Keylogging is a No-No (IMHO) comment at will!

Discussion in 'other anti-malware software' started by Escalader, Jul 5, 2010.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    WHAT FOLLOWS HERE IS IMHO

    There is no need for any application, be it 3rd party or Windows 7, Vista, XP etc., to ever track user keystrokes, let alone transmit these data to any web site. Without putting too fine a point on it, this is a privacy invasion.

    So a solid set of tools is needed to minimize the risk.

    Some products have techniques to detect key-logger behaviour but have had issues with false positives.

    The applications to watch are ANY that have or request outbound connections. The primaries are browsers, mail clients and updaters for 3rd party products.

    We are talking here about passwords, banking account numbers etc. Serious stuff.

    At a minimum, set these types of products (FW SW and AV/FW/HIPS suites etc.) to request or ask for key-logging; then we will KNOW which ones try to do it. Then block them or remove them from your set up. If the product is needed, replace it with one that doesn't keylog.

    This tracking is done 2 ways: from the keyboard, and what we used to call "screen scrapers". For the first, there is a product I use called KeyScrambler; for the second I have nothing, but I would like a tool.

    Both invasions require a trojan/malware to be installed on your PC. If it is the security product itself you guys know what to do.

    So we hope that the AV/ASW products catch the bulk. None are 100%. I currently use Nod32, which does hunt for keyloggers, but again none are perfect. I also use SAS on demand.

    The next idea is an IP/site blocker defence setup which blocks any packet outbound to known "evil" sites. This employs a blacklist idea, so it is a never-ending catch-up game. I use PeerBlock, which also gives me a white list function for banking etc. My idea is: why make it easier for the bad guys?

    For those who are fearful of M$ privacy invasion, it is possible to block ALL M$ sites and turn off the auto updating, which is usually monthly. Then nothing can go directly to them packet-wise. Indirect is another matter.

    I stopped turning the MS service off for updating, since if you use Windows as an operating system and don't trust MS, then get a different OS.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You're right in that no single product can detect all potential keylogging methods. That's one of the reasons I use a strict default-deny policy that's applied to both applications and internet access and employ a strict testing procedure before an app is installed on my default systems, first virtual systems, then physical test units. This minimizes the chance of a keylogging app getting installed in the first place, but does not entirely eliminate it. The application of default-deny to internet access acknowledges that possibility and serves as an additional defense. I don't allow any auto-updating or any "calling home" from anything, including the OS. All updating is treated as an administrative task.

    Blocking the OS from connecting out or "calling home" isn't just about not trusting Microsoft. It's just as much about not believing in their ability to make an OS that can't be exploited and maliciously used by someone else. The way I see it, the OS itself shouldn't be part of the attack surface and should be isolated from the internet as much as possible. Yes, there are other options for operating systems, but apps installed on other OSes can have the same problems. No matter what OS we choose, the decision is a compromise, a balance of several factors, not the least of which is security: hardware compatibility, compatibility with external devices, software availability, compatibility with other systems on the network. There's no such thing as being able to trust any OS (or any other device in this world) unconditionally. Nothing is 100% safe, secure, or reliable, not your computer, your car, your home, your job, etc. You do the best you can with what's available to you.
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    How do I default deny "all" IP addresses except for my banking sites?
    I know Online Armor Premium or ++ has Online Banking mode that does exactly what I want but I can't afford it.

    free alternatives?
     
    Last edited: Jul 5, 2010
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not familiar with OA. Most software firewalls can do this. Make a rule permitting your browser to connect to the IP of the site(s) you want it to access. Follow that with another rule blocking all internet access for the same browser. Most firewalls read rules from the top, downward. The first will specify what's allowed. The 2nd will block the rest.
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Is it possible to block everything on all ports... and allow only the browser to connect to the IP of the site I want to access?
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A firewall should block anything that you or the default rules/settings don't already permit. It should be possible to block as little or as much as you want with a software firewall. The exact method will vary depending on which one you use.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes it is possible. You need to work the world of FW rules to do this. But FW rules are covered in another forum here.

    You would need the IPs of the sites you want, as a sort of personal white list. Then the browser rules would ONLY allow access to those. Then a block-all-other-connections rule after the allow rules.

    As well, you need to block all other applications from www access. Most FWs on set up tell you which ones ask for access. Then you block them. It is not practical to block them all, as Windows needs some access in order to translate site names into IP addys, as an example with the DNS service.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you wanted to, the system's DNS service could be disabled and the individual web apps could be allowed their own DNS access. Both options have their pros and cons. Whether it's the system's DNS service or individual apps, DNS access can be restricted to the IPs of your DNS service provider.
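    The rule layout described in posts 4, 7 and 8 (a specific allow for the browser to the bank's IP, a blanket block for the browser underneath it, system DNS limited to the resolver's IP, and a catch-all block last) depends entirely on first-match, top-down evaluation. The following is an added example, not code from any poster and not any firewall product's own rule engine: a small first-match evaluator with a `shadowed()` check that flags rules an earlier, broader rule makes unreachable. The process names, the bank and resolver addresses (documentation ranges) and the port choices are all constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not real sites or resolvers).
BANK_IPS = (ip_network("198.51.100.10/32"), ip_network("198.51.100.11/32"))
RESOLVER_IPS = (ip_network("192.0.2.53/32"),)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    app: str        # process name, or "*" for any application
    dests: tuple    # destination networks the rule matches
    ports: tuple    # destination ports; empty tuple means any port
    action: str     # "allow" or "block"

    def matches(self, app, dst, port):
        if self.app != "*" and self.app != app:
            return False
        if self.ports and port not in self.ports:
            return False
        return any(dst in net for net in self.dests)


def evaluate(rules, app, dst, port, default="block"):
    """Walk the list top-down; the first matching rule decides (default-deny)."""
    dst = ip_address(dst)
    for rule in rules:
        if rule.matches(app, dst, port):
            return rule.action
    return default


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule already
    matches every (app, destination, port) they match: the classic misordering."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            app_ok = earlier.app in ("*", later.app)
            ports_ok = not earlier.ports or (
                bool(later.ports) and set(later.ports) <= set(earlier.ports))
            nets_ok = all(any(n.subnet_of(e) for e in earlier.dests)
                          for n in later.dests)
            if app_ok and ports_ok and nets_ok:
                out.append(j)
                break
    return out


# The ordering the thread describes: specific allow above the blanket block,
# system DNS pinned to the resolver's IP, everything else blocked last.
BANK_ONLY = [
    Rule("browser.exe", BANK_IPS, (443,), "allow"),
    Rule("browser.exe", (ANY,), (), "block"),
    Rule("svchost.exe", RESOLVER_IPS, (53,), "allow"),   # assumed system DNS process
    Rule("*", (ANY,), (), "block"),
]

# The same rules with the browser pair swapped: the allow is now dead.
REVERSED = [BANK_ONLY[1], BANK_ONLY[0], BANK_ONLY[2], BANK_ONLY[3]]

if __name__ == "__main__":
    for rules, name in ((BANK_ONLY, "bank-only"), (REVERSED, "reversed")):
        print(name, "browser->bank:443",
              evaluate(rules, "browser.exe", "198.51.100.10", 443),
              "shadowed:", shadowed(rules))
```

Run as a script it prints the decision for the bank connection under both orderings; with the pair reversed the blanket block fires first and `shadowed()` reports index 1, which is exactly the mistake a firewall GUI will not warn about.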
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Couldn't any browser be configured to use a non-existent LAN address as a local proxy and enter exceptions (such as your banking sites) as the real IP addresses?
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Before you consider implementing a default-deny approach to internet access, there are some things you need to consider. You have to understand the basics of how the internet works, the basic DNS system, the networking basics for your home/business system, and the internet requirements of the applications you'll be using. In order for default-deny to be effective, you have to understand what to allow, how much and why. This can get quite involved, especially with system services where the same process can be performing multiple functions, and has the potential to be used maliciously. It'll take some time to work through all the details. A firewall that can save and import more than one configuration file makes it possible for you to work on such a setup when you feel up to it and to use a more conventional setup when you don't. Escalader was involved in several learning threads for different firewalls, and probably has links handy for them too. Some of them cover the details of rules for system services and considerations that go with them. The Kerio 2 thread is one of them. They have a lot of good material for anyone who wants to use the full potential of their firewall.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Nice comments ;) keep going :) :thumb: :thumb:
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    EDIT: I was going to post some examples, but as Escalader said, there are some firewall rule threads in the firewall forum.

    ----
    rich
     
    Last edited: Jul 5, 2010
  13. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Is there other software that would do "default-deny all IP addresses" instead of a software firewall?

    Do you think PeerBlock can do the job?
    How can I create a blocklist (.p2p) for PeerBlock that would block
    0.0.0.0 - 255.255.255.0
    This range would block everything, right?

    Then I could just whitelist (allow) some IPs to go through it.

    P.S. I'm behind a NAT firewall
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    My use of DNS Service was an example only. :thumb:
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    If all you need is P2P, PeerBlock provides an up-to-date block list for us.

    On blocking all (a bit over the top, but interesting), you could do it by adding the IP range to the permanent list.

    PeerBlock help shows how to do this.

    The thing is, you won't know which applications try to send packets out with PeerBlock alone; only a FW or maybe a sniffer (not sure on sniffers) could tell you that.
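    Posts 13 and 15 turn on what a "block everything" entry in a PeerBlock-style list actually covers and how an allow list is meant to punch holes in it. The code below is an added example, not PeerBlock's code and not from any poster: it parses the `description:start-end` text line format assumed here for `.p2p` lists (constructed sample lists, documentation-range addresses), counts how many of the 2^32 IPv4 addresses a list leaves uncovered, and applies the allow-wins-over-block model assumed here for an IP-level blocker. Note that it also checks the range from the question as written, so you can see the exact size of what a range ending in `.0` leaves out.

```python
from ipaddress import IPv4Address

# Constructed sample lists in the assumed "description:start-end" text format.
BLOCK_TEXT = """# constructed catch-all list, range exactly as asked in the thread
Everything:0.0.0.0-255.255.255.0
"""
ALLOW_TEXT = """# constructed personal allow list (documentation addresses, not real sites)
My bank:198.51.100.10-198.51.100.11
My resolver:192.0.2.53-192.0.2.53
"""


def parse_p2p(text):
    """Return [(description, start, end)] from description:start-end lines.
    Blank lines and '#' comments are skipped; a reversed range is an error."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        desc, _, rng = line.rpartition(":")      # description may itself contain ':'
        start, _, end = rng.partition("-")
        s, e = IPv4Address(start.strip()), IPv4Address(end.strip())
        if e < s:
            raise ValueError(f"range end before start: {line}")
        entries.append((desc, s, e))
    return entries


def uncovered_count(entries):
    """Number of IPv4 addresses that no entry covers (overlaps handled by a sweep)."""
    covered, nxt = 0, 0                          # nxt = lowest address not yet counted
    for _, s, e in sorted(entries, key=lambda t: t[1]):
        lo, hi = max(int(s), nxt), int(e)
        if hi >= lo:
            covered += hi - lo + 1
            nxt = hi + 1
    return (1 << 32) - covered


def decide(ip, blocklist, allowlist):
    """Allow entries win over block entries; anything unlisted passes (assumed model)."""
    ip = IPv4Address(ip)
    if any(s <= ip <= e for _, s, e in allowlist):
        return "allow"
    if any(s <= ip <= e for _, s, e in blocklist):
        return "block"
    return "allow"


def catch_all():
    """The entry that really does cover every IPv4 address."""
    return [("Everything", IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))]


if __name__ == "__main__":
    block, allow = parse_p2p(BLOCK_TEXT), parse_p2p(ALLOW_TEXT)
    print("addresses left uncovered by the list as written:", uncovered_count(block))
    print("addresses left uncovered by a true catch-all   :", uncovered_count(catch_all()))
    for ip in ("198.51.100.10", "192.0.2.53", "203.0.113.5", "255.255.255.255"):
        print(ip, "->", decide(ip, block, allow))
```

The uncovered count is the check worth keeping: a catch-all entry should report zero before you rely on it, and the same sweep will tell you how large the holes are in any list you import.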
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    The links to the learning threads are available in the FW forum at the very top in the stickies.

    What I want is a keylogger tool that works in W7 and 64-bit.
     