Schneier on Security
A blog covering security and security technology.
« Hunter S. Thompson |
| The Economist on High-Tech Passports »
February 22, 2005
Keystroke Logging for Profit
A high-school student used a hardware keystroke logger -- the undetectable kind that sits between the keyboard and the computer -- to steal exams in order to sell them.
Officials said the 16-year-old boy hooked up a keystroke decoder to a teacher's computer and downloaded exams in November.
Posted on February 22, 2005 at 2:05 PM
• 14 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Wasn't a security class, was it? ;-)
Interesting story. I have to admit that I am not entirely sold on the idea of criminal charges in a case like this. I understand that there have to be ramifications for the students actions, but it seems like they could have been handled through school policy, i.e. suspension, expulsion or the like. Making a felon out of a child seems a bit harsh. There are numerous different approaches that could have been tried. Just my opinion....
I agree. It's unusual to involve the police unless the schools are totally unprepared. The police said "It's surprisingly simple -- to the point our police department is now on alert to other district area police departments to make them aware."
In a way, this is an admission by the police that they are less aware of information security risks than they (or we) might hope, so we might rightly assume the school was even less aware. But at the same time it seems sad for a school to think that the police should need to be involved with every kiddie keystroke-logger attempt to fix their grades. In fact, I would rather see schools seek funding/help to handle these things on their own, including some common practices to deal with tampering and breach attempts on core information infrastructure. When you bring police into the classroom, education is probably going out the window with the bathwater. Although when you read the Ohio Senate Bill 24, it looks like the Christian Conservatives actively WANT to police the classrooms...
"Concerned that Ohio college students' young minds are being indoctrinated by left-leaning college faculty, four Republican state senators have introduced an "academic bill of rights for higher education" that would limit what professors could say in their classrooms."
By Mark Fisher, Dayton Daily News
Reminds me of the comment made by the jude in the case of the 18 year-old who released a version of the Slammer(?) worm: "You have rocked the foundations of the internet" (and thus deserver 18 months in jail).
If your system isn't worth patching when the patch comes out, and it isn't worth patching when the original worm comes out, is it worth 18 months of someones life to protect it?
Incidents like this demonstrate how utterly bewlidered most people are about technology and security, and how totally unprepared they are to take responsibility for their own safety (and the safety of others in their care).
Would the same criminal charges have been laid had the student stolen the answers in a low-tech way?
I suspect his real crime was demonstrating to those in authority that they haven't a clue.
Thomas Sprinkmeier writes above:
"If your system isn't worth patching when the patch comes out, and it isn't worth patching when the original worm comes out, is it worth 18 months of someones life to protect it?"
I am against this as an adequate argument, and suggest the following analogy.
You live in a house with door locks but no burglar alarm, like most of your neighbours. A larger sledgehammer becomes available in the local hardware store; a number of burglaries occur, with the front door smashed down; many of your neighbours install burglar alarms; you do not.
Then a burglar arrives at your house, having noted it is a "safer bet" through lack of burglar alarm; he smashes down the front door and steals your stuff.
Subsequently he is caught and charged with burglary. His primary defence is that you, the householder, deserved to be burgled because of your lack of protection.
Should he be let off?
With regards to Nigel Sedgwick's comments on Thomas Sprinkmeier's post it avoids the issue that Thomas is trying to bring across.
Basically very few people especially in the legislature have an understanding of technology (lets be honest and say a large number of practitioners in technology have a very poor understanding of technology).
The point is a lack of understanding should not be used as an excuse for draconian action against anybody.
To behave in that way reducess peoples belif in justice
Hardware key-loggers have always been a favorite to internal-covert-attackers primarily for the following reasons:
0. No one ever really looks behind their machine to see if there are new unauthorized devices connected to it.
1. The device appears to be within the normal parameters of a common machine. (Think ps2/AT converter). It is small and beige, and can be easily camouflaged to match the theme of the cords in a corporate network.
2. The device can be planted before or after normal work hours by anyone. The attacker him/herself or a third-party contributor such as a janitor or someone posing as a janitor, security, desktop support.
3. The device is password protected and only triggered to dump its information when said password is typed into the keyboard that is connected to the key-logger. This can be done at the target's system or at the attacker's machine.
4. The device also comes with handy filters to quickly search the captured information for patterns.
5. The device is stand-alone and does not require internet access or any type of installable software that may be detected such as the software key-loggers on the market.
6. Very few scanners offer hardware key-logger support, and even fewer are successful.
7. The device is easy to conceal during transport, and does not require constant power to store the captured information.
8. The hardware key-logger can be set in various modes so that it can overwrite or stop capturing once it has reached its capacity. Also various loggers have decent capacities so that the attacker does not need to return for long periods of time.
9. The only risk the attacker needs to negotiate is planting and recovering the device after a given amount of time. Or if the device is captured it contains an (Electronic Serial Number) ESN that may link the purchaser of the device to the device itself if the attacker didn't think ahead to use bogus information during the time of purchase.
As long as the targets remain uneducated and trained to look at their hardware once in a while or within policy/protocol they will always be left vulnerable to hardware key logger attacks.
I agree that there is a fine line here, and that it's all too easy to blame the victims. This was not my intent.
I believe, however, that your analogy is flawed. People who got hit by the variant are more like homeowners who, having seen a police warning about burglars, having ignored an offer of a free dorr-lock upgrade, and having seen neighbours being broken into, fail to even lock their doors!
