get on the phone to The Times and ask them why they were so irresponsible in running the story without giving Trusteer a reasonable amount of time to plug the hole
Trusteer has downplayed the significance of reports that it might have been possible to bypass its anti-keylogger online banking protection technology. Digit Security presented research at the 44Con conference last month suggesting that Trusteer's Rapport technology could be ‘switched-off’ and ‘bypassed’ using functionality …
It is quite common for proof of exploit code to have further restrictions than any malware in the wild would have. After all, a security researcher doesn't want to just hand over everything to the world only to see their work pop up as the next 0 day virus/trojan. In fact, while the proof of concept code was demonstrated at a conference, it was withheld from the public (in complete contradiction to Trusteer's self-serving and blatantly misleading PR release) to provide time for a fix to be implemented.
In other words, this was responsible security disclosure. If Trusteer can't keep up with the speed the real world moves at, then they should get out of the digital security business.
On the one hand, he complains that the exploit code was released, and on the other admits that the code which was actually released was useless as actual malware and was really just a proof of concept... Make your mind up?
The same attack targeting Windows was also demonstrated at 44Con, but code was not released for this specifically because it would have been useful for incorporating into malware.
Despite their claims to the contrary, Rapport is basically just another AV product, but with a more limited scope in that it specifically targets a particular kind of malware. It cannot prevent 0day attacks; all it does is change the target parameters slightly. Think of it like Windows 7: when it was new, malware couldn't cope with it, but as it becomes more widespread, malware authors simply need to update their code.
The presentation at 44Con talks specifically about the "anti keylogger protection" provided by Rapport; it doesn't go into anything else.
The purpose of the anti keylogger protection is to prevent a keylogger from capturing your keystrokes even if one has gotten installed, and it works by capturing keystrokes at a low level, obfuscating them and then deobfuscating them by way of a browser plugin before sending them to the remote site. The intention is that, given the location where known keyloggers hook into the system, they will receive the obfuscated keystrokes instead of the real ones. This only works, however, providing keyloggers continue playing by the same rules. What if keyloggers attempt to capture the keystrokes *before* Rapport gets them, or similarly, since Rapport clearly has the capability to deobfuscate the keystrokes, what if the malware simply uses the same approach (as is the case in the proof of concept code linked in the article)?
Sure, the keylogger protection breaks the method existing known keyloggers use, but it doesn't stop keyloggers; it just forces keylogger authors to take a new approach. You can guarantee that the more widespread Rapport becomes, and the more banks that push it onto their customers, sooner or later malware authors will adapt, just as they have already adapted to different OS versions, different browsers, different AV products, etc.
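An added illustration (not part of the comment above and not Trusteer's code): a toy threat-model of the obfuscate-then-deobfuscate pipeline that comment describes, reporting which observation points the obfuscation actually covers. The XOR transform, its key and the tap-point names are assumptions made for the model.

```python
from typing import Callable, Dict, List, Tuple

TOY_KEY = 0x5A  # constructed value; stands in for the product's real transform


def toy_transform(data: bytes) -> bytes:
    """Self-inverse XOR, used only so 'obfuscated' is observable in the model."""
    return bytes(b ^ TOY_KEY for b in data)


def identity(data: bytes) -> bytes:
    return data


# (tap point, transform applied to the data after that tap).
# Tap names are hypothetical labels following the order given in the comment.
PIPELINE: List[Tuple[str, Callable[[bytes], bytes]]] = [
    ("input path before the protection layer", toy_transform),  # obfuscation
    ("OS hook layer used by known keyloggers", identity),
    ("browser input before the plugin", toy_transform),         # deobfuscation
    ("browser form field after the plugin", identity),
]


def exposure(typed: bytes, observer_has_inverse: bool = False) -> Dict[str, bool]:
    """Map each tap point to True if an observer there recovers the typed bytes."""
    if not typed:
        raise ValueError("need at least one byte of input")
    result: Dict[str, bool] = {}
    data = typed
    for tap, transform in PIPELINE:
        visible = data == typed
        # An observer holding the same inverse routine as the plugin is not stopped.
        if not visible and observer_has_inverse:
            visible = toy_transform(data) == typed
        result[tap] = visible
        data = transform(data)
    return result


def covered_taps(typed: bytes, observer_has_inverse: bool = False) -> List[str]:
    """Tap points where the obfuscation really hides the input."""
    return [tap for tap, seen in exposure(typed, observer_has_inverse).items() if not seen]


if __name__ == "__main__":
    sample = b"constructed-sample-input"  # constructed test input
    for has_inverse in (False, True):
        print(f"observer_has_inverse={has_inverse}: covered={covered_taps(sample, has_inverse)}")
```

Coverage is limited to the span between the two transforms, and only against an observer who lacks the inverse routine, which is the residual risk a defender should record when relying on this kind of control.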
I took one look and decided I'd rather have the bloody trojan.
Anything squirreling itself that far into the guts of the OS is asking for trouble come patch time IMHO. Also appears to lack that all important "load on request only" option, so that for the 99.99% of the time I'm *not* talking to a bank it's not loaded, not chewing resource in the background and not providing yet another reason for things to go titsup unexpectedly.
Worst part was that the bank punting this said I didn't have to have it, but once it had been seen in use once they'd never allow another connection without it. At least you can remove malware.....
Couldn't agree more - I installed it because my bank wouldn't let me access my business banking service and it slows down _everything_: absolutely bloody awful. Particularly annoying when the same bank's internet banking doesn't work properly with anything apart from IE...
What worries me though, is if I choose not to use it (i.e. for home accounts or whatever) then if I were to have a problem, the bank would kick back responsibility to me because I hadn't installed this bloatware. It's not in their Ts&Cs specifically but I wouldn't be surprised if there was some clause or other to that effect... Damned if you do, damned if you don't...
I worked for one of the banks that rolled Trusteer out to their customers.
We had to issue an urgent message to all staff NOT to install it on Bank machines as it broke the build. There were sufficient staff with high enough desktop privilege to have caused quite a lot of rebuilds.
It certainly stopped me from installing it at home.
I was at 44con when the vulnerability was shown. It was cracked wide open in 10 minutes and looked like it'd been written in 5.
My bank (First Direct) used to recommend it but I haven't seen it recently so I think they no longer do. I'll move from any bank which insists I install it.