University of Cincinnati - UCit
 
 

Standards & Guidelines - Key Loggers


There's a bug in my keyboard...

Keyloggers are hardware or software that record keystrokes. They represent a serious threat to the privacy of computer users.

Keyloggers record every keystroke a computer user makes. They are marketed to monitor the computer usage of children or to catch a cheating spouse. They are used to steal credit card and bank account numbers, user names and passwords. They are also used to monitor employees.

Keyloggers can be installed by gaining physical access to the computer or through downloaded programs. Their small footprint in terms of memory and processor utilization makes them practically untraceable. Keyloggers can email or FTP the file containing keystrokes back to the person spying.

Keyloggers can be one of three types:

  1. Hardware keyloggers. Small inline devices placed between the keyboard and the computer. Because of their size they can often go undetected for long periods of time; however, they require physical access to the machine. These hardware devices can capture hundreds of keystrokes, including banking and email usernames and passwords.
  2. Software using a hooking mechanism. This type of logging is accomplished by using the Windows function SetWindowsHookEx() to monitor all keystrokes. The spyware typically comes packaged as an executable file that initiates the hook function, plus a DLL file that handles the logging functions. An application that calls SetWindowsHookEx() is capable of capturing even autocomplete passwords.
  3. Kernel/driver keyloggers. This type of keylogger runs at the kernel level and receives data directly from the input device (typically, a keyboard). It replaces the core software for interpreting keystrokes. It can be programmed to be virtually undetectable by taking advantage of the fact that it is executed on boot, before any user-level applications start. Since the program runs at the kernel level, one disadvantage of this approach is that it fails to capture autocomplete passwords, as this information is passed in the application layer.

Countermeasures

Keyloggers are practically impossible to track once installed. However, there are several preventive measures that can be taken.

  1. Most Windows users should be given restricted privileges by being made part of the User group.
  2. The Administrator group should have very few members, and they should be subject to a strong password policy.
  3. No one should ever connect to the Internet or even the internal network while logged in to the computer as an administrator. Doing so gives network eavesdroppers carte blanche access to the machine and the opportunity to remotely install software.
  4. The computer's keyboard port should be inspected to see if a hardware keylogger is attached.
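
One way to check countermeasures 1 through 3 on a Windows machine, as an added example that is not part of the original guideline. It assumes Windows PowerShell 5.1 or later; the `$AllowedAdmins` entries are constructed placeholders to be replaced with the accounts your site actually approves.

```powershell
# Added example: audit the account-related countermeasures on the local machine.
# Uses the Microsoft.PowerShell.LocalAccounts and NetAdapter modules that ship with Windows.

# Constructed allow-list (assumption): accounts approved to be local administrators.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account
    'EXAMPLE\Workstation Admins'         # placeholder domain group, not a real name
)

# Countermeasure 2: the Administrators group should have very few members.
$members    = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
$unexpected = @($members | Where-Object { $AllowedAdmins -notcontains $_.Name })

"Administrators group has $($members.Count) member(s)."
if ($unexpected.Count -gt 0) {
    'Members not on the allow-list:'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}

# Countermeasure 1: the logged-on user should be an ordinary user.
# $isMember only detects direct membership, not membership through a nested group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$isMember  = $members.Name -contains $identity.Name

if ($isMember) {
    "WARNING: $($identity.Name) is a direct member of Administrators."
}

# Countermeasure 3: no network connection while working as an administrator.
$activeAdapters = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
if ($elevated -and $activeAdapters.Count -gt 0) {
    "WARNING: elevated session with $($activeAdapters.Count) active network adapter(s):"
    $activeAdapters | Select-Object Name, InterfaceDescription | Format-Table -AutoSize
}

if (-not $isMember -and -not $elevated -and $unexpected.Count -eq 0) {
    'No account-related findings.'
}
```

Countermeasure 4 has no software equivalent: an inline hardware device is only found by looking at the keyboard connection itself.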
 