(It doesn't help that > 90% of homes have inadequate locks to begin with).
I don't want to give up my freedom, or pay for police resources to protect people who don't make any effort to protect themselves.
Imagine if the Police your taxes pay for spent most of their time recovering stolen cars because people didn't lock their doors (and/or because those doorlock were inadequate). Imagine if draconian laws were then passed to prosecute car-thieves. Imagine if those same laws restricted your freedoms.
Is this serving justice?
Thomas Sprinkmeier writes:
"Incidents like this demonstrate how utterly bewlidered most people are about technology and security, and how totally unprepared they are to take responsibility for their own safety (and the safety of others in their care)."
Your comment show just how ignorant people in the technology world are of basic ideas in criminal laws. In our legal system, our aim is punishment that befits the crime. Does the punishment imposed in the Parson case befit the crime? The answer is yes, despite the relative minor damage caused by his variant of the virus, because the consequence of one's action is largely irrelevant in determining criminality. It is the intent that matters.
For instance, say we have a man trying to hire a hitman to kill his wife. The hitman turns out to be an uncover cop. Once the payment was made, the man is promptly arrested. The wife was not harmed in anyway and was, in fact, never in any danger. Yet the man is guilty of attempted murder and would likely face life imprisonment, because his intent is to cause the death of his wife.
Conversely, a man who kills a pedestrian in an auto-accident would not be punished, because the intent to kill is absent.
In the case of Mr Parson, the intent to cause disruption on the Internet was clearly there. He is actually more guilty than the original author of Blaster was, because this other could at least claim to have not anticipated the potential damage. Mr Parson, on the other hand, knew perfectly well what the virus was capable of when he created and disseminated his version. If anything, the sentence he received was too lenient.
Chung Leong, please show me where "intent" features in post-911 "anti-terror-won't-someone-think-of-the-children" laws.
Please explain to me why countless CEO's who fully intended to comit fraud are walking free.
I'm talking about justice, not the law. The two are increasingly diverging.
Justice is only done if it's seen to be done. Recent laws seems to operate best in the dark.
Please, give me a break, Thomas. People who use keyloggers should be punished. Car thieves and burglars should also be punished. Yes, this serves justice. No, it's not "Draconian".
The story says "The boy has been charged with a Class B misdemeanor -- breach of computer information. The penalty is a fine of $2,000 or 180 days in jail." Do you really think he'll get the full 6 months in jail?
Do you think you have a right to hook up a keylogger to my machine, and that if I don't visually check for its presence four times a day, it's my fault, and you should go unpunished? So what if I forget to lock my car one day--does that mean I "deserve" to have it stolen, and that if you are the one who steals it, it's "finder keepers, losers weepers"?
If every one of my neighbors left their house and car unlocked, and their wallet on their front doorstep, they still wouldn't lose a penny to me.
I never said these people should not be punished. I spent last Friday night eradicating a virus, so personally any punishment involving stocks and tomatoes (preferable still in their cans) sounds great to me.
Forgetting to lock your car does not make it a freebie either. Most people, however, deploy 'defense in depth' - car alarm, immobilizer, locks, steering-steering lock, park in brightly-lit area, so omitting one of those precautions isn't the end of the world. This is common sense in the 'real world', but somehow forgotten in the virtual one. Also, I suspect you would be a lot more careful about locking your car if car-thieves could 'port scan' thousands of cars per second to look for unlocked ones.
The Internet, and computing in general, isn't the rosy world some people try to make it out to be. Web security is more than seeing a reassuring padlock in your browser. A computer in a publicly accessible place is at high risk of being compromised. Some freebie downloads come at a high price.
As much as I wish this weren't the case, the Internet can be a fairly nasty place, and there are no geographical boundaries to protect you from the 'bad neighborhoods'. I think it's time people realized that, and acted accordingly, rather than accusing people of "rocking the foundations" simply for releasing yet another worm.
Of course, most people with PR dollars benefit from selling the false image of a rosy and cheery Internet (with a few bad apples that we could get rid of with just another law or two). How many people would buy PC's if they knew what security experts know? How many businesses would trust their databases to the Internet ("well, yeah, the IT guy told us that was a bad idea, but he's always saying stuff like that")? How many people would fill out on-line surveys (or send e-cards) if they really knew what was happening to their information?
I'm sure you're perfectly trustworthy, and I'd have no problems leaving my wallet lying around your place. It's time we stopped acting like everyone was like this.
People take reasonable precautions in the real world. They should do so in the virtual one as well.
Why is the mechanism of the theft ("breach of computer information") even an issue? To me this charge sound more like "demonstrating weak computer security by stealing something".
Theft it theft, irrespective of whether I used a lock-pick, coat-hanger, key-logger, or climbed through a window.
Following that logic, I guess you would say that a woman who's drugged and raped shouldn't get a "freebie" either. After all, if her body isn't worth refusing a 5 dollar drink, is it worth ten, twenty years of someone's life to protect it? The world is a dangerous place. Women should take reasonable precaution. What we need above all is education...so on and so forth.
If that's how you're interpreting my views then I must have presented them exreemly poorly.
For one, I think we're using "freebie" in a different context. I meant that Scroods car shouln't be a "free to steal with no consequences" just beacuse he forgot to lock it. I'm not sure what you thought I meant.
I don't think generalising my views to violent, predatory crimes serves any useful purpose. I'm not sure where to begin pointing out differances, so I won't.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.