So you've now got PGP disk and email encryption all set up (after reading this site) and
you are using the best, most unbreakable passphrase in the world, right? However, if
the authorities (or other counter-force) want to get at your encrypted information badly
enough, there are still methods with which they can. Those methods include the use of
keylogging hardware and software, trojans and backdoors.
Now, having said that, we think the state has to be pretty interested in your
activism in order to break into your home or network to install a hardware or software
keystroke logger or backdoor program on your machine. Only you can assess how
likely that scenario would be in your own circumstances. We felt this site wouldn't be
complete without at least touching on this subject and what you can do to monitor your machine for this type of invasion.
When it comes to preventing tampering with your machine's hardware and software, physical control is
the most important means of protection at your disposal. That means that if the machine
contains important information, you should do whatever it takes to secure the box itself. Laptops
and PDAs are obviously preferable where this is concerned, as it is easy to keep one of
these smaller devices on your person or locked up at all times, whereas a desktop machine
is likely sitting relatively open in your home or office at all times.
Keystroke Loggers
Keystroke loggers come in both hardware and software forms and are used to capture and
compile a record of everything you type and then make it available, sometimes over e-mail
or a Web site, to the agency or individual snooping on you. Most keystroke loggers record
the application name, the time and date the application was opened, and the keystrokes
associated with that application. Keystroke loggers are becoming more popular with law
enforcement and employers because they capture information literally as it is being
typed, before any encryption can take place, which gives them the access they want to
passphrases and other usually well-hidden information.
Hardware keystroke loggers are what they sound like: hardware devices that attach to
your keyboard and record data. These devices generally look like a standard keyboard
adapter, so they can be hard to spot unless you are specifically looking for them. In order
to retrieve data from a hardware logger, the person who is doing the spying must regain
physical access to that piece of equipment. Hardware loggers work by storing information in
the actual device, and generally do not have the ability to broadcast or send such
information out over a network. To take a look at two of the main products on the market
(and to give you an idea of what to look for), check out KeyKatcher and KeyGhost.
KeyGhost also makes keyboards with the key logger built straight in, which makes
it much more difficult to spot. Note that because these are hardware devices, KeyKatcher
and KeyGhost will not be discovered by any anti-spyware, anti-virus or desktop
security program. You must visually inspect the back of your computer where the keyboard is
plugged in to detect their presence.
Software keystroke loggers are likely more prevalent because they can be installed
remotely (via a network, a piece of trojan software, or as part of a virus), and don't
require physical access to obtain keystroke data (data is often emailed out from the
machine periodically). Software loggers often have the ability to obtain much more data as
well, as they are not limited by the device's storage capacity in the same way. There are
hundreds of software keystroke loggers out there; the best known is Amecisco Invisible Keylogger Stealth. Other
programs that perform these functions include Spector, KeyKey Monitor, 007 STARR, Boss
Everywhere, and I-See-Ua. Check them out if you're interested in seeing how they work, and
what type of data they provide once installed.
We know for a fact that the FBI is using both hardware and software loggers. In
December 2001 there was a case in which the FBI put a hardware keylogger on the machine
of a member of an organized crime family, without first obtaining a wiretap warrant. In
that case the US Supreme Court ruled that the FBI did not need a warrant in order to record
keystrokes on a target's machine. For a software example, check out information about
Magic Lantern, developed as part of the FBI's Carnivore project: it is a trojan/key-logger
specifically aimed at gathering encryption key information for transmission back to the FBI.
Detecting Keystroke Loggers
The only way to check for keystroke logging hardware is to familiarize yourself with
what it looks like and visually scan your machine on a regular basis. Taking pictures of
the inside and outside of your machine when you get it is always a good idea, so you can
compare if anything seems to be out of place. For some specific ideas of what to look for,
check out the SpyCop page on this
subject.
In combating software loggers, you can also take a virtual snapshot of the contents of
your hard drive, as well as any alterations made by programs to other files. You must take
a new snapshot each time you install new software or make system upgrades in order to keep
it up to date. As well, you should store that "snapshot" file off your computer and in a
private location so that it can't be altered by someone having physical or remote access to
your machine. Products that take system snapshots include Snapshot Spy Pro and ArkoSoft System Snapshot (for
Windows boxes). Fcheck is one
of the more trusted programs out there for Linux machines; we're hoping one of you out
there can tell us whether or not Fcheck runs on OSX as well.
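To make the snapshot idea concrete, here is an added example of the technique (written for this page, not the code of Fcheck or of any of the products named above). It records a SHA-256 digest, size and permission bits for every regular file under a directory, diffs a later snapshot against that baseline to report added, removed and modified files, and seals the stored snapshot with an HMAC so that the copy you keep off the machine can be checked for tampering before it is trusted. The directory tree, file contents and the key `constructed-demo-key` in `demo()` are all constructed for the example.

```python
"""File-system snapshot and integrity check (added example, not a product named on the page)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def hash_file(path: Path) -> str:
    # Stream the file so large binaries never have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def take_snapshot(root) -> dict:
    """Map each regular file (path relative to root) to its digest, size and mode bits."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links, sockets and device nodes
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission and setuid/setgid bits only
            }
    return snap


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Report what changed between two snapshots of the same tree."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(f for f in base & cur if baseline[f] != current[f]),
    }


def seal_snapshot(snap: dict, key: bytes) -> bytes:
    """Serialize the snapshot and append an HMAC-SHA256 tag computed under `key`."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_snapshot(sealed: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the snapshot; raise if it was altered."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("snapshot file failed integrity check")
    return json.loads(body)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, and diff against the sealed baseline."""
    key = b"constructed-demo-key"  # in real use, a passphrase-derived key kept off the machine
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        sealed = seal_snapshot(take_snapshot(root), key)  # this is what you store off the box

        # Simulated changes: one binary altered, one file dropped in, one file deleted.
        (root / "bin" / "login").write_bytes(b"original binary plus extra code")
        (root / "etc" / "extra.bin").write_bytes(b"\x00")
        (root / "etc" / "hosts").unlink()

        report = compare_snapshots(open_snapshot(sealed, key), take_snapshot(root))

        # A snapshot file that was edited must be rejected, not silently used as the baseline.
        try:
            open_snapshot(b" " + sealed, key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `take_snapshot` over the system directories right after a clean install, seal the result with a key you do not keep on the machine, and re-run the comparison before trusting the box again; any file in the "added" or "modified" list that you cannot account for from your own upgrades deserves a closer look.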
There are a few programs out there specifically designed to detect keystroke logging
software. Two that have received good reviews are Anti-keylogger and SpyCop. Neither of these programs is free, but
Anti-keylogger does have a demo version that allows you to scan your machine for logging
programs. We haven't been able to fully test either of these programs, since we aren't
putting the money up to purchase them. We currently don't know of *any* program that checks
for Magic Lantern (please email us if you know otherwise).
Trojans & Backdoors
Another software method an investigating agency may utilize is a trojan carrying a
backdoor program. A trojan is a program that looks innocent but carries a dangerous
payload, like the Trojan Horse of Greek mythology. It may be disguised as a game or some
other kind of executable program, in the same way that viruses are often disguised. (Need
we remind you not to open up .exe files or other attachments coming from folks you don't
know?)
These trojans, once launched by the targeted user, carry a backdoor program (or maybe
just a few lines of code that create a security hole so that a backdoor program can be installed
later). A backdoor program allows the intruder to access your computer whenever it's on the
Internet. It's a remote control, and usually a very thorough one, with full access to every
facility and file on your computer.
It's obviously important to avoid getting a backdoor program inside your computer. The
best way is to use a competent virus protection program. Most of these will stop trojans
and backdoors getting through, unless you are permanently connected to the Internet, in
which case you should probably be looking at a good hardware or software firewall.
There's a free one that's easy to use called ZoneAlarm, available from ZDNet.
It's also recommended for users of regular modems who want to improve their security.
If your machine behaves strangely and you think you've got a parasitic backdoor (it's a
bit like somebody else having a remote keyboard for the same computer), manually unplug the
phone/ADSL line to break the connection and get yourself a top virus protection program.
Don't reconnect that machine to the Internet (not even to collect email) until you're sure
it's clean.
More Software
Symantec makes the Norton line of products for Windows and Macintosh machines that detect
viruses, provide some firewall protection and provide system snapshots.
Further Reading and Resources