This is a 7/3/2011 update of my Stop The Spying – Keylogger Detection post below.
See: ExposingKeyloggers.Wordpress.com
Rootkit key loggers, like those developed by HBGary and disclosed by Anonymous, threaten activists, freedom fighters and democracy worldwide.
Key loggers record all the keystrokes on the target PC and send them to a remote location where they are stored and viewed. They are commonly used by parents to monitor their children’s Internet activity and for industrial espionage in business settings.
It’s a sophisticated spying technique that is readily available to oppressive governments everywhere. Key loggers are designed to be intentionally hard to detect so people don’t find them and delete them.
To work, key loggers must use standard communications protocols to transmit their information to the remote location.*
This is a key logger’s most vulnerable point: when it transmits to the remote location, it can be detected, identified and tracked.
*Some key loggers may simply store information on a USB-like memory stick, but this information must be physically retrieved. This is only appropriate when the target PC (or printer) does not have good 7/24 physical security.
If enough prominent people find unauthorized key loggers spying on their PCs, their outrage would pressure the media and law enforcement to investigate and stop this spying.
Project Goal: Produce simple, reliable, inexpensive means to detect when key loggers transmit data to the remote location and identify where and when they are sending data in a form that can be easily shared widely with activists.
It’s important to emphasize that ANY device that does not have good 7/24 physical security can easily be tampered with. Portability, stability, reliability and ease of use need to be high priorities.
Concept #2: Use a simple line sniffer to read and record the address headers of all outgoing transmissions. The hardware should be easily constructed from readily available electronic components or reuse of old PCs. The software should be Open Source or offered under an inexpensive Creative Commons arrangement.
Outbound transmissions from a PC should fall into one of two categories: 1) Deliberate browsing activity; 2) Installed programs calling home to check for updates. The second would be relatively small, short and predictable, especially if automatic update is turned off.
Anything outside of these two types of transmissions would be suspect. HBGary proposed disguising its key logger transmissions as ad clicks.
It shouldn’t be hard to read and record the address headers and the size of all outgoing transmissions. Key logger transmissions would stand out as relatively large or frequent anomalies. Once the key logger’s transmissions are identified as a whole, it’s easy to prove unauthorized spying is occurring.
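As an added illustration of the classification described above (this is not code from the original post), here is a small Python script that takes the per-connection summaries a line sniffer would produce (timestamp, destination, port, bytes sent), aggregates them per destination, and flags any destination that is not on a hand-maintained list of known sites and update servers and that either sends a large volume or connects repeatedly. The summary-line format, the thresholds, the sample lines and the known-destination list are all constructed assumptions for the example.

```python
import re

# Constructed sample of outbound flow summaries (not captured from a real PC): one
# line per outbound connection as "timestamp dst_host dst_port bytes_out".
SAMPLE_FLOWS = """\
2011-07-03T09:00:01 news.example.org 443 1840
2011-07-03T09:00:02 news.example.org 443 2210
2011-07-03T09:05:10 updates.vendor.example 443 412
2011-07-03T09:10:00 203.0.113.45 80 51200
2011-07-03T09:20:00 203.0.113.45 80 49800
2011-07-03T09:30:00 203.0.113.45 80 50100
2011-07-03T09:31:00 mail.example.net 993 3300
2011-07-03T09:40:00 cdn.example.com 443 900
"""

# Destinations the PC's owner has vetted by hand: the sites they browse and the
# update servers of installed programs. Assumption: maintained manually.
KNOWN_DESTINATIONS = {"news.example.org", "updates.vendor.example", "mail.example.net"}

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_flows(text):
    """Parse flow-summary lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, host, port, nbytes = m.groups()
        flows.append({"ts": ts, "host": host, "port": int(port), "bytes": int(nbytes)})
    return flows


def summarize_by_host(flows):
    """Aggregate connection count, total bytes sent and first/last time per destination.
    Flows are assumed to be in chronological order, as a sniffer would record them."""
    per_host = {}
    for f in flows:
        s = per_host.setdefault(
            f["host"], {"count": 0, "bytes": 0, "first": f["ts"], "last": f["ts"], "ports": set()}
        )
        s["count"] += 1
        s["bytes"] += f["bytes"]
        s["last"] = f["ts"]
        s["ports"].add(f["port"])
    return per_host


def flag_suspicious(flows, known, min_bytes=16384, min_count=3):
    """Return {host: [reasons]} for every destination not on the vetted list.
    A destination that is large (total bytes >= min_bytes) or frequent
    (connections >= min_count) gets extra reasons; a small one-off destination is
    returned with only 'unvetted destination', so the owner can decide whether it
    belongs on the known list. Thresholds are assumed defaults, not measured values."""
    flagged = {}
    for host, s in summarize_by_host(flows).items():
        if host in known:
            continue
        reasons = ["unvetted destination"]
        if s["bytes"] >= min_bytes:
            reasons.append(f"large: {s['bytes']} bytes sent")
        if s["count"] >= min_count:
            reasons.append(
                f"frequent: {s['count']} connections between {s['first']} and {s['last']}"
            )
        flagged[host] = reasons
    return flagged


def report(text, known):
    """One human-readable line per flagged destination, sorted by host."""
    return [
        f"{host}: " + "; ".join(reasons)
        for host, reasons in sorted(flag_suspicious(parse_flows(text), known).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS, KNOWN_DESTINATIONS)))
```

In the constructed sample the three 50 KB uploads to 203.0.113.45 are flagged as both large and frequent, while the single small request to cdn.example.com is only listed as unvetted; the owner would look at what program opened those connections and when, which is the evidence the post says makes the spying provable.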
The system should be designed to be as simple and inexpensive as possible and to minimize the possibility of hacks and back doors being installed to defeat them. Hash or CRC checks should ensure the original code has not been changed.
Develop simple step-by-step procedures for constructing and setting up inexpensive line sniffers to do this.
Invite hackers to make suggestions as to how it could be defeated and improved. Solicit better ideas from the hacking community. Review and improve the approach and instructions.
Once the design is finalized, share the instructions widely publicly in different languages.
Key logger sweeps could be a money making opportunity for people who have the interest, equipment and skills to do it.
Questions:
Is this the best approach? Has it already been done and documented? What is the best way to proceed?
I don’t have the expertise or skills to develop this myself, but I can certainly help test, polish and promote it.
Please Support This Effort & Stop the National Security State