Enterprise security has traditionally been centered around gateway protection, preventing unauthorized access from the outside and securing access to the Internet from inside the company. The last few years have seen the industry’s attention extending to include endpoint security, which shares some of the same security threats as the gateway, but also presents new concerns.
Enforcing endpoint security is made more difficult due to attackers having physical access to the target machines. Beside negligent or disgruntled employees, an organization’s computers can be completely accessible to outsiders. For example, bank PCs are often positioned on a teller’s desk, with the computer’s backside and wiring exposed to customers. Even PCs inside locked offices are accessible to outsiders during off hours.
Employees may also snoop around in corporate data which they shouldn’t have access to, such as other employees’ e-mails or financial records. Common methods include connecting USB flash drives and copying data or adding network access points (a practice known as “bridging,’ where new connection points are opened into a previously isolated network). A subtler but more powerful attack entails leaving behind keyboard eavesdropping modules, known as keyloggers.
Keyloggers are software or hardware modules primarily meant to steal passwords and other sensitive inputs as they are typed into a terminal. They have evolved from easy to detect resident programs, to more powerful rootkit-style kernel components, and finally to small hardware plugs, which are undetectable to the target system. Their use as a tool for industrial espionage is described in the Joseph Finder novel “Paranoia” in which an attacker installs a keylogger on the target computer and collects them days or weeks later, with megabytes of sensitive data logged inside their flash memories.
Commercially available keyloggers may plug into USB or PS/2 keyboard ports which look similar to a keyboard adapter and go unnoticed unless the user searches for them. Installing them is extremely simple, requiring the same amount of technical knowledge as plugging in a keyboard. Other form factors allow surreptitiously installing keyloggers on the inside of a keyboard, or inside the body of a laptop.
Keyloggers are hard to detect and lead to embarrassing break-ins and because of these considerations most incidents go unreported. The incidents which do become public show that passwords stolen using keyloggers lead to large-scale attacks with huge losses.
Beside keyboard inputs, keyloggers can target credit card swipes, which usually share the same interfaces as keyboards. Once a magnetic card such as a credit card or an access card is swiped, a keylogger will record that data. A keylogger on a bank PC will obtain passwords entered using access cards and a keylogger installed on a cashier’s machine can gather thousands of valid credit card numbers per day. Cybercrime networks are willing to buy these records for hard cash, using them for unattended purchases over the Internet and telephone, or creating replicate credit and access cards. Until commercial organizations harden their requirements to include endpoint security, this threat will remain prevalent. Government and corporate regulation bodies like the Payment Card Industry Security Standards need to address the issue by mandating a higher level of endpoint security.
Once a keylogger is logged in, it can run applications such as an Internet browser or an IM session, or it can run queries on a database. It can even mount itself as a flash drive and copy data from local and network storage to internal memory, or it can install malware, spreading infection the internal network. Finally, the device can wait until the attacker collects it. As flash drive capacities increase every year, attackers can walk away with many gigabytes of sensitive information.
To summarize, keyloggers and other similar devices have not yet become the focus of attention for the security industry, but they have already caused severe security miscues with great costs and strong ramifications in the areas of retail and banking. Any industry which stores sensitive data on corporate networks – and today that’s every industry – will eventually be forced to upgrade its infrastructure to defend against attacks on its endpoints.