Forwarded From: kingade <kingadeat_private>

http://www.techweek.com/articles/9-7-98/paranoia.htm

Beware the keystroke cops
by Sarah Ellerman

Steve McGrath has been working late, and when he finally gets home his girlfriend is on the computer—again. "Who do you talk to on that thing, anyway?" he asks. "Nobody much," she says, hastily shutting down Netscape.

Later that night, his girlfriend sleeping, McGrath types on her computer a few simple commands. The phosphorous evidence is burned onto the screen: Those messages to "nobody much" included phrases such as, "I still miss you" and "my joke of a boyfriend" and "out of town next week."

Ken Starr would have been proud of this high-tech sleuthing. To snoop on his former girlfriend, McGrath (who did not want his real name used in this story) used a simple tool that tracks every keystroke made on a computer, software that is raising complex privacy questions at home and in the workplace.

Keystroke recorders or "loggers" are simple programs that read keystrokes, including deletions, and save them to a hidden file. The programs can be difficult to detect but they are far from obscure; many can be downloaded from the Internet either for purchase or for use as shareware.

Such programs typically were developed for legitimate reasons, but that does not mean they aren’t used in nefarious ways. Richard Eaton, president of WinWhatWhere Corp. (www.winwhatwhere.com), maker of software that can track a PC user’s progress through different windows and documents, wrote the original version of WinWhatWhere as a time-management and project-billing tool. The company later added keystroke logging to its Investigator product due to customer demand.

Leon Yan, managing director of Amecisco Ltd., developed Amecisco’s Invisible KeyLogger when a user tampered with the settings of a network that Yan administered.

Indeed, security is the top "legitimate" use of keystroke recorders.
Most of Amecisco’s customers are network professionals who use Invisible KeyLogger for network auditing, says Yan. Other companies also maintain that security-minded sysops deserve access to users’ keystrokes.

What types of companies place their employees under such surveillance? Popular legend has it that many companies keep tabs on the typing speed (and number of backspaces) of data-entry workers, but it’s not readily admitted due to questionable legality and potential complaints of "Big Brother" behavior.

The Florida Department of Transportation, however, is one satisfied user of WinWhatWhere. "They suspected that employees were abusing the system and they installed it. Within a week, they found that somebody was running a business there," says Eaton.

Another large company installed the program on the laptops of the sales force to measure productivity and software needs. "To their dismay, they found that their sales force spent over 60 percent of its time surfing the Net in inappropriate places," he says. Thus, a time-tracking tool morphed into censorware. (WinWhatWhere can also run in a mode that is visible to the user, making it an effective deterrent for Web-wandering employees.)

The potential uses of keystroke recorders go far beyond the obvious applications of keeping tabs on employees. Several keystroke recorders are marketed as parental controls, giving parents the ability to see not only what Web sites their children visit, but also the content of their e-mails, school papers and chat sessions.

Recorders that track both keystrokes and timing are used to perfect interface design; NASA deployed WinWhatWhere in designing the user interface for the space station. The software replaces a primitive system in which researchers stood behind users and took notes on every move they made.

Ethics 101

The variety of uses and abuses of these tools raises tough ethical questions.
"It’s not just for evil," insists WinWhatWhere’s Eaton, although he admits the company has had to distance itself from the ethical questions of the end use of the tool. Hal Gumbert, creator of the shareware Keystroke Recorder (www.kagi.com/campconsulting), agrees, saying that since his is not the only tool on the market, "I feel that I have no connection or responsibility. I cannot control how or why it is used." All tools are subject to irresponsible use. Yan of Amecisco points out that recordable CDs can be used to pirate software, but no one questions their right to exist. "We strongly condemn anyone who uses our product for any illegitimate purposes," he says. Gumbert’s software is extremely popular and carried on many shareware sites, although one site discontinued offering it after some teachers complained that students were using it to gather teachers’ passwords. The ethics of using such products is one minefield, the legality is another. Winn Schwartau, author of Information Warfare and the upcoming Time-Based Security, is a security expert who worked with Department of Defense twelve years ago in developing a security system that included keystroke recording. The controversial issue finally came before the Department of Justice, which handed down a recommendation (but not a ruling) discouraging the practice because any evidence gathered would likely be rendered inadmissible due to the inherent invasion of privacy. Law enforcement officials can monitor keystrokes with a court order, but individuals can land in legal hot water. Frank Jones, president of Codex Data Systems Inc., a security firm based in New York, believes they violate U.S. Code 2512, which prohibits the surreptitious interception of oral, wire or electronic communications. "That’s a federal law," says Jones. "It’s punishable by five years in jail and up to $250,000 in fines. A keystroke logger is a device that is primarily designed for surreptitious interception of data communications. 
There is no getting around this. Depending on how it’s used, you may or may not be charged federally."

