
Thread: How can I tell if a keylogger got added to my PC while I was in Beijing?

  1. #21
    Mark McIntyre Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Juan I. Cahis wrote:
    > Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote:
    >
    >> If the hacker has physical access to the computer, all bets are off. He
    >> can boot from a CD or pendrive and install whatever the heck he likes on
    >> the laptop.

    >
    > Unless you have set the BIOS password, which any respectable SysAdmin
    > of any respectable business corporation doing international business
    > should always have set.


    Like I said, physical access trumps all. How long do you think it would
    take to zap the cmos battery or remove the HDD, boot it in a spare
    laptop and then replace the (now infected) HDD?

  2. #22
    Mark McIntyre Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Kerry Brown wrote:
    >
    > If the laptop fully supports bitlocker and bitlocker is used, physical
    > access won't help you gain access to the contents of the hard drive.


    While I understand your point, you're still wrong. If you have physical
    access you can clone the drive and spend as long as you want cracking
    encryption.

  3. #23
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    news:uoX1I7pOJHA.4700@TK2MSFTNGP03.phx.gbl...
    > "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    > news:09jOk.252876$5p1.56150@en-nntp-06.dc1.easynews.com...
    >> Juan I. Cahis wrote:
    >>>
    >>> To be able to install a keylogger, the user should be logged in with
    >>> Administrator features, and I supposed that the user didn't leave the
    >>> computer unattended *and* powered on *and* logged in, did you?

    >>
    >> If the hacker has physical access to the computer, all bets are off. He
    >> can boot from a CD or pendrive and install whatever the heck he likes on
    >> the laptop.

    >
    >
    > If the laptop fully supports bitlocker and bitlocker is used, physical
    > access won't help you gain access to the contents of the hard drive.


    With physical access to a machine, what prevents you from adding
    option rom and re-initializing the TPM? I assume by "fully supports"
    you were referring to boot axis validation through the TPM.

    Otherwise, as the thread is about keylogging (and possible rootkit)
    the contents can be had. The TPM feature puts up quite a roadblock
    though.

    http://www.ngssoftware.com/research/...CI_Rootkit.pdf



  4. #24
    Kerry Brown Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    news:5ZqOk.72594$yq3.53462@en-nntp-07.am2.easynews.com...
    > Kerry Brown wrote:
    >>
    >> If the laptop fully supports bitlocker and bitlocker is used, physical
    >> access won't help you gain access to the contents of the hard drive.

    >
    > While I understand your point, you're still wrong. If you have physical
    > access you can clone the drive and spend as long as you want cracking
    > encryption.



    Theoretically yes. In the real world - good luck.

    --
    Kerry Brown
    MS-MVP - Windows Desktop Experience: Systems Administration
    http://www.vistahelp.ca/phpBB2/
    http://vistahelpca.blogspot.com/





  5. #25
    Mark McIntyre Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Kerry Brown wrote:
    > "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    > news:5ZqOk.72594$yq3.53462@en-nntp-07.am2.easynews.com...
    >> Kerry Brown wrote:
    >>>
    >>> If the laptop fully supports bitlocker and bitlocker is used,
    >>> physical access won't help you gain access to the contents of the
    >>> hard drive.

    >>
    >> While I understand your point, you're still wrong. If you have
    >> physical access you can clone the drive and spend as long as you want
    >> cracking encryption.

    >
    > Theoretically yes.


    No, IRL.

    > In the real world - good luck.


    And it's not like the Chinese govt have access to supercomputers.
    Remember, this thread is all about paranoia.

  6. #26
    Kerry Brown Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    news:AXBOk.217580$1p1.93637@en-nntp-08.dc1.easynews.com...
    > Kerry Brown wrote:
    >> "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >> news:5ZqOk.72594$yq3.53462@en-nntp-07.am2.easynews.com...
    >>> Kerry Brown wrote:
    >>>>
    >>>> If the laptop fully supports bitlocker and bitlocker is used, physical
    >>>> access won't help you gain access to the contents of the hard drive.
    >>>
    >>> While I understand your point, you're still wrong. If you have physical
    >>> access you can clone the drive and spend as long as you want cracking
    >>> encryption.

    >>
    >> Theoretically yes.

    >
    > No, IRL.
    >
    > > In the real world - good luck.

    >
    > And it's not like the Chinese govt have access to supercomputers.
    > Remember, this thread is all about paranoia.



    Ahh - if you're talking about the Chinese government they would just use the
    secret imbedded Manchurian chip they install on all electronics manufactured
    in China to access the data.

    Anything's possible but AFAIK even a supercomputer wouldn't be able to brute
    force AES in any sort of useful time frame.

    --
    Kerry Brown
    MS-MVP - Windows Desktop Experience: Systems Administration
    http://www.vistahelp.ca/phpBB2/
    http://vistahelpca.blogspot.com/





  7. #27
    Kerry Brown Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    news:e0mcBFvOJHA.1144@TK2MSFTNGP05.phx.gbl...
    >
    > "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    > news:uoX1I7pOJHA.4700@TK2MSFTNGP03.phx.gbl...
    >> "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >> news:09jOk.252876$5p1.56150@en-nntp-06.dc1.easynews.com...
    >>> Juan I. Cahis wrote:
    >>>>
    >>>> To be able to install a keylogger, the user should be logged in with
    >>>> Administrator features, and I supposed that the user didn't leave the
    >>>> computer unattended *and* powered on *and* logged in, did you?
    >>>
    >>> If the hacker has physical access to the computer, all bets are off. He
    >>> can boot from a CD or pendrive and install whatever the heck he likes on
    >>> the laptop.

    >>
    >>
    >> If the laptop fully supports bitlocker and bitlocker is used, physical
    >> access won't help you gain access to the contents of the hard drive.

    >
    > With physical access to a machine, what prevents you from adding
    > option rom and re-initializing the TPM? I assume by "fully supports"
    > you were referring to boot axis validation through the TPM.
    >
    > Otherwise, as the thread is about keylogging (and possible rootkit)
    > the contents can be had. The TPM feature puts up quite a roadblock
    > though.
    >
    > http://www.ngssoftware.com/research/...CI_Rootkit.pdf
    >



    Interesting reading but as I read it the techniques used would be very
    specific to a limited number of systems (i.e. no generic attack) and blocked
    by the use of a TPM. The attacker would have to have some pre-existing
    knowledge of the target (or be very lucky) and the target couldn't be using
    a TPM. For anyone that would be a target of this kind of sophisticated
    attack I doubt they would leave a laptop with critical data on it unattended
    or even that they would be carrying a laptop with this kind of data on it.
    Anyone targeted this way would probably be as sophisticated as the attacker.

    Paranoia abounds, but in real life it's rarely justified. In the context of
    the original question - we don't have enough data. If bitlocker or some
    other form of disk encryption wasn't in use and the OP is worried the
    solution is to wipe the hard drive and restore from a backup taken before
    travelling to China.

    --
    Kerry Brown
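
The condition this post turns on (whether BitLocker is active on the drive and tied to a TPM) can be read from the machine itself. The following is an added example, not part of the original thread; it assumes a Windows version that ships the `Get-BitLockerVolume` cmdlet and an elevated prompt, and the function name `Get-DiskEncryptionSummary` is hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes the BitLocker module (Get-BitLockerVolume) is installed.
function Get-DiskEncryptionSummary {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Key protector types present on the volume, as strings (e.g. Tpm, TpmPin).
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $encrypted = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted') -and
                 ("$($vol.ProtectionStatus)" -eq 'On')

    # Any Tpm* protector means the volume key is sealed to the TPM.
    $tpmBound = @($types -like 'Tpm*').Count -gt 0

    # A bare 'Tpm' protector unlocks at power-on with no user-supplied secret.
    $preBoot = @($types | Where-Object {
        $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    }).Count -gt 0

    $assessment =
        if (-not $encrypted) {
            'Volume not fully protected: the disk can be read or modified offline.'
        } elseif (-not $tpmBound) {
            'Encrypted, but no TPM protector: no TPM boot-integrity validation.'
        } elseif (-not $preBoot) {
            'Encrypted and TPM-bound, but unlocks without a PIN or startup key.'
        } else {
            'Encrypted, TPM-bound, and requires a pre-boot secret.'
        }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = "$($vol.EncryptionMethod)"
        VolumeStatus     = "$($vol.VolumeStatus)"
        ProtectionStatus = "$($vol.ProtectionStatus)"
        KeyProtectors    = $types -join ', '
        Assessment       = $assessment
    }
}

Get-DiskEncryptionSummary | Format-List
```

The output describes the volume as it is now; it does not show whether protection was on while the laptop was out of the owner's hands.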




  8. #28
    Mark McIntyre Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Kerry Brown wrote:
    > "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >>
    >> And it's not like the Chinese govt have access to supercomputers.
    >> Remember, this thread is all about paranoia.

    >
    > Anything's possible but AFAIK even a supercomputer wouldn't be able to
    > brute force AES in any sort of useful time frame.


    Mind you, they said that about DES, once upon a time. And more recently,
    about SSL. And all this assumes good quality passphrases and good
    implementations of the enc algo.

    a.i.w snipped from the newsgroups as it's not relevant there.



    --
    Mark McIntyre

    CLC FAQ <http://c-faq.com/>
    CLC readme: <http://www.ungerhu.com/jxh/clc.welcome.txt>

  9. #29
    AMUN Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    news:nOFOk.61552$i92.37934@en-nntp-03.am2.easynews.com...
    > Kerry Brown wrote:
    >> "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >>>
    >>> And it's not like the Chinese govt have access to supercomputers.
    >>> Remember, this thread is all about paranoia.

    >>
    >> Anything's possible but AFAIK even a supercomputer wouldn't be able to
    >> brute force AES in any sort of useful time frame.

    >
    > Mind you, they said that about DES, once upon a time. And more recently,
    > about SSL. And all this assumes good quality passphrases and good
    > implementations of the enc algo.
    >
    > a.i.w snipped from the newsgroups as it's not relevant there.
    >



    Why is everyone just ignoring the obvious that since most computers and
    boards are MADE in China, they may already be infected before you buy them.




  10. #30
    Dustin Cook Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote in
    news:aXqOk.72593$yq3.34533@en-nntp-07.am2.easynews.com:

    > Juan I. Cahis wrote:
    >> Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote:
    > >
    >>> If the hacker has physical access to the computer, all bets are off.
    >>> He can boot from a CD or pendrive and install whatever the heck he
    >>> likes on the laptop.

    >>
    >> Unless you have set the BIOS password, which any respectable SysAdmin
    >> of any respectable business corporation doing international business
    >> should always have set.

    >
    > Like I said, physical access trumps all. How long do you think it
    > would take to zap the cmos battery or remove the HDD, boot it in a
    > spare laptop and then replace the (now infected) HDD?


    heh, physical access doesn't trump encryption.




    --
    Regards,
    Dustin Cook, Author of BugHunter
    BugHunter - http://bughunter.it-mate.co.uk
    MalwareBytes - http://www.malwarebytes.org


