Completed my ultimate anti-keylogger defense

Discussion in 'other anti-malware software' started by Kees1958, Aug 15, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    Sometimes solutions can be so easy and obvious, that they are overlooked.


    This is what I have done on the new university laptop of my son

    Use Iron for daily browsing

    Downloaded Iron (a Chromium clone which installs as a regular program in the Program Files directory). Chrome has not been hacked in the Pwn2Own contest two years in a row. The more I understand their concept, the more I admire the simplicity of it.

    Let me give you the ultimate short version on how Chrome manages to totally isolate its tabs (rendered webpages).

    First it compiles JavaScript into machine code and generates hidden classes for fast access and security. Other web browsers use libraries in which malware can try to access classes used by other processes in the library by illegal addressing. In Chrome, JavaScript running in a tab can only see and access the classes assigned to it.

    Secondly it sandboxes the tabs in total isolation by using the CreateRestrictedToken API and AdjustTokenPrivileges to lock down the token the rendering process is running with. Next it creates a Job object to place more limitations on that rendering process (e.g. no access to user handles outside its own job, prevent desktop switching, prevent shutdown, die on unhandled exception, etc.). Then it runs the rendering process on a separate desktop to prevent, for instance, window-message abuse. ==> total isolation using OS features in a creative way :cool:.

    It is not surprising Chrome has not been pwned two years in a row. I used the Google DNS service by adding its servers in the browser.


    Use IE for banking
    I installed Trusteer Rapport free and added the online-banking sign-in webpages as my protected websites. Trusteer does not work on Iron (it does work on Chrome), so for normal browsing I do not have any delay due to security software overhead.

    Next I opened IE8. What? Use a browser with a bad reputation for the most sensitive transactions? (Although IE8, running in Protected Mode with low rights on Vista with UAC on, was a far more secure browser than FF3.0.) Then I put the two sign-in screens of the two banks my son uses into the home pages. I told IE8 to start by launching those two home pages. Next I entered Windows Firewall with Advanced Security and ALLOWED IE8 ONLY TO ACCESS THE TWO IP-ADDRESSES OF THOSE BANKS. Next I told IE8 to use the DNS server of my ISP. I added this DNS server's IP address also as an allowed IP address in the Windows 7 Firewall for IE8.

    Conclusion
    When you use two browsers, you can use your Firewall to allow only specific IP addresses. Using Trusteer and this FW trick, malware can't log and send the data out using the browser's session (of course, close the other browser when banking).

    By the way I did the same for Outlook, only allowing a specific port and the IP-address of our ISP.
     
    Last edited: Aug 15, 2010
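    The point-to-point binding described in the post, as an added example that is not Kees1958's own configuration: a PowerShell script for Windows 7 that drives the built-in firewall through netsh. All IP addresses are constructed placeholders (TEST-NET ranges), the rule names are invented, and it assumes the sign-in pages are served over HTTPS on port 443. Because a block rule always beats an allow rule in Windows Firewall, the script sets the profile's default outbound action to block and then opens only the needed paths; every other program (Iron, Windows Update, Outlook) then needs its own allow rule, exactly as the post describes doing for Outlook.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 7.
# Placeholders (constructed, replace with the addresses you resolved yourself):
$BankIPs = @('198.51.100.10', '198.51.100.11')   # the two bank sign-in hosts
$IspDns  = '203.0.113.53'                         # your ISP's DNS resolver
$IE      = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$Svchost = "$env:SystemRoot\System32\svchost.exe"
$BankList = $BankIPs -join ','

# 1. Default outbound action becomes BLOCK for every profile. From here on,
#    anything without an explicit allow rule is dropped (this is the "only"
#    in "allow IE8 only to access the two bank IPs").
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. iexplore.exe (both the medium-IL broker and the low-IL Protected Mode tab
#    are the same image) may talk only to the bank front doors, on HTTPS.
netsh advfirewall firewall add rule name=IE8-bank-only dir=out action=allow `
    "program=$IE" protocol=TCP remoteport=443 "remoteip=$BankList" enable=yes

# 3. Name resolution on Windows is performed by the DNS Client service
#    (Dnscache, hosted in svchost.exe), not by the browser process itself,
#    so the DNS rule is scoped to that service and to the one resolver in use.
netsh advfirewall firewall add rule name=DNS-ISP-only dir=out action=allow `
    "program=$Svchost" service=Dnscache protocol=UDP remoteport=53 `
    "remoteip=$IspDns" enable=yes

# 4. Verify: both rules exist and all three profiles report BlockOutbound.
netsh advfirewall firewall show rule name=IE8-bank-only
netsh advfirewall firewall show rule name=DNS-ISP-only
netsh advfirewall show allprofiles | Select-String 'Policy'
```

Drop `remoteport=443` if a bank's sign-in page is still reached over plain HTTP, and remember that the bank's IP addresses can change, in which case the rule must be updated rather than loosened to `any`.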
  2. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    267
    Location:
    Philippines
    Hmmm... interesting. Thanks for the guide Kees!
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Another excellent tutorial from the greatest Dutch Master since Van Gogh ;)
     
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Why not use firefox instead of IE for the banking sites?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Firefox runs with medium rights, IE8 with low rights (in Protected Mode). I have Windows 7 Ultimate for my wife, so I implemented the Threats and Countermeasures group policy enhancements by hand with regedit on my son's laptop. It is possible to lock down IE8 from changes completely and harden the way it handles network/TCP also.
     
    Last edited: Aug 15, 2010
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can have any browser running with Low IL.
     
  7. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Thanks for the useful info..:)
     
  8. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    You did it again ;)

    Been waiting for another of yours mate.
    One snag so to say - you need to know how to configure your FW to do that... could you expand your tutorial by providing the info regarding Outpost and CIS?
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry Korben,

    I remember Stem has done some testing on Outpost. Maybe it is shown there.

    For CIS you have to copy the webbrowser default setting and look at details/advanced to add IP-addresses, when my memory serves me well.

    The beauty of using one browser is that you can tell your firewall to allow only a point-to-point connection through your ISP's DNS-server IPs.

    We are on Vista/Windows 7 now, so we use its internal firewall because it filters well, is fast and is free.

    Regards, Kees
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I agree. And the by-far simplest way to prevent keyloggers is to run maxed-out Safe Online plus ANY of the compatible browsers (Firefox, Chrome-family, Opera, Internet Explorer). Waaay simpler than "if this, then that" & "if that then this" and "configure this for that " & "tweak that for this". Sheesh, mon, I coming dizzy already. :rolleyes:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    P.S. Kees old shoe - no offense but me am kamikaze wild-doofus. Me run Admin forever. In Hawaii, "LUA" is where someone goes to pee & poop. :D
     
    Last edited: Aug 16, 2010
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bill,

    Ahh well, my son was lucky to be drawn from the lottery in the bachelor's study of his preference in the Netherlands. Drawing happens when your grade average is below B+ level.

    He has to travel by train for two hours single journey. So instead of the most sexy laptop (CPU + GPU power) he needed one with a lot of battery power. Minimizing hard disk access is a way to increase battery life. The background scan of PrevX Safe is always on, so that "one size fits all" solution was not an option.

    The laptop has a smart feature to use the built-in graphics for low-demanding video tasks (e.g. Word) and uses its mid-range GPU only when needed (e.g. Photoshop). By stripping fancy Win7 features and a lean setup we managed to increase the eco-mode battery life from 2h 40 mins to 3h 10 mins.

    Regards Kees
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Congratulations!!!:thumb: :thumb: :thumb:

    When he graduates, I hope he will quickly be hired to a high-income job, so he can easily afford to send you on an all-expense tour of Hawaii. I will definitely wine you & dine you with MUCH aloha.

    How about if he uses one of those thumb/flash drives? The biggest I have seen is 32GB -- that ought to meet his needs. Don't flash drives use a lot less battery power than hard drives?

    I might have expected that your solution had a perfect reason, and GREAT ingenuity, behind it.

    Well conceived, sensei !

    Couldn't he also carry an extra battery pack, as a stand-by? Too heavy or too expensive or . . .?

    Warm regards, be well, live long, enjoy great serenity.

    Bill
     
  13. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    I'm not familiar with Iron Chrome. Can you post a link to their website? :)
     
  14. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
  15. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    @lordraiden

    Thanks! Just saw the site. I like the catchy description "SRWare Iron: The Browser of the future" :D

    Is the portable version also as secure as it says? looks reeeaall good to me :D
     
  16. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    The portable version must be as secure as the normal one.
     
  17. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Use IE8 x64 instead of IE8 x32 for banking if you can. 64-bit processes are further isolated from 32-bit processes, which nearly all malware in existence is. On top of that, it's an easy/cheap way to load IE without plugins, which adds another layer of security.
     
  18. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Love multi-browser recommendations. I always recommend them to enterprise folk, as well as endpoint policy enforcement that restricts the web browser doing sensitive stuff to white-listed URLs only, as well as blacklisting those same URLs in the other web browsers.

    The nice thing about selecting IE8 for online banking or other sensitive tasks is that developers universally test their web applications for IE compatibility. Whereas other browsers are often treated as an 'extra' cost.

    Say, do you all know if an old plug-in/add-on, such as Flash or Shockwave, still takes IE8 out of 'Protected Mode'? This has to do with some kind of legacy, backwards-compatibility effort by Microsoft, which about a year ago seemed frustrated that Adobe was not updating its plug-ins accordingly.

    Cheers,

    Eirik
     
  19. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    @Kees

    Master, your every wish is my command.

    What an elaborate set-up you have devised, but then I expect it from a person with such a colossal amount of expertise and knowledge like yourself.

    Me? I'm just a footslogger following the guy in front; if he don't go, I don't.

    Kees, you can see my tiny army of minders in my signature. I do have a number of very popular stand-alone jobs as well.

    I have never had anything come up on my scans for months, especially since I installed Sandboxie about 3 months ago. As far as I can therefore see, my system is lily white.

    Q1 : Is this selection I have "good enough" for general purposes against keyloggers ?
    Q2 : Does Sandboxie protect me 100% against keyloggers ?
    Sandboxie is set to delete the sandbox on FF shutdown.

    I do not have a single grain of financial or delicate personal data on my computer.

    Will be grateful to hear your valued comments.

    John
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,733
    Nice idea for binding a browser to IPs. For me too overstealthed - a bit too paranoid.
    Anyway, that is possible for any browser - incl. portables.
    And no - that is not safe vs keyloggers if you know how those work.
    Even Sandboxie ain't secure.

    KeyScrambler might be an option ► http://www.qfxsoftware.com/
     
  21. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    You are very correct in saying "overstealthed - a bit too paranoid" for the average punter, but Kees ain't the average punter. To him it is an easy ride; to us it is far too complicated and probably unnecessary.

    In advance of Kees' reply, KeyScrambler looks good on reading the site's blurb, and free too - is it? Seems to say it is an add-on. Sending in code is child's play, ancient practice, but how does it get decoded at the receiving end?

    HUM, does it really work without screwing up anything ? :argh:

    John B

    EDIT PS :- Over many months my computer has been clean on scans by umpteen different programs and I still scan it several times each week, quick and deep. My name and passwords are auto-filled in, I do not use the keyboard. They are welcome to take part on Wilders Forum if they find out that data.
     
    Last edited: Aug 16, 2010
  22. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    How about the following for keeping financial info/passwords secure:
    Have admin account+2 LUA accounts+SRP+close user startup locations.
    Use the 2nd LUA account ONLY for financial transactions.
    Use admin account ONLY for system maintenance.
    Use LUA account 1 for day to day browsing (using Iron etc in sandboxie)
    Of course, turn off autorun.

    For malware to find out financial info, it would have to infect the admin account, or run in the browser in LUA-2; both of which are pretty much ruled out by the above settings...
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I will try that. Trusteer Rapport still has some benefits over x64, like process protection and screen-print protection plus key scrambling.


    Thx :thumb:
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Please give Trusteer Rapport a go and read their specs. This is the anti-capture part. The point-to-point binding is the anti-outbound (of collected data) part.


    But I will take IE64 with Keyscrambler free for a ride, (combining your suggestion plus funkydude's tip) see what is lighter :thumb:
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Eirik,

    Thanks. I did not know about taking IE8 out of Protected Mode. This is another reason to try the Funkydude/Brummelchen combo of IE8 64-bit (which does not have Flash) with KeyScrambler.
     