
Thread: How can I tell if a keylogger got added to my PC while I was in Beijing?

  1. #41
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    news:e%5Pk.76280$wc2.48368@en-nntp-01.am2.easynews.com...
    > David H. Lipman wrote:
    >> From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>
    >>
    >>
    >> | Course it does. You can image the HDD, you can install hardware that
    >> | intercepts the decrypted stream en route between disk and memory, you
    >> | can put in a modded CMOS or BIOS that includes a builtin keylogger or
    >> | data logger that's part of the firmware etc etc etc.
    >>
    >> | If you have access to the box for long enough, it's yours.
    >>
    >> Now you're making things up...

    >
    > Ya reckon?
    >
    >> "put in a modded CMOS or BIOS that includes a builtin keylogger "

    >
    > PC BIOSes are on EEPROMS. Booting the pc from a CD and running a custom
    > BIOS upgrade is far from beyond the bounds of possibility.
    >
    > People hack the BIOS for CD and DVD drives all the time to add features
    > and remove region settings. A quick google search shows that numerous
    > people have hacked their PC bios to enable features that the mobo provider
    > decided weren't for use.


    BIOS might not be the right term - but what used to be called "option ROM"
    and is now referred to as "expansion ROM" can be used nefariously by malware
    program fragments. I don't think an entire keylogger would work, but I could
    be wrong. Most people don't realize just how much code lives outside the HD
    or on the hard drive outside the filesystem's files.
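
One way a defender can inventory the expansion ROM code mentioned above, as an added example that is not part of the original post: a parser that walks the PCI expansion ROM image chain (0x55AA header, PCIR data structure) in a dump and hashes each image for comparison against a baseline taken before travel. It assumes a ROM dump is already in hand; the sample bytes, the vendor/device IDs and all function names are constructed for the demo.

```python
import hashlib
import struct

def parse_option_roms(blob):
    """Walk the chained images in a PCI expansion ROM dump (PCI spec layout)."""
    images, off = [], 0
    while blob[off:off + 2] == b"\x55\xaa" and off + 0x1A <= len(blob):
        p = off + struct.unpack_from("<H", blob, off + 0x18)[0]  # PCIR pointer
        if blob[p:p + 4] != b"PCIR" or p + 0x16 > len(blob):
            break
        vendor, device = struct.unpack_from("<HH", blob, p + 4)
        size = struct.unpack_from("<H", blob, p + 0x10)[0] * 512  # 512-byte units
        code_type, indicator = blob[p + 0x14], blob[p + 0x15]
        body = blob[off:off + size]
        if size == 0 or len(body) < size:
            break  # truncated or malformed image
        images.append({
            "offset": off, "vendor": vendor, "device": device,
            "code_type": code_type,  # 0 = legacy x86, 3 = EFI
            # Legacy x86 images must sum to zero modulo 256.
            "checksum_ok": sum(body) % 256 == 0 if code_type == 0 else None,
            "sha256": hashlib.sha256(body).hexdigest(),
        })
        if indicator & 0x80:  # bit 7 marks the last image in the ROM
            break
        off += size
    return images

def changed_images(dump, baseline):
    """Offsets whose hash differs from a known-good baseline {offset: sha256}."""
    return [i["offset"] for i in parse_option_roms(dump)
            if baseline.get(i["offset"]) != i["sha256"]]

def make_image(vendor, device, last):
    """Constructed 512-byte legacy image, for the demo only."""
    img = bytearray(512)
    img[0:3] = b"\x55\xaa\x01"                      # signature, size in blocks
    struct.pack_into("<H", img, 0x18, 0x1C)         # pointer to PCIR
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", vendor, device)
    struct.pack_into("<H", img, 0x1C + 0x10, 1)     # image length: 1 block
    img[0x1C + 0x15] = 0x80 if last else 0x00
    img[-1] = -sum(img) % 256                       # fix up the checksum
    return bytes(img)

GOOD = make_image(0x1234, 0x0001, False) + make_image(0x1234, 0x0002, True)
BASELINE = {i["offset"]: i["sha256"] for i in parse_option_roms(GOOD)}
```

A passing checksum only shows the image is well formed, since the checksum byte can be recomputed after a change; the hash comparison against the baseline is the actual integrity check.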



  2. #42
    David H. Lipman Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>

    | David H. Lipman wrote:
    >> From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>



    >> | Course it does. You can image the HDD, you can install hardware that
    >> | intercepts the decrypted stream en route between disk and memory, you
    >> | can put in a modded CMOS or BIOS that includes a builtin keylogger or
    >> | data logger that's part of the firmware etc etc etc.


    >> | If you have access to the box for long enough, it's yours.


    >> Now you're making things up...


    | Ya reckon?

    >> "put in a modded CMOS or BIOS that includes a builtin keylogger "


    | PC BIOSes are on EEPROMS. Booting the pc from a CD and running a custom
    | BIOS upgrade is far from beyond the bounds of possibility.

    | People hack the BIOS for CD and DVD drives all the time to add features
    | and remove region settings. A quick google search shows that numerous
    | people have hacked their PC bios to enable features that the mobo
    | provider decided weren't for use.

    I won't change my statement. The BIOS is very low level. Keyloggers and password stealers
    are very high level. Compare to the OSI model.
    Whose motherboard?
    What BIOS?
    What chip-set?
    What EPROM chip?

    This is all very Tom Clancy but not real world.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #43
    David H. Lipman Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    From: "FromTheRafters" <erratic@nomail.afraid.org>

    | Yes, it would be naive to think such things don't happen.

    | It's funny how "paranoid" one seems once he knows such things do happen.

    | I could tell you stories ... but I value my freedom. )

    *It's happening!*

    You said... "I could tell you stories".

    I am BARRED from saying what I know.

    Since this is public knowledge...
    http://emielfisher.wordpress.com/200...ts-blackberry/

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  4. #44
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    news:CYEOk.15464$OT2.788@newsfe01.iad...
    > "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    > news:e0mcBFvOJHA.1144@TK2MSFTNGP05.phx.gbl...
    >>
    >> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    >> news:uoX1I7pOJHA.4700@TK2MSFTNGP03.phx.gbl...
    >>> "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    >>> news:09jOk.252876$5p1.56150@en-nntp-06.dc1.easynews.com...
    >>>> Juan I. Cahis wrote:
    >>>>>
    >>>>> To be able to install a keylogger, the user should be logged in with
    >>>>> Administrator features, and I supposed that the user didn't leave the
    >>>>> computer unattended *and* powered on *and* logged in, did you?
    >>>>
    >>>> If the hacker has physical access to the computer, all bets are off. He
    >>>> can boot from a CD or pendrive and install whatever the heck he likes
    >>>> on the laptop.
    >>>
    >>>
    >>> If the laptop fully supports bitlocker and bitlocker is used, physical
    >>> access won't help you gain access to the contents of the hard drive.

    >>
    >> With physical access to a machine, what prevents you from adding
    >> option rom and re-initializing the TPM? I assume by "fully supports"
    >> you were referring to boot axis validation through the TPM.
    >>
    >> Otherwise, as the thread is about keylogging (and possible rootkit)
    >> the contents can be had. The TPM feature puts up quite a roadblock
    >> though.
    >>
    >> http://www.ngssoftware.com/research/...CI_Rootkit.pdf
    >>

    >
    >
    > Interesting reading but as I read it the techniques used would be very
    > specific to a limited number of systems (i.e. no generic attack) and
    > blocked by the use of a TPM.


    Yes. But a targeted attack against some very common traveling laptops
    like "Toughbook" or "Thinkpad" could yield quite a lot of compromised
    systems when they get back home.

    Maybe it seems just a little 'over the top' to some people, but this is just
    the sort of thing that makes the TPM necessary.

    > The attacker would have to have some pre-existing knowledge of the target
    > (or be very lucky) and the target couldn't be using a TPM. For anyone that
    > would be a target of this kind of sophisticated attack I doubt they would
    > leave a laptop with critical data on it unattended or even that they would
    > be carrying a laptop with this kind of data on it. Anyone targeted this
    > way would probably be as sophisticated as the attacker.


    What data - it is not about data. It is about compromising the laptop's
    security. Maybe even compromising the 'system' it might be attached
    to back home. Maybe data is the final objective, but not necessarily
    data on that laptop.

    > Paranoia abounds, but in real life it's rarely justified. In the context
    > of the original question - we don't have enough data. If bitlocker or some
    > other form of disk encryption wasn't in use and the OP is worried the
    > solution is to wipe the hard drive and restore from a backup taken before
    > travelling to China.


    Yes, as reluctant as many people are to do this, it is often the best
    choice.
    Unfortunately, any forensic evidence would be lost in this case.
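
The TPM roadblock discussed in this exchange, as an added example that is not part of the original posts: a toy model of measured boot showing that a sealed secret is released only when the selected PCRs match, so an extra option ROM measurement or a cleared TPM both leave the key locked. `ToyTPM`, the boot chains and the PCR selection (0, 2, 4) are constructed for the demo and are not a real TPM interface.

```python
import hashlib
import hmac
import os

class ToyTPM:
    """Constructed model: only the release decision is modelled, not blob encryption."""
    def __init__(self):
        self.srk = os.urandom(32)   # stands in for the storage root key
        self.pcrs = {}

    def reset(self):
        self.pcrs = {}              # PCRs return to zero at every power-on

    def extend(self, index, data):
        # TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(data)); no direct write
        old = self.pcrs.get(index, bytes(20))
        self.pcrs[index] = hashlib.sha1(old + hashlib.sha1(data).digest()).digest()

    def _tag(self, secret, selection):
        composite = b"".join(self.pcrs.get(i, bytes(20)) for i in selection)
        return hmac.new(self.srk, composite + secret, "sha256").digest()

    def seal(self, secret, selection):
        return {"selection": selection, "secret": secret,
                "tag": self._tag(secret, selection)}

    def unseal(self, blob):
        tag = self._tag(blob["secret"], blob["selection"])
        return blob["secret"] if hmac.compare_digest(tag, blob["tag"]) else None

    def clear(self):
        self.srk = os.urandom(32)   # clearing replaces the root key

# Constructed boot chains; PCR 2 holds option ROM code in the TCG PC client layout.
GOOD_CHAIN = [(0, b"system firmware"), (2, b"NIC option ROM"), (4, b"boot manager")]
MODIFIED_CHAIN = GOOD_CHAIN[:2] + [(2, b"added option ROM")] + GOOD_CHAIN[2:]

def boot(tpm, chain):
    tpm.reset()
    for index, data in chain:       # each component is measured before it runs
        tpm.extend(index, data)

def demo():
    tpm = ToyTPM()
    boot(tpm, GOOD_CHAIN)
    blob = tpm.seal(b"volume key", (0, 2, 4))
    boot(tpm, GOOD_CHAIN); clean = tpm.unseal(blob)
    boot(tpm, MODIFIED_CHAIN); modified = tpm.unseal(blob)
    tpm.clear(); boot(tpm, GOOD_CHAIN); cleared = tpm.unseal(blob)
    return clean, modified, cleared
```

In both failure cases the visible symptom on a real system is a recovery prompt instead of a normal boot, which is itself worth treating as a tamper signal after travel.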



  5. #45
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:Ho-dnTCbLJWjY5HUnZ2dnUVZ_gednZ2d@giganews.com...
    > From: "FromTheRafters" <erratic@nomail.afraid.org>
    >
    > | Yes, it would be naive to think such things don't happen.
    >
    > | It's funny how "paranoid" one seems once he knows such things do happen.
    >
    > | I could tell you stories ... but I value my freedom. )
    >
    > *It's happening!*
    >
    > You said... "I could tell you stories".
    >
    > I am BARRED from saying what I know.


    We're in the same boat in that respect. I won't even discuss that which
    I know to be declassified - it just ain't worth it.

    > Since this is public knowledge...
    > http://emielfisher.wordpress.com/200...ts-blackberry/


    Thanks for the link - interesting the eavesdropping aspect.



  6. #46
    Alun Jones Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    "Paul Adare" <pkadare@gmail.com> wrote in message
    news:1lva5wb1hygef.1p65qj3dzrtf6.dlg@40tude.net...
    > On Thu, 30 Oct 2008 11:29:51 -0300, Juan I. Cahis wrote:
    >
    >> Unless you have set the BIOS password, which any respectable SysAdmin
    >> of any respectable business corporation doing international business
    >> should always have set.

    >
    > BIOS passwords are trivial to bypass. Any sys admin, respectable or not,
    > who relies on those for security should be fired.


    I'd far rather educate people than fire them - of course, it's nice to think
    that all the people you ever hire will have been educated before you hired
    them, but very few of us are born with perfect knowledge.

    Alun.
    ~~~~
    --
    Texas Imperial Software | Web: http://www.wftpd.com/
    23921 57th Ave SE | Blog: http://msmvps.com/alunj/
    Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.



  7. #47
    Anne & Lynn Wheeler Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    Donna Ohl <donna.ohl@sbcglobal.net> writes:
    > I was in Beijing, and I used my Windows PC there with a freeware firewall
    > and freeware anti virus and freeware malware scanners.
    >
    > Recently a friend said nearly all American travelers were to be warned by
    > the State Department that their laptops, if left in the hotel, were almost
    > certainly compromised.
    >
    > How could I tell if a keylogger or other spyware was inserted onto my
    > laptop by the Chinese?


    recent news with more sophisticated flavor ... which mentions having
    lots of countermeasures against detection:

    Three Year Old Trojan Compromised Half Million Banking Details - The
    exact origins of the Trojan have not been determined yet
    http://news.softpedia.com/news/Three...ls-96953.shtml
    Trojan steals 500,000+ bank and card details
    http://www.finextra.com/fullstory.asp?id=19217
    'Ruthless' Trojan horse steals 500k bank, credit card log-ons
    http://www.computerworld.com/action/...icleId=9118718
    Advanced Trojan Virus Compromises Bank Info
    http://www.redorbit.com/news/technol...nfo/index.html
    Sinowal data-stealing trojan has infected half million PCs
    http://www.scmagazineus.com/Sinowal-...rticle/120243/

    part of archived (linkedin) thread (regarding article from Kansas City
    FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
    includes discussion of countermeasures for compromised PCs
    http://www.garlic.com/~lynn/2008p.html#28
    http://www.garlic.com/~lynn/2008p.html#32

    --
    40+yrs virtualization experience (since Jan68), online at home since Mar70

  8. #48
    occam Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Emil Tiades wrote:
    > On Sun, 26 Oct 2008 21:59:26 -0700, Donna Ohl
    > <donna.ohl@sbcglobal.net> wrote:
    >
    >> I was in Beijing, and I used my Windows PC there with a freeware firewall
    >> and freeware anti virus and freeware malware scanners.
    >>
    >> Recently a friend said nearly all American travelers were to be warned by
    >> the State Department that their laptops, if left in the hotel, were almost
    >> certainly compromised.
    >>
    >> How could I tell if a keylogger or other spyware was inserted onto my
    >> laptop by the Chinese?

    >
    > You MUST get one of these without delay
    > http://zapatopi.net/afdb/


    Will these work even if the foil is made in China?

    <concerned>
