key logger protection?

what does it take to get a key logger on to OSX? i am more looking at this from a hardening exercise, for high security workflows. what would be best practices in this space?

anyone?


ok, some more details; of the two types of software key loggers, a kernel mode key logger would need admin rights or an admin elevation. what about a user mode key logger?

What specifically are you wondering about? How to create a key logger or how to protect against one?

protection against one

specifically, i am looking for high security workflows, protecting against key loggers (kernel mode and user mode), and localized password types of attacks such as the local account DB, and password caching, etc.

Well, that's something I can't really help you with. Good luck though 🙂

Let's face facts. You're posting a question about OS X security software, and the way you've presented that post is leaving people to wonder, "Is this someone who's actually doing what they say they're doing, or someone who's trying to do the opposite but doesn't want to do the necessary research." And, given that it's 2016, and the Internet exists, most of the information you're looking for is accessible if you know where to look for it.


So, what have you read, and what difficulties have you encountered understanding what you've read?

I specifically said "protection", and am looking for best practices for high security workflows. this should not be that esoteric a question. nowadays, the biggest threats are attacks against credentials, such as creds in memory, cached creds, any local DBs for storing such creds and finally the "keyboard", which is vulnerable to key loggers. A hardware key logger requires physical access, a kernel mode one requires it to be installed with admin rights or as root, but that leaves a user mode logger: is it even possible? would a user mode logger have access to anything?


also, what sorts of stuff, eg best practices, do others use or deploy who have already done or are doing this sort of stuff? from what I gathered so far (don't know about the user mode question), locking the Mac down, no admin rights and using decent end point/AV software seems to be about it.

deep security stuff on mac is an easter egg hunt...


GhostInShell

Well said - I'd hope anyone working around me as a 'high security workflow' type could at least use more technical/professional terms than creds and sort(s) of stuff, all while knowing how to use spell check and search engines.


Just because someone leans heavily on social engineering, buzz words and urban slang doesn't mean everyone falls for it.


GhostInTheMaChine

After some research i have gathered a partial answer to this question. SIP offers some protection against some key logging software. Also, kernel mode key loggers require the kext file to be loaded or some other sort of system level insertion. so for those types of loggers, running as non admin and enabling Gatekeeper is a good start; also, security software (AV) is said to have key logger blocking.


the only outstanding question is: is a user mode key logger possible? ie, if someone is able to load some code in userspace and bypass the sandbox but it's running only in user mode, would it have access to anything?



Ghostinshell

the only outstanding question, is: is a user mode key logger possible?

Yes. There are several Cocoa and Carbon APIs that allow this.

ie, if someone is able to load some code in userspace and bypass the sandbox...

Any user-space key logger would have to rely on the accessibility APIs, which aren't available to sandboxed applications, anyway. However, Developer-ID-signed applications for OS X aren't required to be sandboxed. The easiest way to ensure that such OS X applications aren't misusing the accessibility API to read your keystrokes is to periodically audit System Preferences > Security & Privacy > Privacy > Accessibility.
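
Added example, not part of the reply above and not Apple tooling: a scripted form of the Accessibility audit that reply recommends, run against a copy of the TCC database and compared with an approved list. The `access` table layout (`allowed` or `auth_value` column), the `kTCCServiceAccessibility` service name as stored there, and every `com.example.*` client are assumptions or constructed sample data.

```python
import sqlite3
import sys
from pathlib import Path

SERVICE = "kTCCServiceAccessibility"  # TCC service name for Accessibility


def accessibility_clients(conn):
    """Return sorted (client, granted) pairs recorded for Accessibility."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:      # assumed newer layout: 2 means allowed
        granted = "auth_value = 2"
    elif "allowed" in cols:       # assumed older layout: 1 means allowed
        granted = "allowed = 1"
    else:
        raise RuntimeError("unrecognised TCC access table layout")
    rows = conn.execute(
        f"SELECT client, {granted} FROM access WHERE service = ? ORDER BY client",
        (SERVICE,),
    )
    return [(client, bool(flag)) for client, flag in rows]


def unexpected_grants(conn, approved):
    """Clients holding an Accessibility grant that are not on the approved list."""
    return [c for c, ok in accessibility_clients(conn) if ok and c not in approved]


def sample_db(column="allowed", on=1):
    """Constructed in-memory database with made-up clients, for offline runs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, {column} INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        (SERVICE, "com.example.windowmanager", on),     # approved helper
        (SERVICE, "com.example.unknownhelper", on),     # not on the approved list
        (SERVICE, "com.example.oldtool", 0),            # listed but switched off
        ("kTCCServiceCamera", "com.example.chat", on),  # different service
    ])
    return conn


if __name__ == "__main__":
    # Pass a path to a copy of TCC.db to audit it; otherwise use the sample data.
    if len(sys.argv) > 1:
        uri = Path(sys.argv[1]).resolve().as_uri() + "?mode=ro"
        conn = sqlite3.connect(uri, uri=True)
    else:
        conn = sample_db()
    for client in unexpected_grants(conn, approved={"com.example.windowmanager"}):
        print("review Accessibility grant:", client)
```

Entries that are listed but switched off are reported by `accessibility_clients` with `False`, so they can be pruned as well as the unexpected grants.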
