Thursday, 21 May 2009

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. Many security professionals out there are claiming that this is 'snake oil': marketing hype for something that isn't possible. According to their marketing department, Trusteer's Rapport 'guarantees' security even if your machine is infected with malware. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few of the questions I raised in my last post about this.

Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most other companies would say their DNS is secure. They do also have an automatic update process, which needs to be tested in my opinion, as this could be the target of attack.

Another alarming thing I have discovered is the following:

"To protect you against phishing attacks Rapport learns the password (and sometimes even the username) you use with protected websites" (ref).
What? Where and how does it store these? What hash function or encryption is it using? This is potentially a massive security flaw. I did try this feature out and it does ask if you want to remember the details, but in my opinion it should never do this. Now the hacker doesn't need a keylogger anyway, as they can attack the storage of the password! Talking of keyloggers, I was sure that Rapport couldn't protect against rootkits, malicious drivers and all malware keyloggers, and the proof can be found here (a video of someone logging the keystrokes when Rapport is used to protect the ING Direct login showing that Trusteer's Rapport can be bypassed or cracked). I know that some will say that this requires particular malware and this may be detected with your existing AV product. However, don't forget that Trusteer 'guarantee' security even on an infected system. They are also encouraging lax attitudes towards using AV products with their rhetoric.
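The post asks what hash function or encryption protects the remembered credentials, and that choice decides how much an attacker who reaches the storage actually gains. The Python example below is added here to illustrate the point; it is not code from the post or from Trusteer, and it says nothing about how Rapport really stores anything. It contrasts a bare, unsalted SHA-256 digest (deterministic, so one precomputed table of common passwords answers every stored digest) with a salted, iterated PBKDF2-HMAC-SHA256 record from the standard library, which is different for every user and costs the full iteration count per guess. The wordlist is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a common-password list (example data, not from the post).
WORDLIST = ["password", "letmein", "banking1", "qwerty"]


def plain_sha256(password: str) -> str:
    """Bare SHA-256 of a password: no salt, one fast hash, same output every time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> Dict[str, str]:
    """digest -> password. Because plain_sha256 is unsalted, a single table built
    once answers every stored digest for every user."""
    return {plain_sha256(w): w for w in words}


def lookup_precomputed(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the password behind a bare digest if it is in the table, else None."""
    return table.get(digest)


def store_pbkdf2(password: str, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> str:
    """Salted, iterated record in the form 'iterations$salt_hex$dk_hex'.
    A fresh random salt means two users with the same password get different
    records, so no precomputed table applies; each guess costs `iterations`
    HMAC rounds against that one record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in
    constant time, so the comparison itself leaks nothing about the match."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    stored = plain_sha256("banking1")
    print("bare SHA-256 recovered:", lookup_precomputed(stored, table))
    rec_a = store_pbkdf2("banking1")
    rec_b = store_pbkdf2("banking1")
    print("salted records identical:", rec_a == rec_b)
    print("verify correct password:", verify_pbkdf2("banking1", rec_a))
```

The lesson for any product that keeps a credential check value on the client is the same as for a server-side password database: the hash alone is not the protection; the salt, the work factor and where the record lives are.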

With these problems in mind, I decided to install Rapport on a virtual Vista machine with no AV and start logging a few things. The install writes to the file system (obviously) and the registry. However, in use, it is writing to the file system, specifically a set of encrypted log files. Further investigation shows that they are using encrypted JavaScript files to access and write to these log files. Rapport also runs a service on your machine called RapportService and was using about 10MB RAM on my VM. This service protects the Rapport files from deletion or modification as far as I can see. On install, the boot sector is updated to run this service at startup. However, if you stop this, then you can play around with the files. (To do this you will need to boot into Safe Mode by running msconfig.exe and selecting this option in the Boot tab. If you do this, then Windows Defender may block Rapport from restarting.)

The files of interest seem to be stored on a per-user basis. There are lots of log files that are accessed each time you hit a Rapport site. The main ones seem to be rooksbas.log, koan.log, backend.log and backend-cfg.log. Of interest though are the .cfg files and the JavaScript files. You have to enter a code during install, which may be just for registration, but may also be some kind of seed for the key, because the program itself must have the encryption key for these files. In which case, it should be a matter of reverse engineering the code to find that key and then everything becomes open (but this is just a guess on my part and may not be true). They don't tell you what algorithms they use for this encryption though, which isn't always a good sign.

Running packet sniffing software on the machine whilst connecting to http://www.rbs.co.uk/, I found a few things. Firstly, RBS is using ATDMT to track users' habits and install tracking cookies - a form of malware! Rapport didn't pick up on this tracking cookie or block it. Also, it doesn't appear to contact Trusteer directly; however, it does tell the server that it is running, as "Trusteer-Rapport/3.5.0903" was appended to the User-Agent string and the following header was also sent to http://www.rbsdigital.com/: "X-Trusteer-Rapport: ver=3.5.0903.22; ak=C056E35A634C288C2BA683A7B21DBC6274417C4CBF7FCE0CBB561651EE30EB60; av=a0; rs=0.01372". This makes me wonder how their secure DNS server comes into play. This wasn't the first time I had gone to the RBS site, though, so maybe it is cached, but again, where? Presumably in those encrypted log files.
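Because Rapport announces itself in the User-Agent suffix and the X-Trusteer-Rapport header, anyone reviewing proxy or web-server logs can see which requests came from a Rapport-protected browser. The parser below is an added example, not code from the post or from Trusteer: it takes a request header block and pulls out the Rapport markers. The header values are the ones quoted above; the surrounding request lines are constructed. The meaning of the ak, av and rs fields is not stated in the post, so the code only reports their shape.

```python
import re
from typing import Dict, Optional

# Constructed request. The User-Agent suffix and X-Trusteer-Rapport value are the
# ones quoted in the post; the other lines are invented for the example.
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: www.rbsdigital.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Trusteer-Rapport/3.5.0903
X-Trusteer-Rapport: ver=3.5.0903.22; ak=C056E35A634C288C2BA683A7B21DBC6274417C4CBF7FCE0CBB561651EE30EB60; av=a0; rs=0.01372
Accept: */*
"""

UA_TOKEN = re.compile(r"Trusteer-Rapport/(\S+)")
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value. The request line is skipped and a
    malformed line (no colon) is ignored rather than raising."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_rapport_header(value: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' header value into a dict; parts without '=' are dropped."""
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def rapport_fingerprint(raw: str) -> Optional[dict]:
    """What a request discloses about Rapport, or None when neither marker is present."""
    headers = parse_headers(raw)
    ua_match = UA_TOKEN.search(headers.get("user-agent", ""))
    header_value = headers.get("x-trusteer-rapport")
    if not ua_match and header_value is None:
        return None
    result = {
        "ua_version": ua_match.group(1) if ua_match else None,
        "header_version": None,
        "ak_is_64_hex": False,   # 256 bits of hex; what it encodes is not documented in the post
        "fields": {},
    }
    if header_value is not None:
        fields = parse_rapport_header(header_value)
        result["header_version"] = fields.get("ver")
        result["ak_is_64_hex"] = bool(HEX64.match(fields.get("ak", "")))
        result["fields"] = fields
    return result


if __name__ == "__main__":
    print(rapport_fingerprint(SAMPLE_REQUEST))
```

Run over a log export, the same function gives a quick inventory of how many client sessions carried the marker, which is also a reminder that the marker is visible to every hop that sees the cleartext request.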

The problem for Trusteer is that the more successful Rapport is, the more it will become a target for attack, and the less use it will be. They are trying to do something good and it is another level of protection, but the false claims make it dangerous. I believe that this product will make users complacent and take less care of their machine and credentials. Why bother having any form of AV product if Rapport protects my details anyway? People are being educated into thinking that if they see the green box at the top of the browser then they are safe and I think they will then throw caution to the wind. Even worse is that if they use a browser other than IE, then they have no protection at all. I don't think this is drummed into the users enough on the third party sites that use this.

It goes to show the old adage that a little learning is a dangerous thing. You are teaching users only part of the story, and they will get lost in marketing hype and false claims. Trusteer should be open and honest about the capabilities of Rapport and push for more user education; then I would recommend their product. As it is (forgetting the compatibility issues), I cannot recommend that system administrators install this on their machines and let users believe that they are safe no matter what.

Edit: I have a new post here and a series of demo videos of Rapport blocking spyware.

Edit (10/4/10): I am still getting a lot of hits on this blog post so I thought that I ought to point out that Rapport as a product has matured a lot in the last year and many of the problems with compatibility, etc., have been sorted out. Also, the marketing has changed a lot to be much more realistic. If this is used as a layer in your overall security arsenal and is combined with user education, then it will help to protect your machine, data and identity. Download a keylogger for yourself and try using it before and after installing Rapport and you might see why your Banks are pushing it. I still think that the Banks have a duty to educate their users and to standardise the process of conducting online transactions and authentication to help users and stop many of the attack vectors currently being exploited.

13 comments:

Tim Trent said...

Have you had further thoughts on this topic? My bank is just about to "ask" me to deploy this plugin on my client to use their service and it makes me nervous.

Luke Hebbes said...

@Tim: Yes, I have had another look at this and they have made some changes to both their marketing hype and the product (it now works in different browsers and on MacOS). I'm currently doing some more tests on it and will soon publish some answers to the most common questions I get asked about it.

Tim Trent said...

Thanks Luke. All my instincts scream "do not deploy".

Adi Dalzell said...

Nice review. I read my online banking inbox, which said to install this in the near future. I have ZoneAlarm and Avira running and don't intend on touching this.

Trusteer said...

Hello,

We would like to address some of the questions raised in this blog post and subsequent comments.

First of all, we are more than happy to work with any security researcher who has any questions or comments about Rapport. We have never turned down any request for additional information and constantly look for ways to improve and evolve Rapport.

We are doing everything possible to ensure that this is a best-of-breed product and are always mindful of the responsibility that we have for protecting people’s online banking sessions.

We do not claim that Rapport is a silver bullet. On the contrary, we emphasize that whilst we believe that Rapport is an important additional security layer it is by no means a hack proof solution or a cure for all security problems. While other vendors may make these claims, we at Trusteer do not believe that it is appropriate.

The hash function in use with Rapport is "SHA-256". Rapport asks for the user’s permission before storing the hash and users can disable this feature entirely, if they wish. Based on experience we know that this provides an important layer of defence for the many users who are likely to fall for a phishing attack.

Regarding our DNS server: Rapport consults with an additional DNS server based on the bank's policy, unless the IP is already known to it.

Regarding your link to “a proof ... that Rapport can be bypassed or cracked” - we’ve made endless attempts to contact whoever is behind this and get to the root of the problem, assuming this demo has any validity. If there is a bug, flaw, or vulnerability we’re keen to learn about it and fix it. Unfortunately while people have linked to this and even founded their opinion of Rapport based on it, no one has yet been able to provide any actual technical information.

We actively encourage security researchers to turn to us with any findings, as at the end of the day we're all trying to make the internet a safer place.

Warm regards
Support at Trusteer.com

Luke Hebbes said...

@Support at Trusteer.com: Thanks for supplying this feedback and information. I'm glad to see that you are using standards such as SHA-256. I have also noted above that you have changed a lot of the wording on your website to be much more realistic and that some of the problems stem from your customers' sites and not yours.

I have always said that what you are trying to do is worthy and I have no problems with that. It was mainly the over-selling and lack of user education that I had a problem with. All products have flaws; there is no such thing as absolute security and any security professional that says otherwise is a fool. So, I don't expect your product to be perfect and that's fine, as you seem to be committed to improving it. I will let you know of any findings we come up with.

reviewmylife said...

I've found your various posts on Rapport very interesting. On the whole I think it is worth having Rapport on my computer, but they do need to work on some of the concerns. I've found an additional problem to do with password leakage - I've put a post up about it here - http://www.reviewmylife.co.uk/blog/trusteer-rapport-password-leakage-problem/

Luke Hebbes said...

@reviewmylife Interesting post.

Anonymous said...

Zeus has a VNC module available that allows an attacker to remote control an infected machine. If Zeus' polymorphic encryption was able to hide it from Rapport and that attacker used the VNC module to remote control the machine, this could potentially expose the keystrokes as in your scenario above.

Anonymous said...

Hello. Thanks for a good post and to those who came back to review and comment. I have also been advised by my bank and IT to switch to Trusteer, but I have been running Authentium's SafeCentral, which is a similar product with a slightly different strategy. I have done all the reading I could before forking out the money for it and checked if a key logger could get info etc. I can say that I am so far impressed, but after reading this article I wonder if I am living with another false sense of security. I would love it if you did a post on SafeCentral or at least took a look at it from a security pro's opinion.

Anonymous said...

Hi guys...

I recommend you look into TrustDefender as an alternative to both Rapport and SafeCentral.

TrustDefender also locks down banking sessions, suspends malware (trojans, keyloggers, spyware etc), verifies authenticity of banking site etc, but is browser-agnostic meaning I can use ANY browser (Rapport is a plugin and only supports 4 browsers? SafeCentral is yet another browser I have to use instead of my favorite Opera browser).

Also, TrustDefender doesn't learn or store passwords at all, so there is no risk associated with your credentials ending up in the wrong hands.

Oh, and it is so simple to use. 2MB installer and then the TrustDefender agent automatically starts and protects you BEFORE you even enter your username, password or authentication token etc.

For more info:

help(at)trustdefender(dot)com

Anonymous said...

Can you say rootkit?

After removal of Rapport, run any anti-rootkit software. I used the one in free AVG and it will find 21 rootkits. Enough for me to avoid it like the plague!

Luke Hebbes said...

I think you'll find that most AV products will flag other security products as malware. AVG will certainly flag Microsoft Security Essentials, Panda Cloud AV and Avast as malware. It doesn't make it right; it's more about how the software works and how it hooks into the OS. Most security software assumes that it is the only product you will install.
