Re: USB Keyloggers

[Will Froning <will.froning () GMAIL COM>]

Hello Brad,

On Wed, Dec 15, 2010 at 6:39 PM, Brad Judy <win-hied () bradjudy com> wrote:
> These programs do not protect against USB keyloggers.  These programs are
> designed to address any USB devices that trigger driver state changes and
> USB keyloggers are designed to be passive in-line devices that are invisible
> to the computer.  Your only real protections are physical security and
> visual inspection.

I've investigated one of the recovered devices and it actually has a
Texas Instruments USB hub chip installed.  So it does show up as an
additional device.  I haven't gotten around to testing if the other
device we've recovered acts as a hub also, but in theory we could deny
all devices except for the mouse and keyboard.

I'm not sure how easy it is for these keyloggers to change device IDs,
but if it's trivial we would be SOL.

> For podiums, lock the computer into a cabinet and provide a USB cable for
> connecting thumbdrives.  This prevents devices from being installed in-line
> with the keyboard.

For us it's the amount of time to get this solution in place.  It
would likely take us at least 3 months.

> Some vendors offer attachments for the back side of computers that lock into
> place and prevent users from accessing the rear ports or messing with
> cables.  I know Dell has offered this for their Optiplex line in the past (I
> haven't looked lately).
>
> Mounting lab computers so the ports are readily visible makes it easier for
> lab techs to notice if anything is out of the ordinary.  It usually means
> they are easier to service too, but it might not be as aesthetically
> pleasing.

Agreed.

Thanks,
Will

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
> Sent: Tuesday, December 14, 2010 11:40 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] USB Keyloggers
>
> Hello All,
>
> This semester we've already found 2 USB keyloggers on lectern PCs.
> Until we get some sort of OTP solution ironed out (AuthLite w/ YubiKey looks
> nice), what are your schools doing to protect lectern PCs from keyloggers?
>
> A bit of googling brings up:
> <http://www.myusbonly.com/>
> <http://www.devicelock.com/>
>
> Thanks,
> Will
>
> --
> Will Froning
> Unix SysAdmin
> Will.Froning () GMail com
> MSN: wfroning () angui sh
> YIM: will_froning
> AIM: willfroning



-- 
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning