Educause Security Discussion mailing list archives

Re: USB Keyloggers


From: "Doty, Timothy T." <tdoty () MST EDU>
Date: Thu, 12 Jul 2018 17:00:56 +0000

We have had some experience with USB key loggers. Initial discovery was following up a report by a concerned faculty 
member which led to a sweep of systems which identified more.


Detection: manual inspection is pretty much all there is. You can try monitoring keyboard disconnect/connect events, 
but the signal-to-noise ratio makes it difficult to get any value. Looking for mass storage device identifiers is also 
a losing proposition. Keep in mind some key loggers are inserted into the keyboard so to be thorough you have to check 
keyboards, not just cabling. Also note that some key loggers will deliver their logs wirelessly.


Prevention: physically secure systems so that the keyboard cannot be unplugged. Train users to be aware of changes to 
the environment and unwarranted activity at faculty stations.


Remediation: nothing all that special to it being key loggers other than gaining access to the device. It's collect 
evidence and process as for any other event.


In our cases, the users never bothered to change the magic keys to toggle the device function so it was a matter of 
identifying each device and finding its default keys. Note that your activity will inherently modify the device's state 
and device timestamps are not likely to be reliable. But users tend to do things like log in then switch state, so 
the magic keys (less one, because the last key pressed won't be recorded) are interesting events to search for in the 
log. It is fairly easy to use activity to tie to a user. The ones we encountered did not work through a USB write 
blocker and did not function with all keyboards. Document everything.


Tim Doty
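
The log search described in the message above, sketched as an added example that is not part of the original post or any vendor's tooling. The flat log format, the bracketed special-key tokens and the toggle combination `kbs` are constructed placeholders, and matching the remaining keys in any order is an assumption about how simultaneous presses get recorded.

```python
from itertools import permutations

# Constructed sample: a flat keystroke dump recovered from a seized device.
# "kbs" is a placeholder toggle combination, not any real device's default.
SAMPLE_LOG = "jsmith[Tab]hunter2[Ent]kbmail.example.edu[Ent]asmith[Tab]pw[Ent]sk"
MAGIC_KEYS = "kbs"


def partial_combos(magic):
    """Every ordering of the magic keys with exactly one key missing.

    The final key of the combination switches the device out of logging
    mode and is never written, so only n-1 of the n keys appear in the log.
    """
    return {"".join(p) for p in permutations(magic, len(magic) - 1)}


def find_toggle_events(log, magic, context=24):
    """Return sorted (offset, matched_keys, preceding_text) tuples.

    preceding_text is the activity just before the device was toggled,
    which is what ties the toggle to whoever was at the keyboard.
    """
    hits = []
    for combo in partial_combos(magic):
        start = log.find(combo)
        while start != -1:
            hits.append((start, combo, log[max(0, start - context):start]))
            start = log.find(combo, start + 1)  # allow overlapping matches
    return sorted(hits)


if __name__ == "__main__":
    for offset, combo, before in find_toggle_events(SAMPLE_LOG, MAGIC_KEYS):
        print(f"offset {offset}: partial combo {combo!r} after {before!r}")
```

Short combinations will also match ordinary typing, so each hit is a lead to review in context rather than proof of a toggle.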

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Hiram Wong 
<hiram.wong () DOMAIL MARICOPA EDU>
Sent: Thursday, July 12, 2018 11:04:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] USB Keyloggers

Hi Everyone,

I was wondering if any of you have any experience with USB keyloggers and detection of them? Have you had attempts from 
students, employees, etc. to gain access to usernames and passwords via a keylogger? How did you discover it and what 
was the remediation for the event? Thank you in advance!

Hiram

--
Hiram Wong, CISA
Information Security
2411 West 14th Street, Tempe AZ 85281
phone | 480-784-0519
email | @domail.maricopa.edu<mailto:@domail.maricopa.edu>
website | https://www.maricopa.edu<https://www.maricopa.edu/>