Linux & Key Loggers

Lisa Kachold lisakachold at obnosis.com
Sat Jul 9 00:25:10 MST 2011


Please join us at Maker Bench in Tempe for our first presentation at the new
location on *Linux Attack Vectors*.  As always this is a full-duplex Linux
event with welcome participation from the Linux community.  We will follow up
with hands-on analysis of individual machines, so bring anything with a
kernel that you might want us to check out.

Please update your hackfest schedule to include our new Tempe location and
time on the 2nd Saturday of every month 3PM - 6PM.

Please also see the site schedule at http://plug.phoenix.az.us
<http://phoenix.plug.az.us/>.

An example complete schedule also appears at http://hackfest.obnosis.com:

Excerpt:

Monthly security presentation labs, with open community participation, occur
every month on the Second Saturday in Tempe at the Maker Bench
<http://www.makerbench.com/?page_id=1202> (3-6PM) and Third Saturdays
(Noon-3PM) in Chandler at Gangplankhq.com <http://gangplankhq.com/>.

This interactive lab and presentation format covers industry news, specific
protection issues in linux, ongoing industry tool development, RFC scripts,
exploits & net neutrality.

Ethical and legal, as well as liability aspects of security testing are
covered as we investigate the strange world of computer insecurity from our
portly Penguin perspectives.

Hackfests are specially scheduled demonstrations that include open member
participation hacking, cracking, exploits and IDS.
Hackfests are open encroachment events with designated targets.

We also provide information and tools to modify cable modems for DOCSIS 2.0
JTAG to USB and no-solder pin.

Hack test your installations, networks, and program source using Linux
Security distro tools.

2nd Saturday 3-6PM Tempe meeting facilities generously provided by
MakerBench <http://www.makerbench.com/?page_id=1202>.

3rd Saturday Noon-3PM meeting facilities generously provided by
Gangplankhq.com <http://gangplankhq.com/> in Chandler.

Plan on being able to use live CDs, or USB jump drives to follow along, if
you bring your laptop and targets are announced. Since we have a VMware
Server, you can pre-request a specific target or make arrangements to have
your code ported to one of our virtuals and hit with Metasploit or Rapid 7
Community edition.  Open network access is unlimited (with "play nice"
rules).

Feel free to call or email me if you get lost or have questions.



On Thu, Jun 30, 2011 at 4:16 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

> Mike:
>
> More to make the post complete with all available attack vectors that could
> be deployed to install a keylogger on Linux (MAC and Windows):
>
> On Thu, Jun 30, 2011 at 2:09 PM, mike enriquez <mylinux at cox.net> wrote:
>
>> On 06/30/2011 06:55 AM, Lisa Kachold wrote:
>>
>> Hi Mike!
>>
>> On Wed, Jun 29, 2011 at 5:09 PM, mike enriquez <mylinux at cox.net> wrote:
>>
>>> Does anyone on the List know if Key Loggers are a problem in Linux?
>>> I don't know a thing about them.  My windows computers get the things all
>>> the time.
>>> Do I need to worry about them in Linux.
>>> Thanks for any comments.
>>>
>>
>> Unlike Windows, where the attack vector is mainly virus from file
>> transfers, in Linux (and Mac) the attack vector is going to be browser
>> based.
>>
>> So if you don't limit javascript trust, you can fall victim to any manner
>> of installations, ssh, or infestations from browser based attacks like
>> BEef <http://linux.softpedia.com/get/Internet/HTTP-WWW-/BeEF-29854.shtml>.
>> This tool will provide a triangulated Host --> Website --> YourBrowser
>> attack similar to XSS scripting browser attacks, that opens your entire
>> linux (or Mac) system to full control via the Browser (Opera/FireFox/etc).
>> A keylogger like the one referenced by Sam would trivially be installed
>> without your immediate knowledge.
>>
>> Of course if you do not properly firewall your home network, have a "cable
>> modem" that is subject to hacked firmware, or take your laptop to public
>> venues without a proper analysis of open ports or iptables, you can always
>> pick up a "hitcher", who could install a key logger or other hack.
>>
>> Various hardware hacks also exist, similar to tiny USB devices that can be
>> setup on your keyboard or monitor between connections, which are commonly
>> used by IT managers in NOCs and Operations Centers (where oblivious
>> Operations and Systems staff continue to surf Facebook rather than actually
>> work).
>>
>> Regularly reading the logs, setting up reporting devices that inform of
>> new files or packages and of course watching packet traffic by port on a
>> regular basis will assist you to identify keyloggers, as well as BEef and
>> XSS browser hacks, since you will clearly see a great deal of nefarious
>> traffic.
>>
>> Of course if you allow 3rd Party Cookies and don't control Javascript, you
>> are just laying on a large number of "adware" and other installations that
>> create traffic.  Be sure you use NoScript or another Javascript trust
>> control plugin at the browser level.
>>
>> It is recommended that ANY systems user always have a fairly realistic
>> understanding of network trust, packet ports and "regular traffic".
>>
>> Also, beyond KEYLOGGERS, everyone needs to know that EVERY SINGLE SITE YOU
>> GOOGLE, every place you visit can trivially be cross referenced from other
>> sites for which you authenticate to provide AT A GLANCE NSA and DHS data
>> that will provide a complete profile.  This includes CHAT LOGS, Warez sites,
>> TORRENT, and porn sites.
>> The false sense of security that you can use an Anonymizer or browser Proxy
>> site, while it will allow you to get to FaceBook from work, will not protect
>> you from large scale data taps at the level of Akamai Caching and
>> Cable/Telecom providers which can be configured to hit any number of
>> parameters for which the feds are interested.
>>
>>
> Also, if you download FULL email messages, including PDF attachments,
> (which you open without updating your Adobe Browser Plugin or other
> applications for all known exploits) and JPEGs (executable files which I can
> trivially [bind to an .exe file for Win7 powershell fun] or include Unicode
> UTF or BOM characters that can and will setup cron jobs (to open a reverse
> ssh session to my hacked server at a certain time of night for instance) or
> wget a keylogger [since this is the subject we are discussing here in this
> PLUG post] when "opened") you are opening new attack vectors for Linux (or
> even specifically addressed to you by an associate)  [an excellent reason to
> obfuscate your "real identity" at 2600 Club meetings....].
>
> References:
>
> http://xahlee.org/comp/unicode_BOM_byte_orde_mark.html
>
> http://www.hackingethics.com/blog/2008/07/22/how-to-convert-exe-files-to-jpg/
>
> http://justhackitnow.blogspot.com/2011/02/hide-multiple-files-into-single-jpg.html
>
> http://www.dirtyservices.com/2010/how-to-create-adobe-acrobat-pdf-exploit-trojan/
>
>>
>>> Mike Enriquez
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>>
>> Thank you Lisa,
>> I love this group.
>> Every time I ask a question I get an education.
>> Take Care.
>> Mike
>>
>>
>
>
>
>


-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
HomeSmartInternational.com <http://www.homesmartinternational.com>
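As an added example (not code from this thread or from PLUG), here is the kind of "reporting device that informs of new files" the discussion above recommends: a minimal file-integrity baseline that hashes a directory tree once and later reports files added, changed or removed. The sample tree is constructed in a temporary directory to stand in for /etc/cron.d and /etc/rc.local, the sort of paths a planted cron job would touch.

```python
"""Minimal file-integrity baseline: hash a tree once, then report files that
are new, changed or missing on a later pass. Added example, not code from the
thread; the sample tree and its entries are constructed placeholders."""
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and other non-regular files
            inventory[os.path.relpath(full, root)] = hash_file(full)
    return inventory

def diff(baseline, current):
    """Return sorted lists (added, modified, removed) of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed scenario: take a baseline, then add a cron entry and
    append a line to rc.local, and return what the diff reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cron.d"))
        with open(os.path.join(root, "cron.d", "backup"), "w") as f:
            f.write("0 2 * * * root /usr/local/bin/backup.sh\n")
        with open(os.path.join(root, "rc.local"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "cron.d", "update"), "w") as f:
            f.write("@reboot nobody /tmp/.placeholder/agent\n")  # sample entry
        with open(os.path.join(root, "rc.local"), "a") as f:
            f.write("/tmp/.placeholder/agent &\n")  # sample modification
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())  # (['cron.d/update'], ['rc.local'], [])
```

In real use the baseline dictionary is stored off-box (or on read-only media) and compared on a schedule, since a baseline kept on the monitored host can be edited along with the files it covers.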