Linux & key Loggers

Lisa Kachold lisakachold at obnosis.com
Fri Jul 1 17:19:39 MST 2011 

Ditto!

Hiding & Recovering Files in JPEGs <http://www.securitytube.net/video/1988>

On Thu, Jun 30, 2011 at 4:16 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:

> Mike:
>
> More to make the post complete with all available attack vectors that could
> be deployed to install a keylogger on Linux (MAC and Windows):
>
> On Thu, Jun 30, 2011 at 2:09 PM, mike enriquez <mylinux at cox.net> wrote:
>
>> **
>> On 06/30/2011 06:55 AM, Lisa Kachold wrote:
>>
>> Hi Mike!
>>
>> On Wed, Jun 29, 2011 at 5:09 PM, mike enriquez <mylinux at cox.net> wrote:
>>
>>> Does anyone on the List know if Key Loggers are a problem in Linux?
>>> I don't know a thing about them.  My windows computers get the things all
>>> the time.
>>> Do I need to worry about them in Linux.
>>> Thanks for any comments.
>>>
>>
>> Unlike Windows, where the attack vector is mainly virus from file
>> transfers, in Linux (and Mac) the attack vector is going to be browser
>> based.
>>
>> So if you don't limit javascript trust, you can fall victim to any manner
>> of installations, ssh, or infestations from browser based attacks like
>> BEef <http://linux.softpedia.com/get/Internet/HTTP-WWW-/BeEF-29854.shtml>.
>> This tool will provide a triangulated Host --> Website --> YourBrowser
>> attack similar to XSS scripting browser attacks, that opens your entire
>> linux (or Mac) system to full control via the Browser (Opera/FireFox/etc).
>> A keylogger like the one referenced by Sam would trivially be installed
>> without your immediate knowledge.
>>
>> Of course if you do not properly firewall your home network, have a "cable
>> modem" that is subject to hacked firmware, or take your laptop to public
>> venues without a proper analysis of open ports or iptables, you can always
>> pick up a "hitcher", who could install a key logger or other hack.
>>
>> Various hardware hacks also exist, similar to tiny USB devices that can be
>> setup on your keyboard or monitor between connections, which are commonly
>> used by IT managers in NOCs and Operations Centers (where oblivious
>> Operations and Systems staff continue to surf Facebook rather than actually
>> work).
>>
>> Regularly reading the logs, setting up reporting devices that inform of
>> new files or packages and of course watching packet traffic by port on a
>> regular basis will assist you to identify keyloggers, as well as BEef and
>> XSS browser hacks, since you will clearly see a great deal of nepharious
>> traffic.
>>
>> Of course if you allow 3rd Party Cookies and don't control Javascript, you
>> are just laying on a large number of "adware" and other installations that
>> create traffic.  Be sure you use NoScript or another Javascript trust
>> control plugin at the browser level.
>>
>> It is recommended that ANY systems user always have a fairly realistic
>> understanding of network trust, packet ports and "regular traffic".
>>
>> Also, beyond KEYLOGGERS, everyone needs to know that EVERY SINGLE SITE YOU
>> GOOGLE, every place you visit can trivially be cross referenced from other
>> sites for which you authenticate to provide AT A GLANCE NSA and DHS data
>> that will provide a complete profile.  This includes CHAT LOGS, Warez sites,
>> TORRENT, and porn sites.
>> The false sense of security that you can use a Anonymizer or browser Proxy
>> site, while it will allow you get to FaceBook from work, will not protect
>> you from large scale data taps at the level of Akamai Caching and
>> Cable/Telecom providers which can be configured to hit any number of
>> parameters for which the feds are interested.
>>
>>
>> Also, if you download FULL email messages, including PDF attachments,
> (which you open without updating your Adobe Browser Plugin or other
> applications for all known exploits) and JPEGs (executable files which I can
> trivially [bind to an .exe file for Win7 powershell fun] or include Unicode
> UTF or BOM characters that can and will setup cron jobs (to open a reverse
> ssh session to my hacked server at a certain time of night for instance) or
> wget a keylogger [since this is the subject we are discussing here in this
> PLUG post] when "opened") you are opening new attack vectors for Linux (or
> even specifically addressed to you by an associate)  [an excellent reason to
> obfuscate your "real identity" at 2600 Club meetings....].
>
> References:
>
> http://xahlee.org/comp/unicode_BOM_byte_orde_mark.html
>
> http://www.hackingethics.com/blog/2008/07/22/how-to-convert-exe-files-to-jpg/
>
> http://justhackitnow.blogspot.com/2011/02/hide-multiple-files-into-single-jpg.html
>
> http://www.dirtyservices.com/2010/how-to-create-adobe-acrobat-pdf-exploit-trojan/
>
>>
>>> Mike Enriquez
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> (602) 791-8002  Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>>
>>  Thank you Lisa,
>> I love this group.
>> Every time I ask a question I get an education.
>> Take Care.
>> Mike
>>
> <snip>

**
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20110701/e654e728/attachment.html>

More information about the PLUG-discuss mailing list