Wednesday, 17 February 2010

Keylogging Trusteer's Rapport

Let's get some perspective on this first: no security product is 100% secure and just because there may be an obscure way round a product doesn't mean you shouldn't use it and that it won't protect you against a lot of attacks. How secure is your Anti-Virus (AV) product? Certainly not 100%, so we need layers of security. Rapport is another layer of security and could help protect your machine.

I have said in my previous post about this issue how well Trusteer dealt with me. So, now to the method of keylogging Trusteer. It's quite simple really, but requires a special setup. Rapport hooks onto the keyboard driver to prevent keylogging. However, if you invoke the remote desktop feature in Windows then a different keyboard driver is invoked, which Rapport cannot hook onto. So, if you're using a remote desktop connection into your machine then Rapport will not be giving you the full protection (it still has other layers of protection that work in this scenario).

Is this such a special case that you don't need to worry about it? Well not necessarily. There are a plethora of remote access software solutions available to users who are increasingly using them to access their machines at home or at work. There is also another technology that can be leveraged to cause this effect whilst the user is at the actual machine. Microsoft have introduced RemoteApps to the Windows desktop environment to allow for legacy applications to appear to run seamlessly on Windows 7. This is done via Virtual PC running another OS and the RAIL QFE update to allow applications to be exposed from a desktop machine as RemoteApps. However, we can use this technique to look back at the machine and expose the web browser as a RemoteApp, which the user should not notice.

As I say, it's a special case and not one a user would normally encounter, but it is possible. There are other issues with Trusteer as well, being able to capture the screen of protected websites and information leakage as highlighted on here. It doesn't mean you shouldn't use Rapport though, just know and trust the machine that you're using. Basically, don't ever connect to any secure site or service from an untrusted machine, no matter what's installed on it.


Anonymous said...

Stumbled across your site today doing a little research on this product because everytime I login to do my banking (HSBC) I am nagged to install Trusteer. (BTW: I must say your site is excellent!) I have an observation: Is it just me…or is Trusteer Rapport not just a form of Trojan itself??? We are being "asked" (how long until it is mandatory?) by our banks to install a piece of software with Admin privileges to our computers that will track our keystrokes, passwords and login details in order to "ensure" that we only access approved banking websites and get warnings about reusing our passwords and other "unsafe" practices...emmm kay! Thanks for that! Now how do I know when I read articles like this one: - that Trusteer is not logging my keystrokes, tracking my surfing behaviour and copying my passwords into their own database somewhere? Just because they assure me that they don't???
- From what I can tell if I install Trusteer Rapport with the recommended settings and options (i.e. accept the defaults as most of us will) have I just handed over my machine and personal information to yet another entity. Isn't this the very thing that these Security Organisations should be trying to stop? Also, I assume the Trusteer application includes the facility to automatically update itself, the default settings that a user agrees to at installation time probably even includes an agreement to permit this without prompting (sorry I haven't had time to read the fine print to check)? Even if Trusteer don’t currently retain password information or keystrokes and leave them on the PC as claimed, what would stop Trusteer from sending down an update at any future time that captures all this information and more! Once they have attained market saturation and have their product installed on 100,000,000 UK and US PC’s… that is just too much control / risk to hand over to one company, especially one from a country with some dubious political practises (passports) of late. Somebody please tell me I am being overly paranoid!??!

Luke Hebbes said...

@Anonymous thanks for your support and comment. I can reassure you that Rapport doesn’t log your keystrokes and send them back to Trusteer (although I admit that it would be possible, but not in Trusteer’s interest). The keystroke mapping is only valid within a single page, any refresh or other navigation will remove the mapping from memory and start again. I have looked at this product quite a lot and no product can be 100% secure, but are you sure that you don’t have a Trojan keylogger on your machine? Remember that AV products can miss these polymorphic Trojans. Again, it could form a layer in your security arsenal. I wouldn’t necessarily write it off now (the product has changed a lot since my first posts on it), but use it knowing its limitations as with all security products.

Brown Jason said...

Good Screen monitoring software will help you to log and trace all your computer's activities and IP address even though you are away from your computer.

Post a Comment

Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.

Tag Cloud

Twitter Updates

    follow me on Twitter

    Purewire Trust