Educause Security Discussion mailing list archives

Re: USB Keyloggers


From: Jon Hanny <jehanny () GWU EDU>
Date: Wed, 15 Dec 2010 09:36:07 -0500

If the systems in question are Windows systems, you should be able to
configure them to limit the allocation of drive letters. This would
prevent USB storage devices from being added to the given station while
still allowing USB mice and keyboards to function.

Respectfully,

----------------------------------
Jon Hanny CRISC, CISSP, GSLC
IT Risk Management / Application Security
The George Washington University
703-726-4469
jehanny () gwu edu
----------------------------------


On 12/15/2010 9:29 AM, Doty, Timothy T. wrote:
In our case the majority of lectern systems are housed in a casing of some
sort. Locking that down can prevent insertion of the keylogger at the PC.
For others our support group talked about the possibility of attaching the
keyboard to an internal USB port with a cable loop to prevent extraction.
I'm not sure if they ever got to the point of doing that.

For what it's worth, a couple of factors may allow identifying those
responsible. In addition to inappropriate account access (for example, a
faculty logging in from a computer lab they don't go to) and correlating
activity from that, the keyloggers I've seen use a keystroke to switch to
mass storage device mode and trolling through the logs can reveal
interesting items such as the login that preceded the key sequence.
Typically the last key pressed to make the magic combination won't be
logged, but the rest will so searching through the logs for appropriate
combinations of keys can find the transition for key logging being disabled.

Tim Doty

  
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
Sent: Tuesday, December 14, 2010 10:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] USB Keyloggers

Hello All,

This semester we've already found 2 USB keyloggers on lectern PCs.
Until we get some sort of OTP solution ironed out (AuthLite w/ YubiKey
looks nice), what are your schools doing to protect lectern PCs from
keyloggers?

A bit of googling brings up:
<http://www.myusbonly.com/>
<http://www.devicelock.com/>

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
    

