What happens if someone uses a keylogger to hijack someone's account?

There is no way to retrive one’s data if one’s account details are compromised or lost correct? And even if one sets up account recovery with a third party that’s of limited use. Now what if one is unwittingly victim of a keylogger attack. Many computers are victims of rootkits these days and it’s not inconceivable that hardware manufacturers would be unscrupulous and install backdoors into their products. Or the gov’t could get ahold of your machine somehow, or it could otherwise be compromised. What if the hardware, not the software, the hardware, gets compromised and reads your details and info as you are typing it in? Then it gets analyzed after the fact and boom your account gets nabbed, your data is lost and you’re screwed. What do you do to counter this in a maidsafe universe?

1 Like

Great question, it’s a recurring one and bothers me. We can protect the Internet and all that is there. The end points are a concern as people will use win / osx and other hacked operating systems.

There are some fallbacks (as you say the account sharing etc. but it’s a sticking plaster INHO).

There are lights though, things like trezor type devices defeat keyloggers, but again it’s a part solution. After launch this is an area that a team should get around and solve. There is a whole OS that may work, but too hard, we could get a hardened bsd/linux but again it’s hard.

The vaults are probably fine even on compromised OS’s.

My feeling is like bitcoin, on line banking etc. we need to get the message out, use XXX to be secure. To be really secure then use our version of YYY (a tails type OS should be created, I can happily create such a thing pretty simply). I think though mobile is perhaps even worse as ios and android are harder to move due to relationships with phone providers being difficult for alternative OS’s.

It is an area that would be great to ‘fix’ I think the early days will be advise people to use a secure OS and perhaps we should provide one for client software.

4 Likes

Using a secure OS is harder than it sounds because even if you’re familiar with it (which most people aren’t) there’s little official support. My ISP doesn’t support linux at all which is a pain. A thought here would be to create alternate phone hardware and a network based on maidsafe arcitecture. I mean why do we use phones at all? And with maidsafe it would be even easier to have voice calls and stuff what with the faster speeds the network would provide. You’d basically just need to build the hardware and the interface. Make the hardware cheap and the interface software open source so you could buy/print the hardware part cheap and then download your software interface to the SAFEphone of choice. I don’t know it was just a thought I had there.

As for dekstops and such I don’t think people are going to switch to linux in droves until we get them more familiar with it. The masses dont care about security that much or even know what a keylogger is. Most are just concerned with their facebook and youtube. So getting them onto a more secure platform will be a case of follow the pretty pictures. I think what will drive traffic will be developing awesome apps that run better, faster and stronger on SAFE. In short we’ll need to out perform the internet and closed source software.

1 Like

Maybe Maidsafe should have something like this in place

Use secure systems from known & reputable vendors.

That’s the problem it doesn’t take much for a gov’t to pas a law or buy out a vendor and have a backdoor installed. Just look at “known and reputable vendors” like Microsoft or Google, oh joy.

Consider the fact gov’s are getting real interested in Trusted Computers right now. I don’t much care for a computer that can refuse to do what I tell it and can be remotely shut down by a third party.

2 Likes

I know, but there’s no other solution.

If you don’t use MaidSafe, those risks remain (assuming you still use some kind of computing device).
If you use MaidSafe, those risks remain.

Realistically speaking a resourceful and determined opponent cannot be matched.
If they put a team on you, even if the h/w and s/w you got it safe, you won’t last a week (in terms of IT security) as they can still get to you in at least a dozen publicly known ways (and probably few more that are yet unknown). You do what you can (buy Lenovo?) and hope that they don’t have millions of teams they can dispatch to steal data from tens of millions of other security-conscious users.

Well said. I use lenovo (if it does help, still closed really) and a cut down version of ubuntu (no gnome/kde) but it is a worry. Like FB dropbox etc. the problems exist when you r friends/email recipients etc. do not take steps. We need to get to a point where secure is easier cheaper and more available than insecure. I think SAFE is a great first step, but so much more to do. There seems to be an appetite and if some of the projects could just come together, like the phone projects (but off the phone network), Mesh / whiteband and then hardware and OS it will work.

I think the OS is getting within reach now (many desktops are changing, its a good time to strike) , if we could only get some top notch graphics designers / gui / usability experts (pedantic folks like Viv) and somehow fund a team to just relax sit back and create something magical then it may work.

