Discussion on:

49 Comments
Hardware loggers
jimdrvr99@... Updated - 21st Sep 2007
Can a person physically open a keyboard and find the device and remove it?
Probably not
Mond0 21st Sep 2007
If the keyboard is manufactured with a keylogger built into it, you'd probably damage the keyboard trying to remove it.

Also, I have to question the inclusion of the keylogger site at the end of the article. It was moderately informative without that tidbit.

I realize that this is a forum of mostly professional IT geeks, but I don't know of a single situation where I'd need a keylogger. There are so many other tools available for controlling the domain. Not the least of which is, as mentioned, educating the users!

Unfortunately, the bad guys peruse forums such as this (directly or indirectly) for just such information. Delete one line from this article and it goes from weapon to usable defense information.
Since this article tells us that it is impossible to detect keyloggers and has no good solution, there is only one way to defeat it. If everyone logging in would use this technique, no one would have to worry about keyloggers.

Keyloggers only track keystrokes, not mouse clicks. Starting with the password textbox:
1. Enter the first one, two or three keystrokes.
2. Mouse click outside the box (anywhere in the unused website whitespace). Use a predetermined set of keystrokes for the next one, two, or three ghost entries (to be logged by the keylogger).
3. Mouse click inside the password textbox, enter one, two or three more actual password keystrokes.
4. Repeat until the password is completed: add 1, 2, or 3 more keystrokes outside the textbox, mouse click Enter.
Example: Gt5[mouse click outside]28R[mouse click inside], repeat until complete.
You must use the same exact white space alternates so that a hacker cannot determine by process of elimination which alternates are different, and leave only the pw strokes left.

Long live the white hats...
Additional ideas
bchirgwin 24th Sep 2007
At times use the mouse to select a few characters (more than one character). Click the delete key. This will delete 2 or 3 characters, but the keyloggers will not know how many characters have been deleted.

Also store your passwords in a text file (not complete of course and add a few extra characters). Use the mouse to copy and paste the text into the password field.

On Windows I use a product called RoboForm (www.roboform.com). I click a button and it auto fills fields for me. I don't type them.
In addition, it prevents phishing scams as it will only allow the password to be typed on the correct domain. The Mac has similar software built into the OS.
and only insert it when needed. This can keep it from getting out if your system is compromised.

NOTE: Keep all of your personal data and PWs on a flash drive. If you do your taxes on your system, move the file(s) to a flash drive as well (or CD as they are cheap), and make a backup and store under lock & key.
In the late 90s I actually saw one in use. All that you had to do was to open up the keyboard and cut through one printed cct line, then the scroll lock LCD would flash with "a morse code"
as each key was pressed. Replace it with an I/r LCD and then use a filter on the end of a fibre bundle and you are in business. The equipment used was very similar to that which I had used in the nuclear industry since 1959.
I thought it was top secret, the bugging equipment, but a Google got me a paper on the subject OPTICAL TEMPEST, of which there are two forms, I was unaware of the other form at the time.
SEE: Proceedings 2002 IEEE ISBN 0-7695-1543-6. pp 3-18.
The paper was by Markus G. Kuhn, University of Cambridge Computer Laboratory, UK.
If more input/output devices used fiber optics for signaling (minus the gizmo you related to us); this would defeat a lot of the old RF frequency methods of gleaning information from keyboards. CRT monitors and chipsets in motherboards would still be a problem though.

I still read about breakthroughs in motherboard and chipset design where nanolasers will substitute for metal signal connections in circuit design. This actually solves a lot of problems with further circuit shrinkage in the new architecture.

No more worries about the quantum limit for electron paths. This will further silence the RF noise that system units put out.
On a further note
Dumphrey Updated - 12th Dec 2007
encrypting the flash drive is a good idea... I have lost 2 in the past 3 years... sigh...
So far I have found TrueCrypt easy and effective, and I only need a simple password on the flash drive anyway. Hmm, a DVD-RW would be a good idea to back up my flash drive for when I lose it again... bleh.. but thanks for the idea w2k.

Whitehat.. I like that idea, but some of the newer keyloggers are starting to get to mouse clicks, on screen keyboards are no longer safe.

Hardware keyloggers are the real threat long term, but at home, I can tell if my computer has been moved (required to install key logger) and at work the backs are all plainly visible.
Software keyloggers are eventually picked up by AV products or SnoopFree (which I use religiously).
Good one, Dumphrey!
Mond0 14th Dec 2007
I checked out Snoop Free Privacy Shield and downloaded it right away.

Again, I'm thankful for your input in these forums. Keep up the good work! White hats like yours are always a welcome sight.
I also use an application PC-MacPasswordvault that stores user name and password in encrypted file and will fill in the required password without the need to type it.
It's from Lavasoftware.
What about this Mike?
JCitizen Updated - 21st Sep 2007
I have never got an answer to this on any forum including Tech Republic. Back in the 286 days a lot of programs used to record all keystrokes entered for use with their programs; so you could troubleshoot problems later. What about now? Is this practice no longer done (I don't mean undo recording either); if it is, the bad guys wouldn't even need a key logger. He could just read the keyrecord file of a particular application and process the important stuff for export.

Of course once SnoopFree Privacy Shield is installed; I assume it would detect this process for any given application; but you would have to shred any previous old information from application files. I suppose CCleaner could do this very well for the very popular applications; anyone suggest a better third party cleaner that recognizes such data?

Some AV suits prevent specific data from being shipped out by HTTP, IM, and email. But the hacker could use FTP or some other port couldn't they? Is there any information source out there that lists the record file names of popular applications that keep files such as this?

P.S. Some AV products block access to the SpyCop link you provide. Are you sure it is legit?
Has anyone actually used these? I didn't even like the look nor feel of either site. I installed SnoopFree Privacy Shield on a 3rd system I use to test OSes, programs and apps before I even consider using them for my main box. It didn't give me the QQ eyes in the taskbar nor inform me that I had to reboot for it to work until I manually rebooted. Also, there is no uninstall feature (aside from manually uninstalling it via remove programs in control panel). It did question Zonealarm Pro access and SpyBot S&D, warning me both were trying to capture/read my screen. Is there any background check or legitimate code check on this program to verify that it is NOT in and of itself a keylogger?
I agree with your concerns; my allegiance to security products only lasts as long as my paranoia holds out.

I can only point to a long relationship with SnoopFree that has existed since 2003 for me; and an industry-wide acceptance for the product. So far I have never detected any behaviour that seems suspicious. If you already have malware on the system when you attempt to install, the installation or starting of the service will be botched or blocked. Once the offending malware is removed it usually goes smoothly. I was told once by someone I trusted [I think it was Patrick Kolla] that NO PROGRAM worth its salt needs to read your keyboard/screen to function properly nowadays.

I block ALL applications until I find out whether functionality is compromised; and then I think really hard whether I really want a program allowed if that functionality doesn't happen.

On some occasions I will allow a read and then set it to deny immediately afterward. So far so good. I have never noticed a reduction of function with ZoneAlarm with the deny setting. I set SpyBot to deny. I suspect SpyBot S&D does a check to see if the user is actually entering the command input; this way there is no need for a console password to protect your settings in Spybot.

Eternal paranoia rules.
thank you
dirtylaundry 22nd Sep 2007
Thanks for your input and sharing your experience. It was helpful. happy I wish the original author would respond as well.
I know next to nothing about it. I was surprised to see a recommendation for it. Trend Micro blocks the site link provided by the author; that is why I was bugging him about legitimacy.

Perhaps an old trooper will chime in to defend this utility.
For my computer attached to the Internet I don't work particularly hard to keep data secure. First, but this doesn't work for everyone, I have bad credit so good luck using my identity for purchases. Second, I usually spell my name wrong for my accounts so I know where things went wrong and last re-image if you wonder if you have a key logger or any other virus or spy-ware.

I keep a ghost image so I can re-image in about 10 minutes. I believe in re-image rather than cleanup although I've done my fair share of ad-ware and virus removal.

Also, I run a modified host file and add entries when I find another address I want to block. I find this works especially well when you share the Internet computer with children and novice computer users. Most of the time, ads don't load and you almost never get any pop-ups.

"Eternal paranoia rules" Quote from JCitizen

OMG this is so true but just because you're paranoid doesn't mean they aren't out to get you!

Thank you for your post.
Our local learning institution uses "Deep Freeze". As a restricted user - everything entered or saved on the local account is wiped out when you log off. This forces the user to save to a floppy/memory stick; but a file storage server or separate drive works well here too.

It is a lot easier to manage one server than a multitude of accounts and system units. Blocking file sharing to a separate drive would effectively isolate a problem in the system unit also. You can set it to freeze just the OS drive, I believe. If anyone has been to their site lately, please correct me if I am wrong.

Although an administrator has to unfreeze the hard drive to install anything on the local, or server system unit; it is less of a hassle than putting up with all the problems. This college has ended their malware problems permanently.

I'm beginning to think this is good for the home user as well; you would only need one utility (well two if you want to keep keyloggers off the present session). No updates; not needed (except MS updates)! Just the occasional ScanDisk and defrag.

I believe they have a Linux/Unix version also! This would be real peace of mind as I am not confident that all the flavors out there actually have absolutely no vulnerabilities.
Hosts file
Dumphrey 12th Dec 2007
I ran across a site one time that had hosts files to download that had in some cases thousands of entries for ad and spyware sites, all redirected to loopback. I should look that back up, as it's an easy and simple way to redirect known bad/unwanted sites. And it's fun to occasionally add google.com 127.0.0.1 to a friend's hosts file.
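The hosts-file approach Dumphrey describes, worked through as an added example (this is not code from the thread, from the MVPS list or from any product named here): a small Python tool that parses a hosts file, appends blocklist domains pointed at loopback without duplicating entries already present, and audits the file for legitimate domains that have been sinkholed. The "google.com" prank he mentions is exactly what attacker tampering with a hosts file looks like, so the audit checks an allowlist against the sinkholed names. The sample hosts text and every domain in it are constructed for this example.

```python
"""Build and audit a hosts-file blocklist (added example, not from the thread)."""
import ipaddress
import re

# Sink address for blocked names. The thread uses 127.0.0.1; 0.0.0.0 is the
# other common choice because nothing listens there, so requests fail fast.
SINK = "127.0.0.1"

# Constructed sample hosts file, as it might exist on a workstation.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost

# Blocklist entries (constructed for this example)
127.0.0.1  ads.example.net  # banner ads
0.0.0.0    tracker.example.org
127.0.0.1  google.com   # the "prank" entry from the thread: a hijacked site
"""

# One or more DNS labels of 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_hosts(text):
    """Return a list of (ip, [hostnames]); comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address; a real tool would report the line
        names = [n.lower() for n in parts[1:] if HOSTNAME_RE.match(n)]
        if names:
            entries.append((ip, names))
    return entries


def sinkholed(entries):
    """Names mapped to a loopback or unspecified address (other than localhost)."""
    names = set()
    for ip, hosts in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            names.update(h for h in hosts if h != "localhost")
    return names


def merge_blocklist(text, domains, sink=SINK):
    """Append blocklist domains that are not already sinkholed; returns new text."""
    existing = sinkholed(parse_hosts(text))
    new = sorted(
        d.lower() for d in set(domains)
        if HOSTNAME_RE.match(d) and d.lower() not in existing
    )
    if not new:
        return text  # nothing to add, leave the file byte-for-byte unchanged
    lines = [text.rstrip("\n"), "", "# added by merge_blocklist"]
    lines += [f"{sink}\t{d}" for d in new]
    return "\n".join(lines) + "\n"


def audit(entries, allowlist):
    """Sinkholed names that are on the allowlist, i.e. legitimate sites hijacked."""
    return sorted(sinkholed(entries) & {a.lower() for a in allowlist})


if __name__ == "__main__":
    current = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sorted(sinkholed(current)))
    print("hijacked:", audit(current, ["google.com", "example.com"]))
    print(merge_blocklist(SAMPLE_HOSTS, ["spy.example.com", "ads.example.net"]))
```

Run it against a copy of the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) rather than editing in place, and keep the allowlist to the handful of sites you actually rely on; a hosts file is only consulted before DNS, so it blocks by name and does nothing for a site reached by IP.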
File site
Mond0 Updated - 14th Dec 2007
The one that I use is: MVPS

It seems to be the most comprehensive and many authorities give it high marks. Heck, if Kim says it's good, you better believe it!

Or what you say? Have you heard what Chuck Norris can do to you? Neither have I... wink
Especially on old machines that just don't have the power to run the new AV applications.

Thanks Dumphrey and Mond0!
I looked at many of the products linked in the article, they all appear to run on windows (the software varieties) I'm sure the access to data contained in the hardware loggers is windows based as well.

I have to conclude then that running Linux or Mac renders this a non-issue, unless someone can point me to a Linux/Mac key logger...
well duh
dirtylaundry Updated - 22nd Sep 2007
google linux keylogger and you get your answer
hmm
catseverywhere@... 23rd Sep 2007
I still don't see any Linux key logger that can be loaded and this fact is hidden from the user...

Not having been specific, I sure deserved the "duh." But I was coming from (what I assumed to be correct) knowledge there's no stealth Linux key logger.

In other words, there doesn't appear to be such an animal that a normal user would be unaware of...
Hardware loggers are designed to work with a specific architecture and if Linux is running on the supported hardware then keystrokes will be logged; regardless of user permissions or encryption.

If, instead, a kernel based all-software logger were being implemented how would a normal user be aware of it? Still, even if the logger were running in user space how would a normal user become aware of it?

Or are you saying that you do not believe it possible to install, load or run a keylogger without the user being aware?
tripwire, inotify, etc
catseverywhere@... Updated - 25th Sep 2007
Any sloppy system can no doubt be compromised regardless of OS.

But for instance I run tripwire, and even a rootkit can't hide itself from such a raw snapshot of the fs.

The only way I could see a key logger being installed on a well secured Linux system would be such as "adblock plus" from Mozilla not actually being adblock plus, for instance. Tripwire would show the modified files nonetheless, and if one cared to they could open whatever scripts and see what they are actually doing.

The beauty of open source. It does seem to me that with a little forensic study a key logger could be revealed to the end user.

I do not see how this is remotely possible with Windows, or even Mac OS for that matter. They are not wide open source.

I suppose it is possible to thwart tripwire, dnotify (or inotify if you're lucky) and similar. But we're talking a whole lot of special attention. Whoever would want to do that would have to have a serious agenda, and a ton of computing power behind them.

Linux allows for a total "paranoid" initial setup, NOTHING allowed until explicitly enabled. Add to this a firewall running iptables or pf, and I'd have to call casually picking up a key logger along the normal course of usage all but impossible.

That said, I have no doubt does have the wherewithal and (usually bogus) rationalization for totally stealth Linux key logging (and other mayhem) but of this I have no direct proof.

Nothing I have seen out there appears to be capable of getting past tripwire.

I have been dead wrong before... wink
well
dirtylaundry 24th Sep 2007
I'm not going to list them here - I'm not going to do the work for someone, but they do exist and they can be found. The *duh* was more of my being incredulous than anything else.
Recently I ran SnoopFree and I got Skype as keystroke-logger, what do you think about it?
of whether an application is a logger or not. It does tell you whether or not a program is reading your keyboard or screen; and acts like a firewall for input devices such as these. To be safe I would set it to block Skype and see if you lose any functionality. I assume you have a good antispyware utility that should scan for and remove any keyloggers.

Just recently Skype was found to have a serious security vulnerability published by Secunia. I would check the site of origin for Skype regularly in anticipation of a patch for this vulnerability [preferably a legitimate site].

Other than that the program probably does read your keyboard although I have never heard of a legitimate installation doing any logging. There are a lot of nefarious download sites out there that do load keyloggers along with a bogus copy of Skype; user beware.
Skype warning
Mond0 26th Sep 2007
Be aware that there is currently a very bad worm/virus going around on the Skype system!
What happens if we use programs like Roboform to complete certain info - can that still be intercepted?
My thoughts exactly. I use RoboForm2Go, which resides on a U3 flash drive. It seems to me that the best a keystroke logger could do is to intercept my master password for RoboForm, which will do them no good unless they can access my computer directly. Some risk when entering the information for the first time, of course... But I think it should be more secure than entering every time, right?
Keystroke loggers are easy to get, easier to install, and fairly easy to write.
The results can easily be hidden in a .dll file and then can be retrieved with a Knoppix CD, as can your 500 digit PGP pass phrase for your 4000 digit keys!
Really if anybody can get access to a system, data recovery becomes a trivial matter.
After having been into computing since IBM's STRETCH in 1961, I just don't believe that security and IT go together.
Most of us get away with it because there is no enemy out there with enough time, effort and resources to spend to copy our secrets, and our secrets are not worth the effort anyway.
Try this. Enter the first one or two digits of your password. Then click some blank spot on the page and enter random digits. Return to the password entry box and enter the rest of your password. Do this randomly each time you enter your password. Result for keystroke loggers: Nonsense.
Notepad
dirtylaundry 24th Sep 2007
Notepad and Wordpad are great for this - I read this suggestion on a similar thread. Good to have it posted here.
and left retrievable info in either of those utilities and didn't shred the document the logger program could retrieve the data from the undo file. I don't know if newer versions of Office have protection for this file or not.

Of course you wouldn't make such a mistake; but I supply the argument for other readers.
'nuff said
because some old utilities and applications like ACAD 10 used to retain keystrokes in the application folders as well as the output files; if I remember correctly.

These are the factors I've never been sure about with modern applications.
Is there no way to follow the focus? If the computer can do it, it would seem software running on the computer (aka key logger) could do the same...

I wonder.
I should think yes, catseverywhere.
There are routines in C++ libraries and in Java and in other languages to monitor mouse behaviour whereby one can establish mouse screen coordinates. I should think it wouldn't be difficult for the hackers to incorporate a thread in a key logger to constantly monitor the mouse to overcome the ruse. Of course if all key loggers do have such a routine then the "trick" won't work. Who knows if any do?
If you type random characters in the blank space of the website, when the strokes are examined in a string, an easy way to isolate the pw is to eliminate any string of non-such characters or search for same string of characters that will make your pw stand out like a sore thumb. ALWAYS use the same random characters so the comparison is the identical 'read'.

Another tool to use is a notepad keyboard. Just replicate all keyboard characters on the notepad and copy/paste the letters to a file in the flash drive, floppy, or CD (usually not a good place to save, CDs can get buried and/or lost somewhere, for that matter so can floppies or flash--flash can be stuffed in your wallet).

Some logins do not allow copy/paste pw, so one way or the other above should solve the keylogger problem.
That's always been a real worry for those of us who handle everything from our financial data to our personal calendar online. My best bet, so far, is using some kind of password manager software that fills out ID and password fields on online forms just by clicking the mouse once. Since nothing is actually typed, key loggers, either hardware or software, cannot intercept your data. It works fine for the vast majority of the sites and for those where it doesn't work you can cut and paste your information using just mouse clicks, as well. Of course, a malware that checks for clipboard use would threaten the latter. Furthermore, at least once one will have to type his personal data when configuring the password manager program. However, that happens only once and it can be done at a safe, non-networked machine. I have been using PasswordSafe, a free software that can be downloaded at http://passwordsafe.sourceforge.net for many years.

Good luck out there!
I'm not an IT professional, so can someone offer advice: I use MS On-Screen Keyboard (which I run using quick-launch) to enter passwords. I've always hoped that logging software can't pick this up, but is there anything out there that can do so?

Rob
Contents of video output have long been readable. I even read, this many years back, that there were systems available that could reassemble your screen remotely, using the radio frequency (RF) output that leaks from your monitor.

BTW same with key strokes. The "south bridge" has distinct RF characteristics that clearly delineate when its interrupt is being handled, then ASCII characters that flow have their unique RF signature while being processed by the bridge.

If you have a short wave radio, you can tune it to unused frequencies and hear your typing, and changes in the screen when they occur. Put the antenna up close to the motherboard or monitor and do some work, you'll be able to hear patterns, which do contain a ton of information, discernible with the right software.

While on the subject, I am pleased to see the "I have nothing to hide" ruse hasn't reared its ugly head in this discussion.

I do not have anything to hide myself, and actually don't care if someone out there hears what I have to say. The more the merrier, in fact a lot of the work I do I HOPE there's some paycheck-blinded spook listening in. My aim is to wake such people up.

But there is a fundamental matter of freedom, and lines I have never, nor will ever, cross. (e.g. "national ID") I have long witnessed and publicly decried the slippery slope into what is basically becoming a "brave new world" high-tech global command and control slave grid.

Just because 'we' can do something doesn't mean 'we' should. Not in the least. But most folks dream on, unaware of such things as human history and human nature.

I want to leave a better world for my two young men now beginning their lives in the wild. (ages 25 and 23) A broad, institutionalized and blatant intrusion into privacy, anywhere it is encountered, is to be rejected summarily. Once those institutions get a toe-hold, they never go away and only get worse.

May you live in interesting times.

cat
... of the Patriot Act or even of Carnivore (or whatever the FBI is calling it now).

PS
You didn't see me here
(it's for your own good)
Good post...
WhiteHat5555 27th Sep 2007
The best part of waking up...is that we are waiting for the rest of us to wake up. The other fact is that 99.99% of everything on the Internet is never read by anyone, I think you're safe. Not enough eyes, not enough time...I for one am glad that the Patriot Act, (i.e., DHS, etc.), are in place making our neighborhood safe since 9-11, and sincerely hope they continue to do so...toe-hold or not. Real-ID is just an earmark away from being a globalist's dream.
although I'm sure there are probably some sophisticated hackers that can work around this or any other input/output firewall; at least it seems to dupe the usual bots that I occasionally catch.

Most of them use ieframe.exe or some file in Adobe Reader to collect information. When I see blocks to this I know I have some adware or something more serious in the present session.

I usually update and scan with my anti-malware to remove the culprit. If it is a p2p or chat session I just avoid that site from then on; and warn the site administrator of the problem.

It won't help with the James Bond extraneous RF spy methods you cite, of course, though. Good input catseverywhere.