[ISN] Beware the keystroke cops

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 10 Sep 1998 - 14:32:53 CDT
Forwarded From: kingade <kingade@technologist.com>

http://www.techweek.com/articles/9-7-98/paranoia.htm

Beware the keystroke cops
by Sarah Ellerman

Steve McGrath has been working late, and when he finally gets home his
girlfriend is on the computer—again. "Who do you talk to on that thing,
anyway?" he asks. "Nobody much," she says, hastily shutting down Netscape. 

Later that night, his girlfriend sleeping, McGrath types on her computer a
few simple commands.  The phosphorous evidence is burned onto the screen: 
Those messages to "nobody much" included phrases such as, "I still miss
you" and "my joke of a boyfriend" and "out of town next week." Ken Starr
would have been proud of this high-tech sleuthing. 

To snoop on his former girlfriend, McGrath (who did not want his real name
used in this story) used a simple tool that tracks every keystroke made on
a computer, software that is raising complex privacy questions at home and
in the workplace. 

Keystroke recorders or "loggers" are simple programs that read keystrokes,
including deletions, and save them to a hidden file. The programs can be
difficult to detect but they are far from obscure; many can be downloaded
from the Internet either for purchase or for use as shareware. 

Such programs typically were developed for legitimate reasons, but that
does not mean they aren’t used in nefarious ways. Richard Eaton, president
of WinWhatWhere Corp. (www.winwhatwhere.com), maker of software that can
track a PC user’s progress through different windows and documents, wrote
the original version of WinWhatWhere as a time-management and
project-billing tool. The company later added keystroke logging to its
Investigator product due to customer demand. Leon Yan, managing director
of Amecisco Ltd., developed Amecisco’s Invisible KeyLogger when a user
tampered with the settings of a network that Yan administered. 

Indeed, security is the top "legitimate" use of keystroke recorders. Most
of Amecisco’s customers are network professionals who use Invisible
KeyLogger for network auditing, says Yan. Other companies also maintain
that security-minded sysops deserve access to users’ keystrokes. 

What types of companies place their employees under such surveillance?
Popular legend has it that many companies keep tabs on the typing speed
(and number of backspaces) of data-entry workers, but it’s not readily
admitted due to questionable legality and potential complaints of "Big
Brother" behavior. The Florida Department of Transportation, however, is
one satisfied user of WinWhatWhere. 

"They suspected that employees were abusing the system and they installed
it. Within a week, they found that somebody was running a business there,"
says Eaton.  Another large company installed the program on the laptops of
the sales force to measure productivity and software needs. "To their
dismay, they found that their sales force spent over 60 percent of its
time surfing the Net in inappropriate places," he says. Thus, a
time-tracking tool morphed into censorware.  (WinWhatWhere can also run in
a mode that is visible to the user, making it an effective deterrent for
Web-wandering employees.) 

The potential uses of keystroke recorders go far beyond the obvious
applications of keeping tabs on employees.  Several keystroke recorders
are marketed as parental controls, giving parents the ability to see not
only what Web sites their children visit, but also the content of their
e-mails, school papers and chat sessions. Recorders that track both
keystrokes and timing are used to perfect interface design; NASA deployed
WinWhatWhere in designing the user interface for the space station. The
software replaces a primitive system in which researchers stood behind
users and took notes on every move they made. 

                       Ethics 101

The variety of uses and abuses of these tools raises tough ethical
questions. "It’s not just for evil," insists WinWhatWhere’s Eaton,
although he admits the company has had to distance itself from the ethical
questions of the end use of the tool. Hal Gumbert, creator of the
shareware Keystroke Recorder (www.kagi.com/campconsulting), agrees, saying
that since his is not the only tool on the market, "I feel that I have no
connection or responsibility. I cannot control how or why it is used." 

All tools are subject to irresponsible use.  Yan of Amecisco points out
that recordable CDs can be used to pirate software, but no one questions
their right to exist. "We strongly condemn anyone who uses our product for
any illegitimate purposes," he says. Gumbert’s software is extremely
popular and carried on many shareware sites, although one site
discontinued offering it after some teachers complained that students were
using it to gather teachers’ passwords. 

The ethics of using such products is one minefield; the legality is
another. Winn Schwartau, author of Information Warfare and the upcoming
Time-Based Security, is a security expert who worked with the Department
of Defense twelve years ago in developing a security system that included
keystroke recording. The controversial issue finally came before the
Department of Justice, which handed down a recommendation (but not a
ruling) discouraging the practice because any evidence gathered would
likely be rendered inadmissible due to the inherent invasion of privacy. 

