Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-08 Thread Dan Kaminsky
Won't work against a hardware keylogger, as it gets the strokes before the 
driver does.

Won't work against any software aware of it; thread inject into Firefox to get 
the real keystrokes and it's game over.  Or heck, simply pretend to be a 
firefox process to get the decryption key, assuming it's not fixed.

Would work against some stock, mass distributed keyloggers, I suppose?

Sent from my iPhone

On Dec 8, 2010, at 3:12 AM, mrx  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi list,
> 
> Is anyone familiar with the firefox addon KeyScrambler? According to 
> developers this encrypts keystrokes.
> 
> Quote:
> "How KeyScrambler Works:
> When you type on your keyboard, the keys travel along a path within the 
> operating system before it arrives at your browser. Keyloggers plant
> themselves along this path and observe and record your keystrokes. The 
> collected information is then sent to the criminals who will use it to
> steal from you.
> 
> KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard 
> driver level, deep within the operating system. When the encrypted
> keystrokes reach your browser, KeyScrambler then decrypts them so you see 
> exactly the keys you've typed. Keyloggers can only record the
> encrypted keys, which are completely indecipherable."
> 
> Can this be trusted? As in trusted I mean not bypassed.
> 
> Input from the professionals on this list would be much appreciated.
> 
> Thank you
> regards
> Dave
> 
> - -- 
> Mankind's systems are white sticks tapping walls.
> Thanks Roy
> http://www.propergander.org.uk
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-08 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/12/2010 11:36, Dan Kaminsky wrote:
> Won't work against a hardware keylogger, as it gets the strokes before the 
> driver does.

I guessed that, although on occasions I do miss the obvious.


> Won't work against any software aware of it; thread inject into Firefox to 
> get the real keystrokes and it's game over.  Or heck, simply pretend to be a 
> firefox process to get the decryption key, assuming it's not fixed.

I understand. So it's snake oil.

> Would work against some stock, mass distributed keyloggers, I suppose?

Protection from script kiddies only? I get the picture.

Thanks for your input Dan.

Regards
Dave


- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk


Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-08 Thread Tim Gurney
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi

This seems to contradict itself somewhat. A plugin to firefox should
have no way to encrypt things at a driver level within the kernel, that
would require installing separate software at the root level, a plugin
should not be able to do this and I would be VERY worried and surprised
if it could as it would mean bypassing the security of the OS.

Also if the driver is encrypting the key strokes and the plugin is
decrypting, what about all the keystrokes that are not in firefox, like
email, word processing, programming, there is nothing to decrypt these
so you would end up only ever being able to use firefox on the machine
and nothing else ever again.

Personally I would not touch this with a barge pole and I would do a lot
more digging and checking into this.

regards

Tim



Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-08 Thread Julien Reveret
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi list,
>
> Is anyone familiar with the firefox addon KeyScrambler? According to
> developers this encrypts keystrokes.
>

What if the attacker uses a firefox plugin such as ffsniff[1] to get the user's
credentials?
As Dan said, I guess this plugin will only fool some keyloggers, but not all.

[1] http://azurit.elbiahosting.sk/ffsniff/



Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/12/2010 11:30, Tim Gurney wrote:
> Hi
> 
> This seems to contradict itself somewhat. A plugin to firefox should
> have no way to encrypt things at a driver level within the kernel, that
> would require installing separate software at the root level, a plugin
> should not be able to do this and I would be VERY worried and surprised
> if it could as it would mean bypassing the security of the OS.

I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) 
environment and it is incompatible.
I may wait for an update to the plugin and analyse its behaviour, providing my 
curiosity doesn't wane in the meantime.

I am not a professional, I do this kind of research as a hobby and for 
educational purposes, when I have some free time.


> Also if the driver is encrypting the key strokes and the plugin is
> decrypting, what about all the keystrokes that are not in firefox, like
> email, word processing, programming, there is nothing to decrypt these
> so you would end up only ever being able to use firefox on the machine
> and nothing else ever again.

The devs do state that it only encrypts keystrokes in Firefox and not other 
applications, although they do sell a version that supposedly works
"in over 160 browsers and applications".
> 
> Personally I would not touch this with a barge pole and I would do a lot
> more digging and checking into this.

Yes, I am sceptical of claims, hence the post to this list.



> regards
> 
> Tim


Thanks for your input
Dave.





- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk


Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Christian Sciberras
> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
> environment and it is incompatible.
> I may wait for an update to the plugin and analyse its behaviour,
> providing my curiosity doesn't wane in the meantime.

Alternatively, you can just decompress the XPI (it's in fact a zip) and
inspect the js files and/or decompress any binaries.
I suppose they are distributing some form of driver, so you'd find
IDA/ollydbg useful.



Chris.




Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/12/2010 13:40, Julien Reveret wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Hi list,
>>
>> Is anyone familiar with the firefox addon KeyScrambler? According to
>> developers this encrypts keystrokes.
>>
> 
> What if the attacker uses a firefox plugin such as ffsniff[1] to get the user's
> credentials?
> As Dan said, I guess this plugin will only fool some keyloggers, but not all.
> 
> [1] http://azurit.elbiahosting.sk/ffsniff/
> 

Thanks for the link.

Looking through the code of ffsniff was an eye opener.
I would hope that such an addon would be instantly recognised as malicious by 
Mozilla.
I am a curious hobbyist and pretty much a noob when compared to real 
professionals.
Perhaps in five years or so I might actually be able to contribute to the 
community :-)

Thanks for your response

regards
Dave


Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/12/2010 10:26, Christian Sciberras wrote:
>> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>> environment and it is incompatible.
>> I may wait for an update to the plugin and analyse its behaviour,
>> providing my curiosity doesn't wane in the meantime.
> 
> Alternatively, you can just decompress the XPI (it's in fact a zip) and
> inspect the js files and/or decompress any binaries.
> I suppose they are distributing some form of driver, so you'd find
> IDA/ollydbg useful.
> 
> 
> 
> Chris.
> 

I extracted the files (various .js files and an exe) from the xpi.
The .js files do a version check and create an instance of keyscrambler.sys with the 
current firefox window passed to it as an argument.

I also extracted the contents of the executable, setup.exe.
Setup.exe contained various DLLs and one sys file. I presumed this sys file, 
keyscrambler.sys, is the driver and main component of this addon.
To confirm I monitored the running of setup.exe.

My presumption was correct: keyscrambler.sys is installed in the system32 folder and 
is registered as an autostarting service, although it is hidden
from the services pane in computer management.

This is where my "skills" bottom out. ASM is something I have not yet got my 
head around.
I have a clue, but that's about all I do have... in time ;-)

Thanks for your advice and input
regards
Dave

- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (Mi
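
The static check discussed in the two messages above (unzip the XPI, then look at what native code it carries), as an added example that is not part of the original thread. It walks the archive, follows installers that are a PE stub with a zip appended (other installer formats need their own unpacker), and reads each PE header for the subsystem and the certificate-table entry. The sample archive, its file names and the stub headers are constructed for the demonstration.

```python
import io
import struct
import zipfile

MAX_MEMBER_BYTES = 64 * 1024 * 1024   # do not inflate anything larger (zip-bomb guard)
SUBSYSTEMS = {1: "native", 2: "windows-gui", 3: "windows-console"}
MACHINES = {0x014C: "x86", 0x8664: "x64"}


def parse_pe(data):
    """Return header facts for a PE image, or None if `data` is not one."""
    try:
        if data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        opt = e_lfanew + 24                 # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = {0x10B: 96, 0x20B: 112}.get(magic)   # data-directory offset: PE32 / PE32+
        if dirs is None:
            return None
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        ndirs = struct.unpack_from("<I", data, opt + dirs - 4)[0]
        # Directory entry 4 is the certificate table, where Authenticode data lives.
        _cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs + 4 * 8)
    except struct.error:                    # truncated or malformed header
        return None
    return {
        "kind": "pe",
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        # Subsystem 1 is used by kernel drivers and boot-time native programs.
        "native_subsystem": subsystem == 1,
        # Presence only: says a signature blob exists, not that it verifies.
        "has_cert_table": ndirs > 4 and cert_size > 0,
    }


def triage_archive(blob, prefix="", depth=0, max_depth=3):
    """List native binaries in a zip/XPI, descending into nested or appended zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"kind": "oversize", "path": path})
                continue
            data = zf.read(info)
            pe = parse_pe(data)
            if pe:
                findings.append({"path": path, **pe})
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
                try:
                    findings += triage_archive(data, path + "!", depth + 1, max_depth)
                except zipfile.BadZipFile:
                    findings.append({"kind": "unreadable-archive", "path": path})
    return findings


def minimal_pe(subsystem, signed=False):
    """Constructed, non-functional PE32 header: only the fields parse_pe reads."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, 0x100)  # certificate table entry
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_sample_xpi():
    """Constructed sample: two text files plus an installer with a zip appended."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("sample.dll", minimal_pe(2))
        z.writestr("sample.sys", minimal_pe(1, signed=True))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.js", "// constructed placeholder script\n")
        z.writestr("setup.exe", minimal_pe(2) + inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_xpi()):
        print(f)
```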

Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Christian Sciberras
Dave,

That's ok. Glad to have helped out :)

Cheers,
Chris.




Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Gary Baribault
Call me paranoid, but that sure would be a good way to spread a key logger!

Gary B


On 12/09/2010 07:25 AM, Christian Sciberras wrote:
> Dave,
>
> That's ok. Glad to have helped out :)
>
> Cheers,
> Chris.
>
>
>
> On Thu, Dec 9, 2010 at 1:07 PM, mrx mailto:m...@propergander.org.uk>> wrote:
>
> On 09/12/2010 10:26, Christian Sciberras wrote:
> >> I tried installing this plugin to Firefox 3.6.12 in a virtualbox
> XP32(SP3)
> > environment and it is incompatible.
> >> I may wait for an update to the plugin and analyse its behaviour,
> > providing my curiosity doesn't wane in the meantime.
>
> > Alternatively, you can just decompress the XPI (it's in fact a zip) and
> > inspect the js files and/or decompress any binaries.
> > I suppose they are distributing some form of driver, so you'd find
> > IDA/ollydbg useful.
>
>
>
> > Chris.
>
>
> I extracted the files (various .js files and an exe) from the xpi.
> The .js files version check and create an instance of keyscrambler.sys
> with the current firefox window passed to it as an argument.
>
> I also extracted the contents of the executable; setup.exe.
> Setup.exe contained various dll's and one sys file. I presumed this
> sys file; keyscrambler.sys, is the driver and main component of this
> addon.
> To confirm I monitored the running of setup.exe.
>
> My preumption was correct keyscrambler.sys is installed in system32
> folder and is registered as an autostarting service, although it is hidden
> from the services pane in computer management.
>
> This is where my "skills" bottom out. ASM is something I have not yet
> got my head around.
> I have a clue, but that's about all I do have... in time ;-)
>
> Thanks for your advice and input
> regards
> Dave
>
>
> > On Thu, Dec 9, 2010 at 11:23 AM, mrx  > wrote:
>
> > On 08/12/2010 11:30, Tim Gurney wrote:
>  Hi
> 
>  This seems to contradict itself somewhat. A plugin to firefox should
>  have no way to encrypt things at a driver level within the
> kernel, that
>  would require installing seperate software at the root level, a
> plugin
>  should not be able to do this and i would be VERY worried and
> surprised
>  if it could as it would mean bypassing the security of the OS.
>
> > I tried installing this plugin to Firefox 3.6.12 in a virtualbox
> XP32(SP3)
> > environment and it is incompatible.
> > I may wait for an update to the plugin and analyse its behaviour,
> providing
> > my curiosity doesn't wane in the meantime.
>
> > I am not a professional, I do this kind of research as a hobby and for
> > educational purposes, when I have some free time.
>
>
>  Also if the driver is encrypting the key strokes and the plugin is
>  decrypting, what about all the keystrokes that are not in
> firefox, like
>  email, word processing, programming, there is nothing to decrypt
> these
>  so you would end up only ever being able to use firefox on the
> machine
>  and nothing else every again.
>
> > The devs do state that it only encrypts keystrokes in Firefox and
> not other
> > applications, although they do sell a version that supposedly works
> > "in over 160 browsers and applications".
> 
>  personally I would not touch this with a barge pole and I would
> do a lot
>  more more digging and checking into this.
>
> > Yes, I am sceptical of claims, hence the post to this list.
>
>
>
>  regards
> 
>  Tim
>
>
> > Thanks for your input
> > Dave.
>
>
> 
>  On 08/12/10 11:12, mrx wrote:
> > Hi list,
> 
> > Is anyone familiar with the firefox addon KeyScrambler? According to
> > developers this encrypts keystrokes.
> 
> > Quote:
> > "How KeyScrambler Works:
> > When you type on your keyboard, the keys travel along a path within the
> > operating system before it arrives at your browser. Keyloggers plant
> > themselves along this path and observe and record your keystrokes. The
> > collected information is then sent to the criminals who will use it to
> > steal from you.
> 
> > KeyScrambler defeats keyloggers by encrypting your keystrokes at the
> > keyboard driver level, deep within the operating system. When the encrypted
> > keystrokes reach your browser, KeyScrambler then decrypts them so you
> > see exactly the keys you've typed. Keyloggers can only record the
> > encrypted keys, which are completely indecipherable."
> 
> > Can this be trusted? As in trusted I mean not bypassed.
> 
> > Input from the professionals on this list would be much appreciated.
> 
> > Thank you
> > regards
> > Dave
> 
> 
>  ___
>  Full-Disclosure - We believe in it.
>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Elazar Broad

Just lightly scratching the surface, KeyScrambler.sys is signed by
GlobalSign, strings reveals nothing interesting other than OpenSSL
0.9.8a is used.

elazar

On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault wrote:
>Call me paranoid, but that sure would be a good way to spread a
>key logger!
>
>Gary B
>
>
>On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>> Dave,
>>
>> That's ok. Glad to have helped out :)
>>
>> Cheers,
>> Chris.
>>
>>
>>
>> On Thu, Dec 9, 2010 at 1:07 PM, mrx wrote:
>>
>> On 09/12/2010 10:26, Christian Sciberras wrote:
>> >> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>> >> environment and it is incompatible.
>> >> I may wait for an update to the plugin and analyse its behaviour,
>> >> providing my curiosity doesn't wane in the meantime.
>>
>> > Alternatively, you can just decompress the XPI (it's in fact a zip) and
>> > inspect the js files and/or decompress any binaries.
>> > I suppose they are distributing some form of driver, so you'd find
>> > IDA/ollydbg useful.
>>
>>
>>
>> > Chris.
>>
>>
>> I extracted the files (various .js files and an exe) from the xpi.
>> The .js files version check and create an instance of keyscrambler.sys
>> with the current firefox window passed to it as an argument.
>>
>> I also extracted the contents of the executable; setup.exe.
>> Setup.exe contained various dll's and one sys file. I presumed this
>> sys file; keyscrambler.sys, is the driver and main component of this
>> addon.
>> To confirm I monitored the running of setup.exe.
>>
>> My presumption was correct: keyscrambler.sys is installed in system32
>> folder and is registered as an autostarting service, although it is hidden
>> from the services pane in computer management.
>>
>> This is where my "skills" bottom out. ASM is something I have not yet
>> got my head around.
>> I have a clue, but that's about all I do have... in time ;-)
>>
>> Thanks for your advice and input
>> regards
>> Dave

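The triage steps mentioned in this thread (an XPI is a zip; strings on the driver shows an OpenSSL version), as an added example that is not from any poster or from the KeyScrambler project. The member names and the sample archive are constructed placeholders; the scan reads raw bytes, so a banner inside a compressed installer payload would not be seen.

```python
import io
import re
import zipfile

# Runs of 6+ printable ASCII bytes, the same idea as the `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Version banner that OpenSSL builds embed, e.g. "OpenSSL 0.9.8a 11 Oct 2005".
OPENSSL_BANNER = re.compile(r"OpenSSL \d+\.\d+\.\d+[a-z]*")
BINARY_SUFFIXES = (".sys", ".dll", ".exe")


def triage_xpi(xpi_bytes):
    """Return {member: {"kind", "openssl"}} for every file in the XPI."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            data = xpi.read(info)
            name = info.filename
            # Treat PE files as binaries by suffix or by the "MZ" magic.
            is_binary = name.lower().endswith(BINARY_SUFFIXES) or data[:2] == b"MZ"
            banners = set()
            for run in PRINTABLE.findall(data):
                banners.update(OPENSSL_BANNER.findall(run.decode("ascii")))
            report[name] = {"kind": "binary" if is_binary else "script/other",
                            "openssl": sorted(banners)}
    return report


def build_sample_xpi():
    """Constructed sample: a tiny XPI with one script and one fake driver."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome/content/overlay.js", "// constructed placeholder script\n")
        z.writestr("bin/example_driver.sys",
                   b"MZ\x90\x00" + b"\x00" * 32 + b"OpenSSL 0.9.8a 11 Oct 2005\x00\x01\x02")
    return buf.getvalue()


if __name__ == "__main__":
    for member, facts in triage_xpi(build_sample_xpi()).items():
        print(member, facts)
```

A reported version string is the starting point for checking the vendor's advisories for that release; it does not by itself show that a given flaw is reachable in the shipped binary.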
Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx

On 09/12/2010 19:33, Elazar Broad wrote:
> Just lightly scratching the surface, KeyScrambler.sys is signed by
> GlobalSign, strings reveals nothing interesting other than OpenSSL
> 0.9.8a is used.
> 
> elazar

Yes, I noticed the RSA source code references in the disassembly.

Now I am curious if this implementation of OpenSSL is vulnerable to the various
CVEs that have been issued against 0.9.8a.

CVE-2007-4995: Off-by-one error in DTLS vulnerability
CVE-2007-5135: One byte buffer overflow in the SSL_get_shared_ciphers function
CVE-2007-3108: BN_from_montgomery side-channel attack.

And how it could be exploited if this is the case. I am not skilled enough to know.
However, if I was developing this software I would update it.

Cheers
Dave

