GuardedID

TOF


My Computer

Computer Manufacturer/Model Number
Custom Build
OS
Microsoft Windows 7 Professional X64
CPU
Intel(R) Core(TM) i7 CPU 965 @ 3.20GHz
Motherboard
Intel DX58SO
Memory
Kingston 3x2 GB (DDR3 1600 MHz)
Graphics Card(s)
NVIDIA GeForce 9800 GT [x2 (SLI Technology)]
Sound Card
RealteK High Definition Audio (On Board)
Monitor(s) Displays
SyncMaster 245BW (Digital)
Screen Resolution
1920X1200 Pixels
Hard Drives
ST3500410AS ATA Device (465.76GB)
ST3500410AS ATA Device (465.76GB)
WDC WD5000AACS-00G8B1 ATA Device (465.76GB)
PSU
PC Power & Cooling Silencer 750 Quad 750W PSU
Case
Antec Sonata Elite
Cooling
Intel(R) Core(TM) i7 CPU Retail
Keyboard
Microsoft Wireless Optical Desktop 3000 Ergonomics Keyboard
Mouse
Ergonomics Keyboard and Optical Mouse Combo
Internet Speed
54.0 Mbps
Other Info
Linksys WUSB600N Dual-Band Wireless-N USB Network Adapter
It must be good! Armand Assante says "I wouldn't use my computer without GuardedID", and he's doing Blue Steel while he says it ;)

First, I don't work for that company, its competitors, or anybody in that industry. Hence, my comments will be free from commercial bias, if not free from personal prejudice. I've never used the product, and up until 90 seconds ago I'd never heard of it either.

Having said that, in my opinion the product is far more marketing than substance. This is based on their architecture diagram: http://www.guardedid.com/images/GID_Graphic_r2.gif

As presented, the operation of the product can be summarised as replacement of the standard keyboard driver with an alternative which communicates with an in-app plug-in via a secure 128-bit SSL channel. Good enough. No malware is going to bother doing on-the-fly brute force crypto attacks to compromise that secure link.

What they don't mention is that just as they've replaced the keyboard driver and/or "layered" themselves above or below it in the keyboard hierarchy, so too can any malicious driver that finds itself on the system do the same to the GuardedID driver. In kernel-mode, all drivers are equal in terms of privilege. Each of them can implant itself in such a way as to inspect info being passed to or from any other driver. Hence, assuming an infected machine (why else use the product?), it is relatively trivial for the malware driver to simply go through this decision:

IF ( GuardedID detected ) THEN { layer myself underneath it }

The malware driver gets each stroke first, records it, then dutifully passes it on to the GuardedID driver so the (by now utterly pointless) work of spending processor cycles on keystroke encryption and decryption can commence.

Up at the application layer, their driver's encrypted messages are received and processed by the driver's counterpart component whose job is decryption. Should any malware manage to infiltrate the (say) browser process, it can simply wait until after the keystroke is decrypted to grab it in plain text.

Some of their other marketing "heifer dust" comments are downright misleading too:

- "Eliminates time-consuming hard disk or memory scans." No, it does nothing of the sort, given it does not replace anti-virus software or make it redundant.

- "Protects against 'NEW' and 'EXISTING' keyloggers." No, as per the rant above, a GuardedID-aware keylogger would make mincemeat of it.

- "CryptoColor - visually displays all browser encrypted fields." It cannot do that, for the simple reason that it really has no idea what happened to the data within the browser process after it was decrypted, or underneath its driver.

The fundamental problem is that they're aiming to fight against malware which is already on the machine and running with administrative privileges - as a driver no less. From a security theory standpoint, that's a nonsense.

Still, it's relatively cheap, and if you don't mind sacrificing a bit of performance (for its SSL tunnel), it'll probably make the box a little more secure against some forms of malware which are not aware of its presence. It is certainly not the security panacea touted by the marketing department.
 

My Computer

Computer Manufacturer/Model Number
Multiple machines in various stages of decomposition.
OS
Win7x64
The product is endorsed and used with Trend Micro Internet Security Pro 2010. They have a free "standard" version that can be upgraded to a fully featured version with a subscription. I chose to get it through the Strikeforce website though because they offer two licences for one key for only a few more bucks. Trend Micro's offer is only good for one computer.

The "white page" as they call it will dispel some of your ideas about the product. http://www.guardedid.com/pdf/GuardedID white paper4.pdf

The idea around this product is to create a secure separate path so that key loggers cannot capture any text that can compromise security. The software self-monitors itself for unauthorized changes as well. The product doesn't attempt to detect key loggers. It leaves that to the security software to do. Security software can't remove a keylogger until it is discovered, so GuardedID prevents the key logger from being successful in the meantime.
 

I'm happy that you're happy with your purchase.

The "white page" as they call it will dispel some of your ideas about the product. http://www.guardedid.com/pdf/GuardedID white paper4.pdf

The idea around this product is to create a secure separate path so that key loggers cannot capture any text that can compromise security. The software self-monitors itself for unauthorized changes as well. The product doesn't attempt to detect key loggers. It leaves that to the security software to do. Security software can't remove a keylogger until it is discovered, so GuardedID prevents the key logger from being successful in the meantime.

A keylogger which was GuardedID-aware wouldn't need to crack the SSL tunnel, nor would it need to somehow modify the GuardedID modules. It would simply insert itself below or above the new tunnel, and thus grab the keystrokes in clear text.

This falls into a particular class of "wishful thinking" security software which aims to do battle with malware that is already on the machine with full admin rights. Sometimes it'll work, and sometimes it won't - mostly against newer malware which is aware of the obstacle and knows how to avoid it. Hence, it's a small improvement on no keylogger protection at all, but it's not nearly as good as focusing all efforts on staying malware-free in the first place.

Once a box has been pwned, all bets are off. A full nuke+reinstall is the only way to be sure that no backdoors have been left behind. You're a braver person than I if you'd contemplate accessing your internet banking site, confident in the knowledge that GuardedID will manage to defeat that malware driver down in kernel-mode.

Happy slightly-more-secure-but-slower computing ;)
 

Not all computers are laced with malware. However, strikeforce claims that no key logger can get personal info with their technology so a compromised computer is guarded against key loggers at the kernel level. This software is being sold in an enterprise package for deployment into corporate facilities such as banks and the government as well so it must be an effective tool when it comes down to identity theft.

Here is another interesting read that I found from GuardedID
It is the top 10 secrets that hackers don't want you to know. http://www.sftnj.com/products/pdf/toptensc.pdf
 

"Protects against 'NEW' and 'EXISTING' keyloggers." No, as per the rant above, a GuardedID-aware keylogger would make mincemeat of it.
It seems that they are already aware of this and have covered it, as they say: "GuardedID constantly monitors the keyboard device driver stack to detect un-trusted drivers (which could potentially be keyloggers). If an un-trusted driver is discovered, GuardedID warns the user by showing the "Unknown Driver Warning" dialog. The name of the suspect driver is displayed in the dialog. The GuardedID state indicator will turn orange instead of green to indicate warning. Details are logged into the event log which can be viewed." So not only does GuardedID monitor the keyboard device driver stack, but it monitors itself as well as a defense.
 

"Protects against 'NEW' and 'EXISTING' keyloggers." No, as per the rant above, a GuardedID-aware keylogger would make mincemeat of it.
It seems that they are already aware of this and have covered it, as they say: "GuardedID constantly monitors the keyboard device driver stack to detect un-trusted drivers (which could potentially be keyloggers). If an un-trusted driver is discovered, GuardedID warns the user by showing the "Unknown Driver Warning" dialog. The name of the suspect driver is displayed in the dialog. The GuardedID state indicator will turn orange instead of green to indicate warning. Details are logged into the event log which can be viewed." So not only does GuardedID monitor the keyboard device driver stack, but it monitors itself as well as a defense.

Thanks for an interesting discussion.

So GuardedID (GID from now on) "constantly monitors the keyboard device driver stack to detect un-trusted drivers"? Do you believe that statement is compatible with this previous one: "Eliminates time-consuming hard disk or memory scans"?

Also, how effective do you think GID's "monitoring" is going to be, given it has no regularly-updated definitions database? It might be effective against known keyloggers the day it's released, but what about a week later? How will it detect a new, GID-aware keylogger driver which was made after GID with full knowledge of how GID "monitors"?

How will it detect user-mode malware which grabs the keystrokes after they've been decrypted?

I'm not questioning the integrity of their SSL tunnel. No malware author in their right mind is going to try to attack that "secure pipe" between the kernel-mode and user-mode GID components. What they'll do is to simply bypass it, "Maginot Line" style. Once you're aware of a static and immutable obstacle, you can go around it :)

Without intending to sound cynical, just because something is being "sold in an enterprise package for deployment into corporate facilities" doesn't necessarily mean it's effective.
 

Why would it need to be updated on a regular basis? It's a patented encrypted tunnel from the keyboard to the application. The software doesn't need to update any definition list because all it has to do is check and see if the drivers are signed by Microsoft or not. If it's not signed, it will send out a warning.

I read an old review from 2007 from an editor who stated that it didn't protect information on the clipboard, so I don't know if that has changed since. But what security software is 100%? This software together with a good security suite will go a long way. :)
 

Why would it need to be updated on a regular basis? It's a patented encrypted tunnel from the keyboard to the application. The software doesn't need to update any definition list because all it has to do is check and see if the drivers are signed by Microsoft or not. If it's not signed, it will send out a warning.

That logic is clearly unsound: "we'll check for the presence of kernel-mode malware by using a mechanism which would have to fail for kernel-mode malware to be present."

In fact, their description (which you quoted) does not directly imply that they're using driver signatures to detect "untrusted" drivers. It just says they "constantly monitor the keyboard driver stack" (although they also "eliminate time-consuming memory scans"!).

My point is that such a game of detection one-upmanship with malware drivers would be pointless without a constantly evolving definition of just what it is that they're looking for, hence the need for regular updates.
 

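The argument so far turns on two questions: what actually sits in the "keyboard device driver stack" on a given Windows 7 box, and what a "check whether the drivers are signed by Microsoft" test can and cannot tell you. The PowerShell below is an added example for this thread, not GuardedID's code and not anything from the white paper. It reads the filter lists Windows keeps in the registry for the keyboard setup class and for each keyboard device, prints the stack bottom to top, and runs Get-AuthenticodeSignature over each driver binary. The class GUID is Microsoft's documented keyboard setup class; the bottom-to-top ordering follows Microsoft's documented PnP load order (device lower filters, class lower filters, function driver, device upper filters, class upper filters, each attaching on top of the previous one); the function names and the UNVERIFIED / MISSING labels are this example's own. It assumes Windows PowerShell 3.0 or later run as Administrator.

```powershell
# Added example (not GuardedID's code): list the keyboard driver stack that Windows
# records in the registry, bottom to top, with the signer of each driver binary.
# Assumes Windows PowerShell 3.0+ run as Administrator. Ordering follows Microsoft's
# documented PnP load order: device lower filters, class lower filters, function
# driver, device upper filters, class upper filters. Each attaches on top of the
# previous one, so load order is also bottom-to-top in the device stack.

$KeyboardClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'   # Microsoft's keyboard setup class
$ClassKey     = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$KeyboardClassGuid"
$EnumRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Enum'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-MultiSz {
    param([string]$Key, [string]$Name)
    # REG_MULTI_SZ arrives as string[]; a missing value becomes an empty list.
    $v = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    return @($v | Where-Object { $_ })
}

function Resolve-DriverImagePath {
    param([string]$ServiceName)
    # A filter name is a kernel service; its binary is the service's ImagePath.
    $image = (Get-ItemProperty -LiteralPath "$ServicesRoot\$ServiceName" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { $image = "System32\drivers\$ServiceName.sys" }   # default for kernel services
    $image = $image -replace '^\\\?\?\\', ''                              # \??\C:\x -> C:\x
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
    return $image
}

function Get-DriverSigner {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING ON DISK' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    # In-box drivers are usually catalog-signed, which older PowerShell reports as
    # NotSigned, so this label means "verify by hand", not "malware".
    return "UNVERIFIED ($($sig.Status))"
}

function Get-KeyboardDriverStack {
    $classLower = Get-MultiSz $ClassKey 'LowerFilters'
    $classUpper = Get-MultiSz $ClassKey 'UpperFilters'   # normally just kbdclass
    foreach ($kbd in Get-WmiObject -Class Win32_Keyboard) {
        $devKey   = "$EnumRoot\$($kbd.DeviceID)"
        $function = (Get-ItemProperty -LiteralPath $devKey -Name Service -ErrorAction SilentlyContinue).Service
        $layers = @()
        foreach ($s in (Get-MultiSz $devKey 'LowerFilters')) { $layers += [pscustomobject]@{ Role = 'device lower filter'; Service = $s } }
        foreach ($s in $classLower)                           { $layers += [pscustomobject]@{ Role = 'class lower filter';  Service = $s } }
        if ($function)                                        { $layers += [pscustomobject]@{ Role = 'function driver';     Service = $function } }
        foreach ($s in (Get-MultiSz $devKey 'UpperFilters')) { $layers += [pscustomobject]@{ Role = 'device upper filter'; Service = $s } }
        foreach ($s in $classUpper)                           { $layers += [pscustomobject]@{ Role = 'class upper filter';  Service = $s } }

        $position = 0
        foreach ($layer in $layers) {
            $position++
            $path = Resolve-DriverImagePath $layer.Service
            [pscustomobject]@{
                Keyboard = $kbd.DeviceID
                Position = $position        # 1 = bottom: sees the raw keystroke before everything above it
                Role     = $layer.Role
                Service  = $layer.Service
                Image    = $path
                Signer   = Get-DriverSigner $path
            }
        }
    }
}

Get-KeyboardDriverStack | Format-Table Keyboard, Position, Role, Service, Signer -AutoSize
```

Whatever sits lowest in that listing sees each keystroke before anything above it. That is the point made earlier in the thread about a keylogger layering itself underneath the GuardedID driver: if it registers as a filter at all, it shows up low in this list, and encrypting the data one layer higher does nothing. Two caveats apply to this check and equally to any product that does the same thing from user mode. First, on Windows 7 most in-box drivers are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports them as NotSigned and a real verdict needs a catalog-aware tool (Sysinternals sigcheck, or signtool verify against the system catalogs). Second, the script trusts the registry and the signature APIs, both of which kernel-mode code can lie to: a driver can hide its service key, hook the port driver's service callback without ever appearing in a filter list, or carry a perfectly valid signature from a leaked certificate. A clean listing here, or a green indicator in a product, is absence of evidence, not proof of a clean keyboard path.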
H2SO4

I was looking at the following pdf.

  • Does Not require any spyware database updates (page 5 or 6)
  • MSI installer includes update service with automatic updates (page 15 and 16)
The software does not depend on spyware definitions like most other anti-keyloggers because it protects the user using a different method. I'm assuming that these are the updates you were talking about?

http://www.guardedid.com/pdf/GID_30.pdf
 

H2SO4

I was looking at the following pdf.

  • Does Not require any spyware database updates (page 5 or 6)
  • MSI installer includes update service with automatic updates (page 15 and 16)
The software does not depend on spyware definitions like most other anti-keyloggers because it protects the user using a different method. I'm assuming that these are the updates you were talking about?

http://www.guardedid.com/pdf/GID_30.pdf

I don't think I'm explaining my concerns regarding GID very well. Let me try another angle. Think of all software running on the machine as belonging to one of two categories:

1) PRIVILEGED - includes the OS kernel, most modules called "drivers", and malware in the "rootkit" category on sufficiently unfortunate machines.

2) UNPRIVILEGED - everything else. The vast bulk of all apps, including browsers, media players, services, yadda yadda, all runs as unprivileged code which requires the cooperation of something in the first category in order to have access to hardware and to run at all.

There is no hierarchy within the PRIVILEGED category. Once a code module somehow manages to get down there, courtesy of the administrator installing it, or through some underhanded trickery (a rootkit), it is all-powerful. If it's malware, it can subvert the kernel itself, install whatever it likes, deactivate or fool all software firewalls, communicate via the network... anything it wants to do.

What GID does is to place a tunnel from a particular point in the PRIVILEGED area to browsers and other similar apps. Its achilles heel is the fact that malware which has successfully gained the ability to work as privileged code can "peek" at the data as it enters the secure tunnel - if it knows the tunnel exists!

That's why I'm harping on about the importance of updates. Because of a lack of hierarchy, privileged code which would seek to prevent other privileged code from doing certain things must constantly evolve in response to the changing nature of the threat. Otherwise, if the "good" privileged code remains static, "bad" privileged code can be written to work around any and all obstacles put in front of it.

The GID brochures seem quite vague on the topic of how their checks for privileged malware are implemented. That's partially because they don't want to make it too easy for the bad guys, but probably also because it's ####ing hard to win that game, especially if you don't regularly provide updates! Creating a static secure tunnel is relatively easy. Keeping privileged malware from interfering with the tunnel's entry is much harder. That's why they're coy about their update strategies, including those phrases from the PDF you linked to (I had a look through it).

About the best thing you could say would be that few malware authors would bother to specifically circumvent GID, especially if its own profile kept on changing. The cartels which develop phishing scams and keyloggers are into the theory of large numbers - they throw their stuff out there and enough people get hit by it to make the venture commercially viable (somebody has to pay the competent nerd to code the keylogger). The fact that GID would be found on <<1% of all machines makes it more trouble than it's worth to bother circumventing.

But they could. If they wanted to.
 

I see what you are saying. So in order to keep the product effective, they would need to monitor and patch any discovered vulnerabilities.
 

I see what you are saying. So in order to keep the product effective, they would need to monitor and patch any discovered vulnerabilities.

Yes, exactly. In privileged mode, all software is equal in terms of authority. Constant metamorphosis is the only way to stay ahead if you're hoping to detect or prevent something that doesn't want to be detected and prevented.

That's why the AV companies spend so much of their time and effort on updates. It's an expensive game though, and my guess is that GID doesn't really feel thrilled about having to play it. They'd rather de-emphasise that aspect of the problem, as would I in their place.
 
