Nicodemo Scarfo Jr, a well-connected member of the New York and Philadelphia organised crime families, knows all about keylogging. But rather than using the technique to steal or launder money, he was brought down by the Magic Lanternkeylogger that the FBI installed on his computer via a Trojan.
It might not be the typical bullets and bloodshed picture of gangland America, but it was enough to indict him for running an illegal gambling ring and loan sharking. The Magic Lantern recorded every keystroke made and sent the information to the Feds - who were then able to piece together the evidence.
At the time the story raised a number of concerns about computer privacy. Now it serves as a useful reminder that there is a positive side to keylogging.
As well as serving the interests of law enforcement agents, keyloggers can help employers maintain productivity, protect valuable bandwidth and ensure optimum use of networked resources by monitoring employee activity online. Parents can even use them to check their children's computer activities.
But it is the darker side to these surveillance technologies that is more familiar to the majority of IT and security professionals.
By discovering user names, passwords and encryption codes from innocent users, keyloggers open up a whole world of extremely valuable information to thieves, who can plunder at will with very little chance of detection. Email addresses, instant messaging usernames, financial data and other sensitive details are all vulnerable to a keylogging attack.
Keyloggers are, therefore, ideal tools for industrial espionage or for accessing confidential corporate data. They can damage business relationships, financial standing, and reputation as a result. They can even cause an organisation to breach major pieces of legislation such as the Data Protection or Sarbanes Oxley Acts.
And it's not just large corporates that experience keylogging attacks. As more and more of us conduct our financial transactions online, our personal details are at risk from a carefully located keylogger. In fact, any individual or organisation that accesses, inputs or stores private information is at risk.
Logging the Keylogger
So how do keyloggers end up on our machines? Traditionally, keyloggers have been pieces of software, which can be installed on a computer through a virus or as spyware.
More recently, fake e-greetings cards were used to infect computers with keyloggers. When opened, the 'card' directed browsers to an exploit server that checked for web browser patches to find vulnerabilities, then downloaded a keylogger accordingly.
For the criminals concerned, the advantage of the software keyloggers is that they can infect a huge number of machines and gather the data quickly, easily and remotely.
Fortunately, it is also pretty straightforward to detect them. Anti-virus software that is kept up to date can prevent Trojans and spyware entering the system in the first place, particularly when anti-adware capabilities are added. And should a keylogger slip through the net, standard protection tools that monitor the status of a computer can detect and remove them.
Unfortunately, as software keyloggers get easier to identify, criminals find new ways to breach security measures.
The latest breed of hardware keyloggers are much harder to detect since they do not install any code onto the machine and cannot be spotted by traditional anti-virus or anti-spyware tools. They are, therefore, becoming more common as determined criminals realise that the returns to be gained from software versions have diminished.
Hardware keyloggers take two main forms. The first, and probably the most common, is a small device installed at the back of a PC between the keyboard and its connection to the machine.
As with all hardware keyloggers, it requires the attacker to have physical access to the computer in question, both to install and later retrieve the device. With social engineering growing in sophistication, this doesn't pose a problem to the determined individual, particularly as it takes a matter of seconds to install, and requires no technical skill.
These kinds of keyloggers may only be approximately 1.5 inches long, but they have a memory capacity that allows up to two million key strokes to be recorded - which represents about five year's worth of typing for the average computer user.
Happily, this type of hardware keylogger is also the easiest to detect visually - provided you know what to look for.
More insidious forms of keyloggers are built into the keyboard. Thieves will either replace the keyboard completely or dismantle it, insert a keylogging device, and re-assemble it. Naturally this requires a greater degree of skill on the part of the criminal, and takes more time to complete. But the chances of visual or manual detection are almost zero.
The good news is that companies can protect themselves from keyloggers. First of all they should ensure that regular checks are conducted and comprehensive employee IT training is given to raise and maintain awareness of the issue.
Certainly in large organisations it isn't practical for the IT security manager to manually check the back of every single box and every single keyboard. However, if users are able to carry out basic monitoring of their own equipment, the chances of detecting these rogue devices are greatly enhanced.
Secondly, they should consider the type of equipment that is used in the organisation. Although not immune from hardware keyloggers, laptop computers with their inbuilt keyboards are far harder to tamper with. However, greater use of mobile devices brings new security challenges, which must be balanced against the reduced threat from keyloggers.
In addition, secure tokens and similar devices that are used to provide a second authentication factor, after user names and passwords, have a role to play. Because the token’s passcode constantly changes, any data that is gathered by a keylogger is immediately ineffectual. It cannot be used again to gain access to the system.
Organisations should also consider increasing the use of drop down menus for gathering information. Instead of typing in information with trackable keystrokes, drop downs enable users to select characters or words with the mouse, which a keylogger cannot record.
However, there are also a number of products that have recently come on to the market that automatically identify keyloggers. These software solutions can then disable the devices by intercepting and blocking communications to it from the targeted computer. The software also alerts the IT department to the presence of keyloggers, which can then be removed.
Keyloggers are important because they highlight two key weaknesses of many IT security policies. The first is the reliance on passwords. No amount of sophisticated intrusion prevention or segmented access authorisation can counter a malicious user armed with a legitimate password.
The second area is that of old-fashioned physical security, a factor that can often be forgotten when devising strategies to protect virtual assets.
Although software keyloggers can be downloaded remotely and require no physical access to the machine to be infected, hardware keyloggers require the criminal to be in the presence of the targeted computer, even if it’s only for a matter of seconds.
Organisations therefore have to give the broadest possible definition to IT security to counter keylogging attacks. That means policies to help employees recognise social engineering attacks, and even conducting thorough background checks on auxiliary staff who have access to the building.
After all, if you think your data is important and worth protecting, the chances are that someone else will think it is worth stealing.