[PLUG-Devel] HackFest Series: KeyLoggers (Trust [and Ownership] = Everything) for Administrators v1.1

Ryan Rix phrkonaleash at gmail.com
Mon Dec 1 09:24:00 MST 2008


Hi,

>Proud to be a PC? Show the world. Download the "I'm a PC" Messenger
themepack now. Download now.<http://clk.atdmt.com/MRT/go/119642558/direct/01/>
Shut up. :-)

Thanks and best regards,
Ryan Rix
TamsPalm - The PalmOS Blog
(623)-239-1103 <-- Grand Central, baby!

Jasmine Bowden - Class of 2009, Marc Rasmussen - Class of 2008, Erica
Sheffey - Class of 2009, Rest in peace.


On Sun, Nov 30, 2008 at 10:48 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

> Not all that glitters is gold. Keyloggers can exist as part of a
> honeypot, PCI tool, management or systems administration utility or even a
> simple trojan virus.
>
> It's becoming more and more common to log all root keystrokes in layers of
> trust and secrecy that systems administrators don't even immediately
> recognize are there.
>
> Many keyloggers exist, but the three most often deployed in systems
> include:
>
> 1) Pam Daemon/Systems Level:
>
>  rootsh utility, which allows you to enable a systems logger that will show
> everything logged to the terminal whenever anyone invokes sudo.
>
> http://freshmeat.net/projects/rootsh/
>
> Many implementations recommend renaming rootsh to another seemingly
> innocuous-sounding word - like "termd".
>
> The use of rootsh and other keyloggers for root is exceptionally useful
> should you have more than one systems administrator, or want to keep track
> of changes on production systems.  PCI compliance and SOCKS both require
> controls in place for the root or administrative user.
>
> The logs (which by default go to /var/log/rootsh/, a location that can be
> changed upon implementation) can of course be edited, like any logs, unless
> you utilize stunnel or another syslog-ng single network loghost with limited
> access, which is yet another recommendation for secure administration.
> Systems level keyloggers (from the "old school") include console and tty
> device logging:
>
> http://freeworld.thc.org/papers/writing-linux-kernel-keylogger.txt
>
> 2) Kernel level:
>
> Sebek clients (with Honeywall server) provide nearly invisible logging
> capacity for honeypot and systems administration monitoring.
>
> http://www.honeynet.org/tools/sebek/
>
> Sebek is a kernel module that is available for Windows machines also.
>
> 3) Hardware based tools.
>
> These masquerade as a USB to PCI or other conversion tool and are most often
> deployed at NOCs with KVMs that don't also provide tty capacity.
>
> http://www.keelog.com/download.html
>
> These are especially useful; however, the most savvy systems administrators
> usually see the terminal pause and flash that accompany use of a hardware
> logger.
>
> SO if you feel you ARE BEING WATCHED, you ARE. [I personally can't type
> when watched!]
>
> The legal ramifications of micro-critique of a systems administrator or
> engineer for making such typing mistakes are problematic due to the
> non-exempt federal statutes for professionals (since the FLSA standards
> require us to be able to work without micro-direction), but be advised, all
> high level responsible actions are logged post 2001 in America!
>
>  http://www.lieffcabraser.com/itovertime.htm
>
> Trojan Keyloggers:
>
> http://www.youtube.com/watch?v=fVy82nFcvVg
>
> www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |
> http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
> ------------------------------
> Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona
> Department of Economic Security will provide a one hour presentation on
> forensics.
>
>
> Laugh at this MSN Advertisement:
> ------------------------------
> Proud to be a PC? Show the world. Download the "I'm a PC" Messenger
> themepack now. Download now.<http://clk.atdmt.com/MRT/go/119642558/direct/01/>
>
> _______________________________________________
> PLUG-devel mailing list  -  PLUG-devel at lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-devel
>
>
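The point made above about shipping root-session logs to a single network loghost so that the local copy cannot be quietly edited, as an added example that is not part of this thread and is not rootsh's own code: a Python forwarder that sends one numbered record per command over UDP syslog (authpriv.info) to a collector, then audits the local log against the collector's copy and reports the sequence numbers that have gone missing locally. The record format, the user and tty names, the session commands, and the in-process collector standing in for the loghost are all constructed for the example; a real deployment would point the handler at the syslog-ng host and carry the stream over stunnel or TLS rather than plain UDP, as the post recommends.

```python
"""Forward root-session records to a syslog collector and audit the local copy.
Added example: the record format and sample session are constructed, not rootsh's."""
import logging
import logging.handlers
import re
import socket
import threading
import time

# Constructed sample: commands as a rootsh-style logger might capture them
# from one sudo session (illustrative format, not rootsh's own log layout).
SESSION_LINES = ["id", "cat /etc/shadow", "vi /etc/sudoers", "exit"]

# <PRI>rootsh[pid]: user=... tty=... seq=N cmd=...   (our own constructed layout)
RECORD_RE = re.compile(r"<(\d+)>rootsh\[\d+\]: user=(\S+) tty=(\S+) seq=(\d+) cmd=(.*)")


class Collector:
    """Minimal UDP syslog collector standing in for the network loghost."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))           # port 0: let the OS pick a free port
        self.sock.settimeout(0.1)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def _run(self):
        while not self._stop.is_set():
            try:
                data, _ = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            # SysLogHandler appends a NUL byte by default; drop it.
            self.received.append(data.decode("utf-8", "replace").rstrip("\x00"))
        self.sock.close()

    def wait_for(self, count, timeout=2.0):
        """Block until `count` datagrams arrived or the timeout passed."""
        deadline = time.monotonic() + timeout
        while len(self.received) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return list(self.received)

    def stop(self):
        self._stop.set()
        self._thread.join()


def make_forwarder(host, port):
    """Logger that ships each record to the collector as authpriv.info (PRI 86)."""
    logger = logging.getLogger("rootsh-forward-%d" % port)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.handlers.SysLogHandler(
        address=(host, port), facility=logging.handlers.SysLogHandler.LOG_AUTHPRIV)
    handler.setFormatter(logging.Formatter("rootsh[%(process)d]: %(message)s"))
    logger.handlers = [handler]
    return logger


def forward_session(logger, user, tty, lines):
    """Emit one numbered record per command and return the local copy.
    The sequence number is what lets the auditor spot a deleted line later."""
    local_copy = []
    for seq, cmd in enumerate(lines, start=1):
        logger.info("user=%s tty=%s seq=%d cmd=%s", user, tty, seq, cmd)
        local_copy.append((seq, cmd))
    return local_copy


def parse_records(raw_lines):
    """Parse the collector's copy into (pri, user, tty, seq, cmd), ordered by seq."""
    out = []
    for raw in raw_lines:
        m = RECORD_RE.match(raw)
        if m:
            pri, user, tty, seq, cmd = m.groups()
            out.append((int(pri), user, tty, int(seq), cmd))
    return sorted(out, key=lambda r: r[3])


def audit(local_copy, remote_records):
    """Sequence numbers the loghost holds but the local log no longer does."""
    local_seqs = {seq for seq, _ in local_copy}
    return [seq for _, _, _, seq, _ in remote_records if seq not in local_seqs]


def run_demo():
    collector = Collector()
    logger = make_forwarder("127.0.0.1", collector.port)
    local_copy = forward_session(logger, "alice", "pts/3", SESSION_LINES)
    remote = parse_records(collector.wait_for(len(SESSION_LINES)))
    collector.stop()
    # Simulate the admin "tidying up" the local log after the fact.
    tampered = [rec for rec in local_copy if rec[1] != "cat /etc/shadow"]
    return remote, audit(tampered, remote)


if __name__ == "__main__":
    remote, missing = run_demo()
    for rec in remote:
        print(rec)
    print("missing locally:", missing)
```

The collector keeps everything it was sent, so removing the `cat /etc/shadow` line from the local log leaves a hole at seq 2 that `audit()` reports. The loghost only helps if the administrators being logged cannot reach it with write access, which is the "limited access" condition the post attaches to it.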