Is it OK to install one on your own computer? In Yan’s opinion, "It’s certainly legal to use this program on your own computer for parental control purposes." But even that is up for interpretation.

"It is my opinion, under these existing laws, that a person who uses a keystroke logger without a court order, even though it’s their computer, could be subject to the eavesdropping law," says Jones, likening it to the felonious act of recording a phone conversation between two unsuspecting parties.

It’s a gray area at best, say the experts, and companies use these programs at their peril. Recent court decisions upholding an employer’s right to read employee e-mails only complicate the issue.

Gary Weiss, co-managing partner of the Silicon Valley office of Orrick, Herrington & Sutcliffe, says a logical analogy might be drawn: "The law is fairly clear now that if you tell employees, if you give them notice that the computer system is there as a tool and it is not to be used for personal use, and that their e-mails are subject to examination, that that is not a violation of their privacy rights." But he cautions that privacy laws in California are still being revised and the use of keystroke recorders has not been settled.

In July, an unnamed juvenile was tried in federal court in New York for using a Trojan horse program that stole more than 500 passwords from AOL users simply by recording their keystrokes. The youth pled guilty to one count of unlawful interception of electronic communications. He had not been sentenced at press time, but the incident should make anyone involved with keystroke recorders sit up and take warning.

The programs are a tangible threat to Silicon Valley, where the theft of a trade secret or proprietary software code can threaten a company’s existence. "If I were into serious industrial espionage, damn right I’d use this stuff," says Schwartau.
"I’d use it in a heartbeat." Damage from such programs is already visible. A new program called Back Orifice (a pun on Microsoft’s Back Office) is wreaking havoc for some Windows users. Back Orifice was released in August by one of the oldest and best-known hacking groups in existence, Cult of the Dead Cow (www.cultdeadcow.com). The program, easily delivered to a standalone PC through various methods, including attachment to an e-mail message, is a back door into Windows 95 and 98 systems. Its stated purpose is to allow sysadmins remote control over networks, but it is also useful for logging keystrokes, downloading files, stealing passwords and executing commands on the target computer. Microsoft said in an advisory that Back Orifice "does not expose or exploit any security issue in Windows." However, their statement noted that users who are tricked into installing the program could suffer damage. Getting DIRT on criminals There is another powerful tool for surreptitiously intercepting data, but it is only available to law enforcement and the military. Called DIRT (Data Interception and Remote Transmission), it was released in June by Codex Data Systems. Investigators need only know your e-mail address to secretly install the program. Once they do, investigators can read your documents, view your images, download your files and intercept your encryption keys. DIRT was developed to assist law enforcement in pedophilia investigations, but future uses could include drug investigations, money laundering cases and information warfare. How is DIRT different from Back Orifice? The sale of DIRT is restricted, while Back Orifice is free for the downloading. Also, there are already fixes available for Back Orifice, but no way yet to defend against DIRT. Most feel secure when they encrypt their data, but it’s an illusion of comfort if a keystroke monitor is involved. 
DIRT defeated Pretty Good Privacy in a matter of minutes at a recent conference simply by stealing the user’s key as it was typed in.

Save yourselves

Users can take measures to defend themselves. "You want to get rid of conventional passwords, absolutely. If you’re using static passwords, you deserve what you get," says Schwartau. He adds that floppy drives on a network should go; what good are they, he asks, except for bringing in games and viruses, and bringing out your proprietary information? He suggests disabling file sharing and disallowing unexamined executables behind firewalls.

Gumbert simply warns, "Don’t do anything on a computer that’s not yours or that you don’t intend for everyone to know about."

Sarah Ellerman (saraheat_private) is a Bay Area freelance writer.