
Be aware of the threat of hidden keystroke-logging devices


Keystroke loggers are a particularly dangerous security threat because users typically don't realize they're even there. Learn about the different versions of keystroke loggers, and get tips for protecting your organization and your users from this threat.

More and more people have made the switch to using the Internet for personal tasks -- online bill paying and shopping are just two examples. But while companies tout the convenience of using the Web for such purposes, the security threats continue to mount.

That's why user education is so important. Teaching users best practices for being safe on the Web can help mitigate some of these threats. But it's also important that users understand the full extent of the risks.

For example, using an encrypted link (i.e., HTTPS rather than HTTP) to reach a bank or an e-mail account protects private information as it travels across the Internet. But that protection begins inside the browser: the characters a user types pass through the keyboard, the operating system's input stack, and the application before TLS ever touches them. Anything that captures keystrokes at one of those earlier stages sees the plaintext, and HTTPS does nothing to stop it. That is the gap keystroke loggers exploit, and it's one many people aren't aware of.

Keystroke loggers are a dangerous security threat, particularly because -- like other forms of spyware -- they are built so that the user never notices them. Let's look at the different versions of keystroke loggers and discuss what you can do to protect your organization and your users from this threat.

Keystroke loggers are available in either software or hardware versions. They can store everything a user types without the user ever knowing they're even there.

Some of the more clever software versions can operate without antivirus or antispyware tools, such as Ad-Aware or Spy Sweeper, flagging them. Worse, no software running on the machine can see a passive hardware keystroke logger, which records usernames and passwords as you log into your machine -- before the operating system, let alone any security software, is involved.

Software keystroke loggers, such as CyberSpy Software, hook the keyboard input path and intercept each keystroke as the user types. They typically write what they capture to hidden, often encrypted, files on the user's computer.

When the attacker wants the data, all he has to do is run the logger's own viewer, which reads back everything the user has typed since the logger was activated. Some of these programs even sort the data according to the active window at the time of data entry and then categorize the information (e.g., Web sites, e-mail, etc.), so a captured password arrives already labeled with the site it belongs to.

Mainstream antivirus and antispyware products often miss software keystroke loggers, so how can you protect against these sneaky programs? Fortunately, there are programs designed for this specific task. For example, SpyCop and SnoopFree Software are both designed to detect software keystroke loggers; SnoopFree does it by alerting on any program that tries to read the keyboard or the screen. A more general check is to look at which processes actually have the keyboard open: a logger has to read the input device somehow, and on most systems that access is visible to an administrator who knows where to look.

On the other hand, hardware keystroke loggers, such as KeyGhost, are invisible to any software running on the computer. These keystroke loggers are small physical devices that sit inline between the keyboard and the computer -- plugged into the keyboard port, with the keyboard plugged into them -- and record the signals passing through. Because a passive inline device never talks to the operating system, no scanner, firewall, or host agent will ever see it; the only way to find one is to look at the back of the machine.

Some companies actually sell keyboards with built-in keystroke loggers, which means there's no way to visually detect them. These keystroke loggers have built-in memory chips that can capture a year or more of typing. Retrieval requires typing a preset, seemingly random character sequence, which the device recognizes and answers by bringing up a menu of commands -- so the attacker needs only a few minutes alone at the keyboard to read everything out.

While there's no software that will detect a hardware keystroke logger, you can take steps to defend your systems. Physically inspect the keyboard cable and port on shared or exposed machines, keep a record of which USB devices belong on each machine so that an extra hub or unknown device stands out, and keep machines with sensitive roles behind a locked door. Against software loggers, tell users to always lock their computers when they're away, and ask that they don't surf the Internet with an account that has administrative rights -- i.e., the rights to install software (and kernel-level hooks) on the computer.
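
The device-inventory check mentioned above, as an added example written for this page (editor's code, not from the article or from KeyGhost): keep a baseline of the USB devices on a machine and diff the current lsusb listing against it, so that a hardware logger that enumerates as its own device, or as an extra hub in front of the keyboard, shows up as an unexplained new entry. Bus and device numbers change on every re-plug and are ignored; matching is on vendor:product ID plus description. Both listings in the code are constructed sample data. Loggers that mirror the keyboard's own descriptors, PS/2 inline devices, and loggers built into the keyboard never appear in lsusb at all, so this complements physical inspection rather than replacing it.

```python
"""Diff a saved USB inventory against the current 'lsusb' listing and report
devices that appeared or disappeared."""
import json
import re
import subprocess
from collections import Counter
from typing import List, Tuple

Entry = Tuple[str, str, str]          # (vendor id, product id, description)

LSUSB_RE = re.compile(
    r"^Bus \d{3} Device \d{3}: ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$")

# Constructed sample: inventory recorded when the workstation was deployed.
BASELINE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

# Constructed sample: the same machine later. The keyboard re-enumerated with
# a new device number (harmless) and an unexplained hub now sits in front of it.
CURRENT_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""


def parse_lsusb(text: str) -> Counter:
    """Count devices by (vid, pid, description), ignoring bus/device numbers."""
    inventory: Counter = Counter()
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            inventory[(m["vid"], m["pid"], m["desc"].strip())] += 1
    return inventory


def diff_inventory(baseline: Counter, current: Counter) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed). Counter subtraction keeps only positive counts,
    so a second copy of an already-present device is still reported as added."""
    added = sorted((current - baseline).elements())
    removed = sorted((baseline - current).elements())
    return added, removed


def audit(baseline_text: str, current_text: str) -> List[str]:
    """Human-readable findings; an empty list means the inventory is unchanged."""
    added, removed = diff_inventory(parse_lsusb(baseline_text), parse_lsusb(current_text))
    findings = []
    for vid, pid, desc in added:
        kind = "new hub (check what is plugged into it)" if "hub" in desc.lower() else "new device"
        findings.append(f"{kind}: {vid}:{pid} {desc}")
    for vid, pid, desc in removed:
        findings.append(f"missing device: {vid}:{pid} {desc}")
    return findings


def live_lsusb() -> str:
    """Current listing from the real lsusb binary (Linux with usbutils installed)."""
    return subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Usage on a real host: store parse_lsusb(live_lsusb()) as JSON at deployment
    # time, then run audit() on a schedule. Here the constructed samples stand in.
    baseline = parse_lsusb(BASELINE_LSUSB)
    print("stored baseline:", json.dumps([list(k) for k in baseline]))
    for line in audit(BASELINE_LSUSB, CURRENT_LSUSB) or ["no change"]:
        print(line)
```

Against the sample data the audit reports one finding, the new Genesys Logic hub, and nothing missing, because the keyboard's changed device number is deliberately not treated as a change. A hub that nobody plugged in, sitting between the keyboard and the host, is exactly the shape an inline USB logger can take; a logger that re-uses the keyboard's own vendor and product IDs will pass this check, which is why the article's advice to look at the back of the machine still stands.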

Final thoughts

Keystroke logging is an invasion of privacy and stands on questionable legal grounds. However -- just like viruses, worms, and rootkits -- that doesn't stop keystroke loggers from being sold and distributed.

That's why it's more important than ever to arm your users with knowledge and best practices. In addition, tell them to think twice about using a public computer to access private information.

For a comprehensive list of keystroke loggers, Keyloggers.com maintains an updated list of both hardware and software versions sold by a multitude of companies.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


51 comments
ra

I'm not an IT professional, so can someone offer advice: I use MS On-Screen Keyboard (which I run using quick-launch) to enter passwords. I've always hoped that logging software can't pick this up, but is there anything out there that can do so? Rob

maclaren

That's always been a real worry for those of us who handle everything from our financial data to our personal calendar online. My best bet, so far, is using some kind of password manager software that fills out ID and password fields on online forms just by clicking the mouse once. Since nothing is actually typed, key loggers, either hardware or software, cannot intercept your data. It works fine for the vast majority of sites, and for those where it doesn't work you can cut and paste your information using just mouse clicks as well. Of course, malware that checks for clipboard use would threaten the latter. Furthermore, at least once one will have to type his personal data when configuring the password manager program. However, that happens only once, and it can be done at a safe, non-networked machine. I have been using PasswordSafe, free software that can be downloaded at http://passwordsafe.sourceforge.net, for many years. Good luck out there!

Oigen

Try this. Enter the first one or two digits of your password. Then click some blank spot on the page and enter random digits. Return to the password entry box and enter the rest of your password. Do this randomly each time you enter your password. Result for keystroke loggers: Nonsense.

michael_orton

Keystroke loggers are easy to get, easier to install, and fairly easy to write. The results can easily be hidden in a .dll file and then can be retrieved with a Knoppix CD, as can your 500-digit PGP pass phrase for your 4000-digit keys! Really, if anybody can get access to a system, data recovery becomes a trivial matter. After having been into computing since IBM's STRETCH in 1961, I just don't believe that security and IT go together. Most of us get away with it because there is no enemy out there with enough time, effort and resources to spend to copy our secrets, and our secrets are not worth the effort anyway.

records

What happens if we use programs like Roboform to complete certain info - can that still be intercepted?

malbadr

Nice article, thanks

oreste.romei

Recently I ran SnoopFree and it flagged Skype as a keystroke logger. What do you think about that?

catseverywhere

I looked at many of the products linked in the article; they all appear to run on Windows (the software varieties). I'm sure the access to data contained in the hardware loggers is Windows-based as well. I have to conclude then that running Linux or Mac renders this a non-issue, unless someone can point me to a Linux/Mac key logger...

JCitizen

I have never got an answer to this on any forum, including TechRepublic. Back in the 286 days a lot of programs used to record all keystrokes entered for use with their programs, so you could troubleshoot problems later. What about now? Is this practice no longer done (I don't mean undo recording either)? If it is, the bad guys wouldn't even need a key logger. He could just read the keyrecord file of a particular application and process the important stuff for export. Of course once SnoopFree Privacy Shield is installed I assume it would detect this process for any given application; but you would have to shred any previous old information from application files. I suppose CCleaner could do this very well for the very popular applications; can anyone suggest a better third party cleaner that recognizes such data? Some AV suites prevent specific data from being shipped out by HTTP, IM, and email. But the hacker could use FTP or some other port, couldn't they? Is there any information source out there that lists the record file names of popular applications that keep files such as this? P.S. Some AV products block access to the SpyCop link you provide. Are you sure it is legit?

jimdrvr99

Can a person physically open a keyboard and find the device and remove it?

catseverywhere

Contents of video output have long been readable. I even read, this many years back, that there were systems available that could reassemble your screen remotely, using the radio frequency (RF) output that leaks from your monitor. BTW, same with keystrokes. The "south bridge" has distinct RF characteristics that clearly delineate when its interrupt is being handled; then the ASCII characters that flow have their unique RF signature while being processed by the bridge. If you have a short wave radio, you can tune it to unused frequencies and hear your typing, and changes in the screen when they occur. Put the antenna up close to the motherboard or monitor and do some work; you'll be able to hear patterns, which do contain a ton of information, discernible with the right software. While on the subject, I am pleased to see the "I have nothing to hide" ruse hasn't reared its ugly head in this discussion. I do not have anything to hide myself, and actually don't care if someone out there hears what I have to say. The more the merrier; in fact, for a lot of the work I do I HOPE there's some paycheck-blinded spook listening in. My aim is to wake such people up. But there is a fundamental matter of freedom, and lines I have never, nor will ever, cross (e.g., "national ID"). I have long witnessed and publicly decried the slippery slope into what is basically becoming a "brave new world" high-tech global command and control slave grid. Just because 'we' can do something doesn't mean 'we' should. Not in the least. But most folks dream on, unaware of such things as human history and human nature. I want to leave a better world for my two young men now beginning their lives in the wild (ages 25 and 23). A broad, institutionalized and blatant intrusion into privacy, anywhere it is encountered, is to be rejected summarily. Once those institutions get a toe-hold, they never go away and only get worse. May you live in interesting times. cat

WhiteHat5555

If you type random characters in the blank space of the website, when the strokes are examined in a string, an easy way to isolate the pw is to eliminate any string of non-such characters or search for the same string of characters, which will make your pw stand out like a sore thumb. ALWAYS use the same random characters so the comparison is the identical 'read'. Another tool to use is a notepad keyboard. Just replicate all keyboard characters on the notepad and copy/paste the letters to a file on the flash drive, floppy, or CD (usually not a good place to save; CDs can get buried and/or lost somewhere, and for that matter so can floppies or flash -- flash can be stuffed in your wallet). Some logins do not allow a copy/paste pw, so one way or the other above should solve the keylogger problem.

catseverywhere

Is there no way to follow the focus? If the computer can do it, it would seem software running on the computer (aka key logger) could do the same... I wonder.

dirtylaundry

Notepad and Wordpad are great for this - I read this suggestion on a similar thread. Good to have it posted here.

bigredbird

My thoughts exactly. I use RoboForm2Go, which resides on a U3 flash drive. It seems to me that the best a keystroke logger could do is to intercept my master password for RoboForm, which will do them no good unless they can access my computer directly. Some risk when entering the information for the first time, of course... But I think it should be more secure than entering it every time, right?

Mond0

Be aware that there is currently a very bad worm/virus going around on the Skype system!

JCitizen

of whether an application is a logger or not. It does tell you whether or not a program is reading your keyboard or screen, and acts like a firewall for input devices such as these. To be safe I would set it to block Skype and see if you lose any functionality. I assume you have a good antispyware utility that should scan for and remove any keyloggers. Just recently Skype was found to have a serious security vulnerability, published by Secunia. I would check the site of origin for Skype regularly in anticipation of a patch for this vulnerability [preferably a legitimate site]. Other than that, the program probably does read your keyboard, although I have never heard of a legitimate installation doing any logging. There are a lot of nefarious download sites out there that do load keyloggers along with a bogus copy of Skype; user beware.

dirtylaundry

Google "linux keylogger" and you get your answer.

dirtylaundry

Has anyone actually used these? I didn't even like the look nor feel of either site. I installed SnoopFree Privacy Shield on a 3rd system I use to test OSes, programs and apps before I even consider using them for my main box. It didn't give me the QQ eyes in the taskbar nor inform me that I had to reboot for it to work until I manually rebooted. Also, there is no uninstall feature (aside from manually uninstalling it via remove programs in control panel). It did question Zonealarm Pro access and SpyBot S&D, warning me both were trying to capture/read my screen. Is there any background check or legitimate code check on this program to verify that it is NOT in and of itself a keylogger?

Mond0

If the keyboard is manufactured with a keylogger built into it, you'd probably damage the keyboard trying to remove it. Also, I have to question the inclusion of the keylogger site at the end of the article. It was moderately informative without that tidbit. I realize that this is a forum of mostly professional IT geeks, but I don't know of a single situation where I'd need a keylogger. There are so many other tools available for controlling the domain. Not the least of which is, as mentioned, educating the users! Unfortunately, the bad guys peruse forums such as this (directly or indirectly) for just such information. Delete one line from this article and it goes from weapon to usable defense information.

JCitizen

although I'm sure there are probably some sophisticated hackers that can work around this or any other input/output firewall; at least it seems to dupe the usual bots that I occasionally catch. Most of them use ieframe.exe or some file in Adobe Reader to collect information. When I see blocks to this I know I have some adware or something more serious in the present session. I usually update and scan with my anti-malware to remove the culprit. If it is a p2p or chat session I just avoid that site from then on, and warn the site administrator of the problem. It won't help with the James Bond extraneous RF spy methods you cite, of course, though. Good input, catseverywhere.

WhiteHat5555

The best part of waking up... is that we are waiting for the rest of us to wake up. The other fact is that 99.99% of everything on the Internet is never read by anyone; I think you're safe. Not enough eyes, not enough time... I for one am glad that the Patriot Act (i.e., DHS, etc.) is in place making our neighborhood safe since 9-11, and sincerely hope they continue to do so... toe-hold or not. Real-ID is just an earmark away from being a globalist's dream.

Mond0

... of the Patriot Act or even of Carnivore (or whatever the FBI is calling it now). PS You didn't see me here (it's for your own good)

Oigen

I should think yes, catseverywhere. There are routines in C++ libraries and in Java and in other languages to monitor mouse behaviour whereby one can establish mouse screen coordinates. I should think it wouldn't be difficult for the hackers to incorporate a thread in a key logger to constantly monitor the mouse to overcome the ruse. Of course if all key loggers do have such a routine then the "trick" won't work. Who knows if any do?

JCitizen

and left retrievable info in either of those utilities and didn't shred the document the logger program could retrieve the data from the undo file. I don't know if newer versions of Office have protection for this file or not. Of course you wouldn't make such a mistake; but I supply the argument for other readers.

catseverywhere

I still don't see any Linux key logger that can be loaded with this fact hidden from the user... Not having been specific, I sure deserved the "duh." But I was coming from (what I assumed to be correct) knowledge that there's no stealth Linux key logger. In other words, there doesn't appear to be such an animal that a normal user would be unaware of...

JCitizen

I agree with your concerns; my allegiance to security products only lasts as long as my paranoia holds out. I can only point to a long relationship with SnoopFree that has existed since 2003 for me, and an industry-wide acceptance for the product. So far I have never detected any behaviour that seems suspicious. If you already have malware on the system when you attempt to install, the installation or starting of the service will be botched or blocked. Once the offending malware is removed it usually goes smoothly. I was told once by someone I trusted [I think it was Patrick Kolla] that NO PROGRAM worth its salt needs to read your keyboard/screen to function properly nowadays. I block ALL applications until I find out whether functionality is compromised, and then I think really hard about whether I really want a program allowed if that functionality doesn't happen. On some occasions I will allow a read and then set it to deny immediately afterward. So far so good. I have never noticed a reduction of function with ZoneAlarm on the deny setting. I set SpyBot to deny. I suspect SpyBot S&D does a check to see if the user is actually entering the command input; this way there is no need for a console password to protect your settings in SpyBot. Eternal paranoia rules.

WhiteHat5555

Since this article tells us that it is impossible to detect keyloggers and has no good solution, there is only one way to defeat it. If everyone logging in would use this technique, no one would have to worry about keyloggers. Keyloggers only track keystrokes, not mouse clicks. Starting with the password textbox:
1. Enter the first one, two or three keystrokes.
2. Mouse click outside the box (anywhere in the unused website whitespace). Use a predetermined set of keystrokes for the next one, two, or three ghost entries (to be logged by the keylogger).
3. Mouse click inside the password textbox, enter one, two or three more actual password keystrokes.
4. Repeat until password completed -- add 1, 2, or 3 more keystrokes outside the textbox, mouse click, enter.
Example: Gt5 [mouse click outside] 28R [mouse click inside], repeat until complete. You must use the same exact white space alternates so that a hacker cannot determine by process of elimination which alternates are different, and leave only the pw strokes left. Long live the white hats...

JCitizen

because some old utilities and applications like ACAD 10 used to retain keystrokes in the application folders as well as the output files; if I remember correctly. These are the factors I've never been sure about with modern applications.

catseverywhere

Any sloppy system can no doubt be compromised regardless of OS. But for instance I run tripwire, and even a rootkit can't hide itself from such a raw snapshot of the fs. The only way I could see a key logger being installed on a well secured Linux system would be such as "adblock plus" from Mozilla not actually being adblock plus, for instance. Tripwire would show the modified files nonetheless, and if one cared to they could open whatever scripts and see what they are actually doing. The beauty of open source. It does seem to me that with a little forensic study a key logger could be revealed to the end user. I do not see how this is remotely possible with Windows, or even Mac OS for that matter. They are not wide open source. I suppose it is possible to thwart tripwire, dnotify (or inotify if you're lucky) and similar. But we're talking a whole lot of special attention. Whoever would want to do that would have to have a serious agenda, and a ton of computing power behind them. Linux allows for a total "paranoid" initial setup, NOTHING allowed until explicitly enabled. Add to this a firewall running iptables or pf, and I'd have to call casually picking up a key logger along the normal course of usage all but impossible. That said, I have no doubt does have the wherewithal and (usually bogus) rationalization for totally stealth Linux key logging (and other mayhem) but of this I have no direct proof. Nothing I have seen out there appears to be capable of getting past tripwire. I have been dead wrong before... ;)

dirtylaundry

I'm not going to list them here - I'm not going to do the work for someone, but they do exist and they can be found. The *duh* was more of my being incredulous than anything else.

j.e.rhoads

Hardware loggers are designed to work with a specific architecture and if Linux is running on the supported hardware then keystrokes will be logged; regardless of user permissions or encryption. If, instead, a kernel based all-software logger were being implemented how would a normal user be aware of it? Still, even if the logger were running in user space how would a normal user become aware of it? Or are you saying that you do not believe it possible to install, load or run a keylogger without the user being aware?

JCitizen

Especially on old machines that just don't have the power to run the new AV applications. Thanks Dumphrey and Mond0!

Mond0

The one that I use is MVPS (http://www.mvps.org/winhelp2002/hosts.htm). It seems to be the most comprehensive and many authorities give it high marks. Heck, if Kim says it's good, you better believe it! Or what you say? Have you heard what Chuck Norris can do to you? Neither have I... ;)

Dumphrey

I ran across a site one time that had hosts files to download that had in some cases thousands of entries for ad and spyware sites, all redirected to loopback. I should look that back up, as it's an easy and simple way to redirect known bad/unwanted sites. And it's fun to occasionally add google.com 127.0.0.1 to a friend's hosts file.

JCitizen

Our local learning institution uses "Deep Freeze". As a restricted user, everything entered or saved on the local account is wiped out when you log off. This forces the user to save to a floppy/memory stick; but a file storage server or separate drive works well here too. It is a lot easier to manage one server than a multitude of accounts and system units. Blocking file sharing to a separate drive would effectively isolate a problem in the system unit also. You can set it to freeze just the OS drive, I believe. If anyone has been to their site lately, please correct me if I am wrong. Although an administrator has to unfreeze the hard drive to install anything on the local or server system unit, it is less of a hassle than putting up with all the problems. This college has ended their malware problems permanently. I'm beginning to think this is good for the home user as well; you would only need one utility (well, two if you want to keep keyloggers off the present session). No updates; not needed (except MS updates)! Just the occasional ScanDisk and defrag. I believe they have a Linux/Unix version also! This would be real peace of mind, as I am not confident that all the flavors out there actually have absolutely no vulnerabilities.

inertia01

For my computer attached to the Internet I don't work particularly hard to keep data secure. First, but this doesn't work for everyone, I have bad credit, so good luck using my identity for purchases. Second, I usually spell my name wrong for my accounts so I know where things went wrong, and last, re-image if you wonder if you have a key logger or any other virus or spyware. I keep a ghost image so I can re-image in about 10 minutes. I believe in re-imaging rather than cleanup, although I've done my fair share of adware and virus removal. Also, I run a modified hosts file and add entries when I find another address I want to block. I find this works especially well when you share the Internet computer with children and novice computer users. Most of the time ads don't load and you almost never get any pop-ups. "Eternal paranoia rules" (quote from JCitizen). OMG this is so true, but just because you're paranoid doesn't mean they aren't out to get you! Thank you for your post.

JCitizen

I know next to nothing about it. I was surprised to see a recommendation for it. Trend Micro blocks the site link provided by the author; that is why I was bugging him about legitimacy. Perhaps an old trooper will chime in to defend this utility.

dirtylaundry

Thanks for your input and sharing your experience. It was helpful. :) I wish the original author would respond as well.

Mond0

I checked out SnoopFree Privacy Shield and downloaded it right away. Again, I'm thankful for your input in these forums. Keep up the good work! White hats like yours are always a welcome sight.

Dumphrey

Encrypting the flash drive is a good idea... I have lost 2 in the past 3 years... sigh... So far I have found TrueCrypt easy and effective, and I only need a simple password on the flash drive anyway. Hmm, a DVD-RW would be a good idea to back up my flash drive for when I lose it again... bleh... but thanks for the idea, w2k. Whitehat, I like that idea, but some of the newer keyloggers are starting to get mouse clicks; on-screen keyboards are no longer safe. Hardware keyloggers are the real threat long term, but at home I can tell if my computer has been moved (required to install a key logger), and at work the backs are all plainly visible. Software keyloggers are eventually picked up by AV products or SnoopFree (which I use religiously).

JCitizen

If more input/output devices used fiber optics for signaling (minus the gizmo you related to us), this would defeat a lot of the old RF methods of gleaning information from keyboards. CRT monitors and chipsets in motherboards would still be a problem though. I still read about breakthroughs in motherboard and chipset design where nanolasers will substitute for metal signal connections in circuit design. This actually solves a lot of problems with further circuit shrinkage in the new architecture. No more worries about the quantum limit for electron paths. This will further silence the RF noise that system units put out.

michael_orton

In the late 90s I actually saw one in use. All that you had to do was to open up the keyboard and cut through one printed circuit line; then the scroll lock LCD would flash with "a morse code" as each key was pressed. Replace it with an IR LCD and then use a filter on the end of a fibre bundle and you are in business. The equipment used was very similar to that which I had used in the nuclear industry since 1959. I thought it was top secret, the bugging equipment, but a Google got me a paper on the subject, OPTICAL TEMPEST, of which there are two forms; I was unaware of the other form at the time. See: Proceedings 2002 IEEE, ISBN 0-7695-1543-6, pp. 3-18. The paper was by Markus G. Kuhn, University of Cambridge Computer Laboratory, UK.

nhiep_nguyen

I also use an application PC-MacPasswordvault that stores user name and password in encrypted file and will fill in the required password without the need to type it. It's from Lavasoftware.

w2ktechman

and only insert it when needed. This can keep it from getting out if your system is compromised. NOTE: Keep all of your personal data and PWs on a flash drive. If you do your taxes on your system, move the file(s) to a flash drive as well (or CD, as they are cheap), and make a backup and store it under lock & key.

bchirgwin

At times use the mouse to select a few characters (more than one character). Click the delete key. This will delete 2 or 3 characters, but the keyloggers will not know how many characters have been deleted. Also store your passwords in a text file (not complete of course and add a few extra characters). Use the mouse to copy and paste the text into the password field. On Windows I use a product called RoboForm (www.roboform.com). I click a button and it auto fills fields for me. I don't type them. In addition, it prevents phishing scams as it will only allow the password to be typed on the correct domain. The Mac has similar software built into the OS.
