Eng. Hector M Lugo-Cordero, MS CIS4361 Department of Electrical Engineering and Computer Science...


Eng. Hector M Lugo-Cordero, MS

CIS4361

Department of Electrical Engineering and Computer Science

February, 2012

University of Central Florida

What is keystroke logging?

- A keylogger is a background program or a hardware device that records all keystrokes.
- Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker.
- The attacker then checks the files carefully in the hope of finding passwords or other useful information.

What is keystroke logging? (cont.)

- Key loggers, as a surveillance tool, are often used by employers to ensure employees use work computers for business purposes only.
- Such systems are also highly useful for law enforcement and espionage.
- Keystroke logging can be achieved by both hardware and software means.

The good, the bad and the ugly

- Good: Companies can monitor the productivity of an employee; also useful for software development.
- Bad: Espionage.
- Ugly: External hardware can be caught easily, and installing software without the user noticing is hard.

Hardware key loggers

Come in three types:
- Inline devices that are attached to the keyboard cable
- Devices which can be installed inside standard keyboards
- Replacement keyboards that contain the key logger already built-in

Some hardware keyloggers

- Hardware KeyLogger Stand-alone Edition: a tiny hardware device that can be attached in between a keyboard and a computer.
- Hardware KeyLogger Keyboard Edition: looks and behaves exactly like a normal keyboard, but it keeps a record of all keystrokes typed on it.
- KeyGhost Hardware Keylogger: a tiny hardware device that can be attached in between a keyboard and a computer.
- KeyKatcher Keystroke Logger: a tiny hardware device that can be attached in between a keyboard and a computer.

Keylogger

The Hardware KeyLogger™ Stand-alone Edition is a tiny hardware device that can be attached in between a keyboard and a computer. It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user. The keystrokes can only be retrieved by an administrator with a proper password.

[Figure: BEFORE / AFTER]

Hardware KeyLogger™ Keyboard Edition

The Hardware KeyLogger™ Keyboard Edition looks and behaves exactly like a normal keyboard, but it keeps a record of all keystrokes typed on it. The recording process is totally transparent to the end user. The keystrokes can only be retrieved by an administrator with a proper password.

KeyKatcher

The KeyKatcher is a hardware device that logs activity as it is performed on the keyboard. The device works with any PS/2 keyboard and is not dependent on the operating system, because no software is required for the product to interact with the hardware.

The KeyKatcher records up to 32,000 bytes (keystrokes) in the 33k model or 64,000 bytes (keystrokes) in the 64k model. Even if the device is unplugged from the keyboard, it will still remember EVERYTHING and you won't lose a single keystroke.

Interacting with keylogger

Interacting with the keystroke logger is simple: it can be done from any PS/2-compatible keyboard/computer. You can take it off the computer it is on to examine the data on another computer, or perform the audit from that computer. Open a text program and type the passphrase which was set; the menu will be displayed. You can navigate through the menus by typing the number corresponding to the command.

Other approaches

There are other approaches to capturing info about what you are doing.

- Some keyloggers capture screens, rather than keystrokes.
- Other keyloggers will secretly turn on video or audio recorders, and transmit what they capture over your internet connection.

Software Key Logging

- Easy to implement – code is relatively normal.
- Hard to install – user can notice the presence of it.

Problems with installing a Key Logger

- An attacker that connects to the target to download the keystrokes risks being traced.
- Code that sends the information to an email address risks exposing the attacker.

Secure ways to install a key logger

- The program can be distributed through viruses and/or worms, and the attacker can claim to be a victim of it if s/he is caught.
- Use cryptography to prevent others from discovering the content, and decode it later.

Examples of key loggers

- Magic Lantern
  - developed by the FBI
  - is installed remotely via email attachment
- All in One Keylogger Spy Software
  - sends encrypted logs to desired email
  - tracks all users' activity

Examples of key loggers (cont.)

- Wiretap Pro
  - specializes in Internet monitoring
  - records chats, emails, web sites visited
- Ardamax Keylogger
  - monitors user activity in an encrypted way
  - data is stored as text or web page
  - used to maintain backups or monitor kids

Defending from a key logger

- Keep the computer up to date with:
  - Network firewall turned on
  - Anti-spyware
  - Anti-virus
- Check USB and PS/2 ports
- Check installed programs
- We can also make a practice of using only the soft (on-screen) keyboard. However, this is not completely secure.
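One way to back up the USB and PS/2 port check with a host-side inventory, as an added example that is not part of the original slides: it parses a listing in the format of Linux `/proc/bus/input/devices` and reports keyboard-capable devices that are missing from a known-good baseline, which catches a swapped-in replacement keyboard or an interposer that enumerates on the bus. A passive inline logger that never enumerates will not appear, so the physical inspection still applies. The sample listing, the vendor/product IDs and the baseline are constructed for illustration.

```python
import re

# Constructed sample in the format of Linux /proc/bus/input/devices (not real host data).
SAMPLE = """\
I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
H: Handlers=sysrq kbd event0 leds

I: Bus=0003 Vendor=1111 Product=2222 Version=0110
N: Name="Example USB Keyboard"
H: Handlers=sysrq kbd event5 leds

I: Bus=0003 Vendor=3333 Product=4444 Version=0111
N: Name="Example USB Mouse"
H: Handlers=mouse0 event6
"""

BUS_NAMES = {"0003": "USB", "0011": "PS/2 (i8042)"}

# Hypothetical baseline, recorded while the machine was known to be clean.
BASELINE = {("0011", "0001", "0001", "AT Translated Set 2 keyboard")}

def parse_devices(text):
    """Split the listing into one dict per device block."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dev = {}
        for line in block.splitlines():
            tag, _, rest = line.partition(": ")
            if tag == "I":    # bus type and vendor/product identifiers
                dev.update(kv.split("=", 1) for kv in rest.split())
            elif tag == "N":  # device name as reported by the device
                dev["Name"] = rest.split("=", 1)[1].strip('"')
            elif tag == "H":  # kernel handlers; "kbd" marks a keyboard source
                dev["Handlers"] = rest.split("=", 1)[1].split()
        devices.append(dev)
    return devices

def unknown_keyboards(text, baseline):
    """Return (bus, name) for keyboard-capable devices not in the baseline."""
    findings = []
    for d in parse_devices(text):
        if "kbd" not in d.get("Handlers", []):
            continue
        ident = (d.get("Bus"), d.get("Vendor"), d.get("Product"), d.get("Name"))
        if ident not in baseline:
            findings.append((BUS_NAMES.get(d.get("Bus"), d.get("Bus")), d.get("Name")))
    return findings

if __name__ == "__main__":
    print(unknown_keyboards(SAMPLE, BASELINE))
```

On a real host, pass the contents of `/proc/bus/input/devices` instead of `SAMPLE` and store the baseline somewhere the monitored user cannot modify.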


Questions