What do they look like?

Hardware keyloggers can be hard to spot. They are typically small and can be plugged into the back of a computer, unseen. They often look like a USB flash drive or a keyboard connector. They are easily found online; even Amazon has several them. If you see any device plugged into a computer that is not yours, consider this a red flag. While there is a good chance the device will look like one shown in the link or below, there are others out there.

Why are they legal?

While they may be useful in fraud and identity theft, they do have valid uses. In testing software, knowing exactly what a user did is useful to programmers. That can effectively pin-point a problem in code. Employers can use them to monitor the progress and productively of employees. Some manufacturers advertise them as a form of backup, keeping each page you write even if the power goes out. While arguments can be made that they are more often used for nefarious reasons, in the right hands, they are a useful tool.

Have they actually been found on public computers?

Yes. Earlier this year, there was a case where hardware keyloggers were found on library computers in Manchester. In three separate locations, the devices were found plugged into public access machines. The type used here was the kind that looked like a USB flash drive. Authorities advise greater vigilance, especially for the employees, but users need to be alert too.

It should be noted that it is generally unwise to use public computers for sensitive data. E-mail, banking sites, and credit card use should be avoided when on these computers. If you have to use them, here are some tips. Ask how the computers are protected. Do they block software installation? Are they wiped on reboot with software like Deep Freeze? If so, could they restart the computer for you (wiping out most software keyloggers)? Always use a secure connection (https) when possible, and be alert to your surroundings (e.g. watch those around you, know what is connected to the PC). This still is not as safe as a home computer running a live CD, but there is not much more you can do.

What do I do if I find one on a work computer?

It should go without saying that you should contact IT and your manager immediately. Should you remove it? Ask. If the company owns a PC, they can install a keylogger on it. What is deemed notification (if required) can vary by state and country. Typically, a software keylogger would be more conventional, so a hardware one is suspect. Chances are that it was planted, but if that is the case, then it is evidence. Physical and digital forensic information can be gathered. Let someone responsible for and trained for this handle it.

Should one of these devices be found on a server, the problem is much more severe. It highlights a lack of physical security. A strong firewall, good anti-virus software, proper permissions, and complex passwords will not protect you from a trick like this.

The Point: Awareness

The point of this article is to be aware of the existence of these deices. They do exist, but they are not commonly seen. If you do see one on a computer, let someone know. Chances are they are not supposed to be there. While they are legal to own, it is illegal to install them on computers for public use or on systems someone does not own.

Defending all of our interests in cyberspace is a relatively small cadre of talented and highly skilled public sector and private sector cyber security professionals,” said Baroness Neville-Jones, Minister of Security.

Lady Neville-Jones said the pool of available professionals had to grow and the Cyber Security Challenge was an “innovative” way to attract people to take up the profession.

The UK has fallen behind in recent years in computing expertise which has angered many who remembered the country as the birthplace of the modern computing revolution where programmers were sat in every front room and bedroom on their Sinclair Spectrum, BBC Micros or Commodore 64 only thirty years ago.  Since then, other countries have stolen the lead in expertise because they have put much greater emphasis on the appropriate skills during schooling than British governments have done.

A virtual competition takes the form of a treasure hunt that will involve looking for flaws on a dummy website and answering questions about what was found. The challenge will take about two hours to complete with will be run on several dates between September and December.

The face-to-face challenge will see teams taking over a simulated network and defending it against a series of attacks carried out by security professionals.

The winners of these initial competitions will go forward to the UK Masterclass at which they will work with others to defend a different simulated network.

If you fancy yourself as a computer security specialist and would like to enter the competition you can do so here.

Followed by no file type at all (e.g. pointing the user to a root url or directory) with 18.99%, the txt file extension with 10.37% and php with 6.56%.

This requires some explanation. Most users would probably agree that text files are harmless. This is not always the case especially when it comes to links as links can be redirected easily. But attackers can also rename an executable to txt and use malicious code on a website to run the file.

The statistics basically points out that while the standard file (exe) associated with a computer virus is making up more than 50% of all attacks it is of equal importance to understand that harmless looking files and links can be malicious as well.

The safest bet is still to avoid clicking on links or attachments in emails. A sandboxed environment or a virtual PC are two secure alternatives if the link needs to be clicked on. (via Avira Blog)

It is therefor recommended to regularly check the open ports for computer security reasons. We reviewed CurrPorts (see: Who is connected to your PC right now) a while ago. It is a portable Nirsoft application that will display the open ports along with information needed to conclude if the open ports are needed or not.