This movement that is growing will help, but its gonna need a huge push, the effort is immense, the resistance is incredible and early projects need to face being destroyed and distracted by a huge group, including corporate, governments and in some cases other projects (amazingly). When we launch and this community grows and finances itself (please deity) it would make for an interesting project, to bring together others with such goals.

Not to be underestimated but then again its nowhere close to impossible.

6 Likes

A couple of things to consider regarding Android security:

Also worth noting (by same company):

It would be great to have F-Secure come in to help tackle the end security issues. Maybe worth reaching out (e.g. Mikko on twitter). I’ll prod him now :slight_smile:

1 Like

Please do, there are options for anti - virus companies for sure.

1 Like

Why lenovo?

My friends laugh at me for running Gentoo, but you can sure cut-down on the amount of code that can possibly execute. The ability to toggle configuration flags on configuring scripts is very handy IMO.

What is the stripped down Ubuntu?

Just non Western built and hopefully less likely to have been tampered with. The whole thing is a mess right now though. I am not sure it helps too much though, as I said its closed hardware so who knows anyway.

I use the ubuntu repo’s which I like (lazy) but none of the usual desktops with all the Ubuntu integrations (add serving, privacy erosion etc.). I use Awesome - WM, clang vim and not much more (vlc, chromium etc.). Gentoo etc. has always appealed to me as well though, I must admit. Bsd keeps coming back to me though as well as forays into haiku and those versions etc. Microkernels and a new OS also appeals, I like microkernels and even more these days. Docker is a recent find that has promise (like bsd jails), its nearly there in terms of secure, but not yet.

I wish there was some kind of open source Qa system that would allow us to ensure the code has not been messed with or broken. If there were some trusted org that could perhaps code review sign packages etc. it would help. Even knowing c/c++ etc. then there is no way I can even begin to review sources that I use. Who knows what we may achieve over time.

3 Likes

Relatively speaking, a decent mix of quality and good reputation.
Have you seen a proof they inserted NSA spyware in the h/w they sell to their customers or assisted the US gov’t in data theft? I haven’t.

1 Like

Being Chinese owned somewhat reduces the chances of co-operation with US agencies :wink:

As for Chinese agencies… what better than acquiring access to a product that is prized throughout the West! No evidence they’ve used it, but I am skeptical we can trust any major supplier. Where a state, even a “democracy” like the US can threaten to bankrupt a company (cf. news of the threats to Yahoo revealed this weeks - fines bigger than the US economy in that case), we know that the government will get what the government wants from corporations, whose only interest is to stay making money. It takes individuals with a conscience such as Snowden, or Lavabit’s founder, to stand up against those threats where they are willing to stand up for values other than money.

4 Likes

I thought it was about keeping us safe!

Simple: 2FA.
Allow Yubikeys as a complementary medium of authentication:
Use the Password as a salt (Knowledge factor) + Yubikey (Ownership factor).

This way it is impossible to get into your account, even if your computer is ridden by nasty keyloggers.

1 Like

Why should a program like “LifeStuff” use a box to type in your PIN. Why not use a matrix with graphs containing the numbers 0 to 9 in a random way. Every time you start the sofware the numbers are differently organised. Even with a keylogger, people may know your login or pass, but because you click on the numers to enter the pin (instead of typing them in), they will not all the details. It makes it a lot harder for them to hijack your account.

2 Likes

Wondering if this software actually protects against keyloggers. http://download.cnet.com/KeyScrambler-Personal/3000-2144_4-10571274.html?tag=bc

Haven’t seen any real technical analysis on it. Curious what you guys think. Could keystrokes be encrypted at the driver level, as they say. Then decrypted in the browser?

I’m not a programmer, so forgive me if I’m missing something obvious:)

I have thought previously of a tool to collect your typing speed (like the old ssh hack a while back) and fill in blanks with keycodes to at least fill up or confuse a keylogger. It needs to be open source though and therefor the bad guys can analyse weaknesses timings etc. so it is a hard problem. The most effective answer seems to be a separate hardware device / fob etc. so far. I dislike all these though, but it may be best to look at trezor type devices for apps.

1 Like

Keystroke biometrics could be trivially bypassed with more advanced keyloggers that also logs the timings of keystrokes.
The only way to secure the credentials in the most hostile environment imaginable with successfully deployed ring 0 rootkits is with a 2FA. In the case of Yubikeys allow two different keys to be generated, short press and long press. The first short press could be used for read only properties, and the long press for read and write privileges.

2 Likes