Re: USB Keyloggers

["Doty, Timothy T." <tdoty () MST EDU>]

That is irrelevant to the key logging aspect and would only prevent mounting
of the device as a drive to view the log. Key loggers, when acting as such,
are invisible. As far as the computer is concerned they do not exist. They
simply pass all USB traffic through them, just like a USB extender -- with
the added feature that they sniff the traffic and log key events depending
on their configuration.

Tim Doty

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Hanny
> Sent: Wednesday, December 15, 2010 8:36 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] USB Keyloggers
>
> If the systems in question are Windows systems, you should be able to
> configure them to limit the allocation of drive letters. This would
> prevent usb storage devices from being added to the given station while
> still allowing usb mice and keyboards to function.
>
> Respectfully,
>
> ----------------------------------
> Jon Hanny CRISC, CISSP, GSLC
> IT Risk Management /Application Security
> The George Washington Universtiy
> 703-726-4469
> jehanny () gwu edu
> ----------------------------------
>
>
> On 12/15/2010 9:29 AM, Doty, Timothy T. wrote:
> > In our case the majority of lectern systems are housed in a casing of
> some
> > sort. Locking that down can prevent insertion of the keylogger at the
> PC.
> > For others our support grouped talked about the possibility of
> attaching the
> > keyboard to an internal USB port with a cable loop to prevent
> extraction.
> > I'm not sure if they ever got to the point of doing that.
> >
> > For what its worth, a couple of factors may allow identifying those
> > responsible. In addition to inappropriate account access (for
> example, a
> > faculty logging in from a computer lab they don't go to) and
> correlating
> > activity from that, the keyloggers I've seen use a keystroke to
> switch to
> > mass storage device mode and trolling through the logs can reveal
> > interesting items such as the login that preceded the key sequence.
> > Typically the last key pressed to make the magic combination won't be
> > logged, but the rest will so searching through the logs for
> appropriate
> > combinations of keys can find the transition for key logging being
> disabled.
> > Tim Doty
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
> > > Sent: Tuesday, December 14, 2010 10:40 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: [SECURITY] USB Keyloggers
> > >
> > > Hello All,
> > >
> > > This semester we've already found 2 USB keyloggers on lectern PCs.
> > > Until we get some sort of OTP solution ironed out (AuthLite w/
> YubiKey
> > > looks nice), what are your schools doing to protect lectern PCs from
> > > keyloggers?
> > >
> > > A bit of googling brings up:
> > > <http://www.myusbonly.com/>
> > > <http://www.devicelock.com/>
> > >
> > > Thanks,
> > > Will
> > >
> > > --
> > > Will Froning
> > > Unix SysAdmin
> > > Will.Froning () GMail com
> > > MSN: wfroning () angui sh
> > > YIM: will_froning
> > > AIM: willfroning

Attachment: smime.p7s
Description: