[ISN] Beware the keystroke cops

From: mea culpa (jerichoat_private)
Date: Thu Sep 10 1998 - 12:32:53 PDT

    Forwarded From: kingade <kingadeat_private>
    Beware the keystroke cops
    by Sarah Ellerman
    Steve McGrath has been working late, and when he finally gets home his
    girlfriend is on the computer -- again. "Who do you talk to on that thing,
    anyway?" he asks. "Nobody much," she says, hastily shutting down Netscape. 
    Later that night, his girlfriend sleeping, McGrath types on her computer a
    few simple commands.  The phosphorous evidence is burned onto the screen: 
    Those messages to "nobody much" included phrases such as, "I still miss
    you" and "my joke of a boyfriend" and "out of town next week." Ken Starr
    would have been proud of this high-tech sleuthing. 
    To snoop on his former girlfriend, McGrath (who did not want his real name
    used in this story) used a simple tool that tracks every keystroke made on
    a computer, software that is raising complex privacy questions at home and
    in the workplace. 
    Keystroke recorders or "loggers" are simple programs that read keystrokes,
    including deletions, and save them to a hidden file. The programs can be
    difficult to detect but they are far from obscure; many can be downloaded
    from the Internet either for purchase or for use as shareware. 
    Such programs typically were developed for legitimate reasons, but that
    does not mean they aren't used in nefarious ways. Richard Eaton, president
    of WinWhatWhere Corp. (www.winwhatwhere.com), maker of software that can
    track a PC user's progress through different windows and documents, wrote
    the original version of WinWhatWhere as a time-management and
    project-billing tool. The company later added keystroke logging to its
    Investigator product due to customer demand. Leon Yan, managing director
    of Amecisco Ltd., developed Amecisco's Invisible KeyLogger when a user
    tampered with the settings of a network that Yan administered. 
    Indeed, security is the top "legitimate" use of keystroke recorders. Most
    of Amecisco's customers are network professionals who use Invisible
    KeyLogger for network auditing, says Yan. Other companies also maintain
    that security-minded sysops deserve access to users' keystrokes. 
    What types of companies place their employees under such surveillance?
    Popular legend has it that many companies keep tabs on the typing speed
    (and number of backspaces) of data-entry workers, but it's not readily
    admitted due to questionable legality and potential complaints of "Big
    Brother" behavior. The Florida Department of Transportation, however, is
    one satisfied user of WinWhatWhere. 
    "They suspected that employees were abusing the system and they installed
    it. Within a week, they found that somebody was running a business there,"
    says Eaton.  Another large company installed the program on the laptops of
    the sales force to measure productivity and software needs. "To their
    dismay, they found that their sales force spent over 60 percent of its
    time surfing the Net in inappropriate places," he says. Thus, a
    time-tracking tool morphed into censorware.  (WinWhatWhere can also run in
    a mode that is visible to the user, making it an effective deterrent for
    Web-wandering employees.) 
    The potential uses of keystroke recorders go far beyond the obvious
    applications of keeping tabs on employees.  Several keystroke recorders
    are marketed as parental controls, giving parents the ability to see not
    only what Web sites their children visit, but also the content of their
    e-mails, school papers and chat sessions. Recorders that track both
    keystrokes and timing are used to perfect interface design; NASA deployed
    WinWhatWhere in designing the user interface for the space station. The
    software replaces a primitive system in which researchers stood behind
    users and took notes on every move they made. 
                           Ethics 101
    The variety of uses and abuses of these tools raises tough ethical
    questions. "It's not just for evil,"  insists WinWhatWhere's Eaton,
    although he admits the company has had to distance itself from the ethical
    questions of the end use of the tool. Hal Gumbert, creator of the
    shareware Keystroke Recorder (www.kagi.com/campconsulting), agrees, saying
    that since his is not the only tool on the market, "I feel that I have no
    connection or responsibility. I cannot control how or why it is used." 
    All tools are subject to irresponsible use.  Yan of Amecisco points out
    that recordable CDs can be used to pirate software, but no one questions
    their right to exist. "We strongly condemn anyone who uses our product for
    any illegitimate purposes," he says. Gumbert's software is extremely
    popular and carried on many shareware sites, although one site
    discontinued offering it after some teachers complained that students were
    using it to gather teachers' passwords. 
    The ethics of using such products is one minefield, the legality is
    another. Winn Schwartau, author of Information Warfare and the upcoming
    Time-Based Security, is a security expert who worked with the Department of
    Defense twelve years ago in developing a security system that included
    keystroke recording. The controversial issue finally came before the
    Department of Justice, which handed down a recommendation (but not a
    ruling) discouraging the practice because any evidence gathered would
    likely be rendered inadmissible due to the inherent invasion of privacy. 
