Thursday, 14 May 2009

In The Field: Keylogging

I've never actually had to use keyloggers out in the field on assignment - I don't normally take on the all-out 'break in' jobs because they are fraught with mishap and, if I'm going to be a bit snooty, they are usually more 'private investigator' than proper security researcher. I do however give presentations to organisations about the dangers of these wee devices and how easily they can be smuggled in and out of data centres and the workplace.

Keyloggers are a real threat because they have come of age:
  • They're cheap, a pair can be had for less than GBP40.
  • They are small and inconspicuous.
  • They are easy to use and easy to get data from.
  • Standard anti-virus software will not pick them up.
  • They typically have 2Mb to 4Mb of text memory (which could be several years' worth).
The standard MO is to plug the relevant keylogger into the PS/2 or USB port and then the keyboard into the keylogger. It acts as a man in the middle: it records the input from the keyboard and also watches for a keyword typed on the keyboard that activates its text-based user interface. They typically come with a predetermined word such as 'keylog'. When the keylogger sees that word being typed, it sends its own characters to the PC as keystrokes, and that is how the interface works. So long as you are in a text editor, the text will roll onto the screen. No software is required.

In fact, here is a sample from Kate, the KDE text editor. This output is from a 2Mb PS/2 type keylogger used on Fedora Linux. Typing 'keylog' into Kate has automatically typed in the interface menu. The attacker can change the keyword and some of the behaviour of the data recovery. In this sample you can see a URL that has been typed into a browser. Obviously, as part of the job recon, how long the logger needs to stay in place has to be carefully assessed so that drops can be organised with minimum disruption (people crawling under desks create suspicion); also, most users log on to systems once a day, so the start of the day is a critical time.

For corporates protecting against this, I have only ever used one solution: glue. One client I advised filled the USB slots with Araldite and glued the PS/2 connectors in place. This may sound insane, but software-based solutions won't work while the PC is switched off, and USB device-change detection and the like generates huge amounts of noise.
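To make the point about software detection concrete, here is an added example (not from the original post): a small Python check that parses the text format of Linux's /proc/bus/input/devices, keeps a baseline of keyboard-class devices, and reports what appears or disappears. The device snapshots are constructed, and the vendor/product pair dead:beef stands for a hypothetical device that enumerates itself; it is a placeholder, not a real identifier. Run against the three constructed scenarios it shows why the approach is unsatisfying: an inline PS/2 device that never enumerates produces no difference at all, while merely moving a legitimate keyboard to another port produces the same "one added, one removed" alert as a device that announces itself.

```python
"""Baseline-and-diff check of keyboard-class input devices on Linux.

Added example. Parses /proc/bus/input/devices text (here: constructed
snapshots, abbreviated to the I/N/P/H lines the parser uses) and diffs the
keyboards seen now against a recorded baseline.
"""
import re
from dataclasses import dataclass

# --- constructed sample data -------------------------------------------------
PS2_KBD = """\
I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
P: Phys=isa0060/serio0/input0
H: Handlers=sysrq kbd event0 leds
"""
USB_KBD = """\
I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Logitech USB Keyboard"
P: Phys=usb-0000:00:1d.0-1/input0
H: Handlers=sysrq kbd event3 leds
"""
MOUSE = """\
I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="Logitech USB Optical Mouse"
P: Phys=usb-0000:00:1d.0-2/input0
H: Handlers=mouse0 event4
"""
# Hypothetical device that enumerates with its own (placeholder) IDs in the
# keyboard's place. dead:beef is a constructed placeholder, not a real product.
HYPOTHETICAL_HID = """\
I: Bus=0003 Vendor=dead Product=beef Version=0100
N: Name="HID Keyboard Device"
P: Phys=usb-0000:00:1d.0-1/input0
H: Handlers=sysrq kbd event5 leds
"""

BASELINE = "\n".join([PS2_KBD, USB_KBD, MOUSE])
# An inline PS/2 pass-through device adds nothing to the host's device list.
PS2_INLINE = BASELINE
# The same keyboard simply moved to a different USB port (legitimate, noisy).
REPLUG = BASELINE.replace("usb-0000:00:1d.0-1/input0", "usb-0000:00:1d.0-3/input0")
# Hypothetical self-enumerating device replacing the keyboard entry.
ENUMERATING = BASELINE.replace(USB_KBD, HYPOTHETICAL_HID)


@dataclass(frozen=True)
class InputDevice:
    bus: str
    vendor: str
    product: str
    name: str
    phys: str
    handlers: tuple

    @property
    def key(self):
        # Identity for the diff: what the device claims to be and where it sits.
        return (self.bus, self.vendor, self.product, self.phys)


_ID_RE = re.compile(r"Bus=(\w+)\s+Vendor=(\w+)\s+Product=(\w+)")


def parse_input_devices(text):
    """Parse /proc/bus/input/devices-style text into InputDevice records."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if len(line) >= 3 and line[1:3] == ": ":
                fields[line[0]] = line[3:]   # 'I', 'N', 'P', 'H', ...
        match = _ID_RE.search(fields.get("I", ""))
        if not match:
            continue
        name = fields.get("N", "").partition("=")[2].strip().strip('"')
        phys = fields.get("P", "").partition("=")[2].strip()
        handlers = tuple(fields.get("H", "").partition("=")[2].split())
        devices.append(InputDevice(*match.groups(), name, phys, handlers))
    return devices


def keyboards(devices):
    """Keep only devices the kernel bound to the keyboard handler."""
    return [d for d in devices if "kbd" in d.handlers]


def diff_keyboards(baseline_text, current_text):
    """Return (added, removed) keyboard devices relative to the baseline."""
    before = {d.key: d for d in keyboards(parse_input_devices(baseline_text))}
    after = {d.key: d for d in keyboards(parse_input_devices(current_text))}
    added = sorted((after[k] for k in after.keys() - before.keys()), key=lambda d: d.key)
    removed = sorted((before[k] for k in before.keys() - after.keys()), key=lambda d: d.key)
    return added, removed


def report(label, baseline_text, current_text):
    added, removed = diff_keyboards(baseline_text, current_text)
    lines = [f"{label}: {len(added)} added, {len(removed)} removed"]
    lines += [f"  + {d.vendor}:{d.product} {d.name!r} at {d.phys}" for d in added]
    lines += [f"  - {d.vendor}:{d.product} {d.name!r} at {d.phys}" for d in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("inline PS/2 device", BASELINE, PS2_INLINE))
    print(report("hypothetical self-enumerating USB device", BASELINE, ENUMERATING))
    print(report("same keyboard moved to another port", BASELINE, REPLUG))
```

On a real host the baseline would be read from /proc/bus/input/devices once the build is known-good and stored off the machine; the diff runs at boot or log-on. The two USB scenarios alerting identically is the noise problem, and the PS/2 scenario alerting on nothing is why the post reaches for glue.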

Laptops are less risky; however, ZIF devices that sit between the keyboard's ZIF socket and the keyboard connector are not impossible and will one day be mainstream.
