Thread: How can I tell if a keylogger got added to my PC while I was in Beijing?

  1. #1
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    news:uoX1I7pOJHA.4700@TK2MSFTNGP03.phx.gbl...
    > "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    > news:09jOk.252876$5p1.56150@en-nntp-06.dc1.easynews.com...
    >> Juan I. Cahis wrote:
    >>>
    >>> To be able to install a keylogger, the user should be logged in with
    >>> Administrator features, and I supposed that the user didn't leave the
    >>> computer unattended *and* powered on *and* logged in, did you?
    >>
    >> If the hacker has physical access to the computer, all bets are off. He
    >> can boot from a CD or pendrive and install whatever the heck he likes on
    >> the laptop.
    >
    > If the laptop fully supports bitlocker and bitlocker is used, physical
    > access won't help you gain access to the contents of the hard drive.


    With physical access to a machine, what prevents you from adding
    option rom and re-initializing the TPM? I assume by "fully supports"
    you were referring to boot axis validation through the TPM.

    Otherwise, as the thread is about keylogging (and possible rootkit)
    the contents can be had. The TPM feature puts up quite a roadblock
    though.

    http://www.ngssoftware.com/research/...CI_Rootkit.pdf
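The "boot validation through the TPM" referred to above is measured boot: firmware, option ROMs and the boot loader are each hashed into a PCR, and BitLocker's volume key is sealed to the expected PCR values, so an added option ROM or a cleared TPM leaves the key locked. The following Python simulation is an added illustration, not code from the thread or from any vendor; the component blobs, the volume key and the `seal`/`unseal` stand-ins are constructed, and the PCR indices (0 firmware, 2 option ROM code, 4 boot loader) follow the TCG PC client convention.

```python
import hashlib

# Constructed stand-ins for the components a TPM-equipped laptop measures at boot.
# PCR indices follow the TCG PC client convention: 0 firmware, 2 option ROM code,
# 4 boot loader.  The byte strings are made up for this example.
CLEAN_BOOT = [(0, b"system firmware v1.08"), (2, b"vendor NIC option ROM"), (4, b"bootmgr")]
ROGUE_OPTION_ROM = (2, b"unexpected PCI option ROM")

def pcr_extend(pcr, measurement):
    """TPM 1.2-style extend: new = SHA1(old || SHA1(component)); order matters."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_boot(components):
    """Replay a boot sequence from all-zero PCRs and return the PCR bank."""
    pcrs = {i: bytes(20) for i in range(24)}
    for index, blob in components:
        pcrs[index] = pcr_extend(pcrs[index], blob)
    return pcrs

def composite(pcrs, indices):
    return hashlib.sha1(b"".join(pcrs[i] for i in indices)).digest()

def seal(secret, pcrs, indices):
    """Simulated sealing: the secret is released only for this exact composite.
    A real TPM keeps the secret inside the chip; here the policy is just recorded."""
    return {"indices": indices, "composite": composite(pcrs, indices), "secret": secret}

def unseal(blob, pcrs):
    if composite(pcrs, blob["indices"]) != blob["composite"]:
        return None  # PCRs differ from when the key was sealed: no key
    return blob["secret"]

def demo():
    """Seal a constructed volume key to the clean boot, then replay three boots."""
    key = b"constructed-volume-master-key"
    sealed = seal(key, measure_boot(CLEAN_BOOT), indices=(0, 2, 4))
    # An added option ROM gets measured into PCR 2 before the boot loader runs.
    tampered = CLEAN_BOOT[:2] + [ROGUE_OPTION_ROM] + CLEAN_BOOT[2:]
    return {
        "clean": unseal(sealed, measure_boot(CLEAN_BOOT)),
        "rogue_rom": unseal(sealed, measure_boot(tampered)),
        # Clearing or re-initialising the TPM resets every PCR; the sealed blob
        # still demands the old composite, so the key stays locked and recovery is needed.
        "tpm_cleared": unseal(sealed, measure_boot([])),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} -> {'key released' if value else 'key withheld'}")
```

On a real machine the "key withheld" case is the BitLocker recovery prompt, which is the observable signal that the measured boot path changed since the key was sealed.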



  2. #2
    Kerry Brown Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    news:e0mcBFvOJHA.1144@TK2MSFTNGP05.phx.gbl...
    >
    > "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    > news:uoX1I7pOJHA.4700@TK2MSFTNGP03.phx.gbl...
    >> "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >> news:09jOk.252876$5p1.56150@en-nntp-06.dc1.easynews.com...
    >>> Juan I. Cahis wrote:
    >>>>
    >>>> To be able to install a keylogger, the user should be logged in with
    >>>> Administrator features, and I supposed that the user didn't leave the
    >>>> computer unattended *and* powered on *and* logged in, did you?
    >>>
    >>> If the hacker has physical access to the computer, all bets are off. He
    >>> can boot from a CD or pendrive and install whatever the heck he likes on
    >>> the laptop.
    >>
    >> If the laptop fully supports bitlocker and bitlocker is used, physical
    >> access won't help you gain access to the contents of the hard drive.
    >
    > With physical access to a machine, what prevents you from adding
    > option rom and re-initializing the TPM? I assume by "fully supports"
    > you were referring to boot axis validation through the TPM.
    >
    > Otherwise, as the thread is about keylogging (and possible rootkit)
    > the contents can be had. The TPM feature puts up quite a roadblock
    > though.
    >
    > http://www.ngssoftware.com/research/...CI_Rootkit.pdf
    >



    Interesting reading but as I read it the techniques used would be very
    specific to a limited number of systems (i.e. no generic attack) and blocked
    by the use of a TPM. The attacker would have to have some pre-existing
    knowledge of the target (or be very lucky) and the target couldn't be using
    a TPM. For anyone that would be a target of this kind of sophisticated
    attack I doubt they would leave a laptop with critical data on it unattended
    or even that they would be carrying a laptop with this kind of data on it.
    Anyone targeted this way would probably be as sophisticated as the attacker.

    Paranoia abounds, but in real life it's rarely justified. In the context of
    the original question - we don't have enough data. If bitlocker or some
    other form of disk encryption wasn't in use and the OP is worried the
    solution is to wipe the hard drive and restore from a backup taken before
    travelling to China.

    --
    Kerry Brown




  3. #3
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    news:CYEOk.15464$OT2.788@newsfe01.iad...
    > "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    > news:e0mcBFvOJHA.1144@TK2MSFTNGP05.phx.gbl...
    >>
    >> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    >> news:uoX1I7pOJHA.4700@TK2MSFTNGP03.phx.gbl...
    >>> "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >>> news:09jOk.252876$5p1.56150@en-nntp-06.dc1.easynews.com...
    >>>> Juan I. Cahis wrote:
    >>>>>
    >>>>> To be able to install a keylogger, the user should be logged in with
    >>>>> Administrator features, and I supposed that the user didn't leave the
    >>>>> computer unattended *and* powered on *and* logged in, did you?
    >>>>
    >>>> If the hacker has physical access to the computer, all bets are off. He
    >>>> can boot from a CD or pendrive and install whatever the heck he likes
    >>>> on the laptop.
    >>>
    >>> If the laptop fully supports bitlocker and bitlocker is used, physical
    >>> access won't help you gain access to the contents of the hard drive.
    >>
    >> With physical access to a machine, what prevents you from adding
    >> option rom and re-initializing the TPM? I assume by "fully supports"
    >> you were referring to boot axis validation through the TPM.
    >>
    >> Otherwise, as the thread is about keylogging (and possible rootkit)
    >> the contents can be had. The TPM feature puts up quite a roadblock
    >> though.
    >>
    >> http://www.ngssoftware.com/research/...CI_Rootkit.pdf
    >>
    >
    > Interesting reading but as I read it the techniques used would be very
    > specific to a limited number of systems (i.e. no generic attack) and
    > blocked by the use of a TPM.


    Yes. But a targeted attack against some very common traveling laptops
    like "Toughbook" or "Thinkpad" could yield quite a lot of compromised
    systems when they get back home.

    Maybe it seems just a little 'over the top' to some people, but this is just
    the sort of thing that makes the TPM necessary.

    > The attacker would have to have some pre-existing knowledge of the target
    > (or be very lucky) and the target couldn't be using a TPM. For anyone that
    > would be a target of this kind of sophisticated attack I doubt they would
    > leave a laptop with critical data on it unattended or even that they would
    > be carrying a laptop with this kind of data on it. Anyone targeted this
    > way would probably be as sophisticated as the attacker.


    What data - it is not about data. It is about compromising the laptop's
    security. Maybe even compromising the 'system' it might be attached
    to back home. Maybe data is the final objective, but not necessarily
    data on that laptop.

    > Paranoia abounds, but in real life it's rarely justified. In the context
    > of the original question - we don't have enough data. If bitlocker or some
    > other form of disk encryption wasn't in use and the OP is worried the
    > solution is to wipe the hard drive and restore from a backup taken before
    > travelling to China.


    Yes, as reluctant as many people are to do this, it is often the best
    choice.
    Unfortunately, any forensic evidence would be lost in this case.