    Law enforcement officials can monitor keystrokes with a court order, but
    individuals can land in legal hot water. Frank Jones, president of Codex
    Data Systems Inc., a security firm based in New York, believes they
    violate U.S. Code 2512, which prohibits the surreptitious interception of
    oral, wire or electronic communications. "That's a federal law,"  says
    Jones. "It's punishable by five years in jail and up to $250,000 in fines.
    A keystroke logger is a device that is primarily designed for
    surreptitious interception of data communications. There is no getting
    around this. Depending on how it's used, you may or may not be charged
    Is it OK to install one on your own computer? In Yan's opinion, "It's
    certainly legal to use this program on your own computer for parental
    control purposes." But even that is up for interpretation. "It is my
    opinion, under these existing laws, that a person who uses a keystroke
    logger without a court order, even though it's their computer, could be
    subject to the eavesdropping law," says Jones, likening it to the
    felonious act of recording a phone conversation between two unsuspecting
    It's a gray area at best, say the experts, and companies use these
    programs at their peril. Recent court decisions upholding an employer's
    right to read employee e-mails only complicate the issue. Gary Weiss,
    co-managing partner of the Silicon Valley office of Orrick, Herrington &
    Sutcliffe, says a logical analogy might be drawn: "The law is fairly clear
    now that if you tell employees, if you give them notice that the computer
    system is there as a tool and it is not to be used for personal use, and
    that their e-mails are subject to examination, that that is not a
    violation of their privacy rights." But he cautions that privacy laws in
    California are still being revised and the use of keystroke recorders has
    not been settled. 
    In July, an unnamed juvenile was tried in federal court in New York for
    using a Trojan horse program that stole more than 500 passwords from AOL
    users simply by recording their keystrokes. The youth pled guilty to one
    count of unlawful interception of electronic communications. He had not
    been sentenced at press time, but the incident should make anyone involved
    with keystroke recorders sit up and take warning. 
    The programs are a tangible threat to Silicon Valley, where the theft of a
    trade secret or proprietary software code can threaten a company's
    existence. "If I were into serious industrial espionage, damn right I'd
    use this stuff," says Schwartau. "I'd use it in a heartbeat." 
    Damage from such programs is already visible. A new program called Back
    Orifice (a pun on Microsoft's Back Office) is wreaking havoc for some
    Windows users. Back Orifice was released in August by one of the oldest
    and best-known hacking groups in existence, Cult of the Dead Cow
    (www.cultdeadcow.com). The program, easily delivered to a standalone PC
    through various methods, including attachment to an e-mail message, is a
    back door into Windows 95 and 98 systems. Its stated purpose is to allow
    sysadmins remote control over networks, but it is also useful for logging
    keystrokes, downloading files, stealing passwords and executing commands
    on the target computer. 
    Microsoft said in an advisory that Back Orifice "does not expose or
    exploit any security issue in Windows."  However, their statement noted
    that users who are tricked into installing the program could suffer
                   Getting DIRT on criminals
    There is another powerful tool for surreptitiously intercepting data, but
    it is only available to law enforcement and the military. Called DIRT
    (Data Interception and Remote Transmission), it was released in June by
    Codex Data Systems. Investigators need only know your e-mail address to
    secretly install the program. Once they do, investigators can read your
    documents, view your images, download your files and intercept your
    encryption keys. DIRT was developed to assist law enforcement in
    pedophilia investigations, but future uses could include drug
    investigations, money laundering cases and information warfare. 
    How is DIRT different from Back Orifice? The sale of DIRT is restricted,
    while Back Orifice is free for the downloading. Also, there are already
    fixes available for Back Orifice, but no way yet to defend against DIRT. 
    Most feel secure when they encrypt their data, but it's an illusion of
    comfort if a keystroke monitor is involved. DIRT defeated Pretty Good
    Privacy in a matter of minutes at a recent conference simply by stealing
    the user's key as it was typed in. 
                        Save yourselves
    Users can take measures to defend themselves. "You want to get rid of
    conventional passwords, absolutely. If you're using static passwords, you
    deserve what you get," says Schwartau. He adds that floppy drives on a
    network should go; what good are they, he asks, except for bringing in
    games and viruses, and bringing out your proprietary information? He
    suggests disabling file sharing and disallowing unexamined executables
    behind firewalls. 
    Gumbert simply warns, "Don't do anything on a computer that's not yours or
    that you don't intend for everyone to know about." 
    Sarah Ellerman (saraheat_private) is a Bay Area freelance writer. 