Financial Daily from THE HINDU group of publications
Monday, Mar 13, 2006
eWorld
Features
Stocks
Shipping
Archives
Google

Group Sites

 eWorld - Security
Columns - Security Musings


Spies track every keystroke

R.K. Raghavan

Cyber criminals use `key logging' to steal personal information from victims even as they key in such data into a computer.

Key logging was originally intended to be a diagnostic tool to determine sources of error.

A New York Times report of February 27, 2006, once again raises misgivings over the wisdom of conducting banking transactions over the Internet.

It draws our specific attention to a formidable menace in cyberspace, called `key logging', a variant of Phishing in a remote sense (because the objective of both is to steal the ID and User Names of targets).

To put it strongly, `key logging' makes a mockery of all existing security measures because it is a daring, and often successful, attempt to steal personal information from unsuspecting victims, even as the latter key in such data into a computer.

It is hard to detect and even more difficult to eradicate.

Imagine you're going online from a secure home in Nagercoil, and a predator sitting in Srinagar or Leh gets, almost instantaneously, a complete image of every letter that you type from your keyboard with which to secure access to your bank account. Can anything be scarier?

The New York Times refers to a recent incident reported from a northern Brazilian city Campina Grande in which 55 persons (including nine minors) were arrested for plundering sensitive information from unwary computer users whenever they did online banking.

The booty was $4.7 million from 200 different accounts in six banks.

Again, very recently, Russian law enforcement busted a gang that spirited away $1.1 million from French banks.

Also, an operation to steal £220 million from a UK bank last year was foiled by the country's super-smart National Hi-Tech Crime Unit (NHTCU) in London. Here again, the miscreants, said to be computer experts, resorted to key logging. These three instances are proof enough that it is not some paranoid cyber security nitwits who are talking about the monster that `key logging' is.

But do not for a moment think that `key logging' is an absolutely new phenomenon or some recent brainwave of the underworld. It has now been there for several years.

For example, in 2003, two persons were arrested in Tokyo for using a keystroke logger to get at bank account passwords for misappropriating $136,000.

There were possibly several other such intrusions into bank Web sites that have not been publicised, given the reluctance of commercial institutions the world over not to admit their online vulnerabilities.

The only point is that this breach in computer security has not received enough attention amidst all the dust raised by `phishing'.

Diagnostic tool degraded

What exactly is key logging? It is essentially an invisible software programme that runs in the background - although I am told that there are some hardware devices that can be installed between the keyboard cable and the socket in the rear of the computer - that bypasses documents and monitors the goings-on in a machine.

Originally intended to be a diagnostic tool to determine sources of error in a computer system, it has now degenerated into a weapon in the hands of dishonest elements.

Speaking in computer language, it is a Trojan that is concealed in software downloads or in e-mail attachments and is deployed to monitor the user's access to specific sites of interest to the intruder. As New York Times puts it, while phishing employs deception - making the victim wrongly believe that he is entering a Web site which is well known to him and which he trusts — in `key logging' the attacked computer is infected and the keyboard is kept on tab by a criminal. I am told that most of available anti-virus software does not normally detect such infection.

Is there any way you can protect yourself against all these kinds of misdeeds?

There are some who think that you can do precious little because of the presence of any number of layers of virtual drivers between the user and the keyboard in most of the operating systems.

Nevertheless, a few banks such as Westpac in Australia have tried an on-screen keypad for Internet banking sign-in. Here, the traditional sign-in page and the regular keyboard are eliminated.

The on-screen keypad carries technology that scrambles Customer IDs and passwords.

Lloyds in the UK has introduced key-ring-sized devices that generate six-digit codes to be typed in alongside user names and passwords.

Since the key-rings used by customers carry unique codes, they are considered to be an effective anti-key logging innovation. How effective are on-screen keypads and key-rings? We will have to wait for the findings.

Interestingly, `key logging' is occasionally used by law enforcement agencies to eavesdrop on suspects to find out what the latter are doing in cyberspace.

The FBI, in particular, has admitted to this practice that has gone on to raise judicial eyebrows. As early as 2001, the Bureau latched on a keystroke-recording device to a notorious mobster, Nicodermo Scarfo Jr's computer for obtaining the password to an encrypted file. The matter went before a Federal Judge in Newark (NJ) when challenged by Scarfo on the ground that the FBI did not obtain the prescribed wiretap order.

The judge, however, held that such an order was not required in this case, because the logger did not intercept any telephonic communication.

The FBI claim was that the logger had been so configured that it would pick up the keystrokes only when the modem was not transmitting.

What was possibly of greater comfort to the FBI was that it was not obliged to reveal to the defence the technology behind the operation, as such information was protected by the Classified Information Procedures Act 1980!

A humorous tail-piece! When the FBI Director, Robert Mueller, appeared before the US Senate for his confirmation hearing, he expressed his ignorance of the technology behind `key logging'. This was in the context of the Scarfo case.

One observer, Thomas Greene, writing in The Register, an online magazine who refused to believe that Mueller was speaking the truth, said: "... . that little gem had to be either a bald-faced lie, or evidence of his technical incompetence and consequent unfitness to lead the FBI in the 21st century."

I am happy that as CBI Director I did not have to appear before a committee to establish my cyber competence or reluctantly admit my ignorance!

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

More Stories on : Security | Security Musings

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
Ringing in a `national' village

`Out-of-the-box' thinking
A case of `serious disconnect' in a software contract
Join `search' party
Digitising audio tapes
Installing mobile data cable
`Sharpen skill sets, broaden risk appetite'
Spies track every keystroke
Good or bad, news is news
Quiz
Start a good brand with a lasting legend
Up for buys

The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription
Group Sites: The Hindu | Business Line | Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |

Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line