The RDV Group InfoSec Blog

Tuesday, February 28, 2006

Keylogger Basics - Part 1

Keyloggers are really hot in the news now. I'm going to post several overview pieces about how they work (excerpted from "Phishing: Cutting the Identity Theft Line.")

Keyloggers are a form of spyware that records user keystrokes. They can be either hardware devices or software programs. They record every key typed on a computer, sending this information to the person who installed it or saving it to be read later.The software versions may be delivered by Trojan horse email attachments or installed directly to the PC. The hardware version must be physically installed on the target machine, usually without the user’s knowledge. Although keyloggers are sometimes used in the payloads of viruses, they are more commonly delivered by a trojan-horse program or remote administration trojan (RAT)."



“Some hardware keystroke loggers consist of a small AA battery-sized plug that connects between the victim's keyboard and computer. The device collects each keystroke as it is typed and saves it as a text file on its own tiny hard drive. Later, the keystroke logger owner returns, removes the device, and downloads and reads the keystroke information. These devices have memory capacities between 8KB and 2MB, which, according to manufacturer's claims, is enough memory to capture a year's worth of typing.”

“The only way to detect hardware keyloggers is through physical inspection. Because the device resembles an ordinary keyboard plug, it’s easy for the victim to overlook. The fact that most workstation keyboards plug into the back of the computer makes them even harder to detect.”



Stay tuned for Part 2 of Keylogging Basics ...

Monday, February 27, 2006

Spyware Is Real

An article by Tom Zeller Jr. on the front page of the NY Times today (2/27) clearly shows how the spyware and keylogger threat has morphed over the last year. He also has a sidebar with some helpful hints.

My most recent book, "Phishing: Cutting the Identity Theft Line", is the first text to offer a thorough description of phishing, spyware and keyloggers. It also presents a clear plan of action for corporations as well as home Internet surfers.

You can read an excerpt (provided by SearchSecurity) here, and Tony Bradley posted a five-star review on netsecurity.about.com: "...an enjoyable and educational book...Phishing covers the information that readers need to know to protect themselves as well as providing information that companies can use to prevent their servers from being used in phishing attacks...This is an excellent book that just about anyone who uses computers should read".

But if there was any doubt that spyware is today's #1 threat to Internet users, the NY Times just dispelled it.

Friday, February 24, 2006

Laptops Have Legs!

An article in the Westchester Journal News Friday (2/24) by Jorge Fitz-Gibbon reports on a missing laptop, with some very interesting data on it: "New York City police and Department of Environmental Protection officials are searching for a stolen laptop computer that includes diagrams of the city water supply system."

Although DEP officials don't believe the info was of a serious security nature,
they're looking into the possibility that the employee losing the laptop was in violation of their computer use policy: "Michaels also said the computer was stolen from a DEP vehicle on Monday night. He said investigators from the city Department of Investigation and the New York City Police Department believe it was a random crime." The laptop was left in a car, which was vandalized with other cars in the same lot.

Laptops have legs!

Goodbye to a Jazz Master

If you're into Latin jazz, you probably know that percussionist Ray Barretto died last Friday (2/17) at the age of 76. He was honored last month as a Jazz Master by the NEA at the International Association of Jazz Educators annual conference in NYC, which I attended. He fell ill on the way home from the event, and never recovered.

His life was more than the history of Latin jazz in America, in one way or another he was there during the major milestones of jazz. He was originally from the Bronx and was self-taught on the drums. "... After four years with Puente, he was one of the most sought-after percussionists in New York, attending jam sessions with artists including Max Roach and Art Blakey and recording with Sonny Stitt, Lou Donaldson, Red Garland, Gene Ammons, Eddie "Lockjaw" Davis, Cannonball Adderley, Freddie Hubbard (JM), Cal Tjader, and Dizzy Gillespie. Barretto was so much in demand that in 1960, he was a house musician for the Prestige, Blue Note, and Riverside record labels".

The Times has nice piece on his wake last Tuesday (2/22): "
... I'm here because Ray Barretto was the best congero in the world," said Eddie Karimbo, 68, referring in Spanish to Mr. Barretto's mastery of the conga drum...There was the jazz pianist Randy Weston and Latin music stars like the percussionist Bobby Sanabria. There were other Latin men in sharp suits carrying instrument cases... Mr. Weston recalled hanging out with Mr. Barretto together with Max Roach and Charlie Parker".

As the old guard disappears, and the young lions grow up, it's important to take the time and consider where we've come from, and what we owe.

