Bypassing encryption
Many of us rely on encryption to keep communications private. We can encrypt email using programs like PGP, and we can encrypt telephone conversations and data transmissions with any number of devices. Encryption gives us a sense of security. It is important to remember, however, that security is not absolute, and that it is always part of a larger context, and that a sense of security is not necessarily security.
Voice Encryption
As an example let us look at voice encryption devices, some of which we will be reviewing over the next few months. Security on these can be defeated by bad-guys in at least five ways.
First, the encrypted signal can be captured and decrypted using skill and computing power. We like to think that this is unlikely to happen if the people doing the decrypting aren’t from one of the government agencies that do this sort of thing in whatever country is doing the capturing and decrypting, and that most normal bad guys will be unable to capture the communication in the first place, nor decrypt it so easily. Because of this, we do not concern ourselves here with the sophistication of the encryption.
Second, the encryption algorithm could have a back door built in, with the people doing the capturing and decrypting having the key available. Thus, some countries insist that they be given keys for all encryption. In theory this is for purposes of national security, will never be used against you personally or commercially, and the keys will never be guarded by as-yet-undiscovered spies buried within the handling agency. Rumor has it, for example, that the keys to the Clipper Chip have been shared, for security purposes, with close allies like China. In fact, nobody really knows reliably what backdoors have been put into what encryption methodologies.
Third, the signal could be captured at a point where it is not encrypted. As an example, we might look at mobile phone transmissions. While analog transmissions can be picked up with a simple receiver, most digital signals are not so easy to capture. CDMA transmissions are spread over the spectrum and hard to capture, and GSM transmissions are encrypted (we won’t get into the issue of the sophistication or lack thereof of this encryption). These transmissions are decrypted at the switch, however, and can be picked up easily there, which means that legal wiretaps on cellphones (now more common than taps on wirelines) are trivial: The switch merely directs the call to the requesting agency (or its computer) at the same time it goes to the called party. By the same token, if you are making a mobile call to a landline, a conventional tap will pick up the unencrypted conversation on the receiving end of the link.
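The tap point described above can be made concrete with a short model of a mobile-to-landline call. This is an added example, not part of the original article: the "cipher" is a toy SHA-256 keystream chosen only so the block runs on the standard library, the link key stands in for the over-the-air encryption, and the optional end-to-end key stands in for a separate voice-encryption device at each end. The switch decrypts the air leg and records what it sees, which is what a wiretap at the switch gets.

```python
"""Link encryption versus end-to-end encryption, modelled as one exchange.

Added illustrative example, not from the original article. The keystream
cipher is a toy built from SHA-256 in counter mode so that the block runs
offline; it is not a recommendation for real traffic."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks. The same call
    decrypts, as with any XOR stream cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Switch:
    """The carrier's switch: it holds the over-the-air (link) key and, like a
    lawful-intercept port, records whatever it sees after link decryption."""
    link_key: bytes
    intercepted: List[bytes] = field(default_factory=list)

    def relay_to_landline(self, air_frame: bytes, nonce: bytes) -> bytes:
        payload = toy_keystream_xor(self.link_key, nonce, air_frame)
        self.intercepted.append(payload)  # the tap point the article describes
        return payload  # the landline leg carries this as-is, unencrypted


def mobile_call(message: bytes, link_key: bytes, e2e_key: Optional[bytes]) -> Dict[str, bytes]:
    """Send one message from a handset to a landline through the switch.

    With e2e_key set, the handset encrypts once more inside the air encryption,
    as a separate voice-encryption device would, and the far end undoes it."""
    air_nonce = b"call-0001"   # constructed per-call values for the demo
    e2e_nonce = b"e2e-0001"
    inner = toy_keystream_xor(e2e_key, e2e_nonce, message) if e2e_key else message
    air_frame = toy_keystream_xor(link_key, air_nonce, inner)  # GSM-style air leg
    switch = Switch(link_key)
    at_landline = switch.relay_to_landline(air_frame, air_nonce)
    far_end = toy_keystream_xor(e2e_key, e2e_nonce, at_landline) if e2e_key else at_landline
    return {"tap_sees": switch.intercepted[0], "far_end_hears": far_end}


if __name__ == "__main__":
    msg = b"meet at noon"
    print("link only  :", mobile_call(msg, b"link-key", None)["tap_sees"])
    print("end-to-end :", mobile_call(msg, b"link-key", b"e2e-key")["tap_sees"])
```

Run with only a link key and the switch's record is the plaintext; add the end-to-end key and the far end still hears the message while the switch records only ciphertext. The example also generalises the article's point beyond cellular: any hop that holds the key for its leg is a place where the traffic is in the clear.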
Fourth, a bad guy can ignore taps altogether and put a bug in the room where the speaker is located. Thus, the transmission may in fact be perfectly encrypted, but someone could be listening in to your half of the conversation.
Finally, the secure transmission can be inconvenient, either through poor choice of equipment, or tampering with lines to make them work poorly. As it happens, when it is inconvenient to speak securely, most people — including those who should know better — choose to speak insecurely rather than wait until they can make a secure connection.
Text Encryption
For encrypted messages on the computer the bad-guys also have a number of options. On the highest-tech end would be a Tempest receiver (see the article on Tempest in the December 1999 issue of the e-Journal). Alternatively, they could place a video camera to capture what is on the screen. But these are way too high-tech and convoluted, and a bad-guy’s job is actually much easier than that if he can merely get access to the computer.
If they have access to the computer they can use what we will generically call a key logger. Key loggers are available as either hardware or software, and either capture your keystrokes (thus the name), or, in some software cases, they can capture periodic screen shots. Some store the data on the drive or the memory of the hardware device, with you needing access again to get the data. On a network, of course, the data can be stored on another machine by the software version, and you will never be aware of it. Actually, you probably won’t be aware of it even on your own machine, as the files are hidden, and references to them are buried in obscure places. Alternatively, some programs will email the data somewhere.
How expensive are key loggers? Prices vary. There are some that are freeware or shareware, and we’ve certainly seen them in the $20 range, so money is not really the constraint here: there are something under 150 different keylogger software offerings out there, and bad guys have a wide variety of choices. Hardware versions, such as those offered by Codex and Keyghost and others, generally come in two flavors: devices that attach between your keyboard and the keyboard port, mimicking an adapter cable, or replacement keyboards. The keyboard versions we’ve seen on the internet are still under $400. These can store up to a year’s worth of keystrokes! The advantage of hardware loggers is that they capture keystrokes before the operating system starts, so if you change a password built into the BIOS setup it will be captured, compromising your machine.
How do you find keyloggers? Well, the hardware versions require you to physically look. It is fairly easy to spot an adaptor between your keyboard and the port (they often have a piece about the size of an AAA battery in the cable). For one built into the keyboard — and there are devices that can be inserted into a laptop — you have to take the device apart and look for the logger.
Software can be detected using software programs, of which we have seen several sorts. One program reports on changes in the Windows registry, but this assumes you understand the Windows registry, and can tell a bad entry when it appears. We can’t. Another does a heuristic analysis, but appears to require a reasonably high level of technical sophistication to interpret the results. We couldn’t test this software, as it doesn’t yet support Windows 2000, the operating system of the test machine.
If you want a piece of software that will make a reasonable job of checking your hard drive and determining if you have spyware on it, SpyCop (http://www.spycop.com/) is worth investigating. SpyCop takes the same approach that anti-virus software uses: they track current spyware and check, file by file, for software that contains code that fits the pattern of known spyware. When we ran SpyCop, it took about an hour to do a deep scan of our hard drive.
As with anti-virus software, you need to update SpyCop as new versions of spyware appear, but since new versions of spyware do not appear with the same frequency as do new viruses, this should not be onerous. In addition, once you determine your computer is un-bugged, you should make an effort to secure it, thus obviating the need for frequent re-scans. At $30 for the home license, or $70 for the commercial license, SpyCop can provide a certain peace of mind, and is worth the cost even if only used once.
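The file-by-file pattern check that the two paragraphs above attribute to SpyCop, and the signature database that has to be kept up to date, can be shown in miniature. What follows is an added example and not SpyCop’s code or any real scanner: the signatures are constructed markers for this demo, not real spyware patterns, and the sample directory is built on the fly. Beyond the article’s description it also handles the two things a naive scanner gets wrong: large files are read in chunks rather than loaded whole, and a carried-over tail keeps a pattern that straddles a chunk boundary from being missed.

```python
"""Signature-based scan of a directory tree for files containing known byte
patterns, in the style of the file-by-file check the article describes.

Added example, not SpyCop's code. DEMO_SIGNATURES are constructed for this
demo only; a real scanner would load and periodically update a signature
database, the way anti-virus definitions are updated."""
import os
import re
import tempfile
from typing import Dict, List, Pattern, Tuple

# Constructed demo signatures: a name mapped to a byte regex.
DEMO_SIGNATURES: Dict[str, bytes] = {
    "demo-keylogger-A": rb"DEMO_HOOK_KEYS\x00",
    "demo-keylogger-B": rb"DEMO_LOG_TO\x00.{1,64}?\.dat\x00",  # a log path follows the marker
    "demo-screengrab-C": rb"DEMO_GRAB_SCREEN",
}

CHUNK_SIZE = 1 << 20       # read 1 MiB at a time; never load a whole file into memory
OVERLAP = 256              # bytes carried over so a pattern spanning two chunks is still seen
MAX_FILE_SIZE = 64 << 20   # skip files above 64 MiB in this demo

Compiled = List[Tuple[str, Pattern[bytes]]]


def compile_signatures(sigs: Dict[str, bytes]) -> Compiled:
    """Compile once up front; re.DOTALL lets '.' in a pattern match newline bytes."""
    return [(name, re.compile(pat, re.DOTALL)) for name, pat in sigs.items()]


def scan_file(path: str, compiled: Compiled) -> List[str]:
    """Return the names of every signature found in one file, in database order."""
    hits: List[str] = []
    try:
        if os.path.getsize(path) > MAX_FILE_SIZE:
            return hits
        with open(path, "rb") as fh:
            tail = b""
            while True:
                chunk = fh.read(CHUNK_SIZE)
                if not chunk:
                    break
                window = tail + chunk           # tail covers the previous chunk boundary
                for name, rx in compiled:
                    if name not in hits and rx.search(window):
                        hits.append(name)
                tail = window[-OVERLAP:]
    except OSError:
        pass  # unreadable file: skipped here; a real scanner would report it
    return hits


def scan_tree(root: str, compiled: Compiled) -> Dict[str, List[str]]:
    """Walk root recursively; map each flagged file (relative path) to its matches."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the tree
            hits = scan_file(full, compiled)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway directory: one clean file, one file whose marker
    straddles the first chunk boundary, and one file carrying two markers."""
    root = tempfile.mkdtemp(prefix="sigscan-demo-")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n" * 100)
    with open(os.path.join(root, "sub", "split.bin"), "wb") as fh:
        fh.write(b"\x90" * (CHUNK_SIZE - 6) + b"DEMO_HOOK_KEYS\x00" + b"\x90" * 64)
    with open(os.path.join(root, "sub", "logger.bin"), "wb") as fh:
        fh.write(b"DEMO_LOG_TO\x00C:\\hidden\\keys.dat\x00" + b"DEMO_GRAB_SCREEN")
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample tree and scan it with the demo signatures."""
    return scan_tree(build_sample_tree(), compile_signatures(DEMO_SIGNATURES))


if __name__ == "__main__":
    for rel_path, names in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(names)}")
```

The scan flags the two constructed files and leaves the clean one alone. As the article notes, this approach only finds what is already in the signature list, which is why the list has to be refreshed and why, once a machine is known clean, securing it is better than rescanning it.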