Keystroke logging

From Wikipedia, the free encyclopedia

Keystroke logging (often called keylogging) is a diagnostic tool used in software development that captures the user's keystrokes. It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. However, keyloggers are widely available on the Internet and can be used by private parties to spy on the computer usage of others.

Application

Keystroke logging can be achieved by both hardware and software means. Hardware keyloggers are commercially available devices which come in three types: inline devices that are attached to the keyboard cable, devices which can be installed inside standard keyboards, and actual replacement keyboards that contain the keylogger already built in. The inline devices have the advantage that they can be installed instantly. However, while they may go unnoticed for quite some time, they are easily detected visually upon closer inspection. Of the three devices available, the most difficult to install is also the most difficult to detect. The device that installs inside a keyboard (presumably the keyboard the target has been using all along) requires soldering skill and extended access to the keyboard to be modified. However, once in place, this type of device is virtually undetectable.

Hacking

Writing software applications for keylogging is trivial, and like any computer program a keylogger can be distributed as a trojan horse or as part of a virus. What is not trivial, however, is installing a keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker who manually connects to a host machine to download logged keystrokes risks being traced. A trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

Trojan

Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper[1] (their paper from '96 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging trojan is installed using a virus (or worm). An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board (e.g. Usenet).

Ciphertext

Young and Yung also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as unused. This can be done using a USB token. So, the trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the trojan author can decrypt the ciphertext because only the author knows the needed private decryption key. This attack is from the field known as cryptovirology.

Federal Bureau of Investigation

The FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr. He pleaded guilty to running an illegal gambling operation in 2002 ("Mobster's son pleads guilty of gambling; computer spying helped seal case" Associated Press, 1 Mar 2002). The FBI has also reportedly developed a trojan-horse-delivered keylogger program known as Magic Lantern.

Use in surveillance software

Some surveillance software has keystroke logging abilities and claims to monitor the internet use of minors. However, such software has been criticized because it can be used maliciously to gain unauthorized access to users' computer systems.

Contrary to common understanding, software keyloggers are simple to write. With a working knowledge of C or C++ and of the APIs provided by the target's operating system, it is straightforward to do this. Software keyloggers fall into the following categories:

1) Kernel based: This method is the most difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus practically invisible. They almost always subvert the OS kernel and gain unauthorised access to the hardware, which makes them very powerful. A keylogger using this method can act as a keyboard driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.

2) Hook based: Such keyloggers hook the keyboard with functions provided by the OS. The OS notifies them any time a key is pressed, and the keylogger records it.

3) Creative Methods: Here the coder uses functions like GetAsyncKeyState, GetForegroundWindow, etc.
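For defenders, the API names in these categories are a quick static triage signal. The following is an added example, not code from the original page: it scans a binary's printable strings for the two functions named above plus SetWindowsHookExA/W (the Win32 hook-registration call, added here as an assumption about what "hook based" refers to). The two sample byte strings are constructed for the demonstration.

```python
import re

# API names grouped by the page's categories. GetAsyncKeyState and
# GetForegroundWindow are named above; SetWindowsHookExA/W is an addition.
WATCHED_APIS = {
    "hook based": ("SetWindowsHookExA", "SetWindowsHookExW"),
    "polling": ("GetAsyncKeyState", "GetForegroundWindow"),
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def extract_strings(blob):
    """Printable ASCII runs of 6+ bytes, as the `strings` utility reports."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def triage(blob):
    """Map each category to the watched API names found in the binary."""
    strings = extract_strings(blob)
    report = {}
    for category, apis in WATCHED_APIS.items():
        # Substring match: the two hint bytes stored before an import name
        # can themselves be printable, so a run may be longer than the name.
        found = sorted(a for a in apis if any(a in s for s in strings))
        if found:
            report[category] = found
    return report

# Constructed sample: import-name entries (2 hint bytes, name, NUL).
SAMPLE_MONITOR = (b"MZ\x90\x00\x03\x00"
                  b"\x41\x21GetAsyncKeyState\x00"
                  b"\x9c\x01GetForegroundWindow\x00"
                  b"USER32.dll\x00")
# Constructed sample: a program that only does file I/O.
SAMPLE_EDITOR = (b"MZ\x90\x00"
                 b"\x10\x02CreateFileW\x00"
                 b"\x11\x02ReadFile\x00KERNEL32.dll\x00")

if __name__ == "__main__":
    for name, blob in (("monitor", SAMPLE_MONITOR), ("editor", SAMPLE_EDITOR)):
        print(name, triage(blob))
```

A hit is a reason to look closer, not a verdict: hotkey managers and accessibility tools import the same functions, and a packed binary hides its import names from a string scan.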

Keylogger prevention

Currently there is no easy way to prevent keylogging. In the future it is believed that software with secure I/O will be protected from keyloggers. Until then, however, the best strategy is to use common sense and a combination of several methods.

Monitoring what programs are running

Users should constantly observe the programs which are installed on their machines. Also, a perpetrator can use devices connected to PS/2 and USB ports to secretly install a keylogger and later remove it (along with the user's data).

Anti-spyware

Anti-spyware applications are able to detect many keyloggers and remove them. Responsible vendors of monitoring software support detection by anti-spyware programs, thus preventing abuse of the software.

Firewall

Enabling a firewall does not stop keyloggers per se, but can possibly prevent transmission of the logged material over the net.

Network monitors

Network monitors (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "phoning home" with his or her typed information.

Automatic form filler programs

Automatic form-filling programs can prevent keylogging entirely by not using the keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. (Someone with access to browser internals and/or memory can often still get to this information; if SSL is not used, network sniffers and proxy tools can easily be used to obtain private information too.)

It is important to generate passwords in a fashion that is invisible to keyloggers and screenshot utilities. Using a browser-integrated form filler and password generator that does not just pop up a password on the screen is therefore key. Programs that do this can generate and fill passwords without ever using the keyboard or clipboard.

Alternative Keyboard Layouts

Most keylogging hardware and software assumes that a person is using the standard QWERTY keyboard layout, so with a layout such as Dvorak the captured keystrokes are nonsense unless converted. For additional security, custom keyboard layouts can be created using tools like the Microsoft Keyboard Layout Creator.

On-screen keyboards

Program-to-program (non-web) keyboards

It is sometimes said that a third-party (or first-party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not true, because for most on-screen keyboards (such as the on-screen keyboard that comes with Microsoft Windows XP), a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text sent as typed characters from one program to another with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Web-based keyboards

Web-based on-screen keyboards (written in JavaScript, etc.) may provide some degree of protection. At least some commercial keylogging programs do not record typing on a web-based virtual keyboard. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Notably, the game MapleStory uses, in addition to a standard alphanumeric password, a 4-digit PIN code secured by both on-screen keyboard entry and a randomly changing button pattern; there is no real way to get the latter information without logging the screen and mouse movements. Another MMORPG, RuneScape, makes a similar system available for players to protect their in-game bank accounts.
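The randomly changing button pattern described above can be modelled on the server side as follows. This is an added example, not code from the original page or from either game; the `PinPadSession` class, the fixed layouts and the sample PIN are assumptions constructed for the demonstration.

```python
import hmac
import secrets

DIGITS = "0123456789"

class PinPadSession:
    """One login attempt: a fresh digit layout that is valid for one use."""

    def __init__(self, layout=None):
        if layout is None:
            layout = list(DIGITS)
            secrets.SystemRandom().shuffle(layout)  # CSPRNG-backed shuffle
        if sorted(layout) != list(DIGITS):
            raise ValueError("layout must be a permutation of 0-9")
        self.layout = list(layout)  # layout[i] is the digit shown on button i
        self.used = False

    def positions_for(self, pin):
        """Button indices an honest user clicks to enter `pin`."""
        return [self.layout.index(d) for d in pin]

    def verify(self, positions, expected_pin):
        """Check clicked positions; the client never sends digits."""
        if self.used:
            return False            # layout is single-use: replays are refused
        self.used = True
        if not all(isinstance(p, int) and 0 <= p < 10 for p in positions):
            return False
        entered = "".join(self.layout[p] for p in positions)
        return hmac.compare_digest(entered, expected_pin)

def demo():
    pin = "4071"                                   # constructed sample PIN
    first = PinPadSession(layout="3891402765")     # fixed layout for the demo
    clicks = first.positions_for(pin)              # all a click logger sees
    accepted = first.verify(clicks, pin)
    replay_same = first.verify(clicks, pin)        # same session, second use
    second = PinPadSession(layout="7205913846")    # next attempt, new layout
    replay_new = second.verify(clicks, pin)        # old clicks, new layout
    return clicks, accepted, replay_same, replay_new

if __name__ == "__main__":
    print(demo())
```

Recorded click positions are useless against a later layout, which is why the page notes that an attacker would need the screen contents as well as the mouse movements.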

Non-technological methods

Most keyloggers can be fooled by alternating between typing the login credentials and typing characters somewhere else in the focus window.

References

  1. A. Young, M. Yung, "Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage," IEEE Symposium on Security & Privacy, pages 224-235, May 4-7, 1997.

External links

Software (Anti-keylogging)

  • PSM Antikeylogger - Free software (GPL) antikeylogger that blocks hook based keyloggers. For Windows 98, ME, 2000, XP.
  • Snoopfree Privacy Shield - Freeware antikeylogger that blocks hook based keyloggers as well as screen captures. For Windows XP.
  • I hate keyloggers - Freeware antikeylogger that blocks hook based keyloggers. For Windows 2000, XP.
  • MyPlanetSoft Anti-Keylogger - Freeware antikeylogger that blocks hook based keyloggers. For Windows 2000, XP.
  • KeyScrambler - Protects information entered in the browser (Firefox and Internet Explorer) from keyloggers. Free lite version available. For Windows 2000, XP.
  • Neo Safekeys - Free virtual keyboard that can fool keyloggers.
  • Mouse-Only Keyboard - Free virtual keyboard with protection against hook based keyloggers and clipboard protection.
  • KL-Detector v1.3 - Freeware on-demand keylogger scanner.
  • wssecure Application Monitor - Real-time process monitoring with signature verification.