What is a key-logger?

A key-logger is a small device that connects in-line to a keyboard connected via USB or PS2 style plug. It is small and looks like a ‘fat’ adaptor.

These are small hardware devices that work with no installed software – unlike the software key-loggers that are either installed by virus/malware or yourself to typically monitor your children.

It contains memory that records all the keystrokes of a keyboard – that includes your user name, password and any other details you type. Just imagine all your details being recorded when you logon to your Internet banking website.

The device can be removed later when you are not near the PC and all the captured key strokes displayed.

.

Are they really a risk ?

Most definitely ! Click here for a news story of how they were used in a public library in Manchester UK.

In 2005, Sumitomo Bank in London had multiple hardware key-loggers installed by cleaning staff. The attackers attempted to steal GBP£220m. Read here for further details.

.

Here’s the bad news

• They can be easily concealed at the back of a PC.
• They look like a standard USB or PS2 adaptor.
• They avoid detection by software – this includes ‘end-point security’ type software.
• They don’t leave any trace of their activity.
• Even if you have a Citrix/Thin client environment, they still work.
• They will record all keystrokes made on the keyboard and replay them on demand later.
• Even if you restrict USB devices with storage capability, a USB key-logger will still function because it is independent of the PC.
• As long as the keyboard is connected by a USB or PS2 style connector, the key strokes will be picked-up for any operating system running on the PC, Mac or Unix/Linux device.
• Key-loggers are relatively inexpensive (from around £20) and are readily available.
• There are now wireless versions available.

.

What can you do?

How to avoid being recorded by a key-logger

• Firstly, check your PC yourself every time you use it. A quick look at where your keyboard is plugged in – make sure the keyboard lead is plugged directly into a port on the PC.
• If your PC is in a public place or isn’t yours (for example, in a library or Internet cafe – always check it first.
• Use an on-screen keyboard for entering sensitive data such as your user name and password. The on-screen keyboard uses a mouse to select characters instead of the keyboard.
• Use a one-time password device such as SecurID. This means that even if the password is recorded when you enter it, it will have changed on next use, rendering the recording of no value.

How to prevent key-loggers being used?

• Have a regular visual check of all PC type devices. This won’t necessarily find a key-logger if it is connected and removed between checks, but it is still well worth doing.
• Educate staff to be vigilant and perform their own visual checks.
• USB key-loggers tend to show on a PC as a generic USB hub – sometimes a Texas Instruments one. It would be possible to monitor for such changes, but there is no guarantee that all key-loggers will behave in such a way. If you are still using PS2 attached devices, this won’t help you either.

What do I do if I find a key-logger

One option is to set-up a ‘sting’. The key-logger device needs to be retrieved in order to be read. Therefore, keep watch or set-up a webcam to wait and watch for the device to be retrieved.

.

And finally….

Hardware key-loggers are a real risk to you and the business you work for. Be vigilant.

Four USA Treasury Web sites have been  taken-offline after their cloud computing host was hacked. The attack caused users to be redirected to a malicious site in the Ukraine.

The four URLs infected were BEP.gov (Bureau of Engraving and Printing), BEP.treas.gov, Moneyfactory.gov and Moneyfactory.com.  The type of attack was a script injection that redirected users. The attack was unusual in that only IP addresses that had not previously visited the Treasury site were targeted, which made it difficult for authorities to track.

Roger Thompson, chief research officer at AVG Technologies, first noticed the attack on Monday (03 May 2010). He is reported as explaining that the hackers added a small snippet of almost undetectable iframe HTML code that redirected visitors to a Web site in the Ukraine. This site then launched a variety of Web-based attacks based on a commercially available attack-kit called the ‘Eleonore Exploit pack’.

The Ukrainian Web site is associated with similar attacks, which targeted a small number of known software bugs, including flaws in Adobe Reader software.

In a statement, the USA Treasury said “The Bureau of Engraving and Printing (BEP)entered the cloud computing arena last year. The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous BEP and non-BEP websites were affected”.

At the time of writing this, the Web sites are still suspended and it isn’t clear how the hackers managed to install malicious code on the Treasury Department Web sites.

.

Final thoughts ….

The headlines suggest that the vulnerability is at the Cloud infrastructure level instead of the individual Web services hosted on it. Exact details aren’t yet know, but let’s hope it isn’t a ‘cloud computing’ issue, as it could impede the deployment of  cloud services to companies who are already nervous about jumping into a cloud service provider.

This issue does highlight just how important security is for the underlying cloud infrastructure layer, because an issue at this layer can potentially impact all services running on it.

.

Also read ….

• Cloud Computing – why is everyone so excited ?

Google has a single sign-on system known internally as ‘Gaia’ and allows users to log into many of Google’s services that it offers, such as Gmail, web search, business applications and others, using just the  one password.

The hackers stole the code after gaining access to the Google’s software repository – this is the ’crown jewels’ for their services. The hackers copied the software but it is not thought that they gained access to customer passwords, which means that users aren’t directly affected by the theft. However, the risk to Google is that the hackers could examine the software for security vulnerabilities to devise ways to gain access to the system that would later impact users.

