Educause Security Discussion mailing list archives
Re: USB Keyloggers
From: "Doty, Timothy T." <tdoty () MST EDU>
Date: Thu, 12 Jul 2018 17:00:56 +0000
We have had some experience with USB key loggers. Initial discovery was following up a report by a concerned faculty member, which led to a sweep of systems which identified more.

Detection: manual inspection is pretty much all there is. You can try monitoring keyboard disconnect/connect events, but the signal to noise ratio makes it difficult to get any value. Looking for mass storage device identifiers is also a losing proposition. Keep in mind some key loggers are inserted into the keyboard, so to be thorough you have to check keyboards, not just cabling. Also note that some key loggers will deliver their logs wirelessly.

Prevention: physically secure systems so that the keyboard cannot be unplugged. Train users to be aware of changes to the environment and unwarranted activity at faculty stations.

Remediation: nothing all that special to it being key loggers other than gaining access to the device. It's collect evidence and process as for any other event. In our cases, the users never bothered to change the magic keys to toggle the device function, so it was a matter of identifying each device and finding its default keys. Note that your activity will inherently modify the device's state, and device timestamps are not likely to be reliable. But users tend to do things like login then switch state, so occurrences of the magic keys (less one, because the last key pressed won't be recorded) are interesting events in the log. It is fairly easy to use activity to tie to a user. The ones we encountered did not work through a USB write blocker and did not function with all keyboards. Document everything.
Tim Doty

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Hiram Wong <hiram.wong () DOMAIL MARICOPA EDU>
Sent: Thursday, July 12, 2018 11:04:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] USB Keyloggers

Hi Everyone,

I was wondering if any of you have any experience with USB keyloggers and detection of them? Have you had attempts from students, employees, etc. to gain access to usernames and passwords via a keylogger? How did you discover it and what was the remediation for the event?

Thank you in advance!

Hiram

--
Hiram Wong, CISA
Information Security
2411 West 14th Street, Tempe AZ 85281
phone | 480-784-0519
email | @domail.maricopa.edu
website | https://www.maricopa.edu
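Added example, not code from the thread: Tim's "Detection" paragraph mentions watching keyboard disconnect/connect events and looking for mass storage identifiers, and warns that the noise makes it hard to get value. One way to cut the noise is to only look at the port a keyboard is known to sit on and compare what re-enumerates there against a recorded baseline. The script below does that over a constructed Linux kern.log excerpt; the host name, port, baseline VID:PID, the "1a2b:3c4d" logger IDs and the log year are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed kern.log excerpt (sample data made up for this example, not
# evidence from the post). Port 1-1.2 on lab-pc-07 is the keyboard port; the
# hypothetical 1a2b:3c4d device that re-enumerates there at 12:41 stands in
# for an inline logger that presents its own IDs and a storage interface.
SAMPLE_LOG = """\
Jul 12 07:55:03 lab-pc-07 kernel: usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Jul 12 07:55:03 lab-pc-07 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:046D:C31C.0001/input/input12
Jul 12 12:41:50 lab-pc-07 kernel: usb 1-1.2: USB disconnect, device number 5
Jul 12 12:41:57 lab-pc-07 kernel: usb 1-1.2: new full-speed USB device number 6 using xhci_hcd
Jul 12 12:41:57 lab-pc-07 kernel: usb 1-1.2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice=1.00
Jul 12 12:41:57 lab-pc-07 kernel: input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1A2B:3C4D.0002/input/input13
Jul 12 12:41:57 lab-pc-07 kernel: usb-storage 1-1.2:1.1: USB Mass Storage device detected
Jul 12 13:02:10 lab-pc-07 kernel: usb 1-1.4: New USB device found, idVendor=0951, idProduct=1666, bcdDevice=1.10
Jul 12 13:02:10 lab-pc-07 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
"""

# Baseline of (host, port) -> expected keyboard VID:PID, recorded when the
# station was deployed. Constructed for the example; gather it per fleet.
KEYBOARD_BASELINE = {("lab-pc-07", "1-1.2"): "046d:c31c"}
LOG_YEAR = 2018  # syslog timestamps carry no year; assumed here

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
FOUND_RE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
DISC_RE = re.compile(r"usb (\S+): USB disconnect")
STORAGE_RE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def parse_events(log_text):
    """Reduce kernel USB messages to (time, host, port, kind, vid:pid) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, host, msg = m.groups()
        ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
        found, disc, stor = FOUND_RE.match(msg), DISC_RE.match(msg), STORAGE_RE.match(msg)
        if found:
            events.append((ts, host, found.group(1), "found", f"{found.group(2)}:{found.group(3)}"))
        elif disc:
            events.append((ts, host, disc.group(1), "disconnect", None))
        elif stor:
            events.append((ts, host, stor.group(1), "storage", None))
    return events


def keyboard_port_anomalies(log_text, baseline=KEYBOARD_BASELINE, window_s=300):
    """Flag a keyboard port that re-enumerates with unexpected IDs or grows a
    storage interface. Anything on a non-keyboard port is ignored: thumb drives
    on other ports are exactly the noise the post describes."""
    findings = []
    last_disconnect = {}
    for ts, host, port, kind, ids in parse_events(log_text):
        key = (host, port)
        if key not in baseline:
            continue
        if kind == "disconnect":
            last_disconnect[key] = ts
        elif kind == "found" and ids != baseline[key]:
            gap = (ts - last_disconnect[key]).total_seconds() if key in last_disconnect else None
            findings.append({"host": host, "port": port, "time": ts.isoformat(),
                             "reason": "vid_pid_changed", "seen": ids, "expected": baseline[key],
                             "seconds_after_disconnect": gap if gap is not None and gap <= window_s else None})
        elif kind == "storage":
            findings.append({"host": host, "port": port, "time": ts.isoformat(),
                             "reason": "storage_on_keyboard_port", "seen": None,
                             "expected": baseline[key], "seconds_after_disconnect": None})
    return findings


if __name__ == "__main__":
    for finding in keyboard_port_anomalies(SAMPLE_LOG):
        print(finding)
```

A legitimate keyboard swap by a technician trips the same rule, so this is a triage queue, not an alarm; it also misses a logger that passes the original keyboard's IDs straight through or one built into the keyboard itself, which is why Tim still calls physical inspection the only real detection.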
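Added example, not code from the thread: Tim's "Remediation" paragraph says the useful events in a recovered log are occurrences of the device's default magic keys less the last one, typically right after a login. The script below searches a constructed dump for that marker, rates each hit by whether it sits between special-key tokens or inside ordinary prose, and attributes it to the last Windows logon typed before it without copying the captured password into the report. The "kbs" toggle combination, the bracketed rendering of non-printing keys and the dump contents are assumptions for the example; the real combination is model-specific.

```python
import re

# Hypothetical default toggle combination for the device under analysis; the
# real value is model-specific and comes from the vendor's documentation.
TOGGLE_KEYS = "kbs"

# Constructed dump, not evidence from the post. Bracketed tokens for
# non-printing keys are an assumed rendering; adapt to the device's export format.
SAMPLE_DUMP = (
    "[Ctrl][Alt][Del]jsmith[Tab]Summ3r!Pass[Ent]kb"
    "[Ent]grade the workbook exercises[Ent]"
    "[Ctrl][Alt][Del]mchen[Tab]hunter2[Ent]kb"
)

LOGIN_RE = re.compile(r"\[Ctrl\]\[Alt\]\[Del\]([^\[]+)\[Tab\]([^\[]*)")


def toggle_marker(keys=TOGGLE_KEYS):
    """What the combo looks like in the log: the final key is pressed after the
    device has already switched mode, so it is never recorded."""
    return keys[:-1]


def _at_boundary(dump, pos):
    """True at either end of the dump or next to a bracketed special key."""
    if pos <= 0 or pos >= len(dump):
        return True
    return dump[pos - 1] == "]" or dump[pos] == "["


def find_toggle_events(dump, keys=TOGGLE_KEYS):
    """Locate probable mode switches and attribute each to the last logon
    typed before it. Passwords are deliberately not copied into the output:
    record that one was captured and handle the reset under the IR process."""
    marker = toggle_marker(keys)
    events = []
    for m in re.finditer(re.escape(marker), dump):
        bounded = _at_boundary(dump, m.start()) and _at_boundary(dump, m.end())
        logins = LOGIN_RE.findall(dump[:m.start()])
        user, password = logins[-1] if logins else (None, "")
        events.append({
            "offset": m.start(),
            # the marker inside a word ("workbook") is almost certainly prose
            "confidence": "high" if bounded else "low",
            "user": user,
            "password_recorded": bool(password),
            "password_length": len(password),
        })
    return events


if __name__ == "__main__":
    for event in find_toggle_events(SAMPLE_DUMP):
        print(event)
```

Work from a copy of the dump: as the post notes, reading the device changes its state, and the device's own timestamps should not be trusted for ordering, so the offset within the log is the stable reference for the write-up.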
Current thread:
- USB Keyloggers Hiram Wong (Jul 12)
- Re: USB Keyloggers Doty, Timothy T. (Jul 12)
- Re: USB Keyloggers Behun, Michael (Jul 12)