My Ports is another application for that purpose. There is not really a big difference between both programs we’d figure it would be nice to have an alternative at hand. My Ports displays all open ports in a list after startup. It uses a table to display various information about each open port on the computer system including the state, local and remote IP address, local and remote port, process name that is listening or using that connection and the process path to that application. It is not as sophisticated as CurrPorts but it does its job just fine.

Most of the open connections can be easily associated with one specific program like Firefox or Skye in the screenshot above. Other ports are listening due to Windows Services or other services that are running. These usually require some investigation on the user’s part to find out if they are needed to operate the computer system. A search on the Internet usually reveals websites that contain information and advice on how to deal with those connections.

My Ports is compatible with most Microsoft operating systems including Windows XP, Windows Vista and Windows 7. It can be downloaded from the developer’s website.

Marxio Login Logger is a software program for the Windows operating system that can create the access log file and reports that detail the logins and logouts of every user on the system including login attempts over a computer network and in an Active Directory environment

The program is completely portable and no signs of it appear on the user’s desktop other than its process in the Windows task manager. It will automatically create a log file based on the initial configuration. Each log file includes information about the data and time of the login, the username, computer name, network IP and operating system. It is possible to adjust these parameters and use them in the log file creation as well.

The portable computer program can be downloaded from the developer’s website. New users should start with the included readme file to understand how to configure and use the program.

Update: The program has been discontinued. Users can alternatively use the Windows Event Log to find out when someone logged in or out of their operating system. The easiest way to access the Event Log is to type event log in the start Menu run box and select the Event Viewer from the options. You then look under Windows Logs > System and there for Source entries named Winlogon which covers both log ons and log offs.

The theory that keyloggers can be defeated with onscreen keyboards is unfortunately a computer security myth. It is definitely true that some keyloggers, especially those that only record the keys that the user enters on the computer computer keyboard, can be defeated with onscreen keyboards.

There are however advanced keyloggers which make a screenshot of the onscreen keyboard while it visible on the computer screen and which record the mouse movements on the system. It is then a matter of simply reconstructing the mouse movement to know exactly what a user typed on a computer system.

There is only one 100% way of defeating keyloggers and that is to not use computer systems for sensitive information. That’s not always practicable and it is possible to reduce the chance that keyloggers are installed by running good antivirus programs.

One of the traits of the Conficker worm is the blocking of url strings. This includes urls of antivirus companies, Microsoft and support sites that could aid users in removing the Conficker worm from a computer system. Users with the worm cannot open the websites in their web browser anymore and this is the exact concept of the Conficker Eye Chart. It displays six images on the website. Three images from urls that are not blocked by Conficker and three that are blocked.

If the web browser is displaying all six urls it is very likely that Conficker has not infected the computer system. If only the safe three images are displayed an infection with the C variant of Conficker is likely while the display of four images hints at A and B variants of Conficker.

The major benefit of this Conficker detection test is its simplicity. It takes only a web browser and a few seconds to test if the computer system has been infected. It is still a good idea to confirm the findings by using a software detection program which you can find here.

CW Sandbox is a web service with a similar looking frontend like all the other online virus scanners. What sets it apart is the remote secure environment that it uses to execute and analyze the files that get uploaded. It uses a sandbox to execute the file and will log all system activity that is connected to the file launch. The file analysis contains a summary but also detailed changes to the file system, the Windows Registry and network activity plus a technical summary with additional information.

Each report is divided into different categories. The File Changes for example contains categories that list newly created, opened and deleted files and a summary that lists all file operations in chronological order. The network activity analysis will detail connections that have been established including host names, IP addresses and if data has been posted to one of those addresses.

The submit form on the website of the project accepts files with a maximum size of 16 Megabytes. Zip files with up to 50 files can be uploaded to the service as well if the password is set to “infected”. A link to the file analysis will be send to the email address that the user enters when submitting the files.

CW Sandbox is an excellent online service that provides an in depth analysis of submitted files. The only drawbacks are the 16 Megabyte file size limit and that the reports are send to an email address with an undefined wait time. A ticket system on the website directly detailing the place in queue and the estimated wait time would be really helpful for users who are submitting files to the service.