This month, hackers in China attempted to place keystroke loggers onto UK Parliament systems via email messages. Phishing attacks in which keystroke loggers are installed on PCs are becoming more frequent. Keystroke loggers are also popular among hackers whose attack vector of choice is instant messaging. Because of the growth in the rate of keystroke logger attacks, I thought it might be a good idea to take a look at what a keystroke logger is, why this technology is a serious threat to your organization, and what you can do to protect your information assets.
A keystroke logger is software or hardware that captures each key pressed by a user. In this way, it can obtain user IDs, passwords, banking and credit card information, social security numbers, employee IDs, etc. The following is a list of other possible keystroke logger capabilities:
- Invisible to the user and to network defenses, like the perimeter firewall
- Invisible to support personnel viewing the Windows task list or startup list
- Remote installation and update
- Capture of screen information when the mouse is clicked
- Logging of web sites visited by the user
- Capture of instant messaging chat sessions
- Monitoring of the Windows clipboard
This information is then sent to the attacker for use in identity theft, theft of intellectual property, theft of national defense secrets, or other types of cyber crime. It’s important to point out that not all users of keystroke loggers are criminals. Keystroke logging is often used in testing software or in cyber crime investigations.
The threat to your organization is painfully obvious. An attacker can obtain critical and sensitive information about your business, your customers, and your employees without having to break into a database or having to crack a strong data center perimeter.
Protecting yourself against a keystroke logger attack is not easy. Due to the potential invisibility of the malware once it’s on one of your PCs, neither the user nor your support personnel may have any idea it exists. Further, anti-virus applications often fail to identify keystroke loggers. Finally hardware keystroke loggers that sit between the keyboard and the computer are completely undetectable by AV tools. Even more disturbing is the possibility that an attacker has replaced a user’s keyboard with one that has integrated keystroke logging. However, physical access to the system is necessary to mount a hardware-based attack. This makes capturing your data a little more challenging for the attacker. So what can you do to protect your critical assets?
Your defense against keystroke logging lies within two areas: technology and user awareness. In the area of technology solutions, applications like SpyCop and SnoopFree are designed to detect software keystroke loggers. But again, these applications won’t work against hardware-based attacks.
To protect your organization against hardware keystroke loggers, and to provide a first layer of defense against any type of logging attack, an organization must educate its users on the dangers associated with certain activities. Examples of steps users can take include:
- Locking their computers when they leave their work area
- Don’t surf the Internet with an account that has administrative rights; this provides an attacker with the rights necessary to install software on the system
Keystroke logging is just one threat facing organizations in this era of global networking. The best defense against this and other types of attack is a strong layered defense. Because no one safeguard is sufficient to protect your environment, design your network defenses so that multiple safeguards support each other. The only other option is to isolate your network from the outside world – hardly a wise business decision.
Author: Tom Olzak