The spy in the machine

It might not inspire the next Scorsese film, but when mobster Nicodemo Scarfo Jr was brought down in 2001, it was not in a hail of bullets and bloodshed. Instead, Scarfo's illegal gambling and loan sharking business was exposed by a simple keylogger that the FBI had downloaded onto his computer. The keylogger recorded every keystroke made, and sent the information to the Feds – who were then able to piece it together and indict Scarfo on the evidence.

It is not just law enforcement that uses keyloggers. Employers can check productivity and monitor employee activity online. Parents can even use them to check their children's computer activities.

But there is a darker side to these surveillance technologies that presents a significant risk to companies and individuals alike. Using exactly the same principle, they open the door to a treasure-trove of valuable information, ripe for picking by the criminally minded. Thieves use keyloggers to discover user names, passwords and encryption codes. E-mail addresses, instant messaging usernames, financial data and other sensitive details are all vulnerable to a keylogging attack.

Keyloggers are, therefore, ideal tools for industrial espionage or for accessing confidential corporate data. They can damage business relationships, financial standing, and reputation. They can even cause an organisation to breach major pieces of legislation such as the Data Protection or Sarbanes-Oxley Acts.

It is not just large corporations that can experience keylogging attacks. As more and more of us conduct our financial transactions online, our personal details are at risk from a carefully located keylogger. In fact, any individual or organisation that accesses, inputs or stores private information is at risk.

So how do keyloggers end up on our machines? Traditionally, they have been pieces of software, which can be installed on a computer through a virus or as spyware. The FBI used a Trojan to download a keylogger called Magic Lantern when they caught Nicky Scarfo.

More recently, autumn 2006 saw a spate of fake e-greetings cards which directed browsers to an exploit server that checked for web browser patches to find vulnerabilities, then downloaded a keylogger accordingly. The software versions were popular because they could easily be installed on any number of machines, and the data collected frequently and easily.

Fortunately, they are also relatively straightforward to detect. Regularly updated anti-virus software can prevent Trojans and spyware entering the system in the first place, and guards against adware can be put in place. Protection tools that monitor the status of a computer can detect keyloggers that have slipped through the net and remove them.

Much harder to detect, however, are hardware keyloggers. They install no code onto the machine, so are much less likely to be discovered by traditional applications.

Unfortunately, they are also becoming more prevalent. The IT security fraternity is wise to the presence of keylogging software, and there are ever more sophisticated processes for detecting it. Determined thieves have therefore realised that traditional software keyloggers require updating.

Hardware keyloggers take three main forms. The first, and probably the most common, is a small device installed at the back of a PC between the keyboard and its connection to the machine. As with all hardware keyloggers, it requires the attacker to have physical access to the computer in question, both to install and later retrieve the device. This is unlikely to pose a problem to the determined individual, particularly as it takes a matter of seconds to install, and requires no technical skill.

This type of keylogger may only be about 1.5 inches long, but may have a memory capacity that allows up to two million key strokes to be recorded – or about five years' worth of typing for the average computer user. Happily, this type of hardware keylogger is also the easiest to spot.

More insidious forms of keyloggers are built into the keyboard. Thieves will either replace the keyboard completely or dismantle it, insert a keylogging device, and re-assemble it. Naturally this requires a greater degree of skill on the part of the criminal, and takes more time to complete. But the chances of visual or manual detection are almost zero.

The good news is that companies can protect themselves from keyloggers. First of all they should ensure that comprehensive employee IT security awareness training is given. It may not be practical for the IT manager to check the back of every single box or keyboard – but if users can monitor their own equipment, the chances of detecting rogue devices are greatly enhanced.

In addition, two-factor authentication devices that change passcodes every time they are used can counter keyloggers. As soon as the user signs in with the passcode, it becomes obsolete, so even if the code becomes known to the attacker, it is no longer valid for further use.

However, a more practical solution may be products that have recently come on to the market that automatically identify hardware keyloggers and alert the IT security department. The device can then be removed, and the data kept out of the wrong hands.

Sacha Chahrvin is managing director UK and Ireland, SmartLine Inc, www.devicelock.com