Software or hardware
Nicodemo Scarfo was caught out by a Magic Lantern, software keylogger that infected his machine through a Trojan, and this is the way that the majority of keyloggers work. The advantage of the software versions is that they are easy to install – despite the constant warnings, too many people lose the war between curiosity and caution and open up spyware, Trojan or virus-infected files and emails. Software also enables thieves to infect a huge number of machines and gather the data quickly, easily and remotely.
Fortunately, detection is becoming much easier. The attractions of the bigger corporates are tempered by the increasing awareness of IT security managers, who keep machines protected with the latest anti-virus software to prevent Trojans and spyware entering the system in the first place. Should a keylogger slip through the net, standard protection tools that monitor the status of a computer can detect and remove them.
Unfortunately, security managers are locked in a game of one-upmanship with criminals who have followed the lead of the most successful businesses and taken the maxim ‘innovate or die’ to heart. As security measures improve, so criminals find new ways to breach them. In this case that means hardware keyloggers. These devices are much harder to detect than software since they do not install any code onto the machine and cannot be spotted by traditional anti-virus or anti-spyware tools.
Installing the hardware
Hardware keyloggers take two main forms. The first, and probably the most common, is a small device installed at the back of a PC between the keyboard and its connection to the machine.
As with all hardware keyloggers, it requires the attacker to have physical access to the computer in question, both to install and later retrieve the device. With social engineering growing in sophistication, this doesn’t pose a problem to the determined individual, particularly as it takes a matter of seconds to install, and requires no technical skill. These kinds of keyloggers may only be approximately 1.5 inches long, but they have a memory capacity that allows up to two million key strokes to be recorded – which represents about five years’ worth of typing for the average computer user. Happily, this type of hardware keylogger is also the easiest to detect visually – provided you know what to look for.
More insidious forms of keyloggers are built into the keyboard. Thieves will either replace the keyboard completely or dismantle it, insert a keylogging device, and re-assemble it. Naturally this requires a greater degree of skill on the part of the criminal, and takes more time to complete. But the chances of visual or manual detection are almost zero.
The good news is that organizations can defend themselves against determined keyloggers. The first step, as with all effective security measures, is to educate and train users to raise awareness and create a culture of individual responsibility. The number of PCs in large companies makes it impractical for the IT security manager to check the back of every single box and every single keyboard manually. Users who carry out basic monitoring of their own equipment greatly increase the chances of detecting any rogue devices.
Secondly, organizations should look at alternatives to desktop PCs. Although still susceptible to hardware keyloggers, the inbuilt keyboards of laptop computers are far harder to tamper with. However, greater use of mobile devices brings new security challenges, which must be balanced against the reduced threat from keyloggers.