Thursday, February 23, 2006

IrDA Protocol Can Compromise Diebold Voting Machines















Bill Glennon pointed me to this article from The Brad Blog: "IrDA Protocol Can 'Totally Compromise Systems Without Detection, Warns Federal Voting Standards Website. So far, no state or federal authority -- to our knowledge -- has dealt with this alarming security threat". He posts a photograph from the side of a Diebold AccuVote TSx touch-screen voting machine, which clearly shows an Infrared port.

Now for those who aren't acquainted with this little guy, Brad goes on to elaborate: "Now we have no idea what that "IrDA" port is meant to be used for with a touch-screen voting machine, but we do know that the IrDA (Infrared Data Association) is an Infrared port used for wireless connection between two devices. We used to have one on the back of our notebook and desktop computers which we used to keep the two systems synched up via wireless data transfers over that Infrared port."

According to NIST (National Institute of Standards and Technology) this is a big no-no. Brad goes on: "They issued a warning [PDF] about the Infrared ports on voting machines in a report which warned "The use of short range optical wireless," like infrared, "particularly on Election Day should not be allowed." Also, VotersUnite.org issued an alert mentioning it, with a photograph, back on October 26, 2004."

I don't know what the IrDA is used for, but as I explained in my book "Wireless Security Essentials: Defending Mobile Systems from Data Piracy ", just its existence destroys any guarantee of data integrity. Another comment posted to NIST's voting website [PDF] by James C. Johnson on October 5, 2005 states that "...the use of the IrDA protocols could be used at any time, even after final "Logic and Accuracy" tests have been performed, and thus "totally compromising the system."

Especially with the security and accountability issues with Diebold machines, this is a no-brainer. How much longer can Diebold foist off an insecure, unaccountable system on the American voter? And how much longer will the Secretaries of State allow this?

Smokin Dutch Cleanser

An item for the Obscure Phrases Dept:

I was surprised when I saw the headline of Maureen Dowd’s Feb 11 NYTimes column: “Smoking Dutch Cleanser.” She was referring to a remark by Arlen Specter about Albert Gonzales' testimony last week re: NSA wiretapping: “...When Gonzales argues that the Constitution gives the president undisputable powers to conduct warrantless surveillance despite a statute aimed at requiring him to seek court approval, such an interpretation "is not sound," Specter said in the interview. ". . . He's smoking Dutch Cleanser."

But this is what surprised me: my friend Patricia Farrell from Philadelphia who now resides in Virginia, asked me last year if I had heard of the phrase “Smoking Dutch Cleaner”. I had never heard it before. Evidently it implies that the subject is under the influence and hallucinating, and probably dates from the 60’s, a dope-smoking reference. Although Specter grew up in Kansas, he went to U of Penn and was the Philadelphia DA and Asst. DA.; maybe there’s the link. Although my wife is also from Philly, she’s never heard it.

This is a new one. I think it needs more investigation ...

Update II on Google Desktop

Google has admitted that it's Desktop Beta could pose a security risk after Gartner reported the risk. CNET reports that: "Gartner said in a report on Thursday that the "mere transport (of data) outside the enterprise will represent an unacceptable security risk to many enterprises," as intellectual property could be transported out of the business."

Evidently Google's response was "... it recognized the risk, and recommended that companies take action. "We recognize that this is a big issue for enterprise. Yes, it's a risk, and we understand that businesses may be concerned," said Andy Ku, European marketing manager for Google. Google confirmed to ZDNet UK that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented "as much of a security risk as e-mail does."

But mature procedures for securing email exist, and most users/business realize there is some risk. This is new technology, and as such hasn't been subjected to the rigors of testing or has the awareness of it's vulnerability sunk in.

"Google said that security was the concern of individual businesses. "The burden falls on enterprises to look after security issues," Ku said. "Companies can disable the Search Across Computers facility."

Gartner has recommended that businesses use Google Desktop for Enterprise, as this allows systems administrators to centrally turn off the Search Across Computers feature, which it said should be "immediately disabled."

Monday, February 13, 2006

Update on Google Desktop

Someone I know read my previous post, about Google's "Search Across Computers" feature of its Desktop Beta 3, and flipped out. She works from home using very sensitive documents, and had to sign intellectual property non-disclosure letters. With this feature on, the documents (Microsoft PowerPoint) she was working on could be stored on Google's servers and would technically constitute a violation of her non-disclosure agreement.

Although Google says it would delete them, any of us working in computer forensics know nothing every really goes away. I wonder if this feature will be enabled inside of business networks inadvertently?

Bad news ...

Saturday, February 11, 2006

Don't Use Google Desktop?

