
Trojans & Keyloggers - a powerful combination

Much has been made of keyloggers in the press in recent times. Keylogging (or keystroke logging) is the capturing of what a computer user types on a keyboard. Historically, keystroke logging has proven useful in determining the sources of errors in computer systems and in measuring user productivity. Of course, it has other uses too, such as spying on users' actions. Typically, once installed, the user's keystrokes are saved to a file and sent at regular intervals to the attacker. This surreptitious kind of keystroke logging can be achieved in a number of inventive ways.

Take the very recent case of Tamara Mellon, the Jimmy Choo shoes entrepreneur. London's Southwark Crown Court heard that her former husband had paid a private detective agency to spy on her during the couple's divorce. The allegation is that Matthew Mellon hired the company to send an email to his estranged wife. The email purported to offer 'inside information' on Mr Mellon and was duly opened, but it was a Trojan horse which allegedly installed a keystroke logger onto her machine. Techniques like this rely on conning the victim using a combination of what we in the information security industry term 'social engineering' and technology. This approach is used more frequently than the general public may realise, especially by organised crime. Evading antivirus software is also highly achievable, particularly when a new strain of malicious software is used to perform the dirty work. Although we often look for technological solutions to such dilemmas, how often does your firm conduct security checks involving a person crawling under a desk to confirm that the computer itself has not been physically tampered with? This is not common practice for many, but doing so could avert potential security breaches.
Hardware keystroke loggers are devices that are much less likely to be detected by antivirus-style software, since they install no code on the machine; hence their increasing popularity amongst the criminal community. One type of physical keystroke logger is a small device that connects into the back of the computer where the keyboard normally plugs in. The keyboard is then plugged into the device, which is unlikely to be noticed by the casual observer. With this kind of device, the attacker also needs physical access to the computer both to install and to retrieve it, because it stores the keystrokes internally. A device of this type was used in an attempt to access sensitive information inside the London branch of Japan's Sumitomo Bank a few years ago. Installed by attackers masquerading as cleaning staff and aided by a security guard, it was fortunately uncovered before any fraud was committed. It has been mentioned that some firms' countermeasure for such attacks is to actually super-glue the keyboard connection to the back of the PC! Yet another type of hardware keylogger involves the keyboard itself, either by replacing the entire keyboard or by dismantling the existing one and fitting the logger inside. The latter is obviously more difficult to detect. On the positive front, users can protect themselves from these devices by regularly checking their equipment and by receiving IT security awareness training from their employers. A more widely used countermeasure, however, is two-factor authentication, which combines two separate methods. This raises the security level because the user must not only know something (e.g. the password) but also have something (e.g. a security token). Examples are smart cards (often inserted into the PC to produce logon credentials), USB tokens and one-time password generators. Of course, two-factor authentication means more investment, but where a breach of the asset being protected would cost more than the control, it should be considered.
It certainly helps many IT security managers sleep better at night. Although security is often viewed by companies as a luxury item, one argument is that companies can 'gain by not losing' money as a result of a security breach. Companies put a lot of effort into making a profit, and then they must pay tax on that profit. When they lose money through theft, or through the fines that follow, the impact is therefore vast. Just ask TK Maxx, who seemingly did not adequately protect millions of credit card details and whose reputation has since taken a very public battering.

Alan Phillips MBCS