Google announced in January 2010 that it had been hacked. The hackers had targeted the source code repositories at other companies.

It is believed that the theft started when an instant message was sent to a Google employee in China who was using Windows Messenger. The message included a link to a malicious website. When the employee clicked the link, the hackers were able to gain access to the employee’s computer. This meant that they were inside the Google corporate network and from there, they could connect to Google’s headquarters in California.  It is thought that the intruders know the names of the ‘Gaia’ software developers, because the hackers had access to an internal Google corporate directory that lists the business activities of every Google employee. 

According to a McAfee report, the hackers used a malicious website that was hosted in Taiwan. When the victim clicked on a link to the site, the site downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser. A binary executable (program) disguised as a JPEG file then downloaded to the user’s system that opened a backdoor into the computer, setting up a connection to the attackers’ command and control servers that were also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

Read More in this New York Times article.

This incident highlights the concerns that many people already have, that using ‘Cloud’ services can be less secure than private or own hosting. Entrusting your data to a third party provider needs careful due dilliegence to make sure the service and security protection is good enough for your needs.

The criminals were aged 31, 30 and 25. The investigators believe that other arrests may follow.

The first member of the gang was arrested in early February, when he inadvertently logged into the network without disguising the address of his computer. His computer allowed the investigators to link to two more suspects who were arrested later in the month.

The botnet was monitored and rendered inactive in December, following an investigation by the FBI, the Spanish Guardia Civil and security experts around the world.

The network of computers (botnet) was designed to steal sensitive information, including usernames, passwords, banking credentials and credit card data, from online e-mail services and social media sites. One of the criminas had 800,000 pieces of personal data on his machine.

Some very high profile businesses were targeted. Christopher Davis, chief executive of security firm Defence Intelligence, was one of the firms invited to join the Mariposa Working Group, which was set up to deal with the botnet in May 2009. Davis said “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised”.

A senior research advisor, Pedro Bustamante said the criminals behind the botnet did not have “advanced hacking skills”. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss,” he said.

The criminal gang made money by renting out parts of the botnet to other cyber-criminals in addition to selling stolen credentials and using banking and credit card information to make transactions via ‘money mules’.

Working with law enforcement agencies comes with a risk for security firms. After the botnet was closed down, Defence Intelligence were hit by a Distributed Denial of Service (DDoS) attack in an apparent act of retaliation. The firm remains determined to pursue such cases. Davis said “We will continue to fight the threat of botnets and the criminals behind them. We’ll start by dismantling their infrastructure and won’t stop until they’re standing in front of a judge”.

Zaman was sentenced to 46 months in jail and three years supervised release in addition to a US$75,000 fine by a court in Boston after pleading guilty to one count of conspiracy in April 2009.

Zaman laundered between $600,000 and $800,000 for Gonzalez, who also pleaded guilty to a string of cyber-attacks on several firms, resulting in the theft of tens of millions of payment card details. According to the court papers, Gonzalez asked to be paid for card numbers in digital currency or by wire to a bank account in Latvia.

In November 2005 Zaman used ATM cards linked to accounts in the names of fictitious or unrelated individuals to withdraw and repatriate approximately $38,000 of Gonzalez’s Latvian funds. He then sent the money in cash, minus a cut, to the hacker in Miami.

During 2005 and 2006, Zaman went to California for Gonzalez on three occasions. He picked up between $50,000 and $370,000 from an unknown man and then shipped the cash to Gonzalez in Federal Express boxes after taking his cut. A similar process was carried out from New York.

In March 2008, Zaman sent Gonzalez logs from Barclays ATM systems, where he was working as a programmer. Although Gonzalez uploaded these logs to a Latvian server, there was no evidence that the data was used.

Gonzalez was sentenced to 20 years and one day (owing to the need to deal with the peculiarities in the USA sentencing statutes), after pleading guilty to many attacks on different companies which include Heartland Payment Systems and TJX.

The impact to Heartland Payment Systems was significant. It agreed to pay US$2.4 million to settle a consumer cardholder class action suit for losses suffered. It also paid US$1.5 million for the cost of notice to the settling class, and $0.76 million to cover the legal fees.

Heartland also agreed to a $3.6 million settlement with American Express. Its provision for expenses related to the massive data breach were US$73.3 million.

December 2009

The hackers gained access to the database by using a well known SQL-injection method. This is something that should be tested during the development phase of a project.

The issue was made worse because RockYou attempted minimise the negative publicity by downplaying the incident. Firstly by covering it up by not notifying their users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and demonstrated that not only did he have access to the entire RockYou database, but passwords were stored in the clear. The issue then became worse when it was discovered that RockYou stored user credentials for social networks and other partner sites including MySpace and also webmail accounts.

The RockYou account creation process did not encourage or enforce strong passwords. It only enforced a password of a minimum length of five characters. There was no requirement for mixed-case, numbers and the process actually encouraged simple passwords by not allowing any punctuation at all. Passwords were communicated to new users of the service by clear text e-mails.

Interestingly, an analysis of the 32 Million passwords revealed the top 10 to be:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

This list shows how important it is to choose a password that cannot be obviously guessed.