The Electronic Frontier Foundation posted this week its response to Google's release of a new feature of its Google Desktop Software 3 Beta: "... greatly increases the risk to consumer privacy. If a consumer chooses to use it, the new "Search Across Computers" feature will store copies of the user's Word documents, PDFs, spreadsheets and other text-based documents on Google's own servers, to enable searching from any one of the user's computers. EFF urges consumers not to use this feature, because it will make their personal data more vulnerable to subpoenas from the government and possibly private litigants, while providing a convenient one-stop-shop for hackers who've obtained a user's Google password."

The New Zealand "National Business Review" also weighs in: "At the core of the criticisms being raised is a powerfully useful optional feature that allows users to search across the contents of multiple computers -- even when those other computers are offline. And that's the catch: the data is stored on Google servers ... several recent events have severely eroded that trust and warnings that might once have fallen on deaf ears are very likely to resonate deeply in the user community."

"Good Morning Silicon Valley" has a strong reaction, calling it a "security catastrophe. To be fair, "Search Across Computers" is an optional feature and, should you choose to enable it, the company allows you to manually erase your stored files from its servers at any time. Still, the idea of Google storing such user data, even for a limited period of time, turns my gut."

Be very careful of how you use this feature; it sounds like its usefulness is pretty limited compared to the exposure it creates. As Kevin Bankston, staff attorney to EFF says:"...Google will have copies of your tax returns, love letters, business records, financial and medical files, and whatever other text-based documents the Desktop software can index. The government could then demand these personal files with only a subpoena rather than the search warrant it would need to seize the same things from your home or business, and in many cases you wouldn't even be notified in time to challenge it. Other litigants—your spouse, your business partners or rivals, whoever—could also try to cut out the middleman (you) and subpoena Google for your files."

Oh oh ... and we all know how much the current government values personal privacy.

Thursday, February 02, 2006

Is your game hiding malware?

What’s game copy protection and what’s malware? Cory over at BoingBoing has been having a run-in with StarForce, a company that supplies copy protection routines for PC games. Also, Glop is organizing a StarForce boycott, with a list of the games using it and tips on removing it: “StarForce is a software copy protection tool installed by PC game publishers, which is designed to prevent the casual copying of retail CDROM applications. It installs as a hidden device driver, without the end-user's knowledge or consent.”

However, it isn’t readily apparent if the software crosses over into the next threshold of malware-ism: that is, intentional damage vs. ancillary damage due to incompetent design. Avi at Browian Emotion has been looking into it:“The claim I've heard (many times) is that StarForce is malware, that it infects your computer with low-level drivers that could easily be compromised by virus writers, it prevents you from running things like debuggers (some claim it's only while the game is running, some claim it's all the time) and it may decelerate the performance of--or accelerate the death of--your CD/DVD drives due to how they force CD errors to detect original disks.”

This would seem to be verified by my friend Bill Glennon. He installed “Splinter Cell: Chaos Theory” and, sure enough, the StarForce software had landed on his machine. He noticed a change in his CD/DVD drives and, after logging on to his user account, his bootup sequence noticeably slowed down. He has since removed the game and software and everything’s back to normal.

But the controversy is now starting to gain serious traction, and even hit John Aravosis’s heavily traveled Americablog yesterday. And StarForce has been in full-court press mode to stop the discussion of this, by posting a reply to a negative CNET post (which compared this issue to the Sony ‘rootkit’ debacle that left serious egg on Sony’s face), and threatening BoingBoing with legal action.

So this isn’t going away anytime soon, and while StarForce may have some points, their heavy-handed attempts to instill fear isn’t going to win them many converts. While the legality of StarForce’s protection scheme is not in question, skirting with the tenets of malware by installing itself without the knowledge or the choice of the user may not be the best policy. It appears that the only option open to the consumer now is to not buy/play these games.

As Sony learned, it’s time to get another scheme.

Wednesday, February 01, 2006

Here we go again...

Robert Gavin of the Boston Globe reported yesterday that as many a quarter million subscribers of The Boston Globe and Worcester Telegram & Gazette had their private credit card and bank routing information distributed with their morning paper. Evidently the “confidential information was on the back of paper used in wrapping newspaper bundles for distribution to carriers and retailers.”

Although it’s not know whether any of this info will be used for identity theft in the future, it points out hard it is to maintain any real level of financial privacy these days. A little more info, with the company’s reaction is in today's post: “The Telegram & Gazette has stopped recycling paper that includes customer data, officials said. The company has notified American Express, Discover, MasterCard, Visa and any banks whose customers may be affected.”

File this under boneheaded slipups, rather than intentional data theft.