More and more people have made the switch to using the
Internet for personal tasks—online bill paying and shopping are just two
examples. But while companies tout the convenience of using the Web for such
purposes, the security
threats continue to mount.
That’s why user education is so important. Teaching users best
practices for being safe on the Web can help mitigate some of these threats.
But it’s also important that users understand the full extent of the risks.
For example, using an encrypted link (i.e., HTTPS rather
than HTTP) to access a bank or e-mail account online is a good way to protect
private information as it flows across the Internet. However, it’s
vital to remember that the encryption only protects the information in transit:
it doesn’t take place until the information leaves the machine, after the user
has already typed it. This creates a vulnerability that some people may not be
aware of: keystroke logging.
Keystroke loggers are a dangerous security threat,
particularly because—like other forms of spyware—the user can’t detect their
presence. Let’s look at the different versions of keystroke loggers and discuss
what you can do to protect your organization and your users from this threat.
Keystroke loggers are available in either software or
hardware versions. They can store everything a user types without the user ever
knowing they’re even there.
Some of the more clever software versions can even operate
without being flagged by antivirus or antispyware tools, such as Ad-Aware or
Spy Sweeper. Even worse, nothing can detect a hardware keystroke logger,
which can capture usernames and passwords as you log in to your machine.
Software keystroke loggers, such as CyberSpy Software, intercept data as the
user types. They typically store that data in hidden encrypted files on the
user’s computer.
When malicious hackers want to access this file, all they
have to do is start the program, which allows them to read everything the user
has typed since the program activated. Some of these programs even sort the
data according to the active window at the time of data entry and then categorize
the information (e.g., Web sites, e-mail, etc.).
Most antivirus and antispyware programs will miss software
keystroke loggers, so how can you protect against these sneaky programs?
Fortunately, there are some tools designed for this specific task. For
example, SpyCop and SnoopFree Software are both
specifically designed to detect software keystroke loggers.
On the other hand, hardware keystroke loggers, such as KeyGhost, are undetectable by any software.
These keystroke loggers are physical devices that sit between the keyboard and
the computer—connecting the keyboard with the keyboard port on the computer.
Some companies actually sell keyboards with built-in keystroke
loggers, which means there’s no way to visually detect them. These keystroke
loggers have built-in memory chips that can capture a year or more of typing.
Retrieval of that information requires typing a preset random-character
sequence that brings up a menu of commands.
While there’s no available software to detect hardware
keystroke loggers, you can take steps to defend your systems. Tell users to always
lock their computers when they’re away, and ask that they don’t surf the
Internet with an account that has administrative rights—i.e., the rights to
install software on the computer.
Final thoughts
Keystroke logging is an invasion of privacy and stands on
questionable legal grounds. However, just as with viruses, worms, and rootkits, that
doesn’t stop keystroke loggers from being available and distributed.
That’s why it’s more important than ever to arm your users
with knowledge and best practices. In addition, tell them to think twice about
using a public computer to access private information.
For a comprehensive list of keystroke loggers, Keyloggers.com maintains an updated list of both hardware and
software versions sold by a multitude of companies.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.