Trusteer Rapport

Discussion in 'other anti-malware software' started by JerryM, Oct 4, 2012.

Thread Status:
Not open for further replies.
  1. No I don't, and I'm not attempting to offer it; I have no idea if it's useful or not. I'm just saying that its use by banks isn't a good indicator. It could be a decision based on facts, or it could be a decision based on marketing.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    First of all, I'd like to say I'm just basing my comments on the date that data was made public.

    That said, the YouTube video you're pointing out was posted on YouTube on Oct 23, 2011. We're on Oct 07, 2012... nearly a year after that video.


    The article was written on October 12, 2011.

    Is any of this still valid? Or has Trusteer fixed it? It makes a difference whether a program has issues that the developers fix or don't fix.

    Otherwise, without knowing if it has been fixed... no one can say whether or not said program (regardless of the program) works as advertised.

    None of those sources (from the same author) have been updated. So, we can't take for granted something that was discovered nearly a year ago.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'd do more than skim it. It's a bit more than those two major points. There's also a race condition that allows malware to 'set itself' before Trusteer, completely disabling the protection, and the exchange of the key will always be an issue.

    The weakness of a substitution (or shift) cipher is that you can easily fingerprint it. It's not a secure way to hide data. This is still probably the least of their flaws.

    This 'attack' didn't make use of anything that was Trusteer specific ie: it didn't overflow some Trusteer code to break it. It made use of a fundamental design issue(s) that still exists.


    I've said this or similar in other topics. If a piece of security software doesn't raise the cost of attack it's not worth using. Even for legacy malware it's a 10 line patch of code to bypass Trusteer. An attacker doesn't have to think about it to bypass it; it's simple. The fact that they don't is, as you say, obscurity. At this time it's fine for defeating keyloggers but in the video the guy states he doesn't even think it's suitable for legacy malware as the cost of attacking a system with Trusteer is no higher than attacking a system without it.

    If I keep seeing the same tests over and over again, naturally. It's really simple - the tests used are against malware that doesn't make use of the patches. That doesn't make Trusteer secure or any more difficult to bypass.

    @M00n,

    These are fundamental issues. They could fix the encryption but otherwise, as the video states, they're inherent to what they're trying to do. I think one of the last lines of the videos is "I thought about this a lot and I don't think there's a way to implement what they're trying to do that wouldn't be easily bypassable just because you have to pass that key to the browser". (Paraphrasing)
     
  4. Trusteer Support

    Trusteer Support Registered Member

    Joined:
    Sep 25, 2012
    Posts:
    6
    The strength of Trusteer Rapport is in its ability to detect, block, and remove financial malware as demonstrated by this report:
    http://www.trusteer.com/sites/default/files/Mandiant.pdf.
    Financial malware is the root cause of most financial fraud aimed at consumers and business banking customers using online banking.

    Trusteer and the banks we work with are constantly testing Rapport against financial malware to make sure it provides the most effective protection possible. We strongly encourage members of the security community to test Trusteer Rapport against financial malware. If you can find financial malware that successfully operates on a Rapport protected machine please let us know - publicly or privately.

    We offer money rewards for anyone who can provide us with a sample of a live financial malware “in the wild” that successfully operates on a Rapport protected machine.

    Thank you,

    The Trusteer Team
     
  5. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Thanks for joining this thread, much appreciated.
    Lots of WSF readers/members have been reading about Trusteer Rapport and the 44Con presentation (also much discussed on other (similar) fora I visit).
    Imo there's a difference between the actual performance of the Trusteer product, as in the linked test pdf, and the fundamental questions raised by the presentation.
    Could you, or a colleague, address the points made above by Hungryman?

    The reaction from Trusteer, as quoted on the Digit Security blog, doesn't offer much to go on.
    A nice cheque is always welcome but a proper exchange of thoughts is welcome also. :)
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I linked to that 44con via Twitter and was tweeted back a response. It was the response that was later 'debunked' (not trying to be rude, I just don't know how else to put it) by the same firm and I had linked to that in this topic. There hasn't ever been an official response afterwards as far as I know.

    Not trying to be rude, but based on that response (where there's a full paragraph that's marketing jargon and another paragraph attributing an OSX feature to Trusteer ie: admin) you won't be getting much.

    Again, I don't want to be confrontational. It's just what I'm seeing.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    I guess it would be important to define "financial malware", but why limit it to that? Wouldn't it be a concern if any kind of malware could disable TR?
     
  8. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    So it works but "it shouldn't". Malware should bypass it easily but it doesn't. I will keep Rapport installed, thank you very much.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    I am afraid you got an answer already: they cannot address the issue highlighted by 44con but at the same time they are ensuring that there is no malware (to their knowledge) that can bypass Trusteer. If we are aware otherwise then we should report it.

    Personally I don't find it a very convincing or transparent approach; this is why I do not trust the software and use something else. Other users have a different approach to security and are happy with the statement or results from other tests. All the respect for that :)
     
    Last edited: Oct 12, 2012
  10. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Or maybe other users have seen how every single piece of software has been bypassed in some blog and, taking that for granted, search for evidence from other sources too.

    For me, for example, it's very significant that TR scored 100% on a test commissioned by Kaspersky, which I guess is not very happy to see a free app along with their paid products at the top of their own marketing announcements.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Yes, and to complete my previous sentence I should have said:
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Security software is never 100% effective. New malware is constantly being created and security software constantly needs updating to defend against it. A vendor that cannot acknowledge that a weakness has been discovered in their product does not inspire confidence. I won't use a security product if I can't trust the vendor to admit vulnerabilities and be transparent about the effort to fix them.
     
  13. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Odd blog, by the way. It began and ended with the Trusteer affair, or so it seems. Last news bit from exactly one year ago: October 12, 2011

    I personally don't like "security experts" that publicly disclose vulnerabilities before they are fixed. But this guy is happy with it:

    To start, the statement that “the information security industry has self-instituted a responsible disclosure process” is a rather contentious statement. Indeed, it can be easily shown that the ‘industry’ has not “self-instituted” any disclosure process. The adherence to any disclosure process is entirely at the behest of the individual or Company involved. To state that “the information security industry has self-instituted a responsible disclosure process” is to imply that a consensus has been reached resulting in an explicit agreement between all parties in the “information security industry”. To our knowledge, no such agreement has been reached, and furthermore, if such an agreement does exist, we are not aware of any documentation detailing it. The next statement, namely “[m]ost researchers follow this practice, and do not disclose a vulnerability publicly until they have advised the software developer of the problem and given them the opportunity to fix it”. Firstly, it is unclear as to what ‘practice’ Mickey Boodaei is referring to as described above. Secondly, Digit Security is not aware of any evidence demonstrating that the majority of publicly disclosed vulnerabilities are disclosed prior to the “software developer” being informed and given the “opportunity to fix it”.
     
  14. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    vojta, when does documenting 'obfuscation-by-design' instead of 'encryption-by-design' become disclosing a vuln. or even 'disclosing exploit code', as Trusteer mentions?
    If I'd painted a dog on my house and you'd pointed out: 'It's actually not a real dog', I could hardly blame you for compromising my home security.

    Really, I don't want to bicker about TR or seemingly go all fanboi on Digit Security.
    Just some more info on the implemented fix by Trusteer, as quoted in the blog; '...the fix was to make sure that any access or attempt to communicate with the driver is only done by components that are signed by Trusteer'.
    The D-Sec blog mentions; 'Finally, with regards to the ‘fix’ that Trusteer claim to possess, we have reviewed the ‘fix’. However, Digit Security will be holding onto any subsequent findings for a later date, ...'.
    That also would be welcome info.
    Perhaps wsf readers are spoiled by/used to the frequent direct contact with sw devs here.
    (I agree with you on responsible disclosure though, to a certain extent that is, especially regarding 'time-to-fix').
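The substitution/shift-cipher point raised in post #3 (Hungry Man: "you can easily fingerprint it") and the 'obfuscation-by-design' versus 'encryption-by-design' framing in post #14 above, shown as an added example. This is not code from the thread, from Digit Security or from Trusteer, and it makes no claim about how Rapport actually encodes keystrokes: the keystroke record, the per-session offset value, and the assumption that a record ends with an Enter key are all constructed for the demonstration. What it shows is the general property of a byte-shift cipher: the whole key space is 256 values, and the plaintext's byte-frequency fingerprint survives the transform, so an attacker recovers the key with no secret at all.

```python
# Added example (not from the thread or from Trusteer): why a byte-shift
# cipher is obfuscation rather than encryption. Sample data is constructed.

def shift_encrypt(data: bytes, key: int) -> bytes:
    """Add a fixed offset to every byte (mod 256). Only 256 possible keys."""
    return bytes((b + key) & 0xFF for b in data)


def shift_decrypt(data: bytes, key: int) -> bytes:
    """Inverse of shift_encrypt."""
    return bytes((b - key) & 0xFF for b in data)


def key_from_known_byte(ciphertext: bytes, pos: int, known_plain: int) -> int:
    """One known plaintext byte at a known position yields the key outright.
    Assumed fingerprint: a keystroke record ends with Enter (0x0A), so
    pos=-1 and known_plain=0x0A."""
    return (ciphertext[pos] - known_plain) & 0xFF


# Frequent English letters plus space: the statistical fingerprint that a
# substitution/shift cipher leaves intact (it only relabels the symbols).
COMMON = frozenset(b"etaoinshrdlu ")


def text_score(candidate: bytes) -> int:
    """Heuristic 'does this look like typed text': reward common letters,
    accept other printable ASCII (and tab/LF/CR), penalise control bytes."""
    score = 0
    for b in candidate:
        if b in COMMON:
            score += 2
        elif 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 1
        else:
            score -= 5
    return score


def key_by_exhaustive_search(ciphertext: bytes) -> int:
    """Try all 256 keys and keep the most text-like decryption. No secret,
    no known plaintext, no Trusteer-specific knowledge is required."""
    return max(range(256), key=lambda k: text_score(shift_decrypt(ciphertext, k)))


# Constructed sample: what a keylogger might capture between two Enter keys.
SAMPLE_KEYSTROKES = b"login: alice\tpass: correct horse battery staple\n"
SAMPLE_KEY = 0x5C  # assumed per-session offset, unknown to the attacker


def demo() -> dict:
    """Encode the sample, then recover the key both ways and the plaintext."""
    ct = shift_encrypt(SAMPLE_KEYSTROKES, SAMPLE_KEY)
    k_known = key_from_known_byte(ct, -1, 0x0A)   # attacker assumes last key was Enter
    k_search = key_by_exhaustive_search(ct)       # attacker assumes nothing
    return {
        "known_byte_key": k_known,
        "search_key": k_search,
        "recovered": shift_decrypt(ct, k_search),
    }


if __name__ == "__main__":
    result = demo()
    print(f"key via known byte:        0x{result['known_byte_key']:02x}")
    print(f"key via exhaustive search: 0x{result['search_key']:02x}")
    print(result["recovered"].decode())
```

The search loop is the whole attack: with a 256-value key space there is nothing to "break", only to enumerate, and a 128-bit key behind a real cipher would make the same loop infeasible. That is the part a vendor can fix by changing the primitive; it does not touch the separate design problem raised in post #3, that whatever key is used still has to be handed to the browser process on the same machine.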
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    I would say it's responsible for security experts to notify a vendor about vulnerabilities and have a discussion about when they will be fixed and the timing of a public disclosure. But what should the experts do with their information if the vendor won't have that discussion?
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    We're spoiled by the software developers here that actually answer our questions about their products.
     
    Last edited: Oct 12, 2012
  17. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Hello, I rarely use T.R as it does not work sandboxed. However I just tried logging onto my bank, and noticed the address bar icon is not showing in F.F 16.0.1. It has always showed in the past; is anyone else having this problem? T.R is running in task manager. Many thanks
     
  18. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    How about...........nothing:

    1-You tell your neighbor that his door is open.

    2-He does nothing about it.

    3-Do you inform the nearest thief around?
     
  19. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    That happens sometimes when updating Firefox to a new version. Try to repair the installation from TR's uninstaller. Better reboot after that.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Sorry, but this doesn't stand up. Once a way to exploit a program is discovered it's only a matter of (usually not much) time before someone will exploit it. The neighbor analogy doesn't work either. The vendor is not the neighbor being put at risk by choosing not to close the door; it's the many thousands of users of the vendor's program who have not been told that "the door is open". Yes, publicly revealing the exploit makes it available to the bad guys, however it also makes it available to the good guys who may be able to find a solution, and it forces the vendor to stop the denial. It also informs all the users who I believe deserve to know.
     
  21. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Trusteer said that they had fixed the issue, anyway. They just refused to keep talking with the guy because of the publishing of the code that could bypass Rapport, if I haven't misunderstood the whole saga.

    Then the blog stopped cold and thus we are missing the end of the story, as Trusteer's version is not good enough to be trusted in Wilders, or so it seems.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Responsible disclosure is both a courtesy and irrelevant to the quality of the data.

    If I find a vulnerability and publish it online it doesn't make it any less exploitable than if I'd sent it to the vendor. In one case there's responsible disclosure in the other there isn't.

    I think the concept of responsible disclosure is another topic entirely and should probably be put in one.

    edit: To the above post, they only claimed a fix to a single problem. The race condition isn't mentioned.
     
  23. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Thanks but i could not find a repair option. I reinstalled, all is well now :thumb:
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,055
    I personally do not perform online financial transactions and i feel that people like me do not need this program.
    I'm quite happy using what I have got and the last time I used Trusteer, which was about 2 years ago, it brought my laptop to a standstill.
    Unless you do regular online transactions then this program is just not needed by your average home user.:shifty:
     
  25. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Glad that it works now. When I wrote about 'repair' I was thinking of one of the possible answers to the question that the uninstaller asks you when you run it. It leads to a repair mode. But uninstalling and installing again is safer, of course.
     