3/29/2007
03:58 PM

You Have Zero Privacy And Maybe A Keylogger

Keyloggers record what you type on your keyboard, sometimes openly and legitimately but more frequently surreptitiously and illegally.

Former Sun CEO Scott McNealy may have been correct, years ago, when he said there's "zero privacy" and urged his audience to "get over it." That doesn't make it any easier to live with keyloggers.

Keyloggers record what you type on your keyboard, sometimes openly and legitimately but more frequently surreptitiously and illegally. "Today, keyloggers are mainly used to steal user data relating to various online payment systems, and virus writers are constantly writing new keylogger Trojans for this very purpose," explains Kaspersky Labs security researcher Nikolay Grebennikov in a report issued today.

Malware with keylogging functionality is on the rise, according to Grebennikov.

John Bambenek, a research programmer for the Coordinated Science Laboratory at the University of Illinois and an analyst at the SANS Institute, said the percentage of machines infected with keyloggers has stayed pretty stable since 2005, when some 10 million PCs had been compromised, but noted that "there's software that does the same thing without keyloggers."

One example is the Gozi Trojan, which has been spreading through Internet Explorer exploits. This particular malware inserts itself between Internet Explorer and the socket used to send data, capturing the data prior to encryption and sending it along to a Russian-owned network.

Some 18% of enterprises reported keylogging attacks, according to Webroot's 1Q 2007 State of Internet Security Report.

Keyloggers can spread when users open files received via e-mail or downloaded over the Internet. They can be installed by a Web page script that exploits a browser vulnerability or through the actions of another malicious program already resident on a PC.

Consumers are relatively insulated from the online theft that may follow the arrival of a keylogger on a PC because most banks and credit card companies limit such losses.

Businesses face greater liability, particularly if they fail to take precautions. Florida businessman Joe Lopez found this out in 2005 when cyberthieves, having obtained Lopez's account information using a keylogging Trojan, transferred more than $90,000 to a bank in Latvia. Lopez sued Bank of America seeking the return of his funds, only to have Bank of America assert that Lopez was liable for the loss because he had failed to provide basic computer security, as required under the Uniform Commercial Code.

Banks and other financial institutions generally absorb the cost of fraud, passing it along to their customers.

"In my opinion, the way we do online financial transactions is fundamentally insecure," said researcher Bambenek, noting that lack of strong authentication at banks and e-commerce sites makes it possible for thieves to profit from stolen data.

And as long as cybercriminals continue to steal relatively minor sums from large numbers of people, cybercrime should continue to pay. "If you keep your crime at a certain level, law enforcement basically lets you be," Bambenek explained.
