Clipboard Security in a Sandbox

Discussion in 'sandboxing & virtualization' started by chinook9, Jun 24, 2011.

Thread Status:
Not open for further replies.
  1. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    I have been a little concerned with my banking security configuration because I must drag and drop my user name at the Bank of America website. Recently I realized I don't have a problem. I'd like to know if my logic is correct.

    Setup: Windows XP SP3. Firefox 6..6.17 (NoScript, Keyscrambler, WOT), Sandboxie with separate sandboxes for surfing and banking, with DefenseWall and Panda Cloud Pro. I use Roboform but I can't get it to enter the user name on the Bank of America website. I also have KeePass.

    My concern has been that when logging into the Bank of America, I delete everything in a security sandbox. I open KeePass in the security sandbox and then click on Bank of America in KeePass to open Firefox and go to the Bank of America website. Once at the Bank of America website, the only way I can enter my user name is to copy the username in KeePass and paste it in the username dialog box on the website. I then enter my password with Roboform.

    I had always felt that there was a security problem when copying the username from KeePass, however, I now believe I am secure because the clipboard is inside the security sandbox when I do this and so is protected. Am I correct?

    EDIT: I believe the major question is: Is the clipboard in the security sandbox protected from malware outside the sandbox?
     
    Last edited: Jun 24, 2011
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    No, I don't think you are protected. If you want to know for certain, download the SpyShelter test suite and run the clipboard test.
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    there should be no problems if you can be sure your computer is not already infected and if you surf directly to your bank website from a clean sandbox.

    if you are concerned though you could use Trusteer Rapport or Prevx Safe Online.
    although those 2 are not compatible with Sandboxie.

    using a security app is always a trade-off between security and convenience and SBie is no exception.
    using a browser under SBie makes it impossible to drag and drop text/password into a browser.
    there are other inconveniences as well.

    i might be going off topic a little here but i am losing my patience quickly with security apps and the convenience hit they introduce.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Although I don't use password managers for important sites, have you tried KeeFox?
     
  5. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    I don't believe KeeFox would work with the Bank of America website due to the way the user name is entered. I do have it on this machine but I'm pretty sure it doesn't work with Sandboxie either but I will check on it again.

    Thanks for the help.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    IMHO, using anything to store your banking credentials is a mistake. That's just my opinion ;)

    Sul.
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    It's only a mistake if you do it in an insecure way :)
     
  8. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    i don't do banking on my pc. but if using zemana or spyshelter
    with its anticlipboard capabilities would be enough to hide your usernames and passwords?
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Yes, both Zemana and Spyshelter would alert you to untrusted applications trying to read from your clipboard. Prevx SOL would also protect the clipboard content while at an HTTPS website. Trusteer Rapport would not protect the clipboard however - Rapport used to, but there appears to be a bug in the current version.
     
  10. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    I believe that DefenseWall would also provide this same protection. Isn't that correct?
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    DW would alert to an untrusted app trying to copy clipboard contents but it does not stop the actual clipboard capture. It just tells you it's happening. At least that's how it worked when I used DW.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i got the following message from Trusteer (in the console in the Full Report section) when copying and pasting username and password in Hotmail:

    i don't know if the copy/paste itself is protected but anyway...
     
  13. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Hmm..not sure. I corresponded with Trusteer earlier today about the clipboard protection issues and they said they were still looking into it.
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    thnx for the update Scoobs! :thumb:
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, that's correct, DW blocks such attempts only under "Go Banking/Shopping" mode since version 3.14.
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Good approach Ilya. :thumb:
     
  17. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    439
    Thank you for the reply. I had not previously used the Banking/Shopping mode (really stupid of me) but I will from now on.
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    From version 3.14 (waiting for script files to be translated to release the version) there is a built-in elementary browser, made specially for safe banking, without closing other untrusted processes.
     
  19. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Ilya,
    What's the status of DW and Windows 7 x64?
    Thanks.
    Hugger
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I'm gathering information. As much as I can.
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    I finally got a response back from Trusteer. They advise that their "Consumer" version of Rapport does not provide any clipboard protection and that the published reports showing Rapport protecting against clipboard logging are not with the 'Consumer' version.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Forgive me for showing up late and asking a basic question of the OP, but is it correct that you have tried entering your login info via the KeePass Perform Auto-Type feature, in which the default auto-type has been changed to two-channel auto-type obfuscation? I'm assuming that this is not possible (that you have already tried it), but I'm confused because you mention that you have to drag and drop, but then you say you have to copy and paste.

    Perform Auto-Type doesn't work?
     