Completed my ultimate anti-keylogger defense

Discussion in 'other anti-malware software' started by Kees1958, Aug 15, 2010.

Thread Status:
Not open for further replies.
  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I also want to know. :doubt:
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't see what it could add to Windows Firewall with Advanced Security. That was my doubt since the first post.
    I assumed that, considering Trusteer Rapport was mentioned, Kees had no default deny policy set in place, only for IE. This, by itself, won't prevent any keylogger from sending out information, unless the keylogger tries to use IE's own session to send out the information.

    If that's the case, that Windows Firewall is not set with a default deny policy, then how will blocking IE from connecting to any IP, except those strictly allowed in firewall, prevent keyloggers from sending out information, if they do not make use of IE's own session? It won't.

    Unless the firewall is set with a proper default deny policy in place, and in this scenario Trusteer Rapport or similar makes no sense at all, since the keyloggers cannot send out information.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The --safe-plugins switch cripples things. It also cripples the Adobe Reader plugin, and it will make reading PDFs using the plugin impossible. I personally invoke Adobe Reader, and not the plugin.

    Now, for YouTube, Adobe Flash will work fine with the --safe-plugins switch. No idea why it won't work with some others. Maybe poor Flash coding in those websites? Just a very wild guess.

    If it works with YouTube and others, then it's not a problem with the browser, the Flash plugin or the switch. Rather with the websites, I guess. Makes any sense?
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    yes. :thumb:
     
  7. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
  8. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    Perhaps we need a guide on how to use Iron efficiently...
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I think you just need to use --safe-plugins to enable those. :thumb:
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is how you make the "sandbox". You create a restricted token with the CreateRestrictedToken call, and you adjust the token's privileges to run at Low Integrity Level with the AdjustTokenPrivileges call.

    These are APIs to the methods in the OS. What Chrome does is use these methods when creating each "tab".

    If you truly wanted to, you could code your own program that created a process similar to what Chrome is doing. IE does the same thing in Protected Mode.

    To do this, you need to have a "handler" process that will be the parent process. It will have (normally) a higher level of rights so it can do the things it needs to do. It, in turn, uses the CreateRestrictedToken and AdjustTokenPrivileges APIs to start the child processes. In this manner, one parent process (in Chrome's case it also runs on another 'desktop' session) has all the power, but the actual "coming and going" happens in child processes that are restricted.

    All makes sense, yes? These are not something you can enable AFAIK, they are what is happening inside the code.

    Sul.
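
The broker/child pattern Sully describes, as an added example that is not from the thread or from the Chromium or IE code: a small PowerShell script compiles a C# helper that takes the caller's own token, makes a restricted copy with CreateRestrictedToken (all privileges removed, Administrators SID made deny-only), sets the Low integrity label on it, and starts a child with CreateProcessAsUser. The integrity label is set here with SetTokenInformation(TokenIntegrityLevel), which is the Win32 call that writes a mandatory label; the constant values, the class name RestrictedLauncher and the cmd.exe demo command are this example's choices, not anything from the page. Everything else a real browser sandbox adds (separate desktop, job object, restricted SIDs, IPC brokering) is left out on purpose.

```powershell
# Added example: launch a child at Low integrity from an unprivileged "broker" (this shell).
# Works on Vista and later; run from a normal (non-elevated) PowerShell.
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class RestrictedLauncher
{
    const uint TOKEN_ASSIGN_PRIMARY = 0x0001, TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008, TOKEN_ADJUST_DEFAULT = 0x0080;
    const uint DISABLE_MAX_PRIVILEGE = 0x1, LUA_TOKEN = 0x4;   // CreateRestrictedToken flags
    const int  TokenIntegrityLevel = 25;                         // TOKEN_INFORMATION_CLASS member
    const uint SE_GROUP_INTEGRITY = 0x20, CREATE_NEW_CONSOLE = 0x10;

    [StructLayout(LayoutKind.Sequential)] struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO { public int cb; public string lpReserved, lpDesktop, lpTitle; public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags; public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
    [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool CreateRestrictedToken(IntPtr existing, uint flags, uint disableSidCount, IntPtr sidsToDisable, uint deletePrivilegeCount, IntPtr privilegesToDelete, uint restrictedSidCount, IntPtr sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll")] static extern uint GetLengthSid(IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool SetTokenInformation(IntPtr token, int cls, ref TOKEN_MANDATORY_LABEL info, uint length);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine, IntPtr pAttr, IntPtr tAttr, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    static void Check(bool ok, string call) { if (!ok) throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error(), call + " failed"); }

    // Returns the PID of a child whose token has (a) every privilege except SeChangeNotify removed,
    // (b) the Administrators SID as deny-only if the caller happened to be elevated, (c) a Low label.
    public static int Launch(string exe, string args)
    {
        IntPtr primary, restricted, lowSid;
        Check(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_DEFAULT, out primary), "OpenProcessToken");
        Check(CreateRestrictedToken(primary, DISABLE_MAX_PRIVILEGE | LUA_TOKEN, 0, IntPtr.Zero, 0, IntPtr.Zero, 0, IntPtr.Zero, out restricted), "CreateRestrictedToken");
        CloseHandle(primary);

        // S-1-16-4096 is the well-known Low Mandatory Level SID. Mandatory Integrity Control then denies the
        // child write access to Medium-integrity objects: the user's files, other processes, most registry keys.
        Check(ConvertStringSidToSid("S-1-16-4096", out lowSid), "ConvertStringSidToSid");
        var label = new TOKEN_MANDATORY_LABEL { Label = new SID_AND_ATTRIBUTES { Sid = lowSid, Attributes = SE_GROUP_INTEGRITY } };
        Check(SetTokenInformation(restricted, TokenIntegrityLevel, ref label, (uint)Marshal.SizeOf(label) + GetLengthSid(lowSid)), "SetTokenInformation");
        LocalFree(lowSid);   // the token holds its own copy of the label

        var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si);
        PROCESS_INFORMATION pi;
        var cmd = new StringBuilder("\"" + exe + "\" " + args);   // CreateProcessW may modify this buffer
        // No SeAssignPrimaryToken needed: the token is a restricted copy of the caller's own primary token.
        Check(CreateProcessAsUser(restricted, exe, cmd, IntPtr.Zero, IntPtr.Zero, false, CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi), "CreateProcessAsUser");
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(restricted);
        return pi.dwProcessId;
    }
}
'@
Add-Type -TypeDefinition $src -ErrorAction Stop

# Demo: the child prints its own integrity level in its new console window.
$childPid = [RestrictedLauncher]::Launch("$env:SystemRoot\System32\cmd.exe", '/k whoami /groups /fo list | findstr /i mandatory')
"Restricted child started as PID $childPid. For comparison, this broker runs at:"
whoami /groups /fo list | findstr /i mandatory
```

The new console should report "Mandatory Label\Low Mandatory Level" while the launching shell reports Medium (or High when elevated). From inside that console, `echo x > "$env:USERPROFILE\test.txt"` fails with access denied while writing under `%USERPROFILE%\AppData\LocalLow` succeeds, which is the Low-integrity write restriction IE Protected Mode relies on. Process Explorer's Integrity column shows the same thing without any typing.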
     
  11. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thanks Manchar and Konata Izumi, I'm beginning to understand how this great web browser works! :thumb:
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Kees! A few questions from me.
    1. Why do you stress restricted IP access for the browser? Does it mean that keylogged data is sent out by the browser in most/many cases?
    2. Have you tested the real effectiveness of Rapport? I have tried it with AKLT and Elite Keylogger and it failed miserably.
    PS: I always thought KeyScrambler to be very strong, but it apparently failed against a hook based keylogger in MRG testing. Now the only viable option for me remains Prevx SOL, but I don't like that: even if I only want the Safe Online part, it gives a real-time on-execution scanner as well. It is of concern due to possible conflicts, system slowdown, and unneeded features.

    So why don't I fire up an Ubuntu live CD and do my financial transactions from there? Or maybe a Parted Magic live CD, it has Chromium as default browser.

    Also no one mentioned an on-screen keyboard like the one in Windows itself. KIS has a built-in virtual keyboard as well. Should this be as good as KeyScrambler?

    Thanks for the input.
     
  13. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Neos SafeKeys - http://www.aplin.com.au/neos-safekeys-v3

    Portable version available as well ;)
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Failed against keylogger in MRG testing.

    Sorry, maybe I was mistaken, could not find any such test!! o_O
     
    Last edited: Oct 4, 2010
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    what failed?
    Neo's Safekey? o_O
     
  16. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    We're all doomed I say - DOOOOMED:ouch:
     
  17. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Just because this or that fails in TESTING doesn't make it a no-go in real world usage.

    Take tests for what they are worth. If you're that paranoid, then you'll never be satisfied no matter what software you want to run.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The first step is actually not to get the system infected in the first place. ;)

    To achieve that you need to cover 3 infection vectors, in a first stage, which are:

    * Browsing;
    * E-mail (Protection will vary if you use a browser or an e-mail client);
    * USB/CD/DVD;

    If you believe you can build a hyper Fort Knox around these 3 vectors, then there's one more vector left:

    * You, the user
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    BloodMoon and Aigle, sorry I did not see your posts (Sully has answered the other questions)


    With Group Policy you can lock down IE8 in the same way Trusteer Rapport does, with the following exceptions; Trusteer also
    - checks for keyboard hooking and low-level keyboard access at driver level
    - scrambles the keys and informs you when screen prints are made
    - checks whether the code of IE8 is changed or DLLs (modules, they call it) are added (I guess they mean process manipulation and DLL-injection prevention)

    So what it does fairly well is protect IE from tunnelling information from within the browsing session.

    A FW with outbound application control should protect you when a program phones home using its own process name. The idea behind the FW with the restricted IPs is that when a process from outside IE tries to call out by spawning IE (and bypassing Trusteer protection), it needs to send its keystrokes to a certain IP address. Because the FW only allows the IPs of the bank websites plus the DNS service (use for instance Sunbelt ClearCloud or the one of your ISP), you make a sort of point-to-point connection (like old-fashioned direct dial-in) with your bank.

    This dual browser approach, with one locked down (IE8 is not allowed to download programs, install unsigned binaries, download files, etc.) and one 'normally' used browser, is used behind the safe-admin setup.

    This safe-admin can be considered as a hardened UAC with a selective deny-execute and intrusion protection (lower rights objects are not allowed to change higher rights objects) approach.

    So outside the browser session I only install software which I explicitly allow.
    In this context Trusteer, disabling add-ons etc. provided some extras on top of the ones mentioned above (also for people not having a Pro or Ultimate edition to use this tip).

    Regards Kees
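
The firewall side of Kees's setup, and the precondition m00nbl00d insists on a few posts earlier, as an added example that is not from the thread: default outbound action set to Block on every profile, one outbound allow rule that lets only the locked-down browser reach only the bank's addresses on 443, and one pair of rules that lets only the DNS Client service talk to the chosen resolver on port 53. The NetSecurity cmdlets used here exist on Windows 8 / Server 2012 and later; on Windows 7 the identical rules are written with `netsh advfirewall` instead. The addresses are placeholders from documentation ranges, and the rule names and function names are this example's, not Windows' or Trusteer's.

```powershell
# Added example: "point-to-point" egress for one locked-down browser. Run from an elevated PowerShell.
$BrowserPath   = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$BankAddresses = @('203.0.113.10', '203.0.113.11')   # placeholder: resolve your bank's current IPs yourself
$DnsServers    = @('192.0.2.53')                      # placeholder: the resolver you chose (ISP, ClearCloud, ...)

function Set-LockedDownBrowserEgress {
    param(
        [Parameter(Mandatory)] [string]   $BrowserPath,
        [Parameter(Mandatory)] [string[]] $BankAddresses,
        [Parameter(Mandatory)] [string[]] $DnsServers
    )
    # 1. Without this step the per-application allow rule below is decoration: any other process
    #    (a keylogger with its own exe) still enjoys the default "allow outbound" and phones home.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

    # Drop earlier copies so the function can be re-run when the bank's addresses change.
    Get-NetFirewallRule -DisplayName 'LockedBrowser-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # 2. The browser may reach the bank and nothing else, HTTPS only.
    New-NetFirewallRule -DisplayName 'LockedBrowser-Bank-HTTPS' -Direction Outbound -Action Allow `
        -Program $BrowserPath -Protocol TCP -RemotePort 443 -RemoteAddress $BankAddresses -Profile Any | Out-Null

    # 3. Name resolution is done by the DNS Client service inside svchost, not by iexplore.exe, so it
    #    needs its own rule, pinned to the chosen resolver. TCP 53 is for responses too big for UDP.
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "LockedBrowser-DNS-$proto" -Direction Outbound -Action Allow `
            -Service Dnscache -Protocol $proto -RemotePort 53 -RemoteAddress $DnsServers -Profile Any | Out-Null
    }
}

function Test-LockedDownBrowserEgress {
    # Check that the intent is really in effect: default deny everywhere, and only our rules.
    $open = Get-NetFirewallProfile | Where-Object DefaultOutboundAction -ne 'Block'
    if ($open) { Write-Warning "Default outbound is NOT Block on profile(s): $($open.Name -join ', ')" }
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object DisplayName -notlike 'LockedBrowser-*' |
        ForEach-Object { Write-Warning "Other outbound allow rule still active: $($_.DisplayName)" }
    Get-NetFirewallRule -DisplayName 'LockedBrowser-*' | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $port = $_ | Get-NetFirewallPortFilter
        '{0,-26} {1,-5} {2,-4}/{3,-4} -> {4}' -f $_.DisplayName, $_.Action, $port.Protocol, $port.RemotePort, $addr
    }
}

Set-LockedDownBrowserEgress -BrowserPath $BrowserPath -BankAddresses $BankAddresses -DnsServers $DnsServers
Test-LockedDownBrowserEgress
```

Two practical caveats: bank sites move between addresses (load balancers, CDNs), so the list has to be re-checked before each session or the browser simply stops loading the page; and the warning about other outbound allow rules matters, because Windows ships with several pre-enabled ones (Core Networking, and per-application rules added by installers) that keep working under a Block default. With this in place, anything that is not iexplore.exe or the DNS service cannot open a connection at all, which is the point m00nbl00d and Kees converge on: the allow list for the browser only means something once the default is deny.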
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    My point was that Rapport is not doing what it says. No key scrambling at all.
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    give Neo's Safekey a try.

    it's a pretty slick concept well executed.
     
  22. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Excellent information..Thanks Kees:thumb:
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, to be honest I did not test it, because it is used by 60 banks (one being ING Direct), so I assumed it would work as advertised (see explanation below).

    From my 23rd until my 27th I worked for a Dutch bank as system designer, DBA and network specialist. In those days security was still an aspect of each profession, not the specialism it is now. I worked in IT until I was 34, but never encountered more rigid testing procedures than at that time (working for the banking corporation).

    As a sales manager I worked for the company who invented TMAP (http://en.wikipedia.org/wiki/Test_Management_Approach) and ING was one of the leading customers to implement this as a worldwide company standard (Ruud Teunissen, one of the authors, worked in one of my teams to manage this implementation). Because ING Direct is one of the banks using it, I assumed Trusteer Rapport would do what it promised to do.

    What were the settings you tested it with?

    Regards Kees
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, by this info I expect it to work very well. Maybe I made a mistake. I secured the PayPal login page with it and made sure that it was green.

    Then I put in my user name and password for login and tried to keylog with three
    tools.

    1- AKLT
    2- SpyShelter keylogger test tool
    3- Elite Keylogger (tested logging on another secured site).

    In all cases the keylogger/POCs were able to get my login data. I will try it with some others too. I am really surprised. :rolleyes:
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Why doesn't it matter? It matters a lot IMO.
    I think a security software that fails a test tool/POC/test malware is even more prone to fail in the real world when encountering real malware.

    BTW I am not too paranoid. I am not using any such applications. In fact I don't do any financial transactions except occasionally, but I am discussing it just to know what strategy I must assume if ever I am going to use my PC for such activities. Just for knowledge and experience.
     