security from key-loggers
05-24-2008, 11:28 AM
|
#1
|
|
Thinks s/he gets paid by the post
Join Date: Dec 2004
Location: Cowtown, Alberta
Posts: 2,402
|
There has been discussion here earlier on the risk from key-loggers, particularly when globe-trotting.
I just ran across this link which may be of interest:
John Barnett's Windows XP Help and Support
I have not evaluated this software, just reporting it.
Cheers,
Gypsy
__________________
"Ain't got no money for no old-age pension;
I'm so broke, I can't pay attention!"
|
|
|
05-24-2008, 12:04 PM
|
#2
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,526
|
I've been reading up a little bit on some of the next wave of spy/malware. Turns out that almost everything has a little cpu and updatability of firmware these days. Even the smart battery in your laptop has a little ATmega406 cpu and some updatable firmware and can access some system resources to signal battery conditions.
With smart disk drive controllers, little limited cpus in the keyboard controller, etc., it's only a matter of time before a piece of bad code can slip something into a piece of hardware in your system that would be almost completely undetectable by any operating system or virus detection product.
It's even highly plausible for the system's cpu microcode/firmware to be altered such that the cpu itself could perform logging or do damage to the system without the underlying software even being aware of the malware's presence.
It may simply be coming to the point where it's almost implausible to protect yourself, and just not "going to the bad parts of town" or "associating with the wrong elements" will be the only way to largely avoid trouble.
Something like keyscrambler is great until someone puts something undetectable and invasive on your network card's firmware, run by the network card's microcontroller with full access to system memory and the disk drive or has a cpu based rootkit that says it's doing something to protect you when it's doing the opposite.
__________________
Many an optimist has become rich by buying out a pessimist
|
|
|
05-24-2008, 04:26 PM
|
#3
|
|
Thinks s/he gets paid by the post
Join Date: Mar 2007
Posts: 1,503
|
This kind of ties in with the suspicion that chip makers may be inserting back doors into the chips themselves.
IEEE Spectrum: The Hunt for the Kill Switch
Last September, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of a Syrian radar—supposedly state-of-the-art—to warn the Syrian military of the incoming assault. It wasn't long before military and technology bloggers concluded that this was an incident of electronic warfare—and not just any kind.
Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips' function and temporarily blocked the radar.
__________________
Feral Engineer
|
|
|
05-24-2008, 05:14 PM
|
#4
|
|
Full time employment: Posting here.
Join Date: May 2006
Posts: 672
|
Can anyone guarantee that the OP's link is legitimate? I'm not accusing Gypsy of being dishonest at all. But since we are talking about security issues how do we know:
1) That Gypsy is not being spoofed?
2) That the link to John Barnett's site has not been compromised after the posting?
3) That John Barnett's site has not been hacked and compromised?
4) That the software is legitimate?
5) That the software is not perhaps selectively choosing victims?
I could go on but hope I've made the point that choosing your trusted source is a challenge.
|
|
|
05-25-2008, 06:09 PM
|
#5
|
|
Thinks s/he gets paid by the post
Join Date: Nov 2005
Location: North of Montana
Posts: 1,460
|
Quote:
Originally Posted by cute fuzzy bunny
I've been reading up a little bit on some of the next wave of spy/malware. Turns out that almost everything has a little cpu and updatability of firmware these days. Even the smart battery in your laptop has a little ATmega406 cpu and some updatable firmware and can access some system resources to signal battery conditions.
With smart disk drive controllers, little limited cpus in the keyboard controller, etc., it's only a matter of time before a piece of bad code can slip something into a piece of hardware in your system that would be almost completely undetectable by any operating system or virus detection product.
It's even highly plausible for the system's cpu microcode/firmware to be altered such that the cpu itself could perform logging or do damage to the system without the underlying software even being aware of the malware's presence.
It may simply be coming to the point where it's almost implausible to protect yourself, and just not "going to the bad parts of town" or "associating with the wrong elements" will be the only way to largely avoid trouble.
Something like keyscrambler is great until someone puts something undetectable and invasive on your network card's firmware, run by the network card's microcontroller with full access to system memory and the disk drive or has a cpu based rootkit that says it's doing something to protect you when it's doing the opposite.
|
A secure computer for you:
If only I could put a pancake tinfoil hat on it.
__________________
“You can fool too many of the people too much of the time.” – James Thurber
|
|
|
05-24-2008, 05:18 PM
|
#6
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,526
|
Heyyy...are you the real lsbcal?
__________________
Many an optimist has become rich by buying out a pessimist
|
|
|
05-24-2008, 05:29 PM
|
#7
|
|
Full time employment: Posting here.
Join Date: May 2006
Posts: 672
|
I could be a spoof, but then why would I be saying such smart things?
|
|
|
05-25-2008, 05:37 PM
|
#8
|
|
Moderator Emeritus
Join Date: Feb 2004
Location: Oahu
Posts: 17,531
|
Quote:
Originally Posted by travelover
Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips' function and temporarily blocked the radar.
|
Way too complicated. Even Tom Clancy would be embarrassed.
I'd hesitate to credit to military infowarfare tactics or espionage anything that could also be ascribed to sleeping bored & badly-trained watchstanders...
__________________
*
*
For more info see "About Me" in my profile.
|
|
|
05-25-2008, 06:05 PM
|
#9
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,526
|
My guess is someone forgot to turn it back on when they were done washing the bird poop off of it.
__________________
Many an optimist has become rich by buying out a pessimist
|
|
|
05-25-2008, 06:17 PM
|
#10
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,526
|
Google 'arce bad peripherals'. Or 'rutkowska blue pill red pill'
__________________
Many an optimist has become rich by buying out a pessimist
Last edited by cute fuzzy bunny; 05-25-2008 at 06:26 PM.
|
|
|
05-25-2008, 06:39 PM
|
#11
|
|
Thinks s/he gets paid by the post
Join Date: Nov 2005
Location: North of Montana
Posts: 1,460
|
Still googling 'CFB breaks HTTPS'
Refer to messages 25 thru 27 in this thread, done it yet? Link please.
__________________
“You can fool too many of the people too much of the time.” – James Thurber
|
|
|
05-25-2008, 08:11 PM
|
#12
|
|
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 2,020
|
Quote:
Originally Posted by kumquat
Still googling 'CFB breaks HTTPS'
Refer to messages 25 thru 27 in this thread, done it yet? Link please.
|
I did read up on WEP key cracking after that and went to a more secure scheme before not needing wireless at all and just going back to hardwire.
I'm still not concerned about SSL in general, aside from the talk about servers not being properly decommissioned before they're sold. However, there is a serious flaw in OpenSSL on Debian and all derivatives thereof... or any OpenSSL keys that have been exchanged with those distros. Debian OpenSSL Predictable PRNG Toys The recommendation is to re-encrypt anything stored with those weak SSH/SSL keys.
Anyway, boy, this is all way OT.
|
|
|
05-25-2008, 06:44 PM
|
#13
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,526
|
Hmm, most of the security guys I know like it when people hear about what can go wrong and how to protect themselves.
The good ones anyhow.
Let me know when you figure out why the DOD doesn't allow SSL for any information top secret or higher...
__________________
Many an optimist has become rich by buying out a pessimist
|
|
|
05-25-2008, 07:57 PM
|
#14
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jul 2003
Location: north of Kansas City
Posts: 6,191
|
Sooo - a bad toupee and fake mustache in an internet cafe would be a dead giveaway - or would it be the throw away rubber gloves worn while typing.
heh heh heh - ok so I'm not a bottle blond from Missouri with bacon breath.
All of which begs the question - what does the ordinary schmuck (aka non geek) do when he wants to pay bills (the usual suspects), do his taxes and maybe check his IRA accounts on line?
You are not paranoid if they really ARE out to get you?? - or what?
Last edited by unclemick; 05-25-2008 at 08:02 PM.
Reason: second thought.
|
|
|
05-25-2008, 11:17 PM
|
#15
|
|
Thinks s/he gets paid by the post
Join Date: Nov 2005
Location: North of Montana
Posts: 1,460
|
Quote:
Originally Posted by cute fuzzy bunny
Hmm, most of the security guys I know like it when people hear about what can go wrong and how to protect themselves.
The good ones anyhow.
Let me know when you figure out why the DOD doesn't allow SSL for any information top secret or higher...
|
Thanks for the link.
__________________
“You can fool too many of the people too much of the time.” – James Thurber
|
|
|
05-26-2008, 09:28 PM
|
#16
|
|
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2003
Location: Losing my whump
Posts: 22,526
|
Quote:
Originally Posted by kumquat
Thanks for the link.
|
Here's your link:
http://i43.photobucket.com/albums/e3...kidfinger2.jpg
If I remember right, the topic was either whether it was perfectly safe to use any random internet cafe's internet to do major financial transactions or whether to use any open access point available to do the same.
Some folks said "Yeah sure! I do it all the time! It's okay!". And they also run naked across the highway with a bag over their head and nothing bad has EVER happened!!!.
It's my recommendation to do neither. No encryption or security is foolproof.
Now if you always use SSL, and you always have your updates applied, and you always have your firewall on and set right, and...and...and... :
I'm happy with people being aware of what can go wrong and to use proper safeguards and be just a little bit more careful than they need to be.
Seems you have some other agenda. In this case, it's taking off with someone's topic to apparently address some earlier perceived injury with no interest in educating your fellow forum members in security related matters.
Oh, and by the way, your investing related advice also sucks.
__________________
Many an optimist has become rich by buying out a pessimist
Last edited by cute fuzzy bunny; 05-26-2008 at 09:35 PM.
|
|
|
05-31-2008, 05:56 PM
|
#17
|
|
Recycles dryer sheets
Join Date: Feb 2006
Posts: 123
|
Type your password with extra characters in it and then use the mouse to highlight and delete the extra characters. For example, you might type passFROGword and then highlight and delete the middle four dots. Or type p1a2s3s4w5o6r7d8 and delete every other dot. A keylogger would still record all of the keystrokes that make up your password, but they'll be mixed with other unrelated keystrokes.
__________________
The best argument against democracy is a five-minute conversation with the average voter.
Winston Churchill
|
|
|
05-31-2008, 06:14 PM
|
#18
|
|
Full time employment: Posting here.
Join Date: May 2006
Posts: 672
|
Mark, this is a good way to do it, thanks. What I've often done is to type the last part of the password and then move the cursor and type the first part. I always assume my machine is bugged. Goes along with a suspicious nature.
|
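Added example, not part of either post above: a replay of the two typing tricks from posts #17 and #18, showing what ends up in the password field versus what a keystroke-only log contains. The event names (`type`, `click`, `mouse_cut`) and the assumption that the deletion is done entirely with the mouse are constructs of this sketch.

```python
def replay(events):
    """Replay editing events; return (final field text, keystroke-only log)."""
    field, caret, log = [], 0, []
    for kind, *args in events:
        if kind == "type":            # keyboard input: this is all a key-logger sees
            for ch in args[0]:
                field.insert(caret, ch)
                caret += 1
                log.append(ch)
        elif kind == "click":         # mouse moves the caret; no keystroke is produced
            caret = args[0]
        elif kind == "mouse_cut":     # assumption: highlight [start, end) and cut by mouse
            start, end = args
            del field[start:end]
            caret = start
        else:
            raise ValueError(f"unknown event {kind!r}")
    return "".join(field), "".join(log)


def is_subsequence(needle, haystack):
    """True if needle's characters appear in haystack in the same order."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


# Constructed event sequences for the examples given in the posts.
PADDED = [("type", "passFROGword"), ("mouse_cut", 4, 8)]
INTERLEAVED = [("type", "p1a2s3s4w5o6r7d8")] + [
    ("mouse_cut", i, i + 1) for i in range(1, 9)
]
REORDERED = [("type", "word"), ("click", 0), ("type", "pass")]


def summarize(events):
    field, log = replay(events)
    return {
        "field": field,
        "log": log,
        "in_order": is_subsequence(field, log),        # password readable in order?
        "all_chars_logged": sorted(field) == sorted(
            c for c in log if c in field
        ) or all(log.count(c) >= field.count(c) for c in set(field)),
    }


if __name__ == "__main__":
    for name, ev in [("padded", PADDED), ("interleaved", INTERLEAVED),
                     ("reordered", REORDERED)]:
        print(name, summarize(ev))
```

In all three cases every password character is present in the log; padding leaves them in their original order, while the cursor-move variant changes the order but adds no extra characters.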
|
|
05-25-2008, 11:55 PM
|
#19
|
|
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 2,020
|
Ok, first, SSL 2.0 and 3.0 support multiple ciphers. The client and server will negotiate to the strongest cipher they both speak. So, to say that SSL has been broken is a misnomer, or to say that DoD doesn't allow SSL is a misnomer. In the first case, when I posted the link on OpenSSL being compromised, the issue is that the universe of randomness (2^15 'random' numbers) that's introduced into the cipher key is extremely small. As such, the keys are easily guessable. In the second case, well, I can't find anything on DoD's site about what they will or won't allow for ciphers. Failing that, I'm going off of NIST's site and their list of approved ciphers:
NIST.gov - Computer Security Division - Computer Security Resource Center
One of the more common SSL ciphers, SHA-1 (FIPS 180-1) is not on the list. SHA-1 is potentially vulnerable to a collision attack, but I'm not sure if I'd worry just yet.
|
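Added example, not part of the post above and not OpenSSL's code: when key generation draws on only 2^15 possible seeds, every key it can ever produce can be listed in advance, so an administrator can audit stored keys against that list and replace any that match. The toy `derive_key` function, the fingerprint format and the host names are assumptions of this sketch.

```python
import hashlib
import secrets

SEED_SPACE = 2 ** 15  # the "universe of randomness" size cited in the post


def derive_key(seed: int) -> bytes:
    """Toy key generator whose only entropy is `seed`.

    Assumption: a stand-in for any generator whose output is fully
    determined by a 15-bit value; it is not the real algorithm.
    """
    return hashlib.sha256(b"toy-keygen:" + seed.to_bytes(2, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, so the list never stores key material."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist() -> frozenset:
    """Fingerprints of every key the weak generator can produce."""
    return frozenset(fingerprint(derive_key(s)) for s in range(SEED_SPACE))


def audit(keys: dict, blocklist: frozenset) -> dict:
    """Map each key name to True if it must be regenerated."""
    return {name: fingerprint(k) in blocklist for name, k in keys.items()}


def sample_keys() -> dict:
    # Constructed inventory: two keys from the weak generator, one from the
    # operating system's CSPRNG.
    return {
        "web01": derive_key(4242),
        "mail01": derive_key(31999),
        "vpn01": secrets.token_bytes(32),
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} possible weak keys enumerated")
    for name, weak in audit(sample_keys(), blocklist).items():
        print(f"{name}: {'REPLACE (predictable)' if weak else 'ok'}")
```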
|
|
05-26-2008, 03:02 AM
|
#20
|
|
Thinks s/he gets paid by the post
Join Date: Dec 2004
Location: Cowtown, Alberta
Posts: 2,402
|
Quote:
Can anyone guarantee that the OP's link is legitimate? I'm not accusing Gypsy of being dishonest at all. But since we are talking about security issues how do we know:
1) That Gypsy is not being spoofed?
2) That the link to John Barnett's site has not been compromised after the posting?
3) That John Barnett's site has not been hacked and compromised?
4) That the software is legitimate?
5) That the software is not perhaps selectively choosing victims?
I could go on but hope I've made the point that choosing your trusted source is a challenge.
|
Ya got me! I am actually a sleeper for the KGB (except they changed their phone number and I am stuck here).
Or maybe I'm the guy who put the bug in the printers that were sent to Saddam that disabled their radar in Desert Storm. I forget.
Your point is a good one. It appears to me that a number of little anti-malware software review sites are actually run by the guys whose software is top-rated on that site. It is easy to imagine constructing such a self-serving website to distribute spyware. It would be hard work, though. I have a hard time imagining someone working so hard to get into jail.
__________________
"Ain't got no money for no old-age pension;
I'm so broke, I can't pay attention!"
|
|
|