Tag Archives: Keystroke logging

Carrier IQ’s Opt-Out Data Collection Patent

ZDNet writes here about a Carrier IQ patent that outlines keylogging and the ability to target individual devices, which is interesting. But Carrier IQ owns a dozen patents, including this one, which to me is much more interesting. This patent indicates what Carrier IQ software could do—not what it does—but it is revealing nonetheless:

A communication device and a data server record and collect events and event-related data to create an activity record. A user of the communication device may request that events and related data be recorded and collected using a configuration option on the communication device or through an interaction with the data server. Data are grouped into data sets and uploaded to the data server either automatically or upon user approval. The data server uses the uploaded data to create an activity record which the user may access through a website. The user uploads additional data which are associated with the activity record. In some instances, the data server embeds a link pointing to the additional data in an entry in the activity record corresponding to an event associated with the additional data.

Basically this patent offers a way for a “user”—which could be either the user of the device or the service—to have a record of everything they do.

While most of the patent is clearly about a product that would create a ‘lifestream’ for the user—where they can access all the things they’ve done with the device, including photos etc., in one tidy presentation—there’s clearly more to it than that. Buried in the patent are indications that it could do all this without the user asking it to. It’s paragraph [0023] that I think is most interesting:

A user of a mobile device requests that events and event-related data be collected by a data server and data collection begins. Alternately, data collection may be a default setting which is turned off only when the device user requests that data collection not occur. In yet another embodiment, a request from a server can initiate, pause, or stop data collection. The mobile device is configured to record events performed by the mobile device as well as event-related data. Typical events that the mobile device records include making or receiving a phone call; sending or receiving a message, including text, audio, photograph, video, email and multimedia messages; recorded voice data, voice messages, taking a photograph; recording the device’s location; receiving and playing an FM or satellite radio broadcast; connecting to an 802.11 or Bluetooth access point; and using other device applications. The data most often related to an event include at least one of: the time, date and location of an event. However, other event-related data include a filename, a mobile device number (MDN) and a contact name. Commonly, the mobile device records events and provides a time, date and location stamp for each event. The events and event-related data can be recorded in sequence and can be stored on the mobile device.

This seems to suggest that

  • basically all activity on the phone can be logged
  • the software can be turned on by default
  • the software can be turned on and off from the server

All this information would be grouped together and uploaded either with the user’s permission or without it:

[0025] The mobile devices may be configured to store one or more data sets and upload the data sets to the data server. In one embodiment, the data sets are uploaded automatically without user intervention, while in other embodiments the mobile device presents a query to the user beforehand. When the mobile device is ready to upload one or more sessions to the data server, a pop-up screen or dialog may appear and present the user with various options. Three such options include (1) delete session, (2) defer and ask again and (3) upload now. The user interface may present the query every time a session is ready to upload, or the user may be permitted to select multiple sessions for deletion, a later reminder or upload all at once. In other embodiments, the uploading of sessions may occur automatically without user intervention. Uploads may also be configured to occur when the user is less likely to be using the device.

This point—about the option to collect such data without the user’s say-so—is confirmed in [0030]:

Although typically the device and the server do not record, upload and collect data unless the user requests it, in other embodiments the communication device and the server automatically record, upload and collect data until the user affirmatively requests otherwise.

And in [0046]:

In embodiments where participation in the data collection services is the default configuration for a mobile device (e.g., an “opt-out” model), it is not necessary to receive a request from a user prior to recording data.

An ‘opt-out’ model is hard to visualize if this is a product that is a user-centric lifestream.

While patents only tell part of the story, there’s no evidence of any such consumer-facing product on Carrier IQ’s website, so one has to assume these capabilities have been, or could be, wrapped into their carrier-centric services. In that sense, I think there’s plenty of interest in here.

Keeping the Keyloggers out of the Basement

Here’s a product about to be announced that claims to really protect users against keylogging — when bad guys capture the keystrokes you make and then transmit them back to base: StrikeForce’s WebSecure (PDF file):

The basic idea, StrikeForce’s PR guy Adam Parken tells me, is that “keystrokes are encrypted at the hardware driver and delivered directly to the browser.” This, he says, “gets around the OS, messaging service, etc. where keyloggers normally hide.” It looks a bit like this (from a WebSecure presentation):

[Image: diagram from the WebSecure presentation]

If that makes any sense. The grey boxes are the bits in between the keyboard and the network, and they’re all places where keyloggers hide. Anti-keylogging programs, as I understand them, are usually merely programs that try to guess what’s going on and, if they see something sleazy, warn the user. Usually this is based on prior knowledge, or a library, of known keyloggers or known keylogging tricks.

WebSecure, instead, according to the press release, “automatically encrypts every keystroke at the keyboard level, then reroutes those encrypted keystrokes directly to the Web browser, bypassing the multiple communication areas that are vulnerable to keylogging attacks.”

WebSecure is going to be demoed at DEMO here sometime in the next 24 hours or so. If they do the job seamlessly and as promised, WebSecure could be quite a useful tool for companies and end users. But it’s an area long tackled and never conquered by security software developers, so I’m not holding my breath.

A New Way To Foil Keyloggers?

PC Tools has released a new version of Spyware Doctor, 3.2, with what it calls “groundbreaking Keylogger Guard technology that protects users from identity thieves”. A press release says:

Existing solutions can allow keylogger threats to run undetected for weeks or months by which time the damage is already done. Spyware Doctor 3.2’s Keylogger Guard detects and removes keylogger threats in real-time before they are able to steal personal information.

It does this by looking at “behavior rather than signatures… Keylogger Guard detects the behavior immediately, blocking keyloggers from installing on the user’s system and protecting customers right away, not weeks or months too late.”

Sounds interesting, although I’m not sure it’s exactly groundbreaking. Or is it? A trial version of Spyware Doctor 3.2 can be downloaded at www.pctools.com and costs $30.

The world’s biggest phishing attack?

This London bank raid seems impressive:

The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank’s computer system in London.

They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.

Of course, it’s likely that there are lots more cases like this we don’t hear about. As Computerworld reports:

[Security experts] Cluley and Barnes said keylogging hacks are more common than thought, and they said the $423 million plot was probably the largest corporate case that had been made public. Both experts said it’s unclear what kind of keylogging was used.

The two speculate it could have been a physical keylogger dongle, installed by a cleaner (although that would mean the dongle would probably have to be retrieved somehow since any traffic through the company’s servers would be noticed. At least, one would hope so.)

A Free Zone Alarm?

For firewalls, I always recommend Zone Alarm from ZoneLabs. To my mind it’s still the best and most intuitive firewall around. But most people only need the free version. And that’s where the problem is. Why do ZoneLabs make it so hard for ordinary users to download it?

Readers and friends who have tried to download the free version often seem to run into problems, and download the ‘free trial’ version or some other less-than-free version of the software. As I recommend Zone Alarm, and thought that ZoneLabs had agreed to make this easier after earlier complaints, I thought I should check it out.

It’s true that it’s not easy. The Free ZoneAlarm and trials link is there in the top half of the screen, but it’s below another ‘freebie’, a Spyware Detector (more of that anon). The list of ZoneAlarm Security Products that are now available does not include a link to the free version, and the big link to the ZoneAlarm Security Suite page which dominates the top half of the screen contains no links to the free version. Neither does the download page. So unless you happen to see the link on the homepage, you’ve pretty much lost the chance to get the free download.

And even then, should you make it to the ‘Free Downloads’ page, you’ll have to scroll down to the end of the list, past five other mentions of the word ‘free’, to find the free version. Made it that far? You still have to skip past another tripwire before you make it home without removing your wallet. The first link on that page is: FREE! Scan My PC for Spyware Before Downloading ZoneAlarm® (Recommended), which sounds, to a casual user, almost part of the download process. (What they don’t tell you is that the scan is free, but you’ll have to shell out $30 to remove the ‘spyware, keyloggers, cookies, adware, browser help objects and other pests’ that the scan will find.) My scan found 48 items of ‘spyware’ — all but two of them cookies, which is pushing the definition a little. (The other two were MS Media Player ID files, which are worth removing, according to CA and Kephyr.)

This is a shame because, while I can understand ZoneLabs’ need to make a buck, the free version is an excellent shop window for ZoneLabs. And users shouldn’t be misled by ‘recommended’ links to other software that looks free but isn’t really. Bottom line: if you’re not educating the user but trying to get their money through stealth or obfuscation, then you’re not part of the solution.

Korgo Clarified

More on Korgo; I wish I could say it was the last. But the good news is that it does not seem to be the all-in-one ‘phishing worm’ F-Secure said it was.

F-Secure has clarified the situation over the Internet worm Korgo, which seems to answer some of the questions in my earlier posting. Korgo does not include a keylogger, nor any code to steal banking info. But, F-Secure says, “it seems that the Hangup Team (virus group behind the worm) is actively installing a keylogging trojan known as Padodor to the infected computers.” This is done via a backdoor left by Korgo.

Padodor collects anything typed into any web form, and specifically logs bank logins for users of some international banks. Padodor is not the same as Padobot, which is one of the aliases of Korgo. Bottom line, according to F-Secure: “Not all machines infected by Korgo have Padobot, and Padobot can be found on machines which are not infected by Korgo.” (In fact, I may be wrong, but I think F-Secure mean Padodor here: “Not all machines infected by Korgo have Padodor, and Padodor can be found on machines which are not infected by Korgo.” No?)

The thing here is that a worm does the distribution work, infecting computers. Then there’s the bot, or trojan, that is the payload. This is the bit that does the money-generating work. That can either be loaded onto computers as part of the original worm, or else it can be loaded later via the backdoor left by the original worm. So here F-Secure has mistakenly assumed the keylogging bit was part of Korgo, which it wasn’t.

Korgo Spreads Its Wings

Seems like the big anti-virus boys are waking up to Korgo, the ‘phishing worm’ that F-Secure was warning about a few days ago.

Symantec have just issued an advisory upgrading W32.Korgo.F, a new variant of the worm, from a Level 2 to a Level 3 threat. As Symantec says, W32.Korgo.F is a worm that attempts to propagate by exploiting a Microsoft Windows vulnerability publicly announced on April 13, 2004, the LSASS Buffer Overrun Vulnerability. This vulnerability allows a hacker, in the words of Symantec, “to execute malicious code on a vulnerable system, resulting in full system compromise.”

But what I don’t understand is that Symantec don’t indicate the real threat behind this worm: That it steals passwords. And no mention of the keylogging properties of Korgo (sometimes called Padobot or Lsabot) on Sophos or McAfee (which has found a seventh variant, but measures all the threats as low). Even a more detailed explanation on Virusdesk doesn’t refer to the keylogging capability. Why is that?

F-Secure point out that “this latest worm makes it possible to gain access to secure passwords and other valuable information, such as credit card numbers. Banking information is especially vulnerable as this is essentially a keylogging virus.” I can’t see Symantec mentioning this key bit of information, which, as UK-based Netcraft points out, “represents an alarming advance in phishing, as it forgoes the need to trick the end user into divulging details.”

End users: Symantec recommends that users update their antivirus definitions and configure their firewalls to block ports 113 and 3067.

More On Korgo

More on the phishing worm I mentioned in a previous post.

Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.

He points out that while this is the first automatic — in other words, it doesn’t use email or other methods to get around — worm to do this bank website keylogging, it’s not the first virus. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, were also believed to be behind Webber and Banker, two other bank-related viruses.

Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?

A Phishing Worm

Welcome to the phishing worm.

Korgo, a new worm that appeared last week, scans for random machines to infect and attack, using a vulnerability in Windows called the LSASS flaw which was discovered in April, according to Internet Week. Korgo, also known as Padobot, then sits on users’ computers waiting for instructions from home. Most such bots would open up the victim’s computer for relaying spam, launching Denial of Service attacks, or for infecting other machines.

Korgo seems to go one step further. According to F-Secure, Korgo “seems to be stealing user information very aggressively through keylogging techniques.” Mikko writes on his blog (sorry, no permanent link available): “The Korgo network worm keeps spreading actively, and it’s aggressively stealing user information from infected machines. It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords). It also logs everything the user types to any web form – this will collect lots of credit card numbers, passwords etc.”

This would, if true, mean that users don’t need to receive an email, visit an infected site, or unwittingly download anything for their passwords to be stolen. That would seem to take phishing to the next level in that it doesn’t involve email, either as a form of transmission or as a lure. Roger Thompson of PestPatrol agrees it’s probably the first: “There have been bots that phish, but I don’t think any have specifically targeted banks”.

For some reason McAfee and the others are rating Korgo as a low threat, and make no mention of its keylogging abilities that I can find. I’ve asked F-Secure for more information, including which banks are targeted. I’m also not sure whether there have been previous worms that capture banking passwords. What does seem clear is that the worm is Russian in origin. F-Secure says it believes the HangUP Team, a team of Russian hackers, is the worm’s ‘probable creator’.

Anti Phishing Tools And The Lull Of False Security

From Buzz Bruggeman, here’s another tool that may help fend off phishing attacks (here’s an earlier post on similar software): SpoofStick, a browser extension that sits in either IE or FireFox and tells you what website you’re really visiting.

It works like this: many phishing scams conceal the real website in a link behind tricks such as lots of gobbledegook preceded by a legitimate-looking website name. Others put in lots of white space so the real link falls off the edge of your screen. All rely on one weirdness in URLs: if there’s more than one website name in the link, it’s the last one that counts. So when you see a link beginning in ebay.com, you can’t be sure whether it’s really an eBay link until you get to the end of the link, and even legitimate links can sometimes be longer than the width of a screen. CoreStreet do a good job of explaining all this, and SpoofStick will tell you what site you’re really at.
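To make the “last one counts” rule concrete, here is an added Python example (not code from the post, from SpoofStick or from CoreStreet) that applies the standard-library URL parser to a link and reports the host a browser would actually connect to. All sample links are constructed; the disguised destinations use reserved documentation names and addresses.

```python
"""Which host does a link really point at?  Added example, not from the post.

Applies the rule stated above: when a link carries more than one site name in
its authority part, the last one (after the final '@') is the real host.
Sample links are constructed; 'attacker' hosts use reserved example names/IPs."""
from urllib.parse import urlsplit


def real_host(link: str) -> str:
    """Return the host a browser would actually connect to for `link`.

    Covers the tricks described in the post:
      * a trusted-looking name placed before an '@' (that is only the
        userinfo part of the authority; the host follows the last '@');
      * whitespace padding used to push the real host off the visible edge
        (browsers strip leading/trailing blanks and drop tabs/newlines inside
        the URL, so we do the same before parsing);
      * a missing scheme, without which urlsplit would read the whole string
        as a path and report no host at all.
    """
    s = link.strip()
    for ch in ("\t", "\r", "\n"):
        s = s.replace(ch, "")
    if "://" not in s:
        s = "http://" + s
    host = urlsplit(s).hostname or ""   # .hostname drops userinfo and port
    return host.rstrip(".")


def is_really(link: str, expected_host: str) -> bool:
    """True only if the link lands on expected_host or one of its subdomains.

    A trusted name used as a prefix (ebay.com.evil.example) fails this check,
    so it also covers the 'sounds kosher' look-alike case, not just the '@' trick.
    """
    host = real_host(link)
    expected_host = expected_host.lower().rstrip(".")
    return host == expected_host or host.endswith("." + expected_host)


# Constructed sample links: the first two are genuine eBay-shaped links,
# the rest are the disguises described in the post.
SAMPLES = [
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
    "http://www.ebay.com/signin@notes",                 # '@' after the first '/' is just path
    "http://www.ebay.com@192.0.2.10/signin/",           # userinfo trick: host is 192.0.2.10
    "   http://www.ebay.com:80@signin-verify.example.net/   ",  # padding plus a fake port
    "http://www.ebay.com\t@signin-verify.example.net/",         # embedded tab
    "www.ebay.com@192.0.2.10/update",                   # no scheme at all
    "http://ebay.com.signin-verify.example.net/",       # trusted name as a prefix
]


def report(links=SAMPLES, expected_host="ebay.com"):
    """Return (link, real host, genuine?) per link and print a short table."""
    rows = [(l, real_host(l), is_really(l, expected_host)) for l in links]
    for link, host, ok in rows:
        print(f"{'OK ' if ok else 'BAD'}  {host:<34} {link.strip()!r}")
    return rows


if __name__ == "__main__":
    report()
```

Unlike SpoofStick, this checks a pasted link before anyone visits it, which is the order of operations the post argues for.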

Now, I’ve got nothing against CoreStreet offering these kind of tools; in fact I think it’s a good public service. But given the company is involved in “massively scalable validation products for identity management and access control” I can’t help wondering whether there isn’t a better way to do this.

First off, with something like SpoofStick users would have to click on the link in their email program and visit the site in question before they know whether the email/website is genuine. Given many phishing emails now don’t bother trying to get the user to fill out a form but instead upload a keylogging trojan when they visit the scamming website, it’s going to be a bit late to find out whether the URL is legitimate or not. Better would be a tool that allows the user to copy the offending URL into a program which would then check its authenticity.

Secondly, what happens when the scammer uses a website name that sounds kosher? As mentioned in a previous posting, some scammers are smart enough to set up website names that may sound legitimate to some users (in that case updatesecuritycheck.com), so the approach adopted by SpoofStick is going to only help those who think that doesn’t sound like a legit site. To many it does.

Bottom line: SpoofStick and its ilk are good, but they don’t go far enough, and they may merely lull users into a false sense of security. It’s not that elegant, but I’d suggest concerned users go to something like Karen Kenworthy’s URL Discombobulator, freeware which will investigate any URL you paste into it and tell you what’s really behind it. Just remember to copy the link itself, not the text in front of it. Many scams will create what looks like a legitimate link but actually links to what, in a recent phish I received, the scammer charmingly admits is the ‘scampage’ (this is a real scam so I don’t advise clicking on it): https://www.paypal.com/fraudcheck/secure/bill.html?sl=070304=”/A”>