At the recent 44con security conference, held at The Grange Hotel in London, UK, Neil Kettle of Digit Security Ltd gave a presentation detailing the design of just one of the protections that Trusteer claim their product, Trusteer Rapport, provides to its users.
The material disclosed covered both the design and the implementation of the anti-keylogger protection that Trusteer claim is an integral part of Trusteer Rapport, and in doing so showed how easily that protection can be both switched off and bypassed using functionality provided by Trusteer Rapport itself. It follows that what was disclosed is a flaw in the design of the protection and not merely a software bug. The flaw affects both the Apple Mac OS X and Microsoft Windows versions of Trusteer Rapport, presumably all versions up to and including Emerald Release 3.6.1105.54 (OS X).
This research is, to our knowledge, the first attempt to discover the internal mechanisms Trusteer Rapport uses to “protect[...] web communication between enterprises, such as banks, and their customers and employees.” [1] Previous testing of Trusteer Rapport has only sought to prove its efficacy against known, existing malware, which is presumably exactly what Trusteer designed Rapport to protect users against [2]. We therefore believe this research constitutes the first disinterested review of the internal mechanisms behind just one aspect of the protection Trusteer claim Rapport provides. Suffice it to say, given the results obtained so far, it will be interesting to see what else can be turned up inside Trusteer Rapport, and how Trusteer will attempt to mitigate the design flaws Digit Security has identified. In the absence of a detailed design document, which only Trusteer can possess, reverse engineering Trusteer Rapport may be the only effective avenue available to those for whom marketing claims are not enough to establish that a product is secure, or even fit for purpose.
Finally, whilst the flaws provide a means to bypass the anti-keylogger protection of Trusteer Rapport, it is important to understand that no current malware is known to exploit them; uninstalling Trusteer Rapport from your system is therefore neither a solution nor advisable. Until malware authors take the presence of Trusteer Rapport into account, Rapport remains effective against existing malware. One thing is clear, however: the more prevalent Trusteer Rapport becomes, the more attractive a target it will be for financial malware developers.
[1] – Trusteer
[2] – RLR-UK, “Testing Rapport 912.25 against specified Keyloggers & Screen Capture [malware]”
The first vulnerability advisory affecting Securstar DriveCrypt has been released; although it is a single advisory, it covers several distinct vulnerabilities.
The vulnerability exists because a user-supplied pointer, embedded in a structure passed as the argument to the IOCTL interface exported by the globally accessible “\\.\DCR” device, is not validated before it is dereferenced. An attacker exploiting this vulnerability may execute arbitrary code with kernel-mode privileges, or cause a denial of service through the page fault triggered by dereferencing an invalid pointer. All versions of Securstar DriveCrypt up to and including 5.2 are affected.
Digit Security typically waits for vendors to release verifiable patches for the issues and vulnerabilities we discover. In this case, the following comment from Securstar regarding some of the fixes applied in the latest version of DriveCrypt should be noted:
“The user mode app still leverages the driver for some of the I/O, but in a way which cannot be exploited as easily as before, without some prior transient elevation to admin level. I am still checking a couple of aspects to be sure it is reasonably secure, i.e. less easy to exploit.”
The exploit targeting the recently released vulnerability in DESlock+ has been updated to target later versions of DESlock+. The exploit can be found on the research page or, if you prefer, at digit-labs.org.
The first vulnerability advisory affecting Data Encryption Systems DESlock+ has been released, in the hope that a two-and-a-half-year-old vulnerability will finally be fixed.
The vulnerability exists because a user-supplied pointer, embedded in a structure passed as the argument to the IOCTL interface exported by the globally accessible “\\.\DLPTokenWalter0” device, is not validated before it is dereferenced. An attacker exploiting this vulnerability may execute arbitrary code with kernel-mode privileges, or cause a denial of service through the page fault triggered by dereferencing an invalid pointer. All versions of DESlock+ are affected, including the CESG CCTM (http://www.cctmark.gov.uk/) approved version (v3.2.7). It should be noted that whilst Data Encryption Systems Ltd continue to tout the CCTM accreditation, the accreditation itself expired in May 2010.
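The DriveCrypt and DESlock+ advisories above describe the same bug class: an IOCTL handler that dereferences a pointer the caller embedded in the request structure without first checking that it points into user space. The following is an added example written for this page, not code from either vendor's driver nor from Digit Security's advisories or exploit. It shows a hypothetical handler in the unchecked form the advisories describe, beside a hardened form with the missing probe, as a user-mode simulation in portable C so that it runs without a Windows kernel. The simulated address space, the structure layout, the status names and the reply bytes are all assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated address space (an assumption for the demo): offsets below
 * USER_LIMIT are "user" pages, offsets from USER_LIMIT up to ADDR_SPACE are
 * "kernel" pages, and anything beyond ADDR_SPACE is unmapped. The split stands
 * in for the real user/kernel boundary that ProbeForRead/ProbeForWrite enforce
 * against MmUserProbeAddress.
 */
#define ADDR_SPACE 0x10000u
#define USER_LIMIT 0x8000u
static uint8_t g_mem[ADDR_SPACE];

/* Status codes; the names are assumed and only mirror NTSTATUS semantics. */
enum { ST_SUCCESS = 0, ST_ACCESS_VIOLATION = 1 };

/* Hypothetical IOCTL input block. The I/O manager copies the structure itself
 * into a kernel buffer, but the pointer inside it is whatever the caller wrote,
 * and the driver writes its reply through that pointer. */
typedef struct {
    uint32_t out_addr;  /* user-supplied pointer (simulated address) */
    uint32_t out_len;   /* user-supplied length */
} ioctl_req_t;

/* Constructed reply data the handler copies out to the caller. */
#define REPLY_LEN 8u
static const uint8_t g_reply[REPLY_LEN] = { 'R', 'E', 'P', 'L', 'Y', '0', '0', '1' };

/* Vulnerable handler: trusts req->out_addr exactly as the advisories describe.
 * Pointing it at a kernel page yields a write-what-where; pointing it at an
 * unmapped page faults in ring 0. */
int ioctl_vulnerable(const ioctl_req_t *req)
{
    uint32_t n = req->out_len < REPLY_LEN ? req->out_len : REPLY_LEN;
    /* This bounds check only keeps the simulation inside g_mem; a real driver
     * has nothing here and takes the page fault, i.e. a bugcheck (the DoS case). */
    if ((uint64_t)req->out_addr + n > ADDR_SPACE)
        return ST_ACCESS_VIOLATION;
    memcpy(&g_mem[req->out_addr], g_reply, n);
    return ST_SUCCESS;
}

/* The missing check: the whole range [addr, addr + len) must lie in user
 * space. Widening to 64 bits stops a large length from wrapping past the
 * limit. (The real ProbeForWrite also enforces alignment; omitted here.) */
int probe_for_write(uint32_t addr, uint32_t len)
{
    uint64_t end = (uint64_t)addr + len;
    if (addr >= USER_LIMIT || end > USER_LIMIT)
        return ST_ACCESS_VIOLATION;
    return ST_SUCCESS;
}

/* Hardened handler: copy the request once, validate the copy, then use only
 * the copy, so a racing user thread cannot swap the pointer between the check
 * and the write (double fetch / TOCTOU). */
int ioctl_hardened(const ioctl_req_t *req)
{
    ioctl_req_t local = *req;
    uint32_t n = local.out_len < REPLY_LEN ? local.out_len : REPLY_LEN;
    int st = probe_for_write(local.out_addr, n);
    if (st != ST_SUCCESS)
        return st;
    memcpy(&g_mem[local.out_addr], g_reply, n);
    return ST_SUCCESS;
}

/* Helper: did the reply land at addr in the simulated address space? */
int mem_matches(uint32_t addr, const uint8_t *expect, uint32_t n)
{
    if ((uint64_t)addr + n > ADDR_SPACE)
        return 0;
    return memcmp(&g_mem[addr], expect, n) == 0;
}

int main(void)
{
    ioctl_req_t legit = { 0x1000u, REPLY_LEN };  /* user page */
    ioctl_req_t evil  = { 0x9000u, REPLY_LEN };  /* kernel page: write-what-where */
    ioctl_req_t wrap  = { 0x7FFCu, REPLY_LEN };  /* straddles the boundary */
    ioctl_req_t bad   = { 0xFFFCu, REPLY_LEN };  /* runs off the end: page fault */

    printf("vulnerable, kernel page:   status %d, kernel bytes written: %d\n",
           ioctl_vulnerable(&evil), mem_matches(0x9000u, g_reply, REPLY_LEN));
    printf("vulnerable, unmapped page: status %d\n", ioctl_vulnerable(&bad));
    printf("hardened, user page:       status %d\n", ioctl_hardened(&legit));
    printf("hardened, kernel page:     status %d\n", ioctl_hardened(&evil));
    printf("hardened, straddling:      status %d\n", ioctl_hardened(&wrap));
    return 0;
}
```

The hardened handler differs from the vulnerable one in only two respects, and both matter: the probe covers the whole range rather than just the start address, so a buffer that begins in user space but ends in the kernel is rejected, and the request is copied before it is validated so the check and the use see the same pointer.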
Data Encryption Systems Ltd received the “Encryption Solution of the Year” award at “The Computing Security Awards 2010” (http://www.computingsecurityawards.co.uk/).