• Status: Solved

Keylogger detection

I'm now implementing full system encryption (Truecrypt) on all of my workstations and laptops. All of this security is worthless if an adversary slips a hardware keylogger into my network. Since the operating system registers key events they must be traceable. Hardware key logging devices can connect to both PCI or USB plugs. How do I block such an attack?
Asked:
Phil5780
1 Solution
 
geowrian Commented:
Some ideas to consider - I haven't used them myself, but I hope they will give you an idea of options available.
1) If possible, disable installation of drivers on the PCs. This will block most hardware and low-level software keyloggers. This also disables USB drives and such as well, so just be aware of that.
2) In a TPM environment, it may be possible to block unknown hardware. Similar to #1, but at a more hardware level block.
3) Ensure antivirus and anti-malware software is installed and fully updated on all PCs.
4) This URL has some information on tools that help detect keyloggers: http://www.how-to-spy-computers.info/2008/12/30/how-to-block-a-keylogger/
 
Frosty555 Commented:
A hardware key logger is difficult to detect in software. If they do show up in device manager on the computer, they will appear as fairly generic hardware such as a USB hub. Some hardware key loggers do not require drivers to be installed on the computer at all - they are self-contained units which store the data on on-board memory. Of course the attacker would need to come back and retrieve the device later to view the logs.

A visible inspection of the computer is the only reasonable way to prevent it. A hardware key logger will be a fairly obvious piece of hardware inline between the keyboard and the computer.
 
Phil5780 (Author) Commented:
I've seen keyloggers that sit on a PCI or PCI-Mini slot. Since any new piece of hardware is detectable in the device manager, it is detectable. Is there a software solution that blocks or alerts to the presence of 'unapproved' hardware?
 
Frosty555 Commented:
This might be useful to you then:

Managing Hardware Restrictions via Group Policies
http://207.46.16.252/en-us/magazine/2007.06.grouppolicy.aspx

I just don't think it's a 100% fool-proof solution, since it still wouldn't stop keyloggers that just sit inline with a PS/2 keyboard and sniff the keyboard signal.
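One way to get the "alert on unapproved hardware" behaviour asked about above, as an added example that is not from any poster in this thread: record the devices Windows enumerates on a known-good machine, then flag anything present later that is not in that baseline. The baseline path and the function names are assumptions made for this example, and, as noted in the thread, a passive inline PS/2 logger never enumerates and will not appear here.

```powershell
# Added example: baseline-and-compare alert for newly enumerated hardware.
# The baseline path and function names are hypothetical choices for this example.
param(
    [switch]$SaveBaseline,
    [string]$BaselinePath = "$env:ProgramData\HwBaseline\approved-devices.json"
)

function Get-PresentDevice {
    # Everything the PnP manager currently reports as attached.
    Get-PnpDevice -PresentOnly | Select-Object InstanceId, Class, FriendlyName
}

function Save-DeviceBaseline {
    param([string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-PresentDevice | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Get-UnapprovedDevice {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        throw "No baseline at $Path. Run with -SaveBaseline on a known-good machine first."
    }
    $approved = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $approved) { [void]$known.Add($d.InstanceId) }
    # Anything present now that was not present when the baseline was taken.
    Get-PresentDevice | Where-Object { -not $known.Contains($_.InstanceId) }
}

if ($SaveBaseline) {
    Save-DeviceBaseline -Path $BaselinePath
    return
}

$unapproved = @(Get-UnapprovedDevice -Path $BaselinePath)
foreach ($dev in $unapproved) {
    $msg = "Unapproved device: {0} | class={1} | id={2}" -f $dev.FriendlyName, $dev.Class, $dev.InstanceId
    Write-Warning $msg
}
# Non-zero exit lets a scheduled task or monitoring agent raise the alert.
if ($unapproved.Count -gt 0) { exit 1 }
```

USB devices that report no serial number get an instance ID derived from the port they are plugged into, so moving an approved keyboard to a different port will also show up as a new device.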
 
Phil5780 (Author) Commented:
Good information provided but still does not offer a great solution.