Skip to main content

Keylogging Trusteer's Rapport

Let's get some perspective on this first: no security product is 100% secure and just because there may be an obscure way round a product doesn't mean you shouldn't use it and that it won't protect you against a lot of attacks. How secure is your Anti-Virus (AV) product? Certainly not 100%, so we need layers of security. Rapport is another layer of security and could help protect your machine.

I have said in my previous post about this issue how well Trusteer dealt with me. So, now to the method of keylogging Trusteer. It's quite simple really, but requires a special setup. Rapport hooks onto the keyboard driver to prevent keylogging. However, if you invoke the remote desktop feature in Windows then a different keyboard driver is invoked, which Rapport cannot hook onto. So, if you're using a remote desktop connection into your machine then Rapport will not be giving you the full protection (it still has other layers of protection that work in this scenario).

Is this such a special case that you don't need to worry about it? Well not necessarily. There are a plethora of remote access software solutions available to users who are increasingly using them to access their machines at home or at work. There is also another technology that can be leveraged to cause this effect whilst the user is at the actual machine. Microsoft have introduced RemoteApps to the Windows desktop environment to allow for legacy applications to appear to run seamlessly on Windows 7. This is done via Virtual PC running another OS and the RAIL QFE update to allow applications to be exposed from a desktop machine as RemoteApps. However, we can use this technique to look back at the machine and expose the web browser as a RemoteApp, which the user should not notice.



As I say, it's a special case and not one a user would normally encounter, but it is possible. There are other issues with Trusteer as well, being able to capture the screen of protected websites and information leakage as highlighted on ReviewMyLife.co.uk here. It doesn't mean you shouldn't use Rapport though, just know and trust the machine that you're using. Basically, don't ever connect to any secure site or service from an untrusted machine, no matter what's installed on it.

Comments

  1. Stumbled across your site today doing a little research on this product because everytime I login to do my banking (HSBC) I am nagged to install Trusteer. (BTW: I must say your site is excellent!) I have an observation: Is it just me…or is Trusteer Rapport not just a form of Trojan itself??? We are being "asked" (how long until it is mandatory?) by our banks to install a piece of software with Admin privileges to our computers that will track our keystrokes, passwords and login details in order to "ensure" that we only access approved banking websites and get warnings about reusing our passwords and other "unsafe" practices...emmm kay! Thanks for that! Now how do I know when I read articles like this one: http://www.theregister.co.uk/2010/02/02/e_banking_password_fail_survey/ - that Trusteer is not logging my keystrokes, tracking my surfing behaviour and copying my passwords into their own database somewhere? Just because they assure me that they don't???
    - From what I can tell if I install Trusteer Rapport with the recommended settings and options (i.e. accept the defaults as most of us will) have I just handed over my machine and personal information to yet another entity. Isn't this the very thing that these Security Organisations should be trying to stop? Also, I assume the Trusteer application includes the facility to automatically update itself, the default settings that a user agrees to at installation time probably even includes an agreement to permit this without prompting (sorry I haven't had time to read the fine print to check)? Even if Trusteer don’t currently retain password information or keystrokes and leave them on the PC as claimed, what would stop Trusteer from sending down an update at any future time that captures all this information and more! Once they have attained market saturation and have their product installed on 100,000,000 UK and US PC’s… that is just too much control / risk to hand over to one company, especially one from a country with some dubious political practises (passports) of late. Somebody please tell me I am being overly paranoid!??!

    ReplyDelete
  2. @Anonymous thanks for your support and comment. I can reassure you that Rapport doesn’t log your keystrokes and send them back to Trusteer (although I admit that it would be possible, but not in Trusteer’s interest). The keystroke mapping is only valid within a single page, any refresh or other navigation will remove the mapping from memory and start again. I have looked at this product quite a lot and no product can be 100% secure, but are you sure that you don’t have a Trojan keylogger on your machine? Remember that AV products can miss these polymorphic Trojans. Again, it could form a layer in your security arsenal. I wouldn’t necessarily write it off now (the product has changed a lot since my first posts on it), but use it knowing its limitations as with all security products.

    ReplyDelete
  3. Good Screen monitoring software will help you to log and trace all your computer's activities and IP address even though you are away from your computer.

    ReplyDelete

Post a Comment

Popular Posts

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post . How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't real

How Reliable is RAID?

We all know that when we want a highly available and reliable server we install a RAID solution, but how reliable actually is that? Well, obviously, you can work it out quite simply as we will see below, but before you do, you have to know what sort of RAID are you talking about, as some can be less reliable than a single disk. The most common types are RAID 0, 1 and 5. We will look at the reliability of each using real disks for the calculations, but before we do, let's recap on what the most common RAID types are. Common Types of RAID RAID 0 is the Stripe set, which consists of 2 or more disks with data written in equal sized blocks to each of the disks. This is a fast way of reading and writing data to disk, but it gives you no redundancy at all. In fact, RAID 0 is actually less reliable than a single disk, as all the disks are in series from a reliability point of view. If you lose one disk in the array, you've lost the whole thing. RAID 0 is used purely to speed up dis

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most