Solving the Keylogger Conundrum

The geek shall inherit the earth! This is the slogan that has reverberated out from Silicon Valley from the mid-90s, as we all realized that technology was, actually, fun, interesting, essential. Geek chic took over the worlds of film, fashion – and even finance. Suddenly it was cool to be into computers.

But the rise of the geek didn’t just confine itself to the light-hearted entertainment, start-ups that went stratospheric, or successful transformations of “old economy’ businesses. Computers and crime have come together. Mobsters are no longer the fast-talking, pin-striped, gun-toting caricatures of Hollywood legend. Criminal organizations are just as likely to be behind hacking and phishing networks as illegal gambling rackets and gun-running operations – with the same levels of profitability.

These days the weapons of choice are not sawn-off automatics, or revolvers fitted with silencers. It’s much more likely to be illicitly gathered passwords, user-names and dates of birth. And of the armory at their disposal, keyloggers are an increasingly popular choice.

Available in either software or hardware form, keyloggers record every stroke made on a keyboard, and compile the data gathered to reconstruct login details, PINs, encryption codes, mothers’ maiden names or any other form of security information. From there it is but a short journey to inviting vistas of identity theft, industrial espionage, blackmail, or simple credit card misappropriation.

Successful surveillance
In an age when CPUs are increasingly central to so many aspects of our lives, and the quality of information is a key differentiator between businesses, it is not surprising that keyloggers have proved to be so attractive to criminals.

Despite this, the keylogger/criminal connection has on occasion worked in the interests of the good guys. In one of the earliest examples of cyber-crime fighting, Nicodemo Scarfo Jr, a well-connected member of the New York and Philadelphia mobs, was brought down by the Magic Lantern keylogger that the FBI installed on his computer via a Trojan. Certainly not be the typical bullets-and-bloodshed take-down of popular imagination, it was still enough to indict him for running an illegal gambling ring and loan sharking.

At the time the story raised a number of concerns about computer privacy. Now it serves as a useful reminder that there is a positive side to keylogging. As well as serving the interests of law enforcement agents, keyloggers can help employers maintain productivity by ensuring that staff are working on appropriate projects. They can protect valuable bandwidth, by spotting when unnecessary applications have been downloaded and ensure optimum use of networked resources by encouraging personal web or system use is kept to appropriate levels.

Keyloggers can even be used in the interests of child protection, enabling parents to check their children’s computer activities, while giving those children a degree of independence and privacy.

Keyloggers and criminals
Nonetheless, it is still the darker side to these surveillance technologies that is more familiar to the majority of IT and security professionals. Using keyloggers gives thieves a veil of anonymity: they can plunder the treasure-trove of inter-connected corporate systems and storage devices at will, with very little chance of detection.

In the wrong hand therefore, keyloggers can damage business relationships, financial standing, and reputations. They can even cause an organisation to breach major pieces of legislation such as European Data Protection and Human Rights Acts, or the Sarbanes-Oxley Act in the States.

Nor is it just large corporates that experience keylogging attacks. They may well be the most attractive targets, but individuals’ personal details are at risk from a carefully located keylogger – and far less likely to be adequately protected. In fact, any individual or organization that accesses, inputs or stores valuable information is at risk.

Software or hardware
Nicodemo Scarfo was caught out by a Magic Lantern, software keylogger that infected his machine through a Trojan, and this is the way that the majority of keyloggers work. The advantage of the software versions is that they are easy to install – despite the constant warnings, too many people lose the war between curiosity and caution and open up spyware, Trojan or virus-infected files and emails. Software also enables thieves to infect a huge number of machines and gather the data quickly, easily and remotely.

Fortunately, detection is becoming much easier. The attractions of the bigger corporates are tempered by the increasing awareness of IT security managers, who keep machines protected with the latest anti-virus software to prevent Trojans and spyware entering the system in the first place. Should a keylogger slip through the net, standard protection tools that monitor the status of a computer can detect and remove them.

Unfortunately, security managers are locked in a game of one-upmanship with criminals who have followed the lead of the most successful businesses and taken the maxim “innovate or die’ to heart. As security measures improve, so criminals find new ways to breach them. In this case that means hardware keyloggers. These devices are much harder to detect than software since they do not install any code onto the machine and cannot be spotted by traditional anti-virus or anti-spyware tools.

Installing the hardware
Hardware keyloggers take two main forms. The first, and probably the most common, is a small device installed at the back of a PC between the keyboard and its connection to the machine.

As with all hardware keyloggers, it requires the attacker to have physical access to the computer in question, both to install and later retrieve the device. With social engineering growing in sophistication, this doesn’t pose a problem to the determined individual, particularly as it takes a matter of seconds to install, and requires no technical skill. These kinds of keyloggers may only be approximately 1.5 inches long, but they have a memory capacity that allows up to two million key strokes to be recorded – which represents about five years’ worth of typing for the average computer user. Happily, this type of hardware keylogger is also the easiest to detect visually – provided you know what to look for.

More insidious forms of keyloggers are built into the keyboard. Thieves will either replace the keyboard completely or dismantle it, insert a keylogging device, and re-assemble it. Naturally this requires a greater degree of skill on the part of the criminal, and takes more time to complete. But the chances of visual or manual detection are almost zero.

Self-defense
The good news is that organizations can defend themselves against determined keyloggers. The first step, as with all effective security measures, is to educate and train users to raise awareness and create a culture of individual responsibility. The number of PCs in large companies makes it impractical for the IT security manager to check the back of every single box and every single keyboard manually. Users who carry out basic monitoring of their own equipment greatly increase the chances of detecting any rogue devices.

Secondly, organizations should look at alternatives to desktop PCs. Although still susceptible to hardware keyloggers, the inbuilt keyboards of laptop computers are far harder to tamper with. However, greater use of mobile devices brings new security challenges, which must be balanced against the reduced threat from keyloggers.

Then there are the secure tokens, smart cards or other devices that are used to provide a second layer of authentication after user names and passwords. These work by having a constantly changing passcode, meaning that any data gathered by a keylogger is immediately invalid, and cannot be used to sneak into the system.

Organizations should also consider increasing the use of drop down menus for gathering information. Instead of typing in information with trackable keystrokes, drop downs enable users to select characters or words with the mouse, which a keylogger cannot record. However, in addition to these more general security tools, there are a number of applications, recently on the market, that can automatically identify hardware keyloggers. These software solutions disable the devices by intercepting and blocking communications between it and the targeted computer. The software also alerts the IT department to the presence of keyloggers.

The secure organization
Keyloggers are such a potent source of danger because they exploit the gap created by not one but two notoriously weak areas of IT security. The first is our ongoing reliance on passwords. Sophisticated intrusion prevention or segmented access authorization do add extra layers of protection to corporate networks, but they still cannot distinguish between a legitimate user with the right password and a malicious one.

The second is old-fashioned physical security, often forgotten when devising strategies to protect virtual assets. Since hardware keyloggers require physical access to the targeted machine the criminal must be in the presence of that computer, even if it’s only for a matter of seconds. If they are to protect themselves against keyloggers, organizations have to give the broadest possible definition to IT security. That means policies to help employees recognize social engineering attacks, and even conducting thorough background checks on auxiliary staff who have access to the building.

After all, if you think your data is worth protecting, then someone else will think it is worth stealing.