Keyloggers are one of the threats that keep security professionals awake at night. By monitoring user activity
and disclosing keystrokes to unauthorized individuals, keyloggers threaten to undermine many of the other security controls that infosec professionals put in place to protect the confidentiality, integrity and availability of information.
Take a moment to think about everything you've typed into your computer so far today. Chances are you've entered one or more passwords to access your computer, email or other systems. You may even have made a purchase with your credit card or typed a sensitive email to a spouse or colleague. Keyloggers threaten to bypass other security mechanisms and disclose this information to hackers.
In this tip, we'll review how to find a keylogger on your computers, and more importantly, how to defend against the malware.
Types of keyloggers
There are two basic categories of keyloggers: software and hardware. Software keyloggers operate in a fashion similar to many other categories of malicious code. In fact, viruses, worms and Trojan horses often carry keyloggers as their payload. Once the software keylogger is installed on your system, it uses one of several techniques to monitor all of the keys pressed by any user and relays them to the keylogger's creator.
Some keyloggers install themselves in a fashion that allows them to intercept the signal sent by the operating system to software applications when a key is pressed on the keyboard. Others infect the core of the operating system (known as the "kernel") to intercept keystrokes before they are processed. Still, others infect a Web browser and only monitor keystrokes entered into online forms. The sheer variety of keylogging software in the wild today makes it difficult to protect your systems against them.
Hardware keyloggers are even more difficult to detect. These devices also come in many forms but, at their most basic level, hardware devices are inserted between the computer and the keyboard. The keylogger may look like a simple extension plug connected directly to the back of your computer, or it may be embedded in the keyboard itself. When was the last time you checked the connection between your computer and your keyboard? Even if you've checked your own computer recently, how certain are you that every computer in your organization is checked on a regular basis?
(Image from Wikimedia Commons)
Protecting your computers against software keyloggers
The steps you should take to protect your organization against software keyloggers are the same that should be used to defend against any type of malware infection. Some simple actions you can take are to:
- Ensure that all computers in your organization use current antivirus software and perform periodic scans.
- Supplement your antivirus software with a solid antispyware package, such as Windows Defender, SpyBot or Ad-Aware.
- Verify that you're applying security patches to your operating systems and applications in a prompt fashion.
- Educate users about the dangers of installing unapproved software on their computers.
Hopefully, you're already doing all of these tasks. If not, it's a good time to update your security practices!
Protecting your computers against hardware keyloggers
Hardware keyloggers are much more difficult to detect. In fact, there really isn't a technology solution to this problem. You'll need to reach deep into your bag of tricks and pull out one of the fundamental principles of information security: physical security. Specifically, these three actions will help protect your systems against hardware keyloggers:
- Educate users about the ill effects of keyloggers and how they can be recognized. The best advice is to tell them to look for anything unusual on their keyboard, keyboard cable or connected to a USB port.
- Verify that the physical security controls in your facility are adequate to protect against intruders gaining access and surreptitiously installing keyloggers.
- Have IT staff routinely check for keyloggers whenever they visit a system for maintenance or end-user support.
Following these steps, in addition to those in the previous section, will help ensure you have a well-rounded defense against both categories of keyloggers.
Protecting your Web applications against keyloggers
If your organization runs Web applications for e-commerce, customer service, or other applications that process sensitive information, you also should spend some time thinking about how you can protect users (and therefore yourself!) from the compromise of their passwords. Here are two suggestions:
- Have users enter their password with an on-screen keypad instead of a textbox. This won't protect you against tools that capture screen activity, but will keep your users' passwords safe from ordinary keyloggers. An example from the US Treasury's website is shown below:
- Use token-based access control systems that require a user to have physical possession of a token to log in to your system. Purchased in bulk, these tokens cost a few dollars each, so it's only practical for applications like online banking or investing where you have a small number of high-value customers.
If you're selecting a Web application off the shelf, you'll want to make sure it includes support for these technologies. If you're developing your own applications, ask the developers to include them.
Keyloggers do pose a significant threat to the security of your network. However, by taking a few straightforward steps to secure your systems and Web applications, you can minimize the risk they pose to your sensitive information.
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
Send comments on this technical tip: firstname.lastname@example.org.