Slashdot Mirror


Keystroke Logging Increases

JamesAlfaro writes "Hackers are likely to release more than 6000 keylogging programs this year--up 65 percent from the number in 2004--according to Reston, Virginia, security vendor iDefense." From the article: "Each variant could lead to anything from a few to several thousand infections, Ken Dunham, senior engineer at iDefense, said. Keylogger software typically tracks keystrokes on infected computers and is used to try to steal sensitive information such as user names and credit card data. The biggest problem with keyloggers, which silently relay data to attackers, is that they often go undetected, easily slipping past firewalls and antivirus software, iDefense, a division of VeriSign, said."

204 comments

  1. Bundled with spyware? by jawtheshark · · Score: 5, Interesting
    At least that's what the article seems to imply. So the lesson here is: protect your computer, use Firefox, Ad-Aware and Spybot.

    For the moment it's fairly easy to find out when a machine has spyware. What would scare me is when a decent programmer will start to write such programs so that it is completely stealth and doesn't bring the machine to a grinding halt. After all, basically all spyware seems to be badly written and performance not an issue at all. A decent programmer, using all his skills could write a stealth spyware/keylogger that doesn't bog down the computer and goes undetected for a very long time. It shouldn't do popups, but just log the keys... A small background process could do this, and store locally, detect when a big download is started to camouflage its own traffic to the server by sending it while the big file gets downloaded. The day that that happens: we'll be all screwed.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:Bundled with spyware? by heffay · · Score: 3, Insightful

      Rootkits are getting more and more scary. The techniques they use to hide them are getting better as well. If you get a guy who really knows what he's doing, you'll have no idea something is even there.

    2. Re:Bundled with spyware? by BokLM · · Score: 5, Insightful

      For the moment it's fairly easy to find out when a machine has spyware. What would scare me is when a decent programmer will start to write such programs so that it is completely stealth and doesn't bring the machine to a grinding halt.

      And what makes you think it's not already happened? Maybe you're just not aware of it now.

      The Sony rootkit has been running on thousands of computers for months without anyone noticing it ... It's not as easy as you say to find out when a machine has spyware.

    3. Re:Bundled with spyware? by ergo98 · · Score: 2, Insightful

      What would scare me is when a decent programmer will start to write such programs so that it is completely stealth and doesn't bring the machine to a grinding halt. After all, basically all spyware seems to be badly written and performance not an issue at all. A decent programmer, using all his skills could write a stealth spyware/keylogger that doesn't bog down the computer and goes undetected for a very long time.

      Of course there are programs out there doing exactly this - custom made, highly targeted attacks. Just because the standard "look for all the well knowns" don't see it doesn't mean it isn't there, it just means it hasn't been as widespread of an attack to make it visible to them (or it could just be relatively quiet. As we know, Sony was busy owning machines across the land for some time before someone noticed). Of course to defend against event hook detection it would have to install a rootkit, and some of the rootkit detection tools are getting better (though the rootkit people are going to adapt - soon you'll have to run rootkit detection from a bootable CD).

      Hrmmm...I wonder if a non-privileged account can install a key sniffer: I do as "su" (RunAs) when I need to launch a system tool as administrator, and I wonder if a keyboard sniffer could capture my password, or whether it itself would have to be installed by an admin.

    4. Re:Bundled with spyware? by cwtrex · · Score: 2, Interesting
      "So the lesson here is: protect your computer, use Firefox, Ad-Aware and Spybot."
      That's what I keep saying. Unfortunately, I have people above me who insist on only using Microsoft's Windows Defender (aka antispyware). Poor misinformed souls. They seem to be anti-firefox too. Must burn their bottoms every time they see me logging a call or ordering a replacement part with good ol' Firefox. :) Anyway, more on topic, you forgot to also suggest keeping your anti-virus program up-to-date.
    5. Re:Bundled with spyware? by Anonymous Coward · · Score: 5, Interesting

      I found a keylogger immediately after it had gotten installed using the following method. "Find Files" on C: modified in the last day. Then sort on date/time and look at the most recent. That found the keylog files. I then used Winhex to inspect the memory of the program that I had found running and discovered it was trying to send the information to a darksingh666@hotmail.com

      Next step was to send the DarkSingh chap an email telling him what a cunt he is :-)

      In any case, the method is useful for detecting unknown non-rootkit loggers that don't encrypt their data. Works on all the corporate spyware our company install to make our PCs behave like 486s.
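The triage described in the comment above, as an added example that is not part of the original post: list files changed in the last day, newest first, and mark the ones that are almost entirely printable text, since the method targets loggers that do not encrypt their data. The 0.95 threshold, the function names and the sample file names are assumptions made for this sketch.

```python
import os
import stat
import string
import sys
import time
from collections import namedtuple

PRINTABLE = frozenset(string.printable.encode("ascii"))
# ratio = share of printable ASCII bytes in the first bytes of the file
Hit = namedtuple("Hit", "path mtime size ratio")


def text_ratio(path, sample=4096):
    """Fraction of printable ASCII bytes in the first `sample` bytes."""
    with open(path, "rb") as fh:
        data = fh.read(sample)
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def looks_plaintext(hit, threshold=0.95):
    """True for non-empty files that are almost all printable (threshold assumed)."""
    return hit.size > 0 and hit.ratio >= threshold


def recent_files(root, hours=24.0, now=None):
    """Regular files under `root` modified in the last `hours`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    # onerror ignores unreadable directories so one denied folder does not end the sweep
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode) or st.st_mtime < cutoff:
                    continue
                hits.append(Hit(path, st.st_mtime, st.st_size, text_ratio(path)))
            except OSError:
                continue  # locked, unreadable or already deleted
    hits.sort(key=lambda h: h.mtime, reverse=True)
    return hits


def build_sample_tree(base, now):
    """Constructed sample data: three files with controlled modification times."""
    def put(rel, data, age_hours):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        stamp = now - age_hours * 3600
        os.utime(path, (stamp, stamp))
        return path
    return {
        "log": put("temp/kl.dat", b"[window: Webmail]\nuser@example.test\n", 0.5),
        "blob": put("temp/cache.bin", bytes(range(256)) * 4, 2),
        "old": put("docs/report.txt", b"quarterly notes\n", 72),
    }


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for hit in recent_files(root):
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(hit.mtime))
        flag = "TEXT" if looks_plaintext(hit) else "    "
        print(when, flag, "%10d" % hit.size, hit.path)
```

As the comment says, this only surfaces loggers that write to ordinary files; a rootkit that hides its files from directory listings will not appear in the walk.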

    6. Re:Bundled with spyware? by general_re · · Score: 2, Insightful
      Unfortunately, I have people above me who insist on only using Microsoft's Windows Defender (aka antispyware). Poor misinformed souls.

      If you're only going to use one, the one from MS is not such a bad choice, in my experience - it's really pretty thorough. Of course, when I'm being rewarded with beer for fixing machines from friends and relatives, I never use just one, because there doesn't seem to be one single product that can do it all. YMMV.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    7. Re:Bundled with spyware? by igny · · Score: 2
      protect your computer, use Firefox, Ad-Aware and Spybot.

      I am using Mac OS X, is there any danger for me? I mean, I don't have any antispyware tools, and several times I had to use sudo to install some open source software... I am too lazy and incompetent to check the source (or even Makefile) to be sure it is safe. Certain closed source software asked for admin privileges upon installation as well... How can I be sure I am safe from keyloggers? Yes, Mac zealots claim Macs are safe, but it may be false.

      <paranoid>Could my Mac be the only Mac which is infected???</paranoid>
      --
      In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
    8. Re:Bundled with spyware? by Reziac · · Score: 3, Insightful

      Actually, when some independent outfit (I forget who, but it was reported here on /.) tested the various anti-spyware/adware apps, M$'s product came out #1, with the highest percentage of finds and kills. This isn't really so surprising when you remember that it is just the old Giant antispyware, an enterprise-class product, which M$ bought and apparently changed very little prior to releasing under their own name. Not that relying on a single solution is wise, but if you've got to pick just one (as may well be the case with an average user, who needs one that -- like M$'s -- will run in the background and not make them have to deal with it) M$'s antispyware is probably the best choice at the moment.

      And using Firefox and Thunderbird helps stop popups and some of the more obvious vulnerability routes (like that invention of the devil, ActiveX) but they won't save you if a keylogger does find its way aboard via some other route. Nor will a firewall stop a keylogger from phoning home, since to get around firewalls, they send their data via ordinary email in the background ... and who makes their firewall stop and query their email client each and every time it sends or receives anything??**

      And imagine a keylogger that uses, say, the Sony rootkit to stealth itself... people who believe themselves safe because they did all the recommended updates and run all the "safe" apps may still encounter something this devious (Sony doubtless isn't alone, they just got caught!) and this easily exploited, that even current protection measures don't yet stop.

      ** Occurs to me that a good feature for an email client is a "check destination" function where if the recipient wasn't entered by some essentially manual route (address book, hit reply, type into TO field) it stops and asks if you really want to send mail to Unknown Recipient X.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    9. Re:Bundled with spyware? by dsci · · Score: 4, Insightful

      Next step was to send the DarkSingh chap an email telling him what a cunt he is :-)

      That'll teach him. Filing an incident report with the authorities to MAYBE get him caught (so he cannot compromise other people's computers) would have had a bit more long term vision.

      --
      Computational Chemistry products and services.
    10. Re:Bundled with spyware? by capnchicken · · Score: 1

      I'd like to see a link to that article and whether or not it had its fair share of false positives boosting its 'finds and kills percentage'.

      --
      A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
    11. Re:Bundled with spyware? by jacksonj04 · · Score: 1

      My BIOS has a boot-sector virus guardy thing on it, which is updated whenever the BIOS is reflashed. Perhaps an antivirus/spyware/rootkit detector could be built into the motherboard?

      Since more and more internet connections come over an RJ45 straight from the modem, or a wireless network, could the motherboard not switch into a 'self update' mode when the PC is off, which would connect to an update server (Since it doesn't need to involve the OS), grab the latest definitions, flash the antivirus with the new definitions, and then power down. BIOS updates could be included with this as well.

      Since power buttons on modern PCs are nothing more than a hint to the BIOS that the user hit the button anyway, and the motherboard always takes power in some form, surely it could automatically start the PSU without involving booting the disks? It kicks in its own update system, downloads the updates (since it's an always-on connection), installs them and then shuts down.

      --
      How many people can read hex if only you and dead people can read hex?
    12. Re:Bundled with spyware? by Reziac · · Score: 1

      If you search for the original M$ antispyware article here on /., your requested links are in the comments somewhere. Sorry, I didn't save the info (at least not anywhere I can find it again :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:Bundled with spyware? by Anakron · · Score: 1

      ...loggers that don't encrypt their data
      You'd still be able to detect it, right?

      --
      There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
    14. Re:Bundled with spyware? by arminw · · Score: 1

      .....How can I be sure I am safe from keyloggers?....

      First, make sure that you do your day to day computing on OSX on a standard, non-admin account. That means that if anything wants to install in the system or in the applications folder, you will be asked for a password for an admin. If you KNOW for sure where the software comes from, trust that source and it was YOU that purposefully initiated an install, then giving the password minimizes, but doesn't completely eliminate the chance of getting hit by malicious software. Of course when a supposedly trustworthy global company, such as Sony wants to install malware, ostensibly to use their product, most people will give the admin password and get screwed. There can never be a defense against being screwed over by someone thought to be trustworthy. In school, business and even in family situations it is possible to set up most computers such that most users do not even know the administrator password. A Sony style rootkit cannot invade such a computer since the users cannot give the correct password.

      In Windows, if there is even one program that users need, which will not run unless everybody is an administrator, there is NO defense against the installation of malware. Sometimes the program preferences of these programs allow it to be set up to not need admin privs. Unfortunately, the number of programs on Windows that require admin status are not few.

      --
      All theory is gray
    15. Re:Bundled with spyware? by The+Spoonman · · Score: 1

      the one from MS is not such a bad choice

      Agreed. I've only met one person who said they had better luck with any of the other spyware killers. Every time I've used it, it's been after someone said "Oh, don't bother checking for spyware. I ran spybot and adware on it, and the machine is clean". Ten minutes later the comments are always "it found HOW MANY?!" :)

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    16. Re:Bundled with spyware? by fireweaver · · Score: 1

      Already been done. Company I'm no longer working for did this for the longest. Still at it AFAIK.

    17. Re:Bundled with spyware? by cdrguru · · Score: 1

      The problem is that whoever owns the email account darksingh666@hotmail.com cannot be located - Microsoft can't help because the process is essentially anonymous. And, it is extremely doubtful that they would record the IP address of people accessing a given email account.

      So, never fear, using Hotmail (or Yahoo, or mailasia.com or any of the other thousands of free anonymous email services) will allow people to mail keylogger files from infected machines.

      Contact the authorities? Sure, as soon as you find out a name they will talk to you.

    18. Re:Bundled with spyware? by xappax · · Score: 2, Informative

      Since more and more internet connections come over an RJ45 straight from the modem, or a wireless network, could the motherboard

      Connecting to the internet requires a lot more than an RJ45 connection. I'm not saying it's impossible, since as you say the physical connectivity is there, but all your motherboard (or NIC) knows how to do is send and receive "layer 2" datagrams to and from MAC addresses. All the data abstraction and interpretation that follows is done by software, usually one's operating system. At the very least, the motherboard manufacturer would need to write an entire TCP/IP stack implementation and somehow squeeze it into the BIOS. I guess if the need is great enough, some manufacturer would go ahead and include something like this in a flash chip. Then again, the more complex a BIOS gets, the more security flaws it's likely to have, which weakens its status as the one stage of the computer whose integrity you can trust.

      After all, if someone uses BIOS-based antivirus protection, why not just have your virus re-flash the CMOS?

    19. Re:Bundled with spyware? by Verteiron · · Score: 1

      I don't have an article for you, but I can give you my thoughts on it. I see a -lot- of infected computers. From the first time I tried the MS Antispyware utility I was blown away by it. It detects and -automatically- removes more malware than Spybot and Adaware put together. It actually follows the path the spyware takes to install itself, unregisters files, deletes them, checks to make sure they aren't reappearing... it's a very decent piece of software. As with all automated software there are a few programs it can't get rid of automatically but neither can AdAware or SpybotSD. Fortunately HijackThis and my good 'ole BartPE disk can take care of the rest.

      Now mind you, I'm not talking about the total number of "instances" it lists; that number is pretty meaningless in -any- spyware app. But as far as actually finding and removing bad software goes... it pains me to say it, but the MS Antispyware is the best free program of its kind out there right now. If Microsoft had written it themselves, I'd be seriously concerned about fire and brimstone from the heavens.

      --
      End of lesson. You may press the button.
    20. Re:Bundled with spyware? by xappax · · Score: 1

      First, make sure that you do your day to day computing on OSX on a standard, non-admin account. That means that if anything wants to install in the system or in the applications folder, you will be asked for a password for an admin.

      Ok, here's an attack: I make a binary which, when run, adds a line into your user's bash (or whatever shell) config file instructing it to run a phoney bash binary. So, every time you bring up a command prompt, the phoney bash runs instead, which is patched to "overlook" files with certain names. This phoney bash is also patched to record your keystrokes to a file which is named so as to be invisible. If that doesn't work, I'm sure it could be made to if a real programmer ran with it. And hey, I just came up with it off the top of my head - imagine what someone with real skills and time on their hands could do!

      While your advice is certainly worth following, the factually correct and responsible answer to the question "How can I be sure I am safe from keyloggers?" is
      "You can't. Not ever."

    21. Re:Bundled with spyware? by tchuladdiass · · Score: 1

      > soon you'll have to run rootkit detection from a bootable CD

      An alternative would be to boot up a VM first, then have that load your OS kernel. Something like a stripped-down version of VMware, or Xen. The idea being that virus / rootkit detection can go into one VM, and all your day-to-day stuff goes in another session. Then as long as there isn't any way to breach the VM's sandbox the detection code can have its own access to the drives without being influenced by any virus running in your main session.

    22. Re:Bundled with spyware? by Anonymous Coward · · Score: 0

      Have you ever filed such a report? From what I've seen the e-mail will have far better results. Most admins I know try filing a report once, then learn it's wasting time. Unless you have significant damages, they don't want to talk to you.

    23. Re:Bundled with spyware? by jacksonj04 · · Score: 1

      Just looking for ideas. I'm aware the stack needs to be implemented, I was more referring to the fact that the modem establishes its own connection, meaning the BIOS doesn't need to bother dialing (Although this could be a good idea for a function for non-DSL connections).

      As for having a virus re-flash things, just have the virus guard system switch to a read-only once the system is powered up normally. If a virus can intercept before IDE boot (Or floppy/CD boot, depending on what's in the machine at the time) then it's doing well.

      --
      How many people can read hex if only you and dead people can read hex?
    24. Re:Bundled with spyware? by spyder913 · · Score: 1


      In Windows, if there is even one program that users need, which will not run unless everybody is an administrator, there is NO defense against the installation of malware. Sometimes the program preferences of these programs allow it to be set up to not need admin privs. Unfortunately, the number of programs on Windows that require admin status are not few.
      Can you name any that REQUIRE you to be admin? I don't know of any that normal people would use, and my group runs all our users as regular users.

    25. Re:Bundled with spyware? by rainman_bc · · Score: 1

      I'm surprised no one's written spyware that attacks spybot and adaware libraries so they can go on undetected.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    26. Re:Bundled with spyware? by jawtheshark · · Score: 1
      Halflife 1 (and opposing forces)
      Pinnacle Studio 9
      Palm Desktop Software

      Those are on top of my head. Yes, halflife 1 was from the 98/W2k days and one could excuse the programmers, but under XP it's a bitch to setup. Palm Desktop software: I can set it up to work under limited accounts... A normal user can't: it's pretty hard. Pinnacle Studio 9... Hehe, I still didn't find how to. Not that I use it, but my brother in law uses it and I set him up on a limited XP account. Also keep in mind that Nero needs Administrative access unless you install BurnRights. BurnRights isn't installed by default... Catch my drift? (May have changed, I never went beyond Nero 5.5)

      Oh, yes, my sister has this game called "Children of the Nile". Doesn't work on a non-admin account either. The Sims 2 didn't work as non-admin either and it says so right on the box: they luckily patched it because enough people complained.

      Need I go on?

      Can you name any that REQUIRE you to be admin?

      I think I named enough, and all those programs are things normal users want to run. Luckily I have savvy users that can use "Run As" responsibly. I admit that most programs can be run non-admin (again: Pinnacle Studio 9 and Children Of the Nile have resisted all my attempts) with a little work: Setting Registry and file rights... in XP Home, file rights only go with cacls... No easy graphical interface! This is beyond the normal home user... Heck many don't even understand the "All User"/"Current User" start menu concept!

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    27. Re:Bundled with spyware? by Anonymous Coward · · Score: 0

      I'll get right on it.

    28. Re:Bundled with spyware? by theLOUDroom · · Score: 2, Interesting
      That'll teach him. Filing an incident report with the authorities to MAYBE get him caught (so he cannot compromise other people's computers) would have had a bit more long term vision.

      Real vision would have been to send him what looked like a normal batch of keylogged information, but that was actually a trap.
      There are all sorts of options that come to mind:
      • A "web bug" (transparent gif) to find his ip address.
      • Opening up a bank/CC/paypal account with a couple hundred dollars (whatever you need for felony charges) and conveniently leaking the info to him. (After notifying the authorities that anybody withdrawing money from that account should be arrested immediately.)
      • Doing the above but with a phonecard or other prepaid service to find more personal info.
      • Playing mind games by making it look like you actually have managed to get the FBI to do something... "Yes, I'm sure that's his email address. You'll be busting down his door this Tuesday, that's great!"
      • Leaking URLs to something like BO2K and calling it your company's hot new, pre-release software product.
      • Pulling a 419-style scam
      • Make him think he's uncovered a plot to commit murder/terrorism (get him to show up at the police station for you)
      • Setting up a bogus web anonymizer/IRC server/warez server/etc and leaking him the access information. (Something where he'll want lots of data so he won't use a proxy in Russia.)


      If this happened to me, I would spend a few days mulling over how to best nail this guy in a way that would be both legal and effective. You want to be able to go to the authorities with more than just a Hotmail address that was probably set up with false information and accessed via proxy.
      --
      Life is too short to proofread.
    29. Re:Bundled with spyware? by general_re · · Score: 1
      Interesting - I happen to have Studio 9 on the Win2k box in front of me, and sure enough, it craps out if you try to start it from a user-level account. I got it to go further, sort of, by giving that account explicit permission to modify \Program Files\Pinnacle, but it still crapped out before starting, so my guess is that it's trying to touch something, maybe in the reg, that it doesn't have permission to touch.

      Anyway, I run it successfully under a power user level account, so if you have XP Pro, you could try kicking the account up to a power user, and that should get it. Of course, there's not a heck of a lot of difference between power user and administrator privs - power users can't modify HKLM in the registry, nor can they access other users' files without explicit permission, but that's about it, so running as a power user may sort of defeat the purpose of limiting their privs in the first place. HTH - cheers! :)

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    30. Re:Bundled with spyware? by jawtheshark · · Score: 1

      What I didn't say is that my brother in law is a 13 year old. (In case you think I am a perv: my wife just has a 10 year younger brother) There is no way in hell that I'm going to give him Power User privs. I have seen what happened to his PC when he was Admin. *Never Again*

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    31. Re:Bundled with spyware? by general_re · · Score: 1
      Guess I can't blame you for locking things down a bit ;)

      Just for kicks, I tried firing up Ulead's Videostudio 8 under a user-level account, and it shit the bed too. Ah, well....

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    32. Re:Bundled with spyware? by arminw · · Score: 1

      ..... make a binary which, when run, adds a line into your users bash.....

      Presumably, to make such a change, a non-admin user will be asked for a password. If they can't give that, then the malware can't install. That's why it is good if your users don't know that password. Also, most ordinary Mac users avoid the command line like the plague, if they even know about it.

      --
      All theory is gray
    33. Re:Bundled with spyware? by arminw · · Score: 1

      .....what happened to his PC when he was Admin. *Never Again*.....

      We have a 16 year old and he likes to play games. On the Macs that works as a non-admin user, but on our PC most games don't. You might think about giving the kid admin access, but make sure there is no network connection to the system. That should be quite safe, at least from the malware over the network angle. Still have to watch out for malware CDs from the likes of Sony though.

      --
      All theory is gray
    34. Re:Bundled with spyware? by jawtheshark · · Score: 1
      The kid wants (needs, see how you take it) network connectivity. So, what am I going to say to him? Take the 500MHz P-III/256Meg RAM to surf and only use your P4 2.6GHz/512Meg RAM for games. Come on, would you "swallow" that as a kid? It's easier to teach him that being always admin is bad. I'm not in charge of his education and his mom knows next to nothing about computers. If he were my kid I could watch what he does: he is not my kid... I see him twice a month, max! It's a very different situation from you with your "your 16 year old".

      Right now, he understood that he should stay in his account for everything he does, with the exception of a very few uncommon tasks (like Pinnacle Studio). Guess, what: he actually respects that! Many slashdotters would cheer for me just because I saved them many (future) workhours because I *educated* a future computer user. He's actually happy that his PC runs faster than the (newer) PC's of his friends. Guess it's a win-win situation for everyone!

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    35. Re:Bundled with spyware? by xappax · · Score: 1

      a non-admin user will be asked for a password
      No, no - that's exactly why I said bash config file, because that's a file that almost every user has full control over. That's the vulnerability that people overlook when discussing privileges-based security. Yes, denying the user root privileges keeps them from screwing up the system and other user accounts, but the whole point of a multi-user privileged system is to give a user zero control over the system itself while giving them broad control over their own account. This means that a user has all the permissions they need to screw themselves up really bad. It's probably harder to do, and certainly harder to hide since modifying system-related binaries is off limits, but it can definitely be done.

      Because of this problem, pretty much any configurable or scriptable application (such as the Mac OSX GUI) is vulnerable to similar attacks, and if one avoids the command line the deception can be even more difficult to detect, making such users doubly vulnerable.
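A defender's check for the startup-file change discussed in this sub-thread, as an added example that is not part of any post: it reads a user's bash startup files and reports lines that `exec` another program, reference an executable outside the system directories, or put a directory ahead of `$PATH`. The list of system directories, the function names and the sample `.bashrc` are assumptions constructed for this sketch.

```python
import os
import shlex
import stat

STARTUP_FILES = (".bash_profile", ".bash_login", ".profile", ".bashrc")
# Assumption: on this system only an administrator can write to these.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")


def expand(token, home):
    """Resolve ~ and $HOME the way the shell would for this user."""
    token = token.replace("${HOME}", home).replace("$HOME", home)
    if token == "~" or token.startswith("~/"):
        token = home + token[1:]
    return token


def is_system_path(path):
    real = os.path.realpath(path)
    return any(real == d or real.startswith(d + "/") for d in SYSTEM_DIRS)


def audit_line(line, home):
    """Reasons (possibly none) why one startup-file line needs a manual look."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:
        return ["quoting could not be parsed; read this line by hand"]
    reasons = []

    def add(reason):
        if reason not in reasons:
            reasons.append(reason)

    if "exec" in tokens:
        add("exec replaces the running shell with another program")
    for tok in tokens:
        name, sep, value = tok.partition("=")
        if sep and name == "PATH":
            # Entries listed before $PATH win over the system directories.
            for entry in value.split(":"):
                if entry in ("$PATH", "${PATH}"):
                    break
                d = expand(entry, home)
                if not os.path.isabs(d) or not is_system_path(d):
                    add("PATH searches %r before the system directories" % entry)
            continue
        # For alias/assignment tokens, inspect the command word after the '='.
        words = (value if sep else tok).split()
        target = expand(words[0], home) if words else ""
        if (os.path.isabs(target) and os.path.isfile(target)
                and os.access(target, os.X_OK) and not is_system_path(target)):
            add("references executable outside system directories: " + target)
    return reasons


def audit_home(home):
    """Scan bash startup files; return (file, line_no, line, reason) tuples."""
    findings = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            mode = os.stat(path).st_mode
        except OSError:
            continue  # file absent or unreadable
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, 0, "", "file is writable by group or others"))
        for no, line in enumerate(lines, 1):
            for reason in audit_line(line, home):
                findings.append((name, no, line.strip(), reason))
    return findings


def build_sample_home(home):
    """Constructed sample: a .bashrc with two ordinary lines and one planted line."""
    fake = os.path.join(home, ".cache", ".bash")  # hypothetical look-alike shell
    os.makedirs(os.path.dirname(fake))
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(fake, 0o755)
    rc = os.path.join(home, ".bashrc")
    with open(rc, "w") as fh:
        fh.write("alias ll='ls -l'   # ordinary\n"
                 "export EDITOR=vi\n"
                 "[ -x ~/.cache/.bash ] && exec ~/.cache/.bash\n")
    os.chmod(rc, 0o644)
    return fake


if __name__ == "__main__":
    for name, no, line, reason in audit_home(os.path.expanduser("~")):
        print("%s:%d: %s\n    %s" % (name, no, reason, line))
```

The findings are prompts for a manual read, not verdicts: many legitimate setups prepend `$HOME/bin` to `PATH`, and the check must be run from a shell and interpreter you trust.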

    36. Re:Bundled with spyware? by arminw · · Score: 1

      ....This means that a user has all the permissions they need to screw themselves up really bad....

      Of course, users can screw up their OWN accounts, but that is relatively easy to fix. Users can also have their own private program folders, fonts and custom settings. If a program, such as a keylogger, needs access to system space, a password is still needed. Since any and all user stuff is under their own account space, it is easy for an admin to create a new user account, transfer the needed, specifically user created files from the old to the new and then erase the old user account. Any surreptitiously installed and invisible crap will also disappear.
      That is considerably easier than having to deal with a Sony style rootkit type of malware buried deep in the system itself.

      --
      All theory is gray
    37. Re:Bundled with spyware? by xappax · · Score: 1

      True, a "userland" rootkit - which I guess can't really be called a root-kit, is nowhere as effective as the real deal, but it's still insidious enough to be a security concern. The problem is contained to a more manageable area - when a server has been rooted, you have to re-build the whole box. When an account has been compromised, just delete and re-build the account.

      The main problem with rootkits/keyloggers is not that they're a pain to remove, it's that they do bad things without the user even knowing they exist. Once a userland keylogger has logged all the user's passwords and secret credentials and FTPed them to the attacker, who cares how easy the logger is to remove?

      Ultimately, I think the problem is that unlike most black hat-type activities, in order to steal a user's passwords, an attacker doesn't need any more access than that user has.

    38. Re:Bundled with spyware? by keraneuology · · Score: 1
      No, the day that congress is inspired with the idea that we'll all be wallowing in misery unless they pass laws regarding the security of operating systems... then we'll all be up defecation tributary in an unpowered watercraft without means of propulsion.

      No matter how bad things are, congress can always make them worse.

      --
      If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
  2. I'm gonna... by Anonymous Coward · · Score: 5, Funny

    Hackers are likely to release more than 6000 keylogging programs this year

    Will there be a firefox plugin for one of those babies? Or am I still gonna be missing out on all the fun this year also?

    1. Re:I'm gonna... by Tri0de · · Score: 2, Insightful

      Perhaps I'm too old school; I reserve the title 'hackers' for people who do creative and interesting 'hacks', indeed when seeing it used in a disparaging way I know I'm dealing with the ignorati.

      --
      "Everyone is entitled to their own opinion, but not their own facts."
    2. Re:I'm gonna... by Varun+Soundararajan · · Score: 1
      Why:Hackers are likely to release more than 6000 keylogging programs this year

      all your keystrokes belongs to us!

    3. Re:I'm gonna... by Anonymous Coward · · Score: 0

      I was going to post the same remark, but I use Dillo as my browser of choice. But I thought people would get the wrong idea....

      Will there be a dillo plugin for one of those babies? Or am I still gonna be missing out on all the fun this year also?

    4. Re:I'm gonna... by Anonymous Coward · · Score: 0

      I reserve the term "elitist ass" for those who call everyone who doesn't use the same terminology "ignorati."

      At least those ignorati know how to use correct punctuation.

  3. Phew... by lukewarmfusion · · Score: 5, Funny

    Good thing I type everything in with charmap.

    ßöôÝà!

    1. Re:Phew... by Dukael_Mikakis · · Score: 1

      Or you could use Dvorak. Keys still logged, but would look like a mess unless they expect it.

    2. Re:Phew... by BushCheney08 · · Score: 1

      That's why I mentally rot13 everything and type it into rot13.com. Hit the cypher button, copy, paste and nobody will ever capture what I've written (except for the people who run rot13.com).

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
    3. Re:Phew... by xtracto · · Score: 1

      I prefer using The Dasher it is way faster than the charmap approach.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    4. Re:Phew... by jimbolauski · · Score: 1

      I wonder if you could remap the keyboard with your own rootkit. I bet this would work for most keyloggers although I would have to go back to hunt and peck.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    5. Re:Phew... by Anonymous Coward · · Score: 0

      I just use "331t3" speak. Only ubergamers and hak0rz would know what I was typing.

  4. I am Jack's Beans by GigsVT · · Score: 5, Funny

    easily slipping past firewalls and antivirus software, iDefense, a division of VeriSign, said.

    But for $99.95 per system per day you can buy magic beans from iDefense that protect you against them, right?

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  5. In other news... by patio11 · · Score: 4, Insightful

    "Next year to be really, really scary on the computer security front", says a company which makes money from designing Comprehensive Solutions to Security Threats yet cannot decide whether keyloggers are silent but lethal or whether they have observable symptoms like a system slowdown (because you KNOW your 1 GHz Pentium just crawls when it tries to do processor-intensive tasks like parsing keyboard input). Honestly, these kinds of folks give security research a bad name. It's like the doctor down the street who says "Hey, AIDS cases are likely to increase next year -- symptoms include coughing or feeling less energetic than you usually do. Be afraid!"

    1. Re:In other news... by GigsVT · · Score: 1

      My wife tested out the "open source" keylogger from sourceforge because one of her clients requested she find a keylogger for their systems to catch suspected abuse. After 8 hours it used up every bit of virtual memory. I put open source in quotes because last I checked there was a question whether the source had ever been released.

      So yeah, it's entirely possible a keylogger could fuck up your system and make it slow or unusable. Just look at how adware and spyware (which do extremely simple things, really) can really screw your system.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  6. Password Security by TubeSteak · · Score: 3, Interesting

    Password Security doesn't mean a damn when you're getting logged or someone is sniffing them over a network

    Change your passwords regularly.

    If that's too much trouble, rotate easy to remember (yet secure) passwords

    While you're at it, change the password on your luggage.

    --
    [Fuck Beta]
    o0t!
    1. Re:Password Security by BokLM · · Score: 1

      If your computer is full of keyloggers, no matter how often you change your password, they will still get it.

      No, if you want something secure, just avoid installing any shit on your computer, and keep your software updated.

    2. Re:Password Security by blahplusplus · · Score: 1

      "Change your passwords regularly. If that's too much trouble, rotate easy to remember (yet secure) passwords"

      Better yet use Roboform's random password generator and save your passwords to encrypted key files, and back them up often, then you do not have to remember your passwords ever, just backup your keycards

    3. Re:Password Security by s4ck · · Score: 1
      How did you know?

      I've used the same ATM PIN, luggage, login numbers series since the days of Spaceball.

      No breach of security yet!

    4. Re:Password Security by hackstraw · · Score: 1

      Password Security doesn't mean a damn when you're getting logged or someone is sniffing them over a network

      Exactly. So changing them, and using "good" ones don't mean shit if you're just going to give it away to someone.

      People seem to think that this password security crap is something real, but they rarely if ever change the PIN on their bank card, they rarely if ever change the locks on their car and/or house, or the combination on their fireproof safe. It's cool that everybody is so much into their password habits, that in itself will defeat the war on terror.

      OK. Now back on topic.

      This guy seems like he isn't a regular here. In fact he seems brand new. Oh, and what is the advertising belief in saying the product or company name? At least 3 times in a commercial. iDefense was repeated 3 times in the blurb that says little more.

      On TV, they say before the infomercial that it is an infomercial and that the network is not responsible for anything they say, blah, blah. Are there no requirements or ethics for an online publication to do the same?

      Just curious.

    5. Re:Password Security by mustangdavis · · Score: 1
      For everyone out there that doesn't understand good security, I have found something that people tend to relate to ...

      Passwords are like toothbrushes:

      Don't share

      Change yours regularly

      Just about everyone can relate to this - and if the sys admin hangs up a sign saying this in her/his office, then people tend to remember this (that is for those unfortunate souls that work somewhere where the boss thinks it is too much of a pain to require people to change their password every 30 to 90 days)

      You're welcome :)

  7. Possible market for a secure e-commerce appliance? by TripMaster+Monkey · · Score: 4, Interesting


    I've been considering building some sort of e-commerce appliance for my less technically-inclined family members...essentially a low-end PC that will only boot off a Puppy Linux CD. All online financial transactions would take place only over this PC. Since the whole OS is on CD, it's fairly immune to the traditional spyware strategies (being Linux helps a bit as well ;) ). With this latest news, I'm thinking such an 'e-commerce appliance' might make a dandy and well-appreciated Christmas gift.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  8. How do they know? by Anonymous Coward · · Score: 3, Funny

    "Hackers are likely to release more than 6000 keylogging programs this year


    How do they know you say?
    By infecting the hackers with keyloggers of course!
  9. That's Open Source for you... by meringuoid · · Score: 5, Funny
    ... 6000 incompatible platforms. How are customers meant to establish a standard that way?

    Fortunately, Microsoft Keylogger 2006 will be included with Vista, and will report all your passwords to Redmond in a convenient and user-friendly way, establishing a de-facto industry standard in modern keylogging solutions.

    --
    Real Daleks don't climb stairs - they level the building.
    1. Re:That's Open Source for you... by TheSpoom · · Score: 2, Funny

      C:\Documents and Settings>net stop keylogger
      System error 1060 has occurred.

      I'm sorry Dave, I'm afraid I can't do that.

      C:\Documents and Settings>

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:That's Open Source for you... by TimeCr0ss · · Score: 1

      I registered *just* to say that that comment was the funniest thing I've read on /.

  10. Reading the keys by Billosaur · · Score: 4, Insightful

    The first line of defense against these things is avoiding the trap of downloading things that may contain them. Same old saw: don't download anything from people you don't know or trust. Don't open suspicious emails. Problem is, no matter how much you say it, the common computer-user doesn't heed the warnings. People are too gullible for their own good and there are so many get-rich-quick, boy-that-sounds-interesting types out there that it's only a matter of time before one of these things spreads.

    Of course, what the article fails to mention is the corporate use of keyloggers, to see just what you've been saying on Slashdot, or worse, the number of people who install them on purpose to trap unwary spouses or their mischievous kids.

    Ultimately, we should all be installing anti-keylogging software right along with our anti-virus. That will work, until the forces of evil come up with the next generation of spyware.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Reading the keys by BokLM · · Score: 1

      Ultimately, we should all be installing anti-keylogging software right along with our anti-virus. That will work, until the forces of evil come up with the next generation of spyware.

      And what about anti-anti-keylogging software ?

    2. Re:Reading the keys by Reziac · · Score: 1

      You have to wonder about a "free keylogger" that claims to be the best in the business... what is *it* bundled with??? [reads linked page] Sounds like it's actually a specialized rootkit.

      Well, if Sony did nothing else for the world, they did get the AV companies in an uproar about detecting rootkits, which hadn't previously been in their purview.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    3. Re:Reading the keys by happymark · · Score: 0

      You do not need Anti-Keylogger, you can use MS Onscreen Keyboard.

    4. Re:Reading the keys by arminw · · Score: 1

      .....don't download anything from people you don't know or trust.....

      It seems that you should not trust global corporations, such as Sony, any more either. In the end, who can you trust? Your own fart?

      --
      All theory is gray
    5. Re:Reading the keys by Thundersnatch · · Score: 1

      The software you linked appears quite dodgy. The vendor's main site provides no description whatsoever of how it works. There's no FAQ, or support forum. Other than the description that it "doesn't rely on signatures". And "It became possible due to the newly developed solutions and algorithms that allow distinguishing spy program activities from those of any other application installed in the system." That sounds like Snake Oil to me.

      If you're going to continue shilling for RaySoft, you should let them know that reputable software vendors don't hide information from their customers. They will tell you openly how their software works, and what behavior to expect. They typically rely on patents and copyrights, not a "super-secret formula", to protect their intellectual property.

    6. Re:Reading the keys by Firefly1 · · Score: 1
      Of course, what the article fails to mention is... the number of people who install them on purpose to trap unwary spouses or their mischievous kids.
      I think we, as a society, need to take a long hard look at ourselves if we seem to think it all right to spy on our own spouses or children. Really, what message is that sending? Never mind that such spying is likely illegal in most jurisdictions.
      --
      - White Knight of the Order of Mihoshi Enthusiasts
  11. Re:Possible market for a secure e-commerce applian by patio11 · · Score: 4, Insightful

    Why spend actual money (even a low-end PC costs you what, a couple hundred dollars) just because of the hype, especially when you know darn well the likelihood of it ever getting booted up is zilch (particularly if technologically less-than-savvy people get an urgent "Don't wait, update your account information today!" email in their inbox -- which, incidentally, leaves them 100% as screwed no matter what Linux distribution you're using)

  12. Charmap? by TubeSteak · · Score: 5, Informative
    http://en.wikipedia.org/wiki/Keylogger

    It is also said that using an onscreen keyboard is a way to combat these, as it only requires clicks of the mouse. That is, however, false information, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text typed with onscreen keyboard.
    --
    [Fuck Beta]
    o0t!
    1. Re:Charmap? by lukewarmfusion · · Score: 1

      Character map is an onscreen keyboard which sends the text to a field inside itself - not to an external program. You then copy and paste from that field into whatever you want. Since you're not sending keystrokes, the keylogger would need to also intercept any copy-paste that you do.

      I was trying too hard to be funny, I know... but I figured I'd toss that out there.

    2. Re:Charmap? by TubeSteak · · Score: 1

      No, you win.
      You're +5 funny.

      While my quote still matters to the discussion at large, I woulda stuck it somewhere else if I had seen that tidbit of information while googling.

      some enterprising mod should give you a +1 informative to go with all those +1 funnies

      --
      [Fuck Beta]
      o0t!
    3. Re:Charmap? by Anonymous Coward · · Score: 0

      I have seen something similar on the signon page for ING Direct. They want you to press your password into a webpage keypad image instead of typing it in. I guess they are worried about keyloggers. It is a good idea, I hope they don't patent it cause it would certainly help other web providers out there.

      But of course in the following year we will see mouse and video logger programs being generated, I will make your 3.0Ghz Pentium perform like a Commodore 64.

      --anon

  13. Re:Possible market for a secure e-commerce applian by bhtooefr · · Score: 1

    Actually, it could be argued that AMD makes one heck of an appliance.

    Yes, it runs Windows. However, it's a rather obscure variant of Windows, blending WinCE and XP. Hopefully that doesn't mean that it's open on BOTH sides, instead of none.

    It's $300 at RadioShack.

  14. News stories like this... by ylikone · · Score: 1

    ... make me glad I'm a Linux user. A quick ps auwx will show me if there are evil deeds afoot.

    --
    Meh.
    1. Re:News stories like this... by meringuoid · · Score: 2, Insightful
      A quick ps auwx will show me if there are evil deeds afoot.

      Unless the attacker has replaced ps with a version that will not show the keylogger. And, of course, you always run 'ps' first of all when you log in and before you type in any important passwords, don't you?

      --
      Real Daleks don't climb stairs - they level the building.
    2. Re:News stories like this... by drooling-dog · · Score: 1
      A quick ps auwx will show me if there are evil deeds afoot.

      Unless /bin/ps gets replaced with a version that is blind to the evil deeds, as any reasonable rootkit would do. I was rooted back in 2001 and that's one of the very first things that it did.

    3. Re:News stories like this... by dsci · · Score: 1

      A quick ps auwx will show me if there are evil deeds afoot.

      Unless, of course, you've been rooted. It's very common for rootkits to copy hacked versions of ps, ls and other system tools that hide themselves.

      A couple of years ago, I got a little behind on upgrading ssh on one of our servers. It got a rootkit installed, and ps did not show anything. It was discovered when the system rebooted (so we caught it RIGHT AWAY).

      chkrootkit is your friend in the Linux world.

      --
      Computational Chemistry products and services.
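The replies above point out that a replaced /bin/ps will not list what it is hiding. The following is an added example, not code from the thread: it cross-checks the PIDs that ps reports against the numeric directories the kernel exposes under /proc, which flags a trojaned ps binary but not a kernel-level rootkit that also filters /proc. The function names are hypothetical.

```python
import os
import subprocess

def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def parse_ps_pids(text):
    """Turn the output of `ps -e -o pid=` (one PID per line) into a set."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def pids_from_ps(ps_path="/bin/ps"):
    """PIDs reported by the on-disk ps binary, the one a rootkit may have replaced."""
    result = subprocess.run([ps_path, "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True)
    return parse_ps_pids(result.stdout)

def hidden_candidates(proc_before, ps_pids, proc_after):
    """PIDs seen in /proc both before and after ps ran that ps did not report.

    Requiring both snapshots filters out processes that merely started or
    exited while the check was running.
    """
    return sorted((proc_before & proc_after) - ps_pids)

def describe(pid, proc_root="/proc"):
    """Best-effort name and executable path for a PID, read straight from /proc."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "comm")) as fh:
            comm = fh.read().strip()
    except OSError:
        comm = "?"
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = "?"  # kernel threads and inaccessible processes have no readable link
    return "%d %s (%s)" % (pid, comm, exe)

def check(ps_path="/bin/ps", proc_root="/proc"):
    """Snapshot /proc, run ps, snapshot /proc again, and return the discrepancy."""
    before = pids_from_proc(proc_root)
    reported = pids_from_ps(ps_path)
    after = pids_from_proc(proc_root)
    return hidden_candidates(before, reported, after)

if __name__ == "__main__":
    suspects = check()
    if suspects:
        print("processes visible in /proc but missing from ps output:")
        for pid in suspects:
            print("  " + describe(pid))
    else:
        print("ps and /proc agree (this does not rule out a kernel-level rootkit)")
```

A clean result only means ps and /proc agree; the interpreter and libraries running the check are themselves only trustworthy when started from known-good media.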
    4. Re:News stories like this... by Reziac · · Score: 1

      For the *NIX-impaired, what's ps?

      And... if you have to log in to run it, doesn't any resident keylogger already have the single most important password?

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:News stories like this... by BushCheney08 · · Score: 1

      ps = process status

      Here's a man page for a version of it.

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
    6. Re:News stories like this... by Reziac · · Score: 1

      Thank you! answered my question entirely. In fact, thanks for the link -- lots of good stuff on that site.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    7. Re:News stories like this... by meringuoid · · Score: 1
      And... if you have to log in to run it, doesn't any resident keylogger already have the single most important password?

      Well, ps lists all the processes running on the computer, and in theory should reveal any keylogger lurking in memory.

      However, regarding the login password itself: in order to install the keylogger, the attacker has presumably already compromised your own machine. Thus he doesn't need your login password for that box - he already has full access there, otherwise he couldn't have installed the keylogger. What he wants are the passwords that get into your online services. Your bank. Your email account. Amazon. eBay. Your card numbers and secret identifiers for all your online activity. For those, he needs to quietly install a keylogger, install a rootkit to cover it up (which would compromise ps, and so make the keylogger invisible) and then sit back and wait for you to unwittingly hand over all those juicy details.

      --
      Real Daleks don't climb stairs - they level the building.
    8. Re:News stories like this... by Reziac · · Score: 1

      Good points. Yeah, you'd think a well-designed keylogger would account for obvious checks by the host OS, including ps, mem, etc.

      Now I'm wondering... are there attacks that can install on *NIX at a point before the system reaches any login point at all?

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    9. Re:News stories like this... by ThaFooz · · Score: 1

      I fail to see how that is any different than a quick taskmgr->processes. Simply viewing the processes (and their owner/status/etc) on either platform offers little insight as to if a legit process (or ps/taskmgr itself) is rooted.

    10. Re:News stories like this... by Anonymous Coward · · Score: 0

      Guess you never heard of a rootkit???

      Think before you type. Since Linux isn't as susceptible to petty exploits as Windows is, the box is generally rooted first. Duh.

    11. Re:News stories like this... by Marc2k · · Score: 1

      It depends what you mean by login point (I'm not sure if you meant at system startup, or simply before a given user logs in), but either way, the answer is yes. Once an attacker has gained superuser access, which is not an unreasonable assumption, with an intimate knowledge of the operating system, they could easily replace a driver, insert hidden malware (which would again go along with cleaning the logs and replacing utils like ps), or even create and install a new kernel, rife with malicious code.

      --
      --- What
    12. Re:News stories like this... by Reziac · · Score: 1

      Nasty thoughts, indeed.

      Side thought: does *NIX have a way to manually step through everything that loads? (as can be done in DOS/Win)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:News stories like this... by lachlan76 · · Score: 1

      You can start by passing init=/bin/sh to the kernel (on Linux at least). That *only* starts /bin/sh, so you are in complete control as to what you run (provided they haven't modified /bin/sh). The only foolproof way is to run from read-only media (i.e. Knoppix) and check every binary.

    14. Re:News stories like this... by Reziac · · Score: 1

      Thanks, saved for reference.

      The foolproof method sounds like way too much work for everyday, unless you're either handling burn-before-reading data, or trying to work from a known-compromised system, in which case progressive paranoia is definitely in order, no matter how inconvenient!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  15. The most undetectable keylogger by Saint37 · · Score: 5, Informative

    Obviously software keyloggers are a huge threat. But there are also hardware keyloggers that hardly ever get mentioned. They get plugged in, usually between your ps2 port and your keyboard. They are very small and can store MBs of data. Since people hardly ever look back there, they are very hard to detect. Of course physical presence is required to use this, but I'm sure some of my coworkers would love to play with one of these.



    http://www.stockmarketgarden.com/

    1. Re:The most undetectable keylogger by JustNiz · · Score: 1

      I think a hardware keylogger would be a lot easier to spot than a software keylogger to the average 'non-tech' user.

      Furthermore, you can't remotely install hardware keyloggers.

    2. Re:The most undetectable keylogger by jawtheshark · · Score: 2, Insightful

      Not really: there are hardware keyloggers that can be built into the keyboard. Nobody is going to see that one. Of course, everybody here knows that once you've got access to the hardware, you essentially have access to the machine.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    3. Re:The most undetectable keylogger by dsci · · Score: 3, Insightful

      But there are also hardware keyloggers that hardly ever get mentioned. They get plugged in, usually between your ps2 port and your keyboard.

      Once again emphasizing that if you don't have physical security of the system, little else matters.

      I've been doing some network consulting for a Dr's office (to help their HIPAA compliance), and the physical security of their systems is completely out of their heads. The hardest thing to do in the whole project is convince them to (and how to) harden the boxes in case the black hat is sitting RIGHT THERE (or steals a box to take with them).

      --
      Computational Chemistry products and services.
    4. Re:The most undetectable keylogger by ThaFooz · · Score: 3, Insightful

      I think a hardware keylogger would be a lot easier to spot than a software keylogger to the average 'non-tech' user.

      Then you, sir, have never helped a non-tech friend/relative 'fix their broken computer' only to discover that something was unplugged. It's mind boggling, but the sheer volume of cables behind the average PC (despite being simple and color-coded) means that the user pays little attention to them. Though I haven't seen one, I don't imagine a hardware key logger is hugely different in size/shape than a PS/2-USB converter. Plenty of people have those on their machines, don't know what they are, and don't question them.

    5. Re:The most undetectable keylogger by Scoth · · Score: 1

      Bravo! I can't count the number of times this has happened to me too. Plus, non-tech users aren't likely to know what a keylogger is even if they found the box. I'm reminded of a time I was helping someone fix some spyware problems, and I noticed they had a USB -> dual PS/2 HID adapter plugged into a USB port, with a USB mouse plugged into its USB to PS/2 adapter plugged into that. She told me that that was how her regular techy guy set it up and so she'd left it and didn't want me to mess with it.

      I've never quite understood why, but the same person that insists on having every detail of their car explained to them, or even their cell phones, simply refuses to understand anything about their computers. Even though they're a lot more ubiquitous, I think people still have the "Computers are complicated and fragile, I couldn't ever understand them and they might break if I mess with them too much" mentality.

    6. Re:The most undetectable keylogger by John+Courtland · · Score: 1

      If you've ever seen a PS/2 to AT keyboard connector, that's pretty much exactly what one looks like. Thinkgeek has a hardware logger here: http://www.thinkgeek.com/gadgets/electronic/5a05/ 128K of memory only though. There are more sophisticated models that have more memory.

      --
      Slashdot is proof that Sturgeon's Law applies to mankind.
    7. Re:The most undetectable keylogger by xappax · · Score: 1

      Of course, if you're using a wireless keyboard, you'll never know you're being hardware logged, 'cause all the attacker needs is a receiver with a big directional antenna attached. They've released a few wireless keyboards that use encryption between the keyboard and "base station", but for the sake of speed, it's generally pretty simplistic stuff that could either be cracked or defeated simply by using the same brand of proprietary receiver.

      It's also theoretically possible to make equipment sensitive enough that it could detect the electromagnetic interference generated by your keyboard/monitor cables, allowing a remote attacker to record your keyboard input or screen output. This, I've heard, is why the military requires shielded cables on their computers.

    8. Re:The most undetectable keylogger by HermanAB · · Score: 1

      Hmm, well, MS Outlook is a very good email program, but I doubt that it can rematerialize a hardware key logger from a bit stream and plug it in too. So, until all PCs are fitted with Ixian Universal 3D Pantographs, I'm not going to worry much about this hardware keylogger threat.

      --
      Oh well, what the hell...
    9. Re:The most undetectable keylogger by fbartho · · Score: 1

      http://www.keyghost.com/images/closeup_sx_sm.gif :) they be tiny if you want them to be... Perfect for places like universities and the like... :( bad for me because I feel prompted to look around the back of every machine I ever use... The university does a great job of providing clean environments for its users, but something like a hardware logger would trap 50 users' all-powerful passwords in a single day in one of the university comp labs on a single computer...

      --
      Gravity Sucks
  16. Has anybody checked... by Overzeetop · · Score: 1

    The Sony rootkit for a keylogger? Then we'd only have to worry about 5999 others!

    --
    Is it just my observation, or are there way too many stupid people in the world?
  17. Re:Possible market for a secure e-commerce applian by Anonymous Coward · · Score: 1, Insightful

    Since the whole OS is on CD, it's fairly immune to the traditional spyware strategies (being Linux helps a bit as well ;) ).

    Fortunately I do my keylogging with a keyboard dongle, which is cross-platform and supports linux.

  18. SetWindowsHook() by crashcodesdotcom · · Score: 1

    Beware windows apps with calls to SetWindowsHook() with WH_KEYBOARD or WH_KEYBOARD_LL as the idHook

    Enjoy

    1. Re:SetWindowsHook() by Anonymous Coward · · Score: 0

      as seen by what Windows utility, exactly?

    2. Re:SetWindowsHook() by Bill+Dog · · Score: 1

      C:\Program Files\Microsoft Visual Studio\VC98\Bin\VCVARS32.BAT, then
      dumpbin /all <EXE or DLL or other executable file name> | find "SetWindowsHook"

      For example.

      The WH_*'s are #defines, so they don't show up/can't be searched for in the binary.

      --
      Attention zealots and haters: 00100 00100
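The dumpbin search in the reply above matches the string anywhere in the file. As an added example (not code from the thread), the following walks a PE image's import directory directly and reports which DLL imports SetWindowsHook* by name; the function names are hypothetical. A hit only shows the capability, since the hook type (WH_KEYBOARD is 2, WH_KEYBOARD_LL is 13) is a runtime argument, and calls resolved at run time or imported by ordinal do not appear by name.

```python
import struct

# Hook-installing exports of user32.dll; the WH_* hook type is passed at call
# time, so it never appears in the import table.
HOOK_APIS = {"SetWindowsHookA", "SetWindowsHookW",
             "SetWindowsHookExA", "SetWindowsHookExW"}

class NotPE(ValueError):
    """Raised when the data is not a parseable PE image."""

def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    end = data.index(b"\0", off)
    return data[off:end].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll name (lower case): [imported names]} for a PE32/PE32+ image."""
    try:
        if data[:2] != b"MZ":
            raise NotPE("missing MZ header")
        pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            raise NotPE("missing PE signature")
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24                                       # optional header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                                  # PE32
            dirs, thunk_fmt, ord_flag = opt + 96, "<I", 1 << 31
        elif magic == 0x20B:                                # PE32+
            dirs, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
        else:
            raise NotPE("unknown optional header magic")
        imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # directory 1
        sections = []
        for i in range(nsect):
            vsize, vaddr, rsize, rptr = struct.unpack_from(
                "<4I", data, opt + opt_size + 40 * i + 8)
            sections.append((vaddr, max(vsize, rsize), rptr))

        def off(rva):
            """Translate a relative virtual address to a file offset."""
            for vaddr, size, rptr in sections:
                if vaddr <= rva < vaddr + size:
                    return rptr + (rva - vaddr)
            raise NotPE("RVA 0x%x is outside every section" % rva)

        imports = {}
        if imp_rva == 0:
            return imports                                  # no import table
        desc = off(imp_rva)
        while True:
            oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
            if not (oft or name_rva or ft):                 # null terminator
                break
            dll = _cstr(data, off(name_rva)).lower()
            thunk = off(oft or ft)
            names = imports.setdefault(dll, [])
            while True:
                val = struct.unpack_from(thunk_fmt, data, thunk)[0]
                if val == 0:
                    break
                if val & ord_flag:                          # import by ordinal
                    names.append("#%d" % (val & 0xFFFF))
                else:                                       # skip 2-byte hint
                    names.append(_cstr(data, off(val) + 2))
                thunk += struct.calcsize(thunk_fmt)
            desc += 20
        return imports
    except struct.error as exc:
        raise NotPE("truncated image: %s" % exc)

def keyboard_hook_imports(data):
    """Sorted (dll, function) pairs for SetWindowsHook* imports in the image."""
    return sorted((dll, fn) for dll, fns in parse_imports(data).items()
                  for fn in fns if fn in HOOK_APIS)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                print(path, keyboard_hook_imports(fh.read()))
            except ValueError as exc:
                print(path, "skipped:", exc)
```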
  19. Secure against memory resident snoopware? by TubeSteak · · Score: 1

    While I'm not sure how common they are on Linux, lots of spy/snoop/etc programs are memory resident.

    So even if there's no fixed disk for the prog to store itself on, it can do its dirty deeds until the next reboot.

    /side question: whatever happened to encrypted meta/polymorphic viruses, trojans and worms?

    --
    [Fuck Beta]
    o0t!
    1. Re:Secure against memory resident snoopware? by Anonymous Coward · · Score: 0

      They are trembling, shocked by a low-quality shit that can infest Windows.

  20. unix admin passwords by Anonymous Coward · · Score: 0

    I was told once that on unix based systems (unix, linux, OSX), when a window pops up asking for an admin password to do something, software keyloggers can't capture what you type in because that window process is a root process.

    Is that true?

    1. Re:unix admin passwords by Andrewkov · · Score: 1

      You're probably thinking of Windows NT where you had to hit CTRL-ALT-DEL before entering your password.

    2. Re:unix admin passwords by tendays · · Score: 2, Informative

      x-windows permits this - to have a process request to be the exclusive recipient of all keystrokes (no matter what window is selected). I don't know about os x.

      But to my knowledge there are few programs that actually do it. I am aware of three: xterm - when you ctrl-click on the window you can ask for "secure keyboard" which does that. gpg-agent's passphrase request window can also activate that feature.
      And xscreensaver, when asking for your password to unlock the screen (other screensavers probably too)

      One reason why you don't want to keep your xterm on "secure keyboard" all the time is that your screensaver can't detect keyboard activity anymore (and of course you can't type to other windows)

  21. Idea by Andrew+Tanenbaum · · Score: 2, Funny

    Let's all automatically use a keylogger that posts to Livejournal.com. Of course, it will be called "Keyblogging".

    1. Re:Idea by Carthag · · Score: 2, Funny

      That's the best & worst idea I've heard all day.

  22. no worry for the paranoid... by borawjm · · Score: 2, Funny

    all you need is your mouse and the "Character Map" program. No need to use your keyboard.

    Sure this post took me 10 minutes to type (or copy and paste I should say), but those hackers won't have a clue!

    1. Re:no worry for the paranoid... by grubbymitts · · Score: 1

      unless they start using screen grabbing too, which sometimes happens.

    2. Re:no worry for the paranoid... by Anonymous Coward · · Score: 0

      Sure this post took me 10 minutes to type

      That sounds like a perfect chance to reference Dasher, the swiftest new way to enter text with the mouse! Or an eye-tracker.

      It's in Debian, as well as offering downloads for Windows, Mac OS X, Pocket PC and even Solaris. This is the sort of software that a slow typist could use to really improve their work! That and it looks really cool.

      They have this quote in their website: "Dasher is like an arcade game: `Attack of the killer alphabets', perhaps."

    3. Re:no worry for the paranoid... by __aaercy5451 · · Score: 1

      ...you don't need the keyboard to click on pr0n sites all day. And a mouse only requires one hand to use it...

    4. Re:no worry for the paranoid... by patonw · · Score: 1

      First year of college, my roommate spilled coffee on his keyboard and busted it so I told him to do exactly what you described until he got a new one. So funny to IM him from the same room and actually see him take the time to reply using charmap and cut & paste.

  23. Likely? by Gothmolly · · Score: 2, Insightful

    Hackers are likely to release more than 6000 keylogging programs this year.

    They're also likely to release more than 6,000,000 keylogging programs this year. They're also likely to release more than 1 keylogging program this year.

    What a stupid statement. Oh wait, it's from a vaporous, dot-bombish, DC-metro "computer security" company looking for page hits, blogs, and "press release" publicity on Yahoo! Finance.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Likely? by Anonymous Coward · · Score: 0

      They're also likely to release more than 6,000,000 keylogging programs this year. They're also likely to release more than 1 keylogging program this year.

      Looks a lot like Dogbert http://www.dilbert.com/comics/dilbert/archive/images/dilbert2005113320118.gif.

    2. Re:Likely? by httptech · · Score: 1

      iDefense is hardly a vaporous dot-bomb company - they actually put out very good intelligence, although most of it is stuff you're not likely ever to see unless you are a paying customer. And they've contributed a substantial number of their internal tools for malware analysis to the community. I have a great deal of respect for the analysts working there - maybe you should look into some of the research they've done over the years before you discount them as yet-another snake-oil security company.

      As to the number of keystroke loggers increasing, I'd say from my experience in malware analysis they are about right on the numbers - it is becoming a more and more popular method of phishing account data from unsuspecting users, and people aren't often aware of just how much of it is going on. These are real trends that people who are watching the constant flood of malware can see. Now, how would you prefer they get that message out?

  24. FCheck or anti-keylogger may help? by digitaldc · · Score: 4, Informative

    More info here:
    http://security.resist.ca/keylog.shtml
    Anti-Key logger:
    http://www.anti-keylogger.net/
    FCheck: http://www.geocities.com/fcheck2000/fcheck.html

    I don't know if it will stop a keystroke logger, but it is a cool idea, nonetheless: http://www.kittytech.com/defaultx.html

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:FCheck or anti-keylogger may help? by Bevan+Collins · · Score: 1

      Anti-Key logger:
      http://www.anti-keylogger.net/


      LOL check the links at the bottom of that page... they also sell Key logging and Spy software.

  25. It's about the exploit by TubeSteak · · Score: 2, Insightful
    A decent programmer, using all his skills could write a stealth spyware/keylogger that doesn't bog down the computer and goes undetected for a very long time. It shouldn't do popups, but just log the keys...


    Part of the problem with computers getting bogged down and popups coming out the wazoo is that more than one program can (and probably will) slip in through the same IE exploit.

    So it doesn't really matter how many uber-l33t pieces of crapware are out there, because there will always be people exploiting the same holes but doing it with buggy programs.
    --
    [Fuck Beta]
    o0t!
  26. to be effective by jessecurry · · Score: 1

    To be effective don't keystroke loggers written for windows need to use system hooks that should make them all relatively easy to detect? I'm not sure what OSs they will be released for, but I would assume that Windows would be the major target.

    --
    Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    1. Re:to be effective by ergo98 · · Score: 1

      To be effective don't keystroke loggers written for windows need to use system hooks that should make them all relatively easy to detect?

      Or they could hook into the keyboard driver itself, or using Detours from Microsoft Resource they can hook themselves into many other system calls (either in memory or on disk). SetWindowsHook(Ex) would pretty much be the most-noob way of doing this.

      Of course even doing that, I don't think there's a way to enumerate currently installed hooks - The API doesn't provide that. The best you could do is add a debug hook (that gets informed of all other hooks installed) and try to get it executed first.

  27. Re:Possible market for a secure e-commerce applian by ThaFooz · · Score: 1

    I really like the idea and it could have some very cool applications. But I'm not sure less tech-savvy users would be one of them.

    I mean, it seems like a bit of a catch-22 to market an active security solution (i.e., think about security before every transaction, instead of a one-time install) to a group who has security problems precisely because they don't want to concern themselves with security 24/7.

  28. The real question... by secureboot · · Score: 1

    The real question is how many keyloggers are actually installed and reporting back now, as opposed to last year or 5 years ago. Just because there are more, doesn't mean there are more actually running. This would be an interesting statistic, if someone has it.

  29. Does exactly what it says on the tin by Anonymous Coward · · Score: 1, Funny
    Ken Dunham, senior engineer at iDefense, said, "Keylogger software typically tracks keystrokes on infected computers..."

    He's a sharp cookie, that Ken.

  30. Obligatory Spaceballs reference by Anonymous Coward · · Score: 0

    King Roland: The combination is: one . . .
    Dark Helmet: One.
    Col. Sandurz: One.
    King Roland: Two . . .
    Dark Helmet: Two.
    Col. Sandurz: Two.
    King Roland: Three . . .
    Dark Helmet: Three.
    Col. Sandurz: Three.
    King Roland: Four . . .
    Dark Helmet: Four.
    Col. Sandurz: Four.
    King Roland: Five . . .
    Dark Helmet: Five.
    Col. Sandurz: Five.
    Dark Helmet: So, the combination is: one, two, three, four, five. That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    After the interrogation

    Dark Helmet: It worked, sir. We have the combination.
    President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?
    Dark Helmet: 1 2 3 4 5.
    President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
    Dark Helmet: Yes, sir!
    President Skroob: And change the combination on my luggage!

  31. No laughing matter... by ChePibe · · Score: 5, Interesting

    I work for a university and supervise multiple public computer labs for students.

    One of our employees decided it would be a brilliant idea to install a key logger on a handful of our computers. Our security software would have easily detected/prevented the installation, but this employee had administrator passwords, allowing him to bypass the security software (since then, passwords have been restricted, which leads to massive inefficiency but higher security). He quietly disabled the security - especially anti-virus - software on these computers and let the program do its work.

    The key logger was discovered approximately 6 weeks later when an icon for it randomly popped up on the desktop (I do not know the name of the key-logger software). A patron reported the strange icon, and the lab assistant reported it to management.

    All 600 people who had used these computers in the last 6 weeks were notified almost immediately of the breach and instructed to change all their passwords and monitor their credit reports for suspicious activity. A lengthy FBI investigation began, and finally one employee was singled out. Luckily, there is no evidence he used any of the information he had gleaned from these computers.

    This employee faced jail time, but ended up accepting a plea bargain for 5 years probation and a $5,000 fine. He has since fled the country.

    Moral of the story - these things are quite serious when installed on the right computer, and those that install them in person could receive jail time. Now, even one hint of a key logger appearing on a computer in the labs is enough to drag in all of our technical staff at any hour to heavily investigate and reimage all nearby computers. We'd rather not have to go through any more investigations with the FBI.

    1. Re:No laughing matter... by Gadgetfreak · · Score: 1

      You bring up a good point, in terms of damage to people's personal identity and information. What's the risk for corporations, or perhaps government sensitive information? It might lead to the kind of backlash where places that don't absolutely need internet access for the required work to be disconnected, or on a separate internal network. I just think there may be too many companies going low tech to avoid this kind of threat, and pulling the plug if they have anything serious to risk.

      --
      "No fair, you changed the outcome by measuring it!" - Professor Hubert J. Farnsworth
  32. Obvious solution by daranz · · Score: 2, Funny

    An obvious solution is setting input to right-to-left, and then typing backwards!

    Alternatively, you may just simply store all your passwords in a .txt file on your Windows desktop. Additional security can be provided by storing the file in Shared Documents instead, but just make sure your WiFi AP is unencrypted and broadcasting its SSID.

    --
    This is a sig. It is appended to the end of comments I post.
    1. Re:Obvious solution by shish · · Score: 1
      Alternatively, you may just simply store all your passwords in a .txt file on your Windows desktop

      A surprisingly good idea, in a way; sure it allows anyone who has physical access to your machine to get access to your passwords, but all the keyloggers'll detect is "ctrl-c, ctrl-v"

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  33. Yawn! by Anonymous Coward · · Score: 0

    What difference does it make whether there are six, six thousand or six million? They all work in basically the same way, and only the one that's installed on /your/ PC is the one you should be worried about. This is just frighten-hype to sell some kind of product or service. An increase in the supply of these programs (which is highly doubtful - see below) isn't proportional to their successful application.

    Honestly, the FTC should ask them to list all six thousand programs, with a code sample for each and an explanation why one is different from the next, along with all known information about the authors. They'd be hard pressed to find sixty.

  34. Pest Patrol by Anonymous Coward · · Score: 0

    Check out Pest Patrol's online scanner.

    I used it to find a keylogger that my sister's dipshit boyfriend put on her computer.

  35. Egress rules by Alioth · · Score: 1

    This is why you should use strong, default-deny egress rules on your network - especially if you have confidential data.

    Especially at small organizations, people think they are protected if they just have some ingress rules that (supposedly) stop the bad people getting in. However, you've got to stop your PCs from making connections *out* to random addresses.

    1. Re:Egress rules by Anonymous Coward · · Score: 0

      That's not really practical for most offices.

      It is far more practical to keep users from opening executable attachments and/or prevent unauthorized software from being installed onto machines.

    2. Re:Egress rules by Anonymous Coward · · Score: 0

      Are you kidding me?

      What sort of "Egress rule" would you use for a keylogger that uses standard HTTP POSTs to send updated information? Or maybe even one that uses HTTPS?

      Would you limit the user traffic to a white-list of websites? Good luck on that.
      Would you log all of the outbound traffic via a proxy/whatever else? Do you have a policy for that in place? Are the users aware that their surfing is being monitored? Who has access to the logs, and why? And most importantly, would YOU KNOW that it was something out of place, a standard HTTP request to a random site? I mention access to the logs and so on because even though the users are using "company property" and "company resources", they must be made aware of the fact they are being monitored, and YOU have to ensure that you will protect their privacy. (ie: you shouldn't be looking through the logs, seeing what they're doing just because you can. There has to be a reason for it).

    3. Re:Egress rules by Alioth · · Score: 1

      No, I'm not kidding you in the slightest.

      If you want any semblance of security, you don't even route to the internet from your normal office especially where there is confidential information. You absolutely use a proxy *with authentication*. The fact it's authenticated will frustrate all but highly targeted and determined attackers. They are very difficult to defend from (especially as the Achilles heel is more likely your staff's susceptibility to social engineering).

      We have a network at work where financial details are processed. I have it locked down to a strict default deny policy for both ingress and egress. _No_ web access is allowed on that network, and the only access to internet sites is to other organizations we deal with - and all traffic is encrypted. The policy is default deny to other networks within the organization too. Every single host outside the network must be documented. All transfers are logged.

    4. Re:Egress rules by Alioth · · Score: 1

      It's eminently practical for most offices. A simple policy is to not even route to the internet, all access must go via a proxy such as Squid for web access. It isn't hard to set up a proxy. All but the tiniest of offices can practically implement that kind of policy - and should if they are dealing with confidential information.

      That is in addition to blocking all executable attachments and not allowing unauthorized software installation.
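
The authenticated-proxy, documented-hosts policy described in the thread above can be checked against the proxy's own log. The following is an added example, not code from any poster: it assumes Squid's native access.log layout, and the host names, addresses, user names and the `min_denied` threshold are constructed for illustration.

```python
"""Audit a Squid access.log against a default-deny, authenticated-proxy policy."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlist standing in for "every external host must be documented".
DOCUMENTED_HOSTS = frozenset({"partner-bank.example", "clearing.example"})

# Constructed sample lines (not real traffic), in Squid's native layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1131000001.120      2 10.0.5.21 TCP_DENIED/407 1820 GET http://partner-bank.example/rates - HIER_NONE/- text/html
1131000001.410     85 10.0.5.21 TCP_MISS/200 5120 GET http://partner-bank.example/rates alice HIER_DIRECT/203.0.113.10 text/html
1131000050.002      1 10.0.5.44 TCP_DENIED/407 1820 POST http://upload.invalid/c.php - HIER_NONE/- text/html
1131000350.004      1 10.0.5.44 TCP_DENIED/407 1820 POST http://upload.invalid/c.php - HIER_NONE/- text/html
1131000650.003      1 10.0.5.44 TCP_DENIED/407 1820 POST http://upload.invalid/c.php - HIER_NONE/- text/html
1131000700.900     60 10.0.5.44 TCP_MISS/200 910 GET http://clearing.example/status bob HIER_DIRECT/203.0.113.20 text/html
1131000800.100   4021 10.0.5.30 TCP_TUNNEL/200 88211 CONNECT files.invalid:443 carol HIER_DIRECT/203.0.113.99 -
truncated line
"""


def parse_line(line):
    """Return the fields the audit needs, or None for a malformed line."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    method, url, user = parts[5], parts[6], parts[7]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # CONNECT logs "host:port"
    else:
        host = urlsplit(url).hostname or ""
    return {
        "client": parts[2],
        "result": result,
        "status": status,
        "method": method,
        "host": host.lower(),
        "user": None if user == "-" else user,
    }


def analyze(log_text, documented=DOCUMENTED_HOSTS, min_denied=3):
    """Report two policy signals.

    no_credentials: (client, host, count) where the client was refused with
        407 at least min_denied times and never authenticated to that host.
        A browser's 407 challenge is followed by an authenticated retry;
        software without proxy credentials just keeps failing.
    undocumented: (client, user, host, method) for requests the proxy let
        through to a host that is not on the documented list.
    """
    denied = Counter()
    authenticated = set()
    undocumented = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        if rec["result"] == "TCP_DENIED":
            if rec["status"] == "407" and rec["user"] is None:
                denied[key] += 1
            continue
        if rec["user"] is not None:
            authenticated.add(key)
        if rec["host"] not in documented:
            undocumented.add(
                (rec["client"], rec["user"] or "-", rec["host"], rec["method"])
            )
    no_credentials = sorted(
        (client, host, count)
        for (client, host), count in denied.items()
        if count >= min_denied and (client, host) not in authenticated
    )
    return {"no_credentials": no_credentials, "undocumented": sorted(undocumented)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, host, count in report["no_credentials"]:
        print(f"{client}: {count} unauthenticated attempts to {host}")
    for client, user, host, method in report["undocumented"]:
        print(f"{client} ({user}): {method} to undocumented host {host}")
```

The first signal only exists because the proxy demands credentials; the second is the HTTPS case raised in the thread, which the proxy still logs by destination host even though it cannot see the content.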

  36. *Hem-hem* by Eli+Gottlieb · · Score: 1

    Those people are called "crackers". Hackers are an entirely different breed who can be learned of from ESR's website.

    1. Re:*Hem-hem* by Anonymous Coward · · Score: 0

      A hacker can be evil. A cracker is just someone who uses scripts/programs someone else made to do his dirty work.

      See "black hat" vs "white hat".

      also LOL @ ESR.

    2. Re:*Hem-hem* by Anonymous Coward · · Score: 0

      Thank you for your insightful and original contribution, user 917758.

    3. Re:*Hem-hem* by xappax · · Score: 1

      Ok, I've gotta know...am I the only one who thinks it's really funny that the geek community has totally obliviously adopted a racial slur to describe computer criminals? I mean, I'm not offended or anything, I just think it's really telling about the uniform cultural background of hackers when we can all go around debating about "hackers vs. crackers" with a straight face. Try to go down to the bar and tell everyone about the difference between hackers and crackers, and I'm pretty sure all the non-white people will bust out laughing at you. ;-)

  37. Someone needs... by InterestingX · · Score: 1

    ... to create a program that simulates all the keystrokes to "War and Peace"

  38. No way will my Grandma be hip to this... by Tikicult · · Score: 0

    Do you really think that the non-geek members of your family will actually bother to boot to a CD and use a completely unfamiliar OS and web browser??

    My Grandma probably hasn't even rebooted her computer in months... Let alone run critical updates or checked her Antivirus!

  39. Hackers? Crackers? - The difference explained. by romiir · · Score: 1

    Yes, hackers are not destroyers of lives... Idiots in the media make hackers look bad. Ethical hackers are the people doing this security research. Hackers test computer system security, sometimes illegally yes, but they never destroy data or intentionally cause problems. Crackers are the ones making the keyloggers, and breaking into systems on the internet just to abuse them or destroy data. People need to hear this message, and quit frowning upon hackers.
    ---
    Ignorance may be bliss, but knowledge is power.

  40. Who needs software? by Sierpinski · · Score: 4, Informative

    If you have access to a computer (or more specifically behind a computer) just add one of these:

    for PS/2 Keyboards

    or for USB Keyboards

    Anti-virus and anti-spyware won't protect you from this kind of technology.

    1. Re:Who needs software? by OneFix+at+Work · · Score: 1

      Yes, but these aren't cheap (~$100 for a cheap one) and they are easily identified by a cursory look at the back of the machine. $100 is a bit much to lose if you are "found out", so these will mostly be installed by machine owners. I know there have been incidents when these were installed, but most of these are put in high traffic, high risk areas. In some way, these are easier to detect than software keyloggers. Not only that, but most of these (all that I know of) use a standard set of "wake" commands and they will then dump their guts...I'm sure there aren't that many commands to try...now if they made a keyboard that had a keylogger built-in that looked normal otherwise, then that would be a problem...

    2. Re:Who needs software? by Ph33r+th3+g(O)at · · Score: 1
      now if they made a keyboard that had a keylogger built-in that looked normal otherwise, then that would be a problem...

      You mean like this?

      --
      I too have felt the cold finger of injustice.
  41. No breach of security yet by TubeSteak · · Score: 1

    "yet" being the key word here.

    Now that the trolls know your /. password
    Your karma is going straight to hell

    --
    [Fuck Beta]
    o0t!
  42. meh by Anonymous Coward · · Score: 0

    I will believe it when I see it.

    Did these people know there would be a major increase in zombies? Or SMTP worms? Or even IM worms? I don't believe so. So I'm not going to believe what bullshit they say.

  43. Defeat all known keyloggers! by BlargGlarb · · Score: 1

    Simply pry up the keys from your keyboard and put them back in a different order! It's foolproof! Arwvbnst bsforssd msscoidgs!

  44. Help from Microsoft by Sierpinski · · Score: 3, Insightful

    In trying to assist the average Windows user, I think Microsoft could do something to help aid fight against unauthorized spyware/viruses:

    When I open the task manager to view all my running processes, there are usually a ton of programs running. Some I recognize (explorer.exe, System, firefox.exe, etc.) but some I have no idea what they are. Some are from my firewall (BlackIce), some are anti-virus (mcshield.exe), some are other system processes (mdm.exe: the machine debugger), and some I just plain do not know what they are. There are various sites where I can search for these programs, but when there are 50-60 in the list, it gets quite tedious. What would be nice is if the task manager actually produced a mouse-over popup (much like an 'alt' tag in HTML) that gives information about the process. Now this would have to be part of task manager, and not a factor of the application, or malware could just say that its some important legitimate file. I don't know if this is possible, feasible, or even necessary, but I know it would make it a whole lot easier for me to examine all of my currently running processes.

    Just a thought in light of the keystroke logging article.

    1. Re:Help from Microsoft by J.R.+Random · · Score: 1

      Of course any self respecting rootkit modifies the Task Manager code so that it doesn't show the keylogging process at all.

    2. Re:Help from Microsoft by Sierpinski · · Score: 1

      Just the simple fact that Windows even allows programs to manipulate the task manager goes to show how much farther Windows needs to go. After my wife went on a 'deal hunting' spree on my laptop, I showed her exactly what she had done to the computer. I disconnected it from the internet, ran various anti-virus and spyware programs (luckily no viruses, but tons of spyware). When I went to show her the task manager list, the task manager was actually disabled. Of the various methods to view the task manager (right-clicking taskbar, ctrl-alt-delete, etc.) none of them were enabled. Just the simple fact that Windows allowed a program to disable the task manager proved to me that Windows is truly an inferior product.

      No technology in the world is going to protect a user who doesn't want (or care, or know) to be protected.

    3. Re:Help from Microsoft by Anonymous Coward · · Score: 0

      Instead of using MS Taskmanager, then try using the process viewer built into Hijackthis! or, even better, IceSword.

      Between the 3 choices, I would recommend Icesword for 2000/XP, Hijackthis! for Windows 98.

    4. Re:Help from Microsoft by Anonymous Coward · · Score: 0

      A M$-solution is on its way. It's called "trusted computing".

    5. Re:Help from Microsoft by Shad_the_protector · · Score: 1

      Damn, in the .NET framework, there is a class that represents the list of tasks running on the comp. You can make a program that just runs through the different tasks and KILLs them. o_0. That, that is a considerable flaw, 'cause as you all know some running tasks that you kill will just begin the reboot sequence for fatal error and reboot your comp. Now just imagine you put something like that to run at Windows start.

      By the way, if you want more information than the task manager already gives, try to check Spybot Search & Destroy. In the advanced mode, in Tools, process list, you see in it at least the full path of the process and also it will point out the parent process or child. There is also a screen to change the startup.

    6. Re:Help from Microsoft by drsmithy · · Score: 1
      Just the simple fact that windows even allows programs to manipulate the task manager goes to show how much farther Windows needs to go.

      Yeah, because it's not like unix rootkits ever install their own versions of ps, top, et al, right ?

  45. Stopped Reading When I Saw IDefense Said... by Evil+W1zard · · Score: 2, Informative

    This company is all about making sales pitches and has been spreading FUD since at least 1999. I remember all the way back to the sensationalization of the so-called Israeli-Pakistani Cyber War... Which was more like a couple script kiddie hacker groups defacing web pages.... Ohhhh but they called it a Cyber War.... I would take anything you hear from these guys with a very big grain of salt.

    --Remember when they were in hot water for simply rewriting other people's materials and not citing original author or when Jericho and the Attrition crew started to campaign against them...

    (I will give them credit for a few decent vulnerability discoveries though, but I tend to stay away from their reporting of cyber news...)

    --
    News Reporters Make Tasty Polar Bear Treats!
  46. Move along people... Nothing to see here... by McFadden · · Score: 1
    So some guy makes a purely speculative guess about what might (or might not) happen in the next year, and then goes on to explain that a keylogger actually logs keystrokes.

    And this is all it takes these days to get a front page mention on Slashdot.

  47. Important research by striiiker · · Score: 1

    These keyloggers have actually been released by the University of Arts and Technical Studies in order to test the age old myth that a million monkeys at a million keyboards will eventually type the entire works of Shakespeare...

  48. Re: Make sure you use famd then! by SolitaryMan · · Score: 1

    Make sure you use File Alteration Monitor Daemon then. Attackers often replace ps, top, login etc. with alternate, infected versions, so you don't see their software working. Of course that famd data can be replaced too, but just another security tool won't do any harm.

    --
    May Peace Prevail On Earth
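
The replaced-binaries problem raised in the comment above (ps, top, login swapped for altered copies) is what a hash baseline detects. This is an added example, not famd and not any poster's code: it records SHA-256, size and permission bits and reports drift, using constructed stand-in files in a temporary directory in place of the real system binaries.

```python
"""Hash-baseline check for replaced system binaries."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """SHA-256, size and permission bits of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(paths):
    """Take the reference snapshot while the system is known to be clean."""
    return {path: fingerprint(path) for path in paths}


def verify(baseline, extra_paths=()):
    """Compare current state with the baseline.

    Returns (path, finding) tuples: "missing", "changed:<fields>", or
    "unbaselined" for a path that was never recorded.
    """
    findings = []
    for path, expected in sorted(baseline.items()):
        try:
            current = fingerprint(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        changed = [k for k in ("sha256", "size", "mode") if current[k] != expected[k]]
        if changed:
            findings.append((path, "changed:" + ",".join(changed)))
    for path in sorted(set(extra_paths) - set(baseline)):
        findings.append((path, "unbaselined"))
    return findings


def demo():
    """Constructed scenario: three stand-in binaries, each tampered differently."""
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for name in ("ps", "top", "login"):
            paths[name] = os.path.join(root, name)
            with open(paths[name], "wb") as handle:
                handle.write(b"original " + name.encode() + b" build\n")
            os.chmod(paths[name], 0o755)

        baseline = build_baseline(paths.values())

        # Same length as the original, so a size-only check would miss it.
        with open(paths["ps"], "wb") as handle:
            handle.write(b"modified ps build\n")
        os.chmod(paths["top"], 0o777)   # content intact, permissions loosened
        os.remove(paths["login"])

        return [(os.path.basename(p), what) for p, what in verify(baseline)]


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

As the comment notes, the monitor's own data can be replaced too, so the baseline belongs on read-only or off-host storage and the check should run from media the compromised system cannot modify.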
  49. Firefox by lostraven · · Score: 1

    Ok. I'll bite. I've been using Opera as an alternative to IE for two years now (in conjunction with Ad-Aware, Spybot, and AVG). For a few websites, I still had to use IE last year but it seems that Opera has become supported enough that with the updates, I don't hardly ever need to use another browser. I can't say that I've investigated Firefox much at all. Where does Firefox rank security-wise with your Operas and other alternative browsers?

  50. Who needs Carnivore!? by ediron2 · · Score: 1

    6000 brands of keyloggers on countless machines, all collecting passwords. Who needs Carnivore and the backdoor key with this mess?

    Gilmore's law ('The internet treats censorship as damage and routes around it') apparently also applies to free-market pressures to subvert security, even if it is white-hat security goals that are preventing something like Carnivore's back-door.

  51. Copy-Paste by lostraven · · Score: 1

    Ok. Let me preface this by saying that I probably wouldn't recommend keeping an unsecured text file full of passwords and financial data.
    That said, in theory, could the same concept be applied by creating such a text file, say on a laptop you never connect to the internet, saving to floppy and then opening the file from the floppy on your desktop. When you want to enter such data, open the file, copy-paste. Would this accomplish the same thing? I'm ignorant to the concept really. Thanks.

    1. Re:Copy-Paste by lukewarmfusion · · Score: 1

      Well, by the time someone plants a keystroke logger on your machine, I'd guess they could do a lot more.

      But technically I think it works the same way.

  52. PR Plant by CupBeEmpty · · Score: 2, Interesting
    this really seems to be a PR plant by iDefense (they seem to be spending a little marketing cash to get us worried about keyloggers)

    Other planted articles that are startlingly similar:
    The actual verisign press release with a cute graph
    PC World with a seemingly verbatim copy of the press release
    Again from Tech News World
    And C|Net's news.com.com even copies the fun and [extreme sarcasm]ever so statistically meaningful[/extreme sarcasm] graph

    It is nice to note that VeriSign's Nasdaq abbreviation appears in all of these articles within the first sentence. So I wouldn't be too worried because it's not surprising that VeriSign wants us to fear keyloggers.

  53. In Other News by ajs318 · · Score: 1

    Chip Pan Fires on the Increase, says Chief of new Privatised Fire Brigade.

    Anti-virus companies have a vested interest in there being malware out there. It wouldn't surprise me if they were encouraging the script kiddies. Dunno about anybody else, but I expect for software just to work, as it comes, and that goes double for software that you pay for. Imagine if you bought a phone, and then had to pay extra for the charger! Sure, you could use a laboratory power supply, if you already had one ..... like you can be careful with Windows if you know how. But the real problem is that Windows, as it needs to be configured to work with certain applications, is insecure by design.

    --
    Je fume. Tu fumes. Nous fûmes!
  54. I find no link to an online scanner. by Futurepower(R) · · Score: 1

    I find no link to an online scanner at pestpatrol.com

  55. Easy way to defeat KeyLoggers by schlick · · Score: 1

    I just scraped all the letters off my keys! Ha! Try and see what I'm typing now!!! This I saw this kewl keyboard. It comes with the letters already scraped off. SWEET!

    --
    "It's because they're stupid, that's why. That's why everybody does everything." -Homer Simpson
  56. Already Happening by willisbueller · · Score: 1

    We are starting to see variants of CoolWebSearch popping up on computers at work (I work for my residence computer service). Anyone who has dealt with CWS knows it's a pain; few virus/spyware detectors find it. It blocks Windows registry editor from showing values that give its existence away (you need to use reglite or autoruns (which misses some)). The variants are becoming even more tricky as silentrunners and CWShredder aren't catching them.
    That and they don't noticeably kill performance. As far as spyware goes, it's really best in class right now.

  57. Use a tablet PC then :) by -Harlequin- · · Score: 1

    I have a tablet PC, I normally use the keyboard for text entry, and use the pen as a mouse and for art, since I type quicker than I write, but hey, maybe I should start using handwriting more often. Keylog that! :-)

    1. Re:Use a tablet PC then :) by jabelar · · Score: 1

      Handwriting recognition may still be keylogged, depending on how the recognition software interacts with the computer's input buffers.

    2. Re:Use a tablet PC then :) by -Harlequin- · · Score: 1

      I may be wrong, but it doesn't seem like tablet edition works that way. If a keylogger could capture the data contents of a cut and paste, then it would probably grab ink, but AFAIK keyloggers don't do that, they'd just log the keypresses that triggered the paste procedure.

  58. That's innovation! by just_another_sean · · Score: 1

    Say that sounds great!

    So as a corporate customer of Microsoft's, how do I leverage this new, service oriented architecture they are developing? I would like to have access to an API that allows me to track my company's users and also see what my competition is up to. Will I be able to utilize my existing legacy infrastructure or will I have to upgrade every other installed service at my company to use this wonderful service you speak of?

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  59. Natural progression by drdewm · · Score: 1

    It is just so much easier to key log a half asleep non computer literate person than to try and break the gazillion bit encryption schemes available. It's the weakest link that's going to get you every time.

  60. Re:Bundled with spyware? Newbie Question by Anonymous Coward · · Score: 0

    Question: How do you "Find Files" on C: modified in the last day?

  61. Re:Possible market for a secure e-commerce applian by Anonymous Coward · · Score: 0

    Why not just give them a live CD, and telling them to use that with their existing computer? That should be good enough, unless you really suspect that someone is breaking into their place and installing a hardware keylogger onto their machine.

  62. Re:Bundled with spyware? Newbie Question by Anonymous Coward · · Score: 0
    Windows:

    Start - Search - Find Files

    Linux:

    Install Windows.

  63. I have seen those in a computer parts catalogue by Rick17JJ · · Score: 1

    I have seen a small keystroke logger for PS2 cables listed in a computer parts catalogue for many years. According to the catalogue it needs to be attached to the end of the PS2 cable on the keyboard. If I remember correctly, it suggested that it would be a good way for parents to keep track of what their children are doing on the Internet. How many people buy them for other purposes? Someone could stick one of those on someone else's computer for a few days and then retrieve the device later. I was surprised that they could legally sell something like that.

    How often do people bother crawling under their desk to look for something like that? On my computer there is a PS2 to AT keyboard adapter which looks very similar. Some people do online banking while they travel at Internet Cafes, public libraries or other computers that are open to the public. Is that safe or not? Remember the incident a couple of years ago where someone had secretly installed keystroke logging software at 14 Kinko's stores. He used software instead of hardware. According to one article "he captured more than 450 user names and passwords, using them to access and even open bank accounts online." Here is the article:

    http://castlecops.com/article2568.html

    If I am not mistaken, employers are legally allowed to use keystroke loggers to monitor what their employees are doing and are also allowed to read employees' email. It is best to be careful what you say about the boss in email messages at work. When you get to work perhaps you should crawl under your desk and check the end of the cable on your keyboard. Perhaps a co-worker or the boss might have installed one of those. Of course if software is being used you still might not know.

  64. Re:Bundled with spyware? Newbie Question by Anonymous Coward · · Score: 0

    Thanks

  65. Re:Bundled with spyware? Newbie Question by Phillup · · Score: 1


    Linux:

    Install Windows.


    Because that is the only way 'C: drive' has any meaning.

    --

    --Phillip

    Can you say BIRTH TAX
  66. That's MS Passport for you... by HermanAB · · Score: 2, Interesting

    Sending all your passwords to a central authority - wasn't that what MS Passport was all about?

    --
    Oh well, what the hell...
  67. Oblig. Simpsons Quote by Anonymous Coward · · Score: 0

    Passwords are like toothbrushes:

    Marge: Ooh! A punchbowl like that just screams good taste. Wouldn't it
                  be perfect for the dinner party.
    Homer: Oh, we can't afford that. Who do you think I am, Liz Taylor?
    Marge: Well, maybe we could use it once, and then return it.
    Homer: Marge, we're not talking about a toothbrush here.

  68. They keep stats by TigerTime · · Score: 1

    If they can store terabytes upon terabytes of email, I'm sure they keep track of the last several IPs that the user logged in with. The government works especially hard with companies on stuff like this just so they can have access if they need it. They don't like it when it's impossible to find out info on someone.

    You'd be surprised at how much is kept on users with the free *anonymous* email accounts.

    My guess is that if you sent an email out using Hotmail/Yahoo to several news outlets saying that you were going to kill the president or someone, you would get a knock on the door by the FBI/CIA within a day or two.

    1. Re:They keep stats by theLOUDroom · · Score: 1

      If they can store terabytes upon terabytes of email, I'm sure they keep track of the last several IPs that the user logged in with.

      Which is all but useless if he's using a proxy.

      The trick is to get him to connect to something without using a proxy or to do something traceable by other means. (Like ordering a pizza to his house with your credit card number.)

      --
      Life is too short to proofread.
    2. Re:They keep stats by netsharc · · Score: 1

      The mail providers may record the IP, which will lead you to the ISP, but what if the ISP's in a country that doesn't care? Even in the US, you'd need to get the appropriate authorities excited enough so they subpoena both providers, chances are they won't care.
      Unless of course it's something to do with ewil awab tewwowists!

      --
      What time is it/will be over there? Check with my iPhone app!
  69. Answer to thwarting Keyloggers!(Albeit tiring...) by Mikey123 · · Score: 1

    The mouse truly *is* your friend. I haven't seen anybody suggest another rather *obvious* way to make sure your password is not being logged properly (at least by a keylogger):

    (1) When typing a password, type a "Cloaked" password. That is, add (groups of) characters that don't belong in your password.
    (2) Before submitting your password, delete the groups of characters that don't belong AS BLOCKS.
    (3) IMPORTANT! Make sure the superfluous groups of characters added to your password are exactly the same *every* time (read on...)

    So, for example, if your password is really "Star9!", get used to always typing something like: "Star123456789!" Then, before hitting enter, highlight with your mouse and delete the superfluous characters AS ONE BLOCK in the appropriate place (in this case, a single block of eight characters, starting from the third leftmost). In this case, all that the keylogger will log is: Star123456789! *DeleteKey*

    So, for the person who reads your keylog file, his/her first impression will be that your password is "Star123456789". Then, even if they catch on to the fact that you are cloaking your password, they will have to try deleting every combination of keys, and GROUPS of keys, from your pre-DEL password. Good Luck to them. Chances are, unless the person trying to get your password is targeting you specifically, they will give up and move on to the next person for whom they have a keylog file. But even if it is your husband/wife spying on you, with this method their goal of figuring out your password is at least encumbered somewhat.

    As for the "IMPORTANT" part in step (3), consider the case that for the password "Star9!", one day you use the cloak "Star123456789! *DeleteKey* ", and another day you use the cloak "Star987654321! *DeleteKey* ". The bastard reading the keylog file would have to be an idiot to not figure out, from those two cloaks, what your password is.

    So, memorize your "cloak" as well as you memorize your password, and you should be safe from keyloggers. Cheers, Mikey123
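
An added example, not part of the comment above: it measures how many password candidates remain when a log shows a typed string followed by a single Delete, and how that set shrinks when two different cloaks are logged for the same password, as step (3) describes. It assumes one logged Delete removes exactly one contiguous block; the function names are hypothetical and the log strings are the comment's own examples.

```python
from functools import reduce


def block_deletion_candidates(logged: str) -> set[str]:
    """Every string left after removing one non-empty contiguous block.

    Assumption: the log shows the typed text plus one Delete keypress,
    and the mouse selection itself is not recorded.
    """
    n = len(logged)
    return {logged[:i] + logged[j:]
            for i in range(n)
            for j in range(i + 1, n + 1)}


def surviving_candidates(logs: list[str]) -> set[str]:
    """Candidates consistent with every logged entry (set intersection)."""
    return reduce(set.intersection,
                  (block_deletion_candidates(entry) for entry in logs))


# Constructed sample logs, reusing the strings from the comment.
SAME_CLOAK = ["Star123456789!", "Star123456789!"]
VARIED_CLOAK = ["Star123456789!", "Star987654321!"]


def summarize() -> dict[str, int]:
    """Candidate-set sizes for a consistent cloak and a varied cloak."""
    return {
        "same_cloak": len(surviving_candidates(SAME_CLOAK)),
        "varied_cloak": len(surviving_candidates(VARIED_CLOAK)),
    }


if __name__ == "__main__":
    for scenario, count in summarize().items():
        print(f"{scenario}: {count} candidate passwords remain")
    print(sorted(surviving_candidates(VARIED_CLOAK), key=len))
```

On these strings a single logged entry leaves 105 candidates, and the two different cloaks together leave 12, one of which is `Star9!`.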

  70. CTRL-ALT-DEL by LunaticTippy · · Score: 1
    I have to hit C-A-D to enter my passwords here at work. (windows XP)

    Damn corporate security policies!

    --
    Man, you really need that seminar!
  71. kylggr.exe by trigggl · · Score: 1
    Program: kylggr.exe
    Alt text: Windows automatic spell checker

    I'm thinking your idea could easily be defeated by someone who knows how to get the keylogger installed on a remote computer.

    That's just my opinion.

    --
    Ops, I shuld have usd the prevuwe but in.
  72. s/et al./etc. by Anonymous Coward · · Score: 0

    et alli means "and other people." You want et cetera which means "and other things."