Thursday 14 May 2009

In The Field: Keylogging

I've never actually had to use keyloggers out in the field on assignment - I don't normally take on the all-out 'break in' jobs because they are fraught with mishap and, if I'm going to be a bit snooty, they are usually more 'private investigator' than proper security researcher. I do however give presentations to organisations about the dangers of these wee devices and how easily they can be smuggled in and out of data centres and the workplace.

Keyloggers are a real threat because they have come of age:
  • They're cheap, a pair can be had for less than GBP40.
  • They are small and inconspicuous.
  • They are easy to use and easy to get data from.
  • Standard anti-virus software will not pick them up.
  • They typically have 2Mb to 4Mb of text memory (which could be several years' worth).
The standard MO is to plug the keylogger into the PS/2 or USB port and then plug the keyboard into the keylogger. It acts as a man in the middle, recording the input from the keyboard while also watching for a keyword typed on the keyboard that activates the text-based user interface. They typically ship with a predetermined word such as 'keylog'. When the keylogger sees that word being typed, it sends characters to the PC; that is how the interface works. So long as you are in a text editor, the text will roll onto the screen. No software is required.

In fact, here is a sample from Kate, the KDE text editor. This output is from a 2Mb PS/2 type keylogger used on Fedora Linux. Typing keylog into Kate has automatically typed in the interface menu. The attacker can change the keyword and some of the behaviour of the data recovery. In this sample you can see a URL that has been typed into a browser. Obviously, as part of the job recon, the length of time the logger stays in place has to be carefully assessed so that drops can be organised with minimum disruption (people crawling under desks create suspicion); also, most users log on to systems once a day, so the start of the day is a critical time.

For corporates protecting against this, I have only ever used one solution: glue. One client I advised filled the USB slots with Araldite and glued the PS/2 connectors in place. This may sound insane, but software-based solutions won't work when the PC is switched off, and USB device-insertion detection and the like will create huge amounts of noise.
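To make the noise problem concrete, here is an added example (my own illustration, not code from the post or from any product it mentions) of the kind of software check a corporate might run: it diffs an `lsusb`-style listing against a recorded baseline and an allowlist of expected vendor:product IDs. The line format is the one `lsusb` prints; the two listings and the ID `1a2b:3c4d` are constructed for the example, and the allowlist is an assumption of mine. Keying on the ID rather than on bus/device numbers is what keeps the check from alerting every time a keyboard is re-plugged, which is the noise the paragraph above warns about; the check still only works while the machine is on, and a logger that passes the keyboard through without enumerating itself never appears in such a listing at all.

```python
"""Baseline diff of a USB device inventory.

Added example, not code from the original post. It compares an `lsusb`-style
listing against a recorded baseline plus an allowlist of expected
vendor:product IDs and reports anything new. The listings below are constructed
for the example, not captures from a real machine.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Line format printed by `lsusb`, e.g.
# "Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120"
LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<id>[0-9a-f]{4}:[0-9a-f]{4})\s*(?P<desc>.*)$"
)

# Constructed baseline: what was plugged in when the desk was last checked.
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

# Constructed current listing: an unrecognised device (placeholder ID) has
# appeared and the keyboard has re-enumerated with a new device number.
CURRENT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 1a2b:3c4d
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""


def parse_lsusb(text: str) -> Dict[str, str]:
    """Map vendor:product ID -> description for every line that parses.

    Keying on the ID rather than on bus/device numbers is deliberate: device
    numbers change on every re-plug, which is exactly the noise a naive
    "something changed" alert would drown in.
    """
    devices: Dict[str, str] = {}
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices[m.group("id")] = m.group("desc").strip()
    return devices


def unexpected_devices(
    current_text: str,
    baseline_text: str,
    allowlist: FrozenSet[str] = frozenset(),
) -> List[Tuple[str, str]]:
    """Return (id, description) pairs for devices that are neither in the
    recorded baseline nor on the site-wide allowlist."""
    baseline = parse_lsusb(baseline_text)
    current = parse_lsusb(current_text)
    return sorted(
        (dev_id, desc)
        for dev_id, desc in current.items()
        if dev_id not in baseline and dev_id not in allowlist
    )


if __name__ == "__main__":
    # On a live host you would feed in subprocess.check_output(["lsusb"], text=True)
    # instead of the constructed CURRENT listing.
    findings = unexpected_devices(CURRENT, BASELINE)
    if findings:
        for dev_id, desc in findings:
            print(f"UNEXPECTED USB DEVICE {dev_id} {desc or '(no description)'}")
    else:
        print("USB inventory matches baseline")
```

Run on the constructed listings it reports the single unknown ID and stays quiet about the keyboard that merely moved from device 002 to 005; adding the ID to the allowlist silences it, which is how a site would absorb a legitimately new model of keyboard without retraining every baseline.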

Laptops are less risky; however, ZIF solutions that sit between the keyboard ZIF socket and the keyboard connector are not impossible and will one day be mainstream.

Friday 8 May 2009

Secure Email solutions and Phishing Email

One of the main problems with the secure email products (Cisco IronPort, Tumbleweed, Trend Micro) is that there is still no internet-wide standard for securing email. So if a large corporation wishes to send data to its consumers, it has to either:
  • Distribute identities to its customer base out of band, e.g. on the last statement or by letter.
  • Invite customers to sign up (low return rates).
  • Implement a shared-key secure email system (fraught with danger and a big deployment cost).
  • Implement a public key system like PGP/MIME (customers don't understand it, and who should own the key directory?).
  • Implement a secure pick-up solution by emailing out a link.


The problem is that many of the solutions implement the latter because of the technical and cost limitations of the other strategies. Another key problem with all of these strategies is that the Government and the banking industry are, quite rightly, advising the public not to click on links that offer to retrieve messages and the like. This flies in the face of the secure email product strategy and shows a clear weakness: a 'secure email' with a constructed link to pick up the message looks too similar to a phishing scam to be useful.


At present, PGP/MIME is the only email encryption strategy that I support, because it maintains the postal metaphor in that "I send you an email" and you can open it in your email client. All the other schemes break the metaphor by requiring the recipient to go and find a web server to get the message, using credentials 'owned' by a third party, leaving the recipient with an enormous number of schemes and credentials to remember. However, until PGP public keys become ubiquitous and key management is made usable by an ordinary user, secure email will continue to be a mish-mash of unique solutions across corporations and product providers.