Law enforcement officials can monitor keystrokes with a court order, but
individuals can land in legal hot water. Frank Jones, president of Codex
Data Systems Inc., a security firm based in New York, believes they
violate U.S. Code 2512, which prohibits the surreptitious interception of
oral, wire or electronic communications. "That’s a federal law,"  says
Jones. "It’s punishable by five years in jail and up to $250,000 in fines.
A keystroke logger is a device that is primarily designed for
surreptitious interception of data communications. There is no getting
around this. Depending on how it’s used, you may or may not be charged
federally." 

Is it OK to install one on your own computer? In Yan’s opinion, "It’s
certainly legal to use this program on your own computer for parental
control purposes." But even that is up for interpretation. "It is my
opinion, under these existing laws, that a person who uses a keystroke
logger without a court order, even though it’s their computer, could be
subject to the eavesdropping law," says Jones, likening it to the
felonious act of recording a phone conversation between two unsuspecting
parties. 

It’s a gray area at best, say the experts, and companies use these
programs at their peril. Recent court decisions upholding an employer’s
right to read employee e-mails only complicate the issue. Gary Weiss,
co-managing partner of the Silicon Valley office of Orrick, Herrington &
Sutcliffe, says a logical analogy might be drawn: "The law is fairly clear
now that if you tell employees, if you give them notice that the computer
system is there as a tool and it is not to be used for personal use, and
that their e-mails are subject to examination, that that is not a
violation of their privacy rights." But he cautions that privacy laws in
California are still being revised and the use of keystroke recorders has
not been settled. 

In July, an unnamed juvenile was tried in federal court in New York for
using a Trojan horse program that stole more than 500 passwords from AOL
users simply by recording their keystrokes. The youth pled guilty to one
count of unlawful interception of electronic communications. He had not
been sentenced at press time, but the incident should make anyone involved
with keystroke recorders sit up and take warning. 

The programs are a tangible threat to Silicon Valley, where the theft of a
trade secret or proprietary software code can threaten a company’s
existence. "If I were into serious industrial espionage, damn right I’d
use this stuff," says Schwartau. "I’d use it in a heartbeat." 

Damage from such programs is already visible. A new program called Back
Orifice (a pun on Microsoft’s Back Office) is wreaking havoc for some
Windows users. Back Orifice was released in August by one of the oldest
and best-known hacking groups in existence, Cult of the Dead Cow
(www.cultdeadcow.com). The program, easily delivered to a standalone PC
through various methods, including attachment to an e-mail message, is a
back door into Windows 95 and 98 systems. Its stated purpose is to allow
sysadmins remote control over networks, but it is also useful for logging
keystrokes, downloading files, stealing passwords and executing commands
on the target computer. 

Microsoft said in an advisory that Back Orifice "does not expose or
exploit any security issue in Windows."  However, their statement noted
that users who are tricked into installing the program could suffer
damage. 

               Getting DIRT on criminals

There is another powerful tool for surreptitiously intercepting data, but
it is only available to law enforcement and the military. Called DIRT
(Data Interception and Remote Transmission), it was released in June by
Codex Data Systems. Investigators need only know your e-mail address to
secretly install the program. Once they do, investigators can read your
documents, view your images, download your files and intercept your
encryption keys. DIRT was developed to assist law enforcement in
pedophilia investigations, but future uses could include drug
investigations, money laundering cases and information warfare. 

How is DIRT different from Back Orifice? The sale of DIRT is restricted,
while Back Orifice is free for the downloading. Also, there are already
fixes available for Back Orifice, but no way yet to defend against DIRT. 

Most feel secure when they encrypt their data, but it’s an illusion of
comfort if a keystroke monitor is involved. DIRT defeated Pretty Good
Privacy in a matter of minutes at a recent conference simply by stealing
the user’s key as it was typed in. 

                    Save yourselves

Users can take measures to defend themselves. "You want to get rid of
conventional passwords, absolutely. If you’re using static passwords, you
deserve what you get," says Schwartau. He adds that floppy drives on a
network should go; what good are they, he asks, except for bringing in
games and viruses, and bringing out your proprietary information? He
suggests disabling file sharing and disallowing unexamined executables
behind firewalls. 

Gumbert simply warns, "Don’t do anything on a computer that’s not yours or
that you don’t intend for everyone to know about." 

Sarah Ellerman (sarahe@techweek.com) is a Bay Area freelance writer. 

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Thu Sep 10 16:31:34 1998