- 06-13-2009 #1
Are keyloggers a threat to us?
There was an item on the BBC news this morning about a new sort of criminal activity. A keylogger installs itself from a fake news site (or a genuine site that's been compromised) and it harvests your passwords and security information and passes them to its owner, who can then take over your bank account, credit card, etc.
Of course they gave the usual advice: use anti-virus, anti-spyware and a firewall to prevent programs phoning home, and always install the latest security patches (though funnily enough they didn't say "don't use Internet Explorer").
And I wondered if there is something like that which could be a threat to Linux users. Obviously the programs they were talking about were written for Windows but are there Linux equivalents? Could something like that install itself in $HOME/bin and be a threat to us?
"I'm just a little old lady; don't try to dazzle me with jargon!"
- 06-13-2009 #2
I noticed that the latest version of Firefox has the option to run it as a separate isolated user. I think that choosing this option will defeat something like a keylogger. That option popped up when it updated to the newest version, so I don't know how to configure it after-the-fact.
Paul
Please do not send Private Messages to me with requests for help. I will not reply.
- 06-13-2009 #3
Absolutely.
Just think about the number of browser plugins the average user has. Many of them even as proprietary as Windows.
Statistical likelihood and heterogeneity are on our side still, but I do not see any inherent security in the Linux software to prevent such a thing.
(The first trojans and keyloggers popped up on multiuser UNIX systems, mind you.)
Debian GNU/Linux -- You know you want it.
- 06-13-2009 #4
I gave up on the idea of "computer security" long ago; I just figure that, if someone can hack into the world's government weapons systems, they won't have much problem getting into my meager little box. Ironically, I logged in this morning to ask around about an email address that got returned to me this week; not that I'm worried about my machine, but that email addy is work related and there is much drama at my work right now.
- 06-13-2009 #5
Your risk of getting one is about the same as getting any Windows virus/trojan/worm etc.
Even Firefox plugins will only install if they are from mozilla.com, and even then only with your authorisation and a browser restart. It's good to be aware of these things but I really wouldn't lose a second's sleep over it.
Quote: "Could something like that install itself in $HOME/bin and be a threat to us?"
Thankfully there are too many "if's" there. It'd have to get into ~/bin, it'd have to set itself chmod +x and would then have to execute itself. If it had any of those powers in the first place, it wouldn't have a need to even put itself there.
Good oul Unix, eh!
- 06-13-2009 #6
This may seem off topic but bear with me, I'll get to the point in due course.
I thought I understood umask. I did.
My default umask is 0022 which should mean that any files created on my system have their permissions as 666 - 022 which is 644. That is world readable, writeable by me and executable by no-one.
This is why a chmod +x is required to make it runnable.
This is what protects against malware. See, I told you I'd get to the point.
Why then did Firefox 3.5 beta 4 have a shell script that was automatically executable?
Isn't this a vulnerability that could be exploited by malware?
How do I stop it from happening?
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
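Added example (not part of any post in this thread): what a umask of 022 does and does not remove, using constructed files in a scratch directory. It shows that the umask only strips bits from the mode a program requests, so a file that arrives by copy or from an archive keeps an execute bit it already had; that this explains any particular installer is an assumption.

```shell
#!/bin/sh
# Constructed demo: every file lives in a scratch directory and is made up.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

umask_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 022

        # New file via redirection: the shell requests 0666, umask removes
        # 022, so the result is 644 and not executable.
        echo 'echo hello' > fresh.sh
        printf 'fresh=%s\n' "$(mode_of fresh.sh)"

        # A file that already carries the execute bit.
        cp fresh.sh source.sh
        chmod 755 source.sh

        # Copying requests the source's mode; umask 022 removes nothing
        # from 755, so the copy is executable with or without -p.
        cp source.sh plain.sh
        cp -p source.sh preserved.sh
        printf 'plain=%s\n' "$(mode_of plain.sh)"
        printf 'preserved=%s\n' "$(mode_of preserved.sh)"

        # An archive stores the mode and restores it on extraction.
        tar -cf bundle.tar source.sh
        mkdir unpack
        tar -xf bundle.tar -C unpack
        printf 'untarred=%s\n' "$(mode_of unpack/source.sh)"
    )
    rm -rf "$dir"
}

umask_demo
```

The execute bit is decided by whoever produced the file, so the useful check is what ends up executable under your home directory and what launches it.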
- 06-15-2009 #7
I don't see anything insuperable here. An install script could copy a keylogger binary into ~/bin with the execute bit already set, using cp -p to preserve permissions (incidentally that could be the answer to Elija's question too). It could then search for startup files with names like .xinitrc, .Xsession or .XClients and write the name of the keylogger into them so that it executed each time you started a session. It wouldn't actually have to execute itself.
"I'm just a little old lady; don't try to dazzle me with jargon!"
- 06-15-2009 #8
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
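Added example (not part of any post in this thread): a check for the route described in post #7, listing executables under ~/bin and the lines in session startup files that launch something from inside the home directory. The startup file names beyond the three named in the thread, the scratch home directory and the `updater` file are assumptions constructed for the demo.

```shell
#!/bin/sh
# Startup files to inspect: the three named in the thread plus common
# shell and X session files (the extra names are an assumption).
STARTUP_FILES='.xinitrc .Xsession .XClients .xsession .xprofile .profile .bash_profile .bashrc'

# Print file:line:text for every non-comment line that refers to a path
# inside the given home directory (~/, $HOME/, ${HOME}/ or the literal path).
audit_startup() {
    home=$1
    for f in $STARTUP_FILES; do
        [ -f "$home/$f" ] || continue
        awk -v file="$f" -v home="$home" '
            /^[ \t]*#/ { next }
            index($0, "~/") || index($0, "$HOME/") ||
            index($0, "${HOME}/") || index($0, home "/") {
                printf "%s:%d:%s\n", file, NR, $0
            }' "$home/$f"
    done
}

# List regular files under <home>/bin that the owner can execute.
list_user_executables() {
    [ -d "$1/bin" ] || return 0
    find "$1/bin" -type f -perm -100 | sort
}

# Constructed sample: a scratch "home" with one executable in bin/ and an
# .xinitrc that launches it before the window manager.
demo() {
    h=$(mktemp -d) || return 1
    mkdir "$h/bin"
    printf '#!/bin/sh\n' > "$h/bin/updater"
    chmod 755 "$h/bin/updater"
    printf 'notes\n' > "$h/bin/readme.txt"
    printf '# my session\nxsetroot -solid grey\n$HOME/bin/updater &\nexec fluxbox\n' > "$h/.xinitrc"
    audit_startup "$h"
    list_user_executables "$h" | sed "s|^$h/||"
    rm -rf "$h"
}

# For a real check, call: audit_startup "$HOME"; list_user_executables "$HOME"
demo
```

Run periodically and compare against a saved copy of the output; a new line in either list is the thing to investigate.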
- 06-15-2009 #9
I believe that a good hacker can install just about anything on my computer. It only takes one vulnerability that hasn't been found and keyloggers or rootkits could be installed. The only question is: is it worth it to do the amount of work necessary to have it work under most distros? I tend to believe that if they are that good, they will likely be attacking more lucrative targets.
All that aside, I keep all financial information off my computer.
Registered Linux User #420832
- 06-16-2009 #10
I have less confidence in my ability to keep hackers out ... my approach in outline at the moment ...
separate install for banking info only ... one user with strong password for banking, one user for online ordering with a strong password. Minimum install ... fluxbox, firefox with noscript, rkhunter, router firewall, no swap, sshd disabled, local login only, keep the system up to date - system admin can do straight system update only - chroot in if more complex tasks needing root rights required.
This is about as good as I can do at present ... and anyway is better than the place of birth, mother's name crap that banks call security information ...
This is about all I think I can do at the moment ... encryption determined by bank, and need to trust ISP not to implement things like Phorm.
... and the final protection ... don't have any money to steal

