjdemuth]

Keyscambler uses 128 bit encryption. It would be far easier for someone to find another way to log your information than to break that encryption.
"KeyScrambler uses both standard symmetric-key and asymmetric-key encryption. The algorithm used for symmetric-key encryption is Blowfish (128-bit). The algorithm for asymmetric-key is RSA (1024-bit)."

[PJC]

KeyScrambler Free (i.e. IE and FF Add-on) together with SpyShelter Free.

[jmonge]

top notch

[moontan]

it is a good product but i think if one worries about keyloggers one should also worry abour types of loggers: screen, clipboard, mouse, etc...

I like it because it's easy to use - no questions, no pop ups, no warnings

[Amit]

yeah keyscrambler is awesome..

[blasev]

Keyscrambler free are awesome, but since Firefox is going for fast update cycle it just can't keep up.

Yesterday I was trying KS free with Firefox 7.1 and Firefox 8.0 on Windows 7 64 bit.
Sometimes KS doesn't work (the key aren't scrambled), I must turn off then turn on ks to make it work.

I would still recommend using KS, especially with IE

[Amit]

Quote:

Originally Posted by blasev

Yesterday I was trying KS free with Firefox 7.1 and Firefox 8.0 on Windows 7 64 bit.
Sometimes KS doesn't work (the key aren't scrambled), I must turn off then turn on ks to make it work.

ks works smoothly with firefox 8.0 in my pc...

[BoerenkoolMetWorst]

Most modern banking malware uses Man in the Browser attacks, Keyscrambler doesn't protect against this, so depending on what you use it for and your other security, the protection might not be relevant enough anymore.

[ichito]

Quote:

Originally Posted by BoerenkoolMetWorst

Most modern banking malware uses Man in the Browser attacks, Keyscrambler doesn't protect against this (...)

It's the part of article "Man-in-the-browser attack" from site of OWASP Project

Quote:

8. When the handler detects a page-load for a specific pattern in its targeted list (for example -https://secure.original.site/account/do_transaction-) it registers a button event handler.
9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values.

https://www.owasp.org/index.php/Man-...browser_attack
Why this?...KS encrypt "on-the-fly" all keystrokes typed by user in browsers for example my login and password
login: ichito
password: blabla_bla
KS changes randomly letters and signs to
login: %5i:*/
password: +j("#>jY_@
How those signs are useful for trojan and why KS don't protect me?

[BoerenkoolMetWorst]

Quote:

Originally Posted by ichito

It's the part of article "Man-in-the-browser attack" from site of OWASP Project

https://www.owasp.org/index.php/Man-...browser_attack
Why this?...KS encrypt "on-the-fly" all keystrokes typed by user in browsers for example my login and password
login: ichito
password: blabla_bla
KS changes randomly letters and signs to
login: %5i:*/
password: +j("#>jY_@
How those signs are useful for trojan and why KS don't protect me?

Yes, by encrypting the keystrokes, KS creates a secure 'tunnel' between keyboard and browser so keystrokes can't be read as they are typed. Then the browser sends them securely to the site you visit(if it's HTTPS) so intercepting network traffic won't work either, but MitB attack doesn't try to intercept keystrokes as they are typed or going over the network, it attacks the browser itself, where it's insecure/decrypted for a while. As you can read from the information you posted, it steals the info just before it's sent encrypted over SSL:

Quote:

9. When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values.

[Kuffi]

I just found keyscrambler today and became curious about how it works.

So it installs a driver that that hooks the incoming keyevents as I read - now what will happen when I

1) simply kill the keyscrambler driver so it won't run anymore?
2) simply also hook the same incoming datastream and give it to the keylogger (via ring0 driver)?
3) hook the decryption and get the text from keyscrambler?
4) get the encryptionkey which has to be there somewhere?

Thank you

[Hungry Man]

After listening to the Trusteer Rapport debacle and how there are fundamental flaws with theses things I'd be very surprised if keyscrambler works all that much better, though at least it uses legitimate encryption.

I don't know enough about how it works though.

[Scoobs72]

Not wishing to have a downer on Keyscrambler, but you have to ask what it will in fact protect you from. Against all the modern banking malware it's pretty much useless as this type of malware hooks after the point at which the keystrokes are decrypted, as well as stealing from the clipboard and taking screenshots.

I'm not even sure that any of the commercial keyloggers restrict themselves to just keyboard logging these days.

Far better, imo, that if you are concerned about 'keylogging' then you use an application with full-spectrum anti-keylogging capabilities.

[lordraiden]

Quote:

Originally Posted by Hungry Man

After listening to the Trusteer Rapport debacle and how there are fundamental flaws with theses things I'd be very surprised if keyscrambler works all that much better, though at least it uses legitimate encryption.

I don't know enough about how it works though.

