Key loggers

September 6th, 2012 | Posted by bs in Technical - (Comments Off)

A brief description

A keylogger, also known as a keystroke logger or system monitor, is a hardware device or small program that records each keystroke a user types on a specific computer’s keyboard. Using a key logger is one of the easiest ways to hack an (email/bank/social network) account if you have access to the victim’s computer.

Keyloggers can be divided into two categories, keylogging devices and keylogging software. Keyloggers which fall into the first category are usually small devices that can be fixed to the keyboard or placed within a cable or the computer itself. The keylogging software category is made up of dedicated programs designed to track and log keystrokes. This software can be installed easily if you have physical access to the computer. If you don’t, you need to rely on more “difficult” methods of deploying it.

The logger may simply log the keystrokes and require someone to manually retrieve the data, or it could be designed to automatically send the accumulated keylogger data to an e-mail address or a shared web hosting space.

For more information, there are some links on Wikipedia and Nerds of Saugus that you can read up on.

DISCLAIMER: The information is for educational use only. I do not condone in any way, shape or form the use of any of these tools/information for illegal purposes! Use any of these files at your own risk! In short, if you try any of this, it’s on you!

OK, so what now?

Most websites will point towards anti-spyware and anti-virus software for the solution. This is a very bad solution.

Anti-virus/spyware software generally works by identifying “signatures” and “virus signatures”. These can easily be changed by using a Crypter such as RDG Tejon. Each time you crypt the file, you can add extra STUB data, which changes the signature. In general, “custom made” key loggers are the exact same code previously used and sold, but with a new signature. More can be found on this forum (requires registration).

Most keyloggers available on the market already have their signatures added to antivirus software, so they can easily be detected.

A 2010 study clearly shows that antivirus/antispyware software is not fit for the job. Ignoring the fact that a Ukrainian website voted for Ukrainian software, the concept and methods of testing are legitimate and rather sound. In short, get software specifically designed to find what you’re looking for. If you’re searching for a key logger, get a keylog finder!

What if I have a legitimate use for one?

Use your favourite search engine and download a few to test with or try this useful list as a starting point.

I would recommend running these tests on a computer you don’t care about, or inside of a Virtual Machine. Oracle’s VirtualBox is very easy to use and this limits the potential exposure to having your work/home PC compromised with malicious code. And trust me, there is a lot of malicious code out there – be careful when playing with borderline software!

How can I secure myself even more?

Any remote key logger will need to send information back to the attacker. This is relatively easy to stop. Install a firewall that blocks unknown outbound connections. Most likely, the key logger will try to connect outbound on ports 80 (website), 21 (File transfer) and 25/110 (mail). In Windows firewall, you can disable all programs that connect to port 80 aside from Internet Explorer/Chrome/Firefox, which means that the key logger will still record, but never send the data back to the attacker. Here is a brilliantly detailed article on how to configure your firewall under Windows. If you’re using Linux, well, you know how to do this already. If you don’t, remove Linux and install Windows!!
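The same egress-filtering idea for the Linux case, as an added example that is not part of the original post: it generates an iptables-restore ruleset with a default-deny OUTPUT chain, allows the web ports only for one dedicated browser UID (an assumption standing in for Windows’ per-program rules), logs everything else, and summarises the logged blocked attempts. The addresses in the sample log lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): a Linux counterpart to the
# "block unknown outbound connections" advice. Emits an iptables-restore
# ruleset that drops all egress except DNS, already-established flows and
# web traffic from one dedicated browser UID (assumption: the browser runs
# as that user, the closest iptables equivalent of Windows' per-program
# rules). Everything else is logged, so a logger trying to phone home on
# 80, 21, 25 or 110 leaves a trace instead of leaving the machine.

# $1 = UID allowed to reach TCP 80/443. Prints the ruleset to stdout.
egress_ruleset() {
    browser_uid=$1
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $browser_uid -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "egress-blocked: " --log-level 4
COMMIT
EOF
}

# Summarise "egress-blocked:" kernel log lines read from stdin as
# "<count> <destination>:<port>", most frequent first.
blocked_summary() {
    grep 'egress-blocked:' \
    | sed -n 's/.*DST=\([^ ]*\).*DPT=\([0-9]*\).*/\1:\2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Constructed sample log lines (documentation-range addresses, not real
# indicators): two attempts to the same web host, one to a mail port.
SAMPLE_LOG='Sep  6 10:00:01 pc kernel: egress-blocked: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=80 SYN
Sep  6 10:00:31 pc kernel: egress-blocked: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=41235 DPT=80 SYN
Sep  6 10:01:02 pc kernel: egress-blocked: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=TCP SPT=41236 DPT=25 SYN'

# Review:  egress_ruleset 1000
# Apply:   egress_ruleset 1000 | sudo iptables-restore
# Watch:   dmesg | blocked_summary
#          (or, offline: printf '%s\n' "$SAMPLE_LOG" | blocked_summary)
```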

The next thing you can do is never install software you didn’t get from a trusted source. More often than not, keyloggers/trojans/virus software is installed when it’s attached to something else, like a movie player or a “useful tool” you can download for free.

Separate your work from your play. This simply means that if you have the luxury of multiple PCs, use one for work/personal banking etc. and the other for everything else. Keep one secure! If you’re not so fortunate, use a Virtual Desktop such as Oracle’s VirtualBox.

Know your computer! It sounds silly to say, and maybe even to think about, but how often do you clean your PC? I clean my PC at least once every week (ok, so I’m nuts!), but when I do, I check for any extra cables or gadgets or even thicker cabling! The reason for this is quite simple: it gives you the opportunity to double-check that everything is the way it should be, on a physical level. Check your keyboard, check the pads underneath your keyboard, check the connectors, check the cables, check the monitor connections.

Install Antivirus software. Configure it. Install Anti-spyware software. Configure it. Install Anti-Trojan software. Configure it. Install Anti-Keylogging software. Configure it. Install a Firewall. Configure it. Yes, it’s a pain – but so is losing the balance in your piggy bank or important information/documentation!

Closing thoughts

As a natural matter of security, avoid installing anything on your work/home PC that does not come from a very reputable source. Even then, it’s touch-and-go. A quick look at Sony, Apple and Google shows that companies treat users as commodities and not as clients that should be cherished.

Always test new software in a virtual environment. I cannot stress this enough. Downloading that quick tool you need to convert a PDF might just have a virus or a trojan embedded.

Be vigilant. Keep backups. Know your PC and its surroundings.

OpenSource and the world

June 27th, 2012 | Posted by bs in Technical - (1 Comments)

History lesson

OpenSource, in its simplest form, is a free and open version of something. In other words, you don’t pay to have it, learn from it, modify it, and re-distribute it. Be it a computer software program, a soft drink or even a film.

Much has been said about the pros and cons of open source, with the supporters of each turning against each other in something that our grandchildren would most likely call “the start of the New World War”. If you think I’m exaggerating, then feel free to browse Nine Current Flame Wars and Why Linux on a Desktop Sucks, or grab a search engine and go take a look at the 100 million+ links dedicated to trashing open source/closed source.

Religious fanatics – the bunch of them!

So…?

Well, for the past 17+ years, I’ve been using open source (most notably Linux, underwritten by the Church of the Subgenius which pre-dates the “world’s first open source religion” mentioned earlier!). Having started with kernel 1.1.23 way back in 1994 all the way up to 2.6.39 in 2012 (1.2.13 being the most stable in my humble and biased opinion).

I started in the days when X11R5/6 and XFree86 were competing to be dominant desktops (yes, before Gnome and KDE and all those other heavy-weight managers were around). The days when you still needed to compile your window manager and figure out ModeLines for your monitor/screen card combo!

The days before sound was easily available using ALSA, or DVDs were easily “decryptable” and illegal under Linux!! – Which led to one of the most fun projects in subversion!

Ahh yes, I enjoyed spending hours upon hours upon hours in front of the computer building tools that would allow me to use it.

Now…

Now I just want tools that work, you know? Yes, it’s fun recompiling your kernel for the 27th time, as you did in your youth, but how does that relate to productivity? Open Source is a great concept, don’t get me wrong, but if it’s going to take 4 weeks for a “professional” to configure a high availability cluster (because <sarcasm>quorum rules are soooooo difficult</sarcasm>) to save costs, because we believe that open source is the only way, then I have precious little patience or sympathy for you. Buy a damn load balancer! And if you really really really hate “black box solutions” so much, there’s an open source alternative for you too!

The point is, stop wasting time on building bespoke solutions just because it’s open source or because you believe that my problem is so unique that I have to build a tool myself. Other people have done this already and it’s available; more often than not, it will fit what you require, maybe not what you desire… There is a difference! It takes far longer to build your own in-house solution than it does to get something off the shelf. (This is based purely on my experience with companies that insist on doing everything themselves).

Why the annoyance?

I was reminded recently of just how trustworthy and seamless open source could be.

ClamAV is an open source anti-virus tool. I use it and it works great! Updates regularly and in general, I’ve had close to 0 problems with it – until now…

I noticed the following log entry:

Jun 27 12:47:57 srv freshclam[2209]: Received signal: wake up
Jun 27 12:47:57 srv freshclam[2209]: ClamAV update process started at Wed Jun 27 12:47:57 2012
Jun 27 12:47:57 srv freshclam[2209]: Your ClamAV installation is OUTDATED!
Jun 27 12:47:57 srv freshclam[2209]: Local version: 0.97.4 Recommended version: 0.97.5
Jun 27 12:47:57 srv freshclam[2209]: DON’T PANIC! Read http://www.clamav.net/support/faq
Jun 27 12:47:57 srv freshclam[2209]: main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Jun 27 12:47:57 srv freshclam[2209]: Downloading daily-15088.cdiff [100%]
Jun 27 12:47:57 srv freshclam[2209]: daily.cld updated (version: 15088, sigs: 222200, f-level: 63, builder: ccordes)
Jun 27 12:47:57 srv freshclam[2209]: bytecode.cld is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
Jun 27 12:47:59 srv freshclam[2209]: Database updated (1266626 signatures) from db.gb.clamav.net (IP: 217.135.32.99)
Jun 27 12:47:59 srv freshclam[2209]: ————————————–

Ok, so clamd is outdated, but the virus definitions are up to date. Easy enough, as per the FAQ listed above, we simply need to upgrade. So we do exactly that. Yum update shows:

---> Package clamav.x86_64 0:0.97.4-1.el6.rf will be updated
---> Package clamav.x86_64 0:0.97.5-2.el6.rf will be an update
---> Package clamav-db.x86_64 0:0.97.4-1.el6.rf will be updated
---> Package clamav-db.x86_64 0:0.97.5-2.el6.rf will be an update
---> Package clamd.x86_64 0:0.97.4-1.el6.rf will be updated
---> Package clamd.x86_64 0:0.97.5-2.el6.rf will be an update

Great, I’m getting new everything – yay! (sidenote: freshclam belongs to the clamav package). All packages install perfectly and without warnings or errors. We’re good to go ;)

Then, we notice the following in the logs:

Jun 27 13:50:43 srv clamd[7647]: clamd daemon 0.97.5 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 27 13:50:43 srv clamd[7647]: Running as user clamav (UID 494, GID 491)
Jun 27 13:50:43 srv clamd[7647]: Log file size limited to -1 bytes.
Jun 27 13:50:43 srv clamd[7647]: Reading databases from /var/clamav
Jun 27 13:50:43 srv clamd[7647]: Not loading PUA signatures.
Jun 27 13:50:43 srv clamd[7647]: Bytecode: Security mode set to “TrustSigned”.
Jun 27 13:50:43 srv clamd[7647]: Malformed database

Malformed database? HUH!? Restarting clamd, gives:

Stopping Clam AntiVirus Daemon:                            [FAILED]
Starting Clam AntiVirus Daemon: LibClamAV Error: cl_cvdhead: Can’t read CVD header in /var/clamav/daily.cld
LibClamAV Error: cli_loaddbdir(): error parsing header of /var/clamav/daily.cld
ERROR: Malformed database
[FAILED]

Trawling the internet shows me to “0” the db files and run freshclam to re-create them. Further searching tells me to delete the database and rebuild it. Nope – neither worked.

It’s not serious really – I mean it’s not like I’m running a production service here!

Aside from the fact that no mails are getting through, because each one needs to be passed off to the AV to scan it, I figure it’s old-school time… start at the beginning and run everything in debug mode – one at a time, checking inputs, outputs, directories, permissions, hell – I’ll even k/strace if needed!

Hmph! Where’s the “Don’t Panic” message now!?

# /usr/bin/freshclam -v --debug --stdout
Current working dir is /var/lib/clamav

INSERT SWEARING HERE!

What these geniuses went and did, was change the db directory in one package from /var/clamav/ to /var/lib/clamav/ but not in the other!

One quick symlink later, and all is well. No, I’m not going to trawl through configs right now! (once I have downtime, then yes).
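A check that would have shortened the hunt above, added here and not part of the original post: it reads DatabaseDirectory from clamd.conf and freshclam.conf, reports when the two packages disagree, and confirms that signature files actually sit where clamd reads them. The /var/lib/clamav fallback for a missing directive is an assumption of this script, not the packages’ compiled-in default.

```sh
#!/bin/sh
# Added example (not from the original post): catch the clamd/freshclam
# split described above before restarting clamd. Each daemon takes its
# signature directory from the DatabaseDirectory directive in its own
# config file (clamd.conf, freshclam.conf); the /var/lib/clamav fallback
# used when a directive is absent is an assumption for this script.

# Print the effective DatabaseDirectory from one ClamAV config file.
# $1 = config path, $2 = fallback when no directive is set.
clamav_dbdir() {
    # Ignore comment lines, keep the last uncommented directive, strip quotes.
    dir=$(sed -n 's/^[[:space:]]*DatabaseDirectory[[:space:]]\{1,\}//p' "$1" \
          | tail -n 1 | tr -d '"')
    printf '%s\n' "${dir:-$2}"
}

# $1 = clamd.conf, $2 = freshclam.conf. Returns 0 when both daemons agree
# and signature files exist where clamd will read them, 1 otherwise (the
# case that ends in "Malformed database" / "Can't read CVD header").
check_clamav_dbdir() {
    clamd_dir=$(clamav_dbdir "$1" /var/lib/clamav)
    fresh_dir=$(clamav_dbdir "$2" /var/lib/clamav)
    status=0
    if [ "$clamd_dir" != "$fresh_dir" ]; then
        printf 'MISMATCH: clamd reads %s but freshclam updates %s\n' \
            "$clamd_dir" "$fresh_dir"
        status=1
    fi
    found=0
    for f in "$clamd_dir"/*.cvd "$clamd_dir"/*.cld; do
        if [ -f "$f" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'NO SIGNATURES: nothing for clamd to load in %s\n' "$clamd_dir"
        status=1
    fi
    if [ "$status" -eq 0 ]; then printf 'OK: both use %s\n' "$clamd_dir"; fi
    return "$status"
}

# Usage: sh clamav-dbcheck.sh /etc/clamd.conf /etc/freshclam.conf
if [ "$#" -eq 2 ]; then
    check_clamav_dbdir "$1" "$2"
fi
```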

Start of a Conspiracy?

My thoughts

The above is just one example of how tiny annoying things creep up every day. EPEL changes their directory structure and breaks automated updates. ClamAV changes their directory structure and breaks running a system. PHP deprecates features and replaces them with others, breaking functional websites. Ad infinitum!

Yes, open source is great. I’ve made a living out of supporting/developing/automating open source (and closed source) systems for decades (well, almost 2 decades) and what bugs me, is the fact that everyone who sings only the praises of one instead of being open minded to both, sits with the same problems as me. Yet, they see nothing to very little wrong with the way things are done?

Open source has its place. Closed source has its place. Use the right tool for the right job and all that.

…but whatever tool you use, can we at least get a working version of it that doesn’t eat my time away because people simply change things? I don’t mind bugs per se – I understand that no software will ever be perfect, straight off the production line. But changes like these, that take precious minutes/hours/days away from people, simply because someone decides they don’t like the previous coder and/or code and need to move away from that structure and so disrupt me, is not only selfish, but ignorant and destructive.

Can we not just think about the impact beforehand and plan a little better? Making software, as a tool, more stable, repeatable, secure and worthy of being called Open Source?

Is that so much to ask?

Is it…?

Really…?

The end of an era

June 14th, 2012 | Posted by bs in General - (1 Comments)

The history of Camel

In 1913, R.J. Reynolds innovated and revolutionised the smoking world by creating the packaged cigarette and brought Camel cigarettes to the likes of me…

In 1985, JT (Japan Tobacco) was founded on April Fools day (yes, the 1st of April). They sell Camel outside of the USA.

In 2007, (oddly, on April 18th) JT swallowed the Gallaher Group – 3rd largest tobacco company after BAT (British American Tobacco) and Imperial Tobacco.

In 2012, JTI decided to stop production of Camel Filters, but keep the rest of their current Camel portfolio (which, basically means Camel Lights, re-branded).

Brand loyalty

I started with Camel Filters, and I’ve stuck to them throughout all the years. Even to the point whereby I was told off by people (friends) for walking an extra 20 minutes (yep, I’d “walk a mile for a Camel”), to find a shop that sells my brand – hey, I like the taste and the feel. Having tried other smokes in the past, I found a brand I enjoy – the end. All other smokes, are just… well, pick your own painfully obscene word, and insert it here!

A few years ago, I was plied by a cigarette sales person with 18 (yes eighteen!!) cartons of free cigarettes. It wasn’t my brand, so I politely declined the offer and walked away with a snide comment under my breath of “if the cigarette was any good, you wouldn’t have to bribe people to take them for free!!”. I simply refused (and still do) to smoke anything else.

Even within the Camel product line, which spans about 20+ different lines, I just never enjoyed any of them aside from the Filters. It’s been the same brand, for 22 years!

Smoking? Seriously!?

So yes, I smoked for around 22 years. Always Camel Filters. Thanks to this dumb-arse move (not supplying Filters), I no longer have the “luxury” of contributing my part of £12.1+ billion in tax revenues, at 78% on the product, which equates to over £5 on a £7 pack of smokes! Yes, yes, yes, I know. So we’ll add that smoking related illnesses cost around £5 billion – so the government is still doubling up on profit! So there!

You know, the weird thing is that I don’t mind paying 2/3rds of the price on tax – I don’t mind the hike in extra tax, making a pack of premium cigarettes sell for over £8.00 in 2012, when it obviously costs less than £2 to produce. What I mind is that the only brand I ever enjoyed, is now no longer available.

Having smoked a single brand for over 20 years, having that specific brand removed, is just annoying. Yes, I’m aggravated and annoyed and in general, full of disinterest.

So why?

Having phoned up the wholesaler Palmer & Harvey (they look after 63,000+ retailers including the ones I used to buy my smokes from), they put me onto JTI (Japan Tobacco International), which supplies them with the Camel product. I phoned up JTI and the response was simply (and I’m paraphrasing) “it didn’t sell enough”.

Well, I can’t argue with the figures – if a brand doesn’t do well, you rip it out and replace it – simple economics. We’ll ignore the fact that this is mostly the retailers’ fault for always having damn close to no stock of that specific brand! This is based on my own shopping habits, of me walking up to a counter that sells tobacco, asking for Camel Filter and being told there’s only 1 pack left. Which, in my mind, means that the product sold really fast! But sadly, this just means that retailers didn’t stock enough Filters to be able to push up the revenue.

Bastards!

My thoughts

I could import… couldn’t be bothered. I could smoke something else… I refuse to lower my standards! So that leaves only one option: After 22 years, yes, I’ve quit. This is day #2 btw, and so far I’m reasonably positive (positive that I’m going to go insane, that is!)

The urges to smash the phone into tiny itty bitty little pieces while laughing maniacally as it starts ringing, is ever increasing, but I’ll survive… The phone might not!

Loyalty buys you nothing… 2 decades of brand loyalty, supporting one brand and one brand only, and this is how it ends… sad… Oh well, at least I don’t have to stand in the snow at 03:00 having that “last fag before I go to bed”… And I can now join the millions of wannabe “activists” complaining about smokers destroying the world (even though I know they’re funding a considerable portion of it).

All good! The downside is having my phlegm dry up…

EU Cookie “Law”

June 10th, 2012 | Posted by bs in Technical - (Comments Off)

Background

According to a post from the ICO (Information Commissioner’s Office), it’s now a legal requirement to add a blurb about cookies (See the rather impressively detailed post from Channel4) and gain some form of consent for the users (could be implied consent after the last 11th-hour amendment in the previous link). The legal requirement comes from the UK government to be more compliant with EU regulations (or in this case, an EU directive, which in itself is not a law, but rather a goal).

But…

Very few articles actually point back to the EU Directive itself. Feel free to search Google for the actual document! It’s annoying that not even the ICO has a link back to the source of this new law. The EC has a link to cookies, but again, does not attach itself to the original directive. It’s enough to make me wonder why it is that people are trying to hide the source…?

So,

After a long and laboured search, you can find the actual directive.

Having read through it (yes, I’m that lame), it seems to be simple and semi-self-explanatory.

Cookies and security

Having a cookie policy is great. Having cookies is great. Having cookies that store personal information for cross-site tracking is not so great! It would be easier and better to simply make a law that defines a usable cookie as part of a session. I see no reason to keep a cookie for longer than your browser is open.

Sure, to keep you logged into your webmail or some other site, it’s a great idea – or is it?

Imagine for a second, you’ve enabled automatic login to your webmail, your social networking sites (personal and professional), your favourite online stores and even your administration account to your blog. The reason is quite simple: It’s my home computer and I trust it, and I hate typing in passwords the whole time!

So what happens when your PC is stolen? Or you log onto a malicious site that drops some malware that reads all your cookies, sends it to an attacker who recreates them, and logs into your account without even bothering with a password. Can’t happen? Here’s how this is possible.

Cookie crime

So even if my PC isn’t stolen; do you really want your private surfing habits available to prying eyes? With very little knowledge of computers, you can easily build a surfing history of someone (who has wiped out their recent history, but left their cookies), by simply browsing to see which domains a cookie is attached to. You’d be surprised what you can learn from someone just by following the cookie trail.

OK, so you’ve wiped your browser cookies. You’re safe, right? Wrong!

An LSO (Local Shared Object) is an object that stores data in the same way a cookie does, but not inside the browser. So by deleting your cookies, you may have wiped out some data, but not all. These “super cookies” or “flash cookies”, as they are incorrectly referred to, survive cookie deletions and don’t show inside the browser!

Regardless of your security setting inside of Firefox or Internet Explorer or even Google Chrome, these objects exist in a world of their own, and can only be manipulated (well, that’s not strictly true, but unless you’re technically minded…) by browsing to the Macromedia website.

Go have a look – fun :)

You need to check your security settings after each upgrade of any Adobe/Flash/Macromedia product, as they tend to reset the values to default “allow” on every new version installed.
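An added example, not from the original post, for auditing and clearing the LSOs described above from the command line instead of the Macromedia settings page; it assumes the Linux Flash Player directory layout named in the comments, and the directory tree it is tested against is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit and clear Flash LSOs,
# the "flash cookies" that survive clearing browser cookies. Assumes the
# Linux Flash Player layout
#   ~/.macromedia/Flash_Player/#SharedObjects/<random id>/<domain>/...sol
# (Windows keeps them under %APPDATA%\Macromedia\Flash Player\#SharedObjects,
# macOS under ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects).

LSO_ROOT="${LSO_ROOT:-$HOME/.macromedia/Flash_Player/#SharedObjects}"

# Print "domain file-count bytes" for every domain holding an LSO, sorted
# by domain: the cookie trail, visible without opening a browser.
# $1 = #SharedObjects directory (defaults to LSO_ROOT).
lso_domains() {
    root=${1:-$LSO_ROOT}
    [ -d "$root" ] || return 0
    find "$root" -type f -name '*.sol' | while IFS= read -r f; do
        rel=${f#"$root"/}                       # <id>/<domain>/.../name.sol
        domain=$(printf '%s\n' "$rel" | cut -d/ -f2)
        printf '%s %s\n' "$domain" "$(wc -c < "$f" | tr -d ' ')"
    done | awk '{ n[$1]++; b[$1] += $2 }
                END { for (d in n) printf "%s %d %d\n", d, n[d], b[d] }' | sort
}

# Delete LSOs: all of them, or only those belonging to one domain.
# $1 = #SharedObjects directory, $2 = optional domain.
lso_clear() {
    root=${1:-$LSO_ROOT}
    [ -d "$root" ] || return 0
    if [ -n "${2:-}" ]; then
        find "$root" -type f -name '*.sol' -path "*/$2/*" -exec rm -f {} +
    else
        find "$root" -type f -name '*.sol' -exec rm -f {} +
    fi
}

# Daily routine:
#   lso_domains            # see which domains left something behind
#   lso_clear              # and wipe it, together with the browser cookies
```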

My thoughts

Regardless of my personal thoughts on cookies, they’re going to be around for a while. There are methods of making your PC (and your personal information/accounts) a little safer while using them though.

  1. Follow the links above and get a few privacy tools like Flashblock or Better Privacy.
  2. Clean your cookies daily. LSO and browser cookies. (yes, it’s a pain re-logging into every website, but it’s safer)
  3. Never trust a website just because it’s a big brand. Google likes to track

And remember… you never know who’s peeking at your data!

LinkedIn password issues

June 6th, 2012 | Posted by bs in Technical - (Comments Off)

Seems fitting that my first post would be tech/security related…

Background

So right, seems 6.4+ million passwords surfaced on a Russian forum (link has been removed, Google cache still has something here) when a poster named “dwdm” asked for help decrypting 6,458,020 SHA1 encrypted passwords. Some more links to forums in Russian. A copy of the password list can be found on Narod.ru in 7Zip format.

Alarm bells went off when people noticed passwords such as “linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword” surfacing. Assumptions that this was in fact a LinkedIn password list were raised, which the company finally admitted to.

Tech stuff

So the passwords are encrypted, right? Who cares? Well, due to the fact that salting wasn’t used, the forum members could easily “decrypt” the passwords using rainbow tables. Previously thought “secure” passwords up to 15 characters long were cracked in a few hours. Passwords such as “QWE123!@#qweqwe”, “m3adowsP@$$w0rd”, “Gänseblümchen”, “654321abc!@#$%^” and “111708!QAZ2wsx^C” might look secure, but they are in fact not. These are among the first 585,491 passwords that were cracked in the first few hours!

If the Rainbow Tables link was a little too techie, try an easier explanation or see the Free Rainbow Tables page.
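An added example, not from the original post, of the unsalted-versus-salted difference at the heart of this leak: a four-word lookup table (the precomputation that rainbow tables compress) finds the unsalted SHA-1 of any of the post’s own password variants instantly, while a per-user salt, which is what the site should have stored, makes the same table useless. The usernames are constructed; sha1sum (or shasum) and od are assumed available.

```sh
#!/bin/sh
# Added example (not from the original post): why an unsalted SHA-1 list
# like the one described above falls to a precomputed table, and what a
# per-user salt changes. Needs sha1sum (or shasum) and od. The candidate
# words are the variants quoted in the post; the user records are made up.

sha1_hex() {                       # hex SHA-1 of $1, no trailing newline
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    fi
}

unsalted_hash() { sha1_hex "$1"; }         # what the leaked list stored
salted_hash()   { sha1_hex "$2$1"; }       # $1 = password, $2 = salt
new_salt()      { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# "hash word" pairs for a candidate list read from stdin: the simplest
# form of precomputation. Built once, it works against every unsalted
# dump, because the same password always gives the same hash.
build_table() {
    while IFS= read -r word; do
        if [ -n "$word" ]; then
            printf '%s %s\n' "$(unsalted_hash "$word")" "$word"
        fi
    done
}

# $1 = hash to look up, $2 = table file. Prints the word or returns 1.
table_lookup() {
    awk -v h="$1" '$1 == h { print $2; found = 1 } END { exit !found }' "$2"
}

# What the site should have stored: user:salt:hash with a fresh salt per
# user. The salt defeats the table above; a slow KDF (bcrypt, PBKDF2) on
# top would also slow down guessing one user at a time, which SHA-1 alone
# does not.
make_record() {
    salt=$(new_salt)
    printf '%s:%s:%s\n' "$1" "$salt" "$(salted_hash "$2" "$salt")"
}

# $1 = record line, $2 = password attempt. Returns 0 on a match.
verify_record() {
    salt=$(printf '%s' "$1" | cut -d: -f2)
    stored=$(printf '%s' "$1" | cut -d: -f3)
    [ "$(salted_hash "$2" "$salt")" = "$stored" ]
}

# The post's own variants, as the candidate list for build_table.
CANDIDATES='linkedin
LinkedIn
L1nked1n
linkedinsecret'
```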

So how do I secure my passwords?

  1. Don’t simply trust, that because some website has a million users, they have any clue about security!
  2. Use a new password for every site you register on. Yes, it’s a pain, but that way you only ever limit your exposure to one site.
  3. Follow the Best Practise guidelines to good passwords, as a start. (The policy LinkedIn suggests, is a relatively good start)
  4. Always Log out!
  5. Don’t use internet cafés for anything personal or secure (like internet banking!!)
  6. Check out the following password strength tester (Source is included) built on Best Practise. If you get a 10, I’ll be impressed!

My thoughts

In short, there is no real useful way of securing your password. Passwords are old, outdated and useless. Much like installing the latest lock, there is always a key that can be copied, or someone proficient enough in lock picking. Storing your password in a password vault is also not an option any more. *sigh*

Make the password easy, people crack it. Make it difficult, people write it down on post-it notes where others get easy access. Passwords should be banned (if used on their own). 2 to 3 factor authentication which includes a password, is the way to go. A sample of DNA, an access card (USB, keycard, whatever!), and a password used together, is the only way forward. I can hear the complaints already!!

Well… until we figure out how to duplicate or steal that too!

Afterthought

An easy way to generate really hard-to-crack passwords (and remember them) is by taking quotes from your favourite book or poem or film. A password like “A man should look for what is, and not for what he thinks should be.” (Quote from Albert Einstein) can be turned into a secure(ish) password such as: aMaN514wh@t|s&!4wh@thTSb. – Best Practise gives this password a 6 out of 10, proving my theory that passwords alone are not the answer!

I’ll be adding more security related articles in the upcoming months. Feel free to check back on occasion (or grab an RSS feed)!