Saturday, February 8, 2014

Keyloggers: A Risk Assessment

What might happen to you if someone could learn all your passwords--if they could access all your bank accounts, your e-mail accounts, your electronic tax returns, and the like? What if they could view your Internet browsing, read your e-mail and documents, follow your instant message conversations, and gain access to your calendar? What if they could connect to your VPN, order from your Amazon.com account, track when that Fedex package is due for delivery, transfer your airline miles, and contact the people in your address book? All of this could happen, and more, if someone manages to get a keylogger on your computer.

The KeyGrabber USB keylogger
A keylogger can be an actual physical device, or it may be nothing more than a piece of software. Keyloggers log or record each keystroke you make without your knowledge. Some keyloggers monitor not only keystrokes but also image files that are viewed, screenshots, and web browsing logs; they store any information copied to the clipboard, and they log any information submitted in a text field (so, for example, even if you cut and paste a password into a text field and can only see asterisks, the keylogger will record both what was cut to the clipboard for pasting and the text that lies behind the asterisks).

Who uses keyloggers? It could be a competitor or a disgruntled employee in the office. It could be a suspicious spouse or a watchful parent. It could be a criminal wanting some ill-gotten gains at your expense. Perhaps it's that nosy neighbor. With the powerful encryption software that is available to end users these days, it is in most cases easier even for government-level attackers to compromise your access credentials using methods such as keylogging than it is to decipher your encrypted data without the password. Keyloggers are ubiquitous and easily available from relatively reputable sources. Many inexpensive varieties are available, for example, on Amazon.com.

A hardware keylogger is most commonly a small device that plugs into the USB or PS/2 port of one's computer; the keyboard is then plugged into the keylogger. It's quite easy for someone who has a moment of unattended access to your computer to unplug your keyboard, plug in the keylogger, and plug your keyboard back in. The keylogger then begins storing its log of information. That keylogger could be recovered at a later time, and the information is theirs; or, these days, it's more likely the information is sent through the computer's existing network connection, or wirelessly directly to a router, bypassing your computer's security. You don't see any extra dongles plugged into your computer? That doesn't mean you don't have a hardware keylogger installed. If your attacker has some basic skills with a screwdriver and a few extra moments, she may install a keylogger designed to sit inside the computer case or inside the keyboard housing.

Someone installing a keylogger is vulnerable to discovery while they install the device, when they recover the device, or when they remotely access the information from the device. If you discover keystroke capturing hardware on your computer, you may be able to trace the culprit's IP address or e-mail address and expose his identity.

Software keyloggers may also be installed just like normal software by anyone who gains access to your computer. They may also "infect" your computer the same way viruses or trojans do, by downloading or clicking on a malicious link or infected file. Some keylogging software is easier to detect than others. Computer code can be injected into the computer's BIOS or memory, or the OS can be modified, or a small program loaded. If you're lucky, the keylogging software will interfere with your normal computer operation and you'll discover the security breach.

Because different keyloggers work on different principles, it can be difficult to make sure none are active on your system. You can help avoid keylogging on your computer by controlling physical access to your computer. Use strong passwords that are changed regularly. Keep your software updated with the latest security fixes. Practice good computer hygiene, only opening attachments and downloading software from sources you trust. Make sure your wireless transmissions are encrypted. Inspect any cables or devices that connect to your system. A good firewall will block any unauthorized network transmissions from your computer, such as data being sent from malware or a keylogger. A password manager can defeat many unsophisticated keylogger tactics.

One of the more keylogger-unfriendly ways to enter a password is to mess with any log by entering a bogus password into the field, then going over it once or twice copying and pasting characters into different positions, highlighting characters and typing over them, etc. Just know that even tactics like these (or copying your password from one location to paste in the password field) won't defeat sophisticated keyloggers which monitor the contents of the clipboard, take screenshots of the mouse pointer anytime you click the mouse, or read the text field (your actual password, not the asterisks or dots you see on your screen) as it stands when you send the password.

If you suspect your computer may already be compromised by keyloggers, it's time to employ an anti-keylogger utility, anti-malware software, or a security suite that incorporates keylogger detection. Sadly, there are fewer tools for fighting keyloggers than there are keyloggers readily available. The black-hat keyloggers and white-hat anti-malware coders are constantly engaged in a war of attrition, so don't become complacent: that anti-keylogger that worked like a charm last time may not work on the next attack.

In my assessment, for most of us the threat of keylogging comes from people we know--relatives, co-workers, and the like. Because keyloggers are so readily available, inexpensive, and simple to use, it's worth taking precautions, especially if you have significant assets to protect, could be exposed to liability, or are engaged in criminal activity. For those of you with tinfoil hats, just realize that the government has several ways to capture the information gained from a keylogger that most of us don't have the resources to combat: acoustic analysis (analyzing the subtle differences in sound each key makes), electromagnetic emissions, and optical surveillance from hidden cameras.


Considering the costs and benefits of protecting my own data, I'm choosing to take whatever preventative measures seem good (change passwords, use strong passwords, practice good hygiene, etc.), monitor my credit, and not do any shenanigans on my computer I wouldn't want others to learn. I think the idea of rock-solid security does not hold up to the rigors of real life--so better to plan for leaks than to rely completely on OPSEC. And as with home security it's probably only really worthwhile keeping casual snoopers out of your affairs; a dedicated professional could probably defeat any precautions I'm likely to take.

Have you had a personal experience with keylogging? I'd like to hear about it in the comments.

1 comment:

  1. Watch out for phone calls from people misrepresenting your security programs, saying you have problems with your computer and they are getting reports on their server that your computer needs to be fixed and cleaned, and then charging you up to 300 dollars to install fake programs and adding key logging software in your machine.