What trusteer rapport debacle?

you can not compare TR with KS, KS just proctect against real time keyloguers (not very common in real malware because are easy to detect), and TR protects against any way to steal your information from the browser.

[Scoobs72]

Quote:

Originally Posted by lordraiden

and TR protects against any way to steal your information from the browser.

Not always true with Rapport. Although it can protect against the common methods (MITB, Keylogging, Clipboard logging, Screenshot logging etc), each bank that provides Rapport to its customers has a different configuration, some of which don't include all the protection methods, e.g. clipboard protection is often not provided. One bank's version of Rapport is not necessarily providing the same level of protection as another bank's.

[Hungry Man]

TR is a farce. It's essentially useless and can be bypassed with a few lines of code.

edit: -https://www.youtube.com/watch?feature=player_embedded&v=EimZQgt7WPg-

There's something with more info. There have actually been a few more whitepapers since that really emphasize the issues.

They are plenty comparable. They both try to encrypt information from the keyboard to a program. As noted in that video, this is not currently possible.

edit2: wilders topic about it http://www.wilderssecurity.com/showthread.php?t=320410

[Kuffi]

Quote:

Originally Posted by Hungry Man

though at least it uses legitimate encryption.

Problem is what I stated already "4) get the encryptionkey which has to be there somewhere?" - you encrypt with a key that has to be there somewhere, either hardcoded in the driver or generated automatically and then has to be stored somewhere and told the decrypt function - either way it's screwed and useless.

[Hungry Man]

Without knowing how it works it's hard to say but the video basically stated that there are fundamental flaws in areas that these to products both deal with.

[lordraiden]

Quote:

Originally Posted by Hungry Man

TR is a farce. It's essentially useless and can be bypassed with a few lines of code.

edit: -https://www.youtube.com/watch?feature=player_embedded&v=EimZQgt7WPg-

There's something with more info. There have actually been a few more whitepapers since that really emphasize the issues.

They are plenty comparable. They both try to encrypt information from the keyboard to a program. As noted in that video, this is not currently possible.

edit2: wilders topic about it http://www.wilderssecurity.com/showthread.php?t=320410

Its a flaw of 2011 are you sure that this has not been already fixed? maybe it was fixed few days after it was made public

Quote:

Originally Posted by Scoobs72

Not always true with Rapport. Although it can protect against the common methods (MITB, Keylogging, Clipboard logging, Screenshot logging etc), each bank that provides Rapport to its customers has a different configuration, some of which don't include all the protection methods, e.g. clipboard protection is often not provided. One bank's version of Rapport is not necessarily providing the same level of protection as another bank's.

You can configure TR to have any website to be protected like those preconfigured banks websites, the only difference is that truster can not check the IP to see if is the same that they have in the database for that bank.

[x942]

Quote:

Originally Posted by Hungry Man

Without knowing how it works it's hard to say but the video basically stated that there are fundamental flaws in areas that these to products both deal with.

Time to break IDA Pro again

Quote:

Originally Posted by lordraiden

Its a flaw of 2011 are you sure that this has not been already fixed? maybe it was fixed few days after it was made public




You can configure TR to have any website to be protected like those preconfigured banks websites, the only difference is that truster can not check the IP to see if is the same that they have in the database for that bank.

I have verified in that thread the HM linked other potential vulnerabilities in the software. I am more than happy to try and confirm the flaws described in that video as well. If it is that easy I shouldn't have much trouble circumventing it.

[ichito]

Quote:

Originally Posted by Scoobs72

Far better, imo, that if you are concerned about 'keylogging' then you use an application with full-spectrum anti-keylogging capabilities.

And that is the reason why I still use SpyShelter with KS in one combo...although I know that some users prefer signature-based programs.

[Hungry Man]

Quote:

Originally Posted by lordraiden

Its a flaw of 2011 are you sure that this has not been already fixed? maybe it was fixed few days after it was made public




You can configure TR to have any website to be protected like those preconfigured banks websites, the only difference is that truster can not check the IP to see if is the same that they have in the database for that bank.

The released a "fix" but never addressed many of the issues and there have been whitehat papers since then explaining this.

As the video says, it takes only a few lines of code to bypass and any beginner programmer with assembler could do it.

x942, if you're willing to look into it I'd appreciate that.

The very design of it was criticized in the video.

[Scoobs72]

There's at least two separate issues here:

1. If you're going to use an anti-keylogger then can you just use Keyscrambler or do you need a full-spectrum AKL? My opinion on that is posted above, i.e. you would want a full spectrum AKL.

2. Is the only solution for protection against keystroke logging either the use of encryption/obfuscation as deployed by Rapport and Keyscrambler or HIPS alerts as per Spyshelter, Zemana, OA, PFW etc? And is the obfuscation approach fatally flawed in it's logic?
This for me is the more interesting question. How for example is WSA protecting from keystroke logging - obfuscation or HIPS alerts?