I've always had a problem typing my passwords in on computers I don't trust (think non-technical friends computers) and although I can usually avoid doing it, there are times when I still need to use them. My main concern is having my passwords stolen by a keystroke logger.
So my question is - is there a reliable way to detect keystroke loggers?
I know of hardware keystroke loggers like KeyGhost but I'm mostly interested in software based ones.
Answer
Following the change of emphasis of the title of the question to "How do I detect keystroke loggers in a reliable way?" much of my answer below is irrelevant. In short, I do not believe you can detect keystroke loggers in a reliable way. There are some ways to detect some of them, some countermeasures to limit their effectiveness and some ways to bypass them, and I discussed some of these in the rather dated answer below, but there is no reliable way to detect them. Have a read at the Wikipedia article on keylogging methods and countermeasures.
Not an easy problem.
Software keylogging
Bypassing software that picks up keycodes as keys are pressed and released can be done by using on-screen keyboards or cut and paste from screen-based data but that will not work with software working at lower levels (at some point the operating system has to feed the "simulated keypresses" to the application waiting for input).
The risk can be further reduced by using an operating system that is less likely to be a target for keylogging software attacks.
If this really matters and the hardware is clear of logging devices then booting a read-only copy of a known clean operating system (e.g. a checksummed live CD or DVD) is worth considering if the hardware/network owner permits this and the CD/DVD contains the applications you need and you know the setup parameters needed (passwords and data could be on an encrypted USB stick mounted, in a Unix-like system, to not allow file execution). Using your own hardware/software, following good security practices and rebuilding regularly from clean, trusted, checksummed media is another way forward.
The suggested mechanisms aim to reduce the risk of having keylogging software on the system. If a keylogger gets onto a system then a strong firewall policy may detect a keylogger attempting to send data back to its 'owner' over the network but that often assumes an onerous manual involvement in the firewall process (e.g. tuning the system to allow specific applications to use specific IP ports and addresses). Finally, as well as a keylogger on the system, some of what has been typed in may be visible if the data is transmitted over a network or the physical integrity of the filesystem is compromised. How these can be mitigated is beyond the scope of this question but must be included when considering application and system integrity. However, monitoring the network can show whether sensitive data is normally transmitted and also help to identify unexpected transmissions.
One-time passwords, changing passwords quickly if they might have been compromised, the use of keylogging software detectors (software that scans the PC looking for the signature of known keylogging software) are also amongst the possible countermeasures but all countermeasures have weaknesses.
Hardware and other keylogging
Whilst outside the immediate scope of your question these needs to be borne in mind. They include observation of network flows, devices connected between the keyboard and the PC, over-the-shoulder snooping, video cameras, acoustic or electromagnetic or vibration monitoring (e.g. see TEMPEST measures) or examination of RAM contents for information, if someone is interested enough in what you might be typing. Detection of these ranges from easy to impossible.
General
There is a helpful article on Wikipedia on keylogging methods and countermeasures that is well worth reading.
No comments:
Post a Comment