Educause Security Discussion mailing list archives

Re: USB Keyloggers


From: "Doty, Timothy T." <tdoty () MST EDU>
Date: Wed, 15 Dec 2010 08:29:59 -0600

In our case the majority of lectern systems are housed in a casing of some
sort. Locking that down can prevent insertion of the keylogger at the PC.
For others our support group talked about the possibility of attaching the
keyboard to an internal USB port with a cable loop to prevent extraction.
I'm not sure if they ever got to the point of doing that.

For what it's worth, a couple of factors may allow identifying those
responsible. In addition to inappropriate account access (for example, a
faculty logging in from a computer lab they don't go to) and correlating
activity from that, the keyloggers I've seen use a keystroke to switch to
mass storage device mode and trolling through the logs can reveal
interesting items such as the login that preceded the key sequence.
Typically the last key pressed to make the magic combination won't be
logged, but the rest will so searching through the logs for appropriate
combinations of keys can find the transition for key logging being disabled.

Tim Doty

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
Sent: Tuesday, December 14, 2010 10:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] USB Keyloggers

Hello All,

This semester we've already found 2 USB keyloggers on lectern PCs.
Until we get some sort of OTP solution ironed out (AuthLite w/ YubiKey
looks nice), what are your schools doing to protect lectern PCs from
keyloggers?

A bit of googling brings up:
<http://www.myusbonly.com/>
<http://www.devicelock.com/>

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
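
The log search described in the reply above, as an added example that is not part of the thread or any poster's code. The key combination (K+B+S), the `[Ent]`/`[Tab]` token notation and the sample log are all assumptions constructed for illustration; a recovered device's real combination and log format must be taken from the device itself.

```python
import itertools
import re

# Assumed placeholder combination; the real one is device-specific.
COMBO = ("k", "b", "s")

# Constructed sample of a recovered log (not real data). The operator's
# session is assumed to end with the combo minus its final, unlogged key.
SAMPLE_LOG = (
    "jsmith[Tab]Autumn-Lecture7[Ent]"
    "books and desks for room 12[Ent]"
    "labuser42[Tab]example-pass[Ent]"
    "kb"
    "prof.lee[Tab]another-example[Ent]"
)


def find_mode_switch_candidates(log, combo=COMBO, context=40):
    """Find places where all but the last key of the combo were logged.

    The unlogged key can be any member of the combo and the logged keys can
    appear in any order, so every ordered arrangement of len(combo)-1 keys
    is searched. Hits directly after an Enter token (or at the start of the
    log) rank first, since ordinary words also contain these letter pairs.
    """
    partials = {"".join(p)
                for p in itertools.permutations(combo, len(combo) - 1)}
    alternatives = "|".join(re.escape(p) for p in sorted(partials))
    # Lookahead so overlapping hits (e.g. "sk" and "ks" in "desks") are kept.
    pattern = re.compile("(?=(" + alternatives + "))", re.IGNORECASE)
    hits = []
    for m in pattern.finditer(log):
        before = log[max(0, m.start() - context):m.start()]
        hits.append({
            "offset": m.start(),
            "keys": m.group(1),
            "after_enter": m.start() == 0 or before.endswith("[Ent]"),
            "preceding": before,  # likely holds the login typed just before
        })
    hits.sort(key=lambda h: (not h["after_enter"], h["offset"]))
    return hits


if __name__ == "__main__":
    for hit in find_mode_switch_candidates(SAMPLE_LOG):
        flag = "STRONG" if hit["after_enter"] else "weak"
        print(f'{flag:6} offset={hit["offset"]:3} keys={hit["keys"]!r} '
              f'preceded by {hit["preceding"]!r}')
```

The strong hit's preceding context is the account to correlate against authentication logs for the same lectern and time window.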
