protecting from within
passwords, login userids and passwords, application userids and passwords, Internet userids and passwords, online passwords to subscription based information services and, indeed, any and all other combinations of userids or passwords imaginable. The userids and passwords are captured exactly as they are typed, before any layer of encryption or concealment can be added. In effect, this device provides a cast-iron guaranteed method by which passwords may be intercepted — not via a network or on the server — but between the keyboard and the console!
If this were not disconcerting enough, this device does not impair or affect the resident system’s functionality and it is invisible at the user interface. It cannot be detected using security software and its presence is completely transparent to the user. The key logging hardware can be connected to a target computer in a matter of seconds, and starts intercepting keystrokes entered into the subject computer immediately, without the need to load any software, or adjust any of the computer’s hardware settings. This makes installation nearly effortless. The device has no moving parts, no settings or switches and it requires no batteries or external power supply.
The software necessary to analyse the key logging data captured by KeyGhost installs on to a designated inspection computer in seconds and is faultless at extracting the recorded keystrokes to a readily intelligible log file. The device is capable of storing up to 2 000 000 keystrokes. This equates to approximately one year’s worth of intense user activity. Versions of the device are available that provide 128-bit encryption, rendering the recorded log files secure against unauthorized browsing.
In its basic installation, KeyGhost is shipped as a discreet module that is placed between the keyboard plug and the computer. In truth, a careful visual inspection by a knowledgeable computer user would thus reveal the device. However, the technology can also be placed inside the keyboard making it completely invisible to the user. It can also be purchased pre-installed in a full keyboard. The manufacturer states that it is developing a version capable of transmitting the captured keystrokes on a target computer in real-time to a remote receiver.
In addition to demonstrating profound security vulnerabilities, the potential uses for hardware keyboard monitoring are abundant. Augmenting its obvious investigative applications, the KeyGhost also serves as a comprehensive backup device for anybody writing extensive essays, reports or dissertations. In the event of a hard disk failure or file corruption or loss, the user would simply download the recorded log-file and recreate any lost data, word for word.
In conclusion, KeyGhost is an extremely effective tool for conducting covert computer investigations and should dumbfound and unnerve anyone complacent or foolish enough to believe that a simple password-based authentication regime is secure.
On the flip-side, these devices are potentially extremely dangerous if they fall into the wrong hands. Armed with this technology, a computer fraudster could cut through many bank security systems like the proverbial knife through butter.
For information about commercially available keyboard monitoring hardware, see www.keyghost.com (KeyGhost) and www.microspy.com (MicroSpy).
References
1 Electronic Funds Transfer Systems
2 One-time passwords are generated by devices such as SecurID from RSA Security Inc. (www.rsasecurity.com)
3 In the author’s experience, the passwords necessary to access computer systems are written down in the immediate vicinity of the machines involved on approximately three percent of occasions.
4 This is the case even if the target computer employs access control software or biometric authentication systems.
5 Raise, Authorize and Release are discrete, segregated functions allocated to separate custodians in order to enforce control and supervision within payments systems.
6 (Basic Input Output Services). These are power-on (hardware-based) passwords.
Data Genetics International Limited
7 Adam Street, London WC2N 6AA
Switchboard: +44 (0)20 7520 9384
Fax: +44 (0)20 7520 9385
Direct: +44 (0)20 7520 9386/[email protected]
Since 11 September, it’s an assumption that has spread, but that’s just it — an assumption. According to the Office of National Statistics, between March and May 2002, 734 000 people in the UK were employed on a contract basis. And within UK plc, £40 million a day is lost to corporate fraud. An astonishing number, particularly when 80% can be attributed to employees.
There is an old cliché — ‘charity begins at home.’ Surely senior level executives should take a similar view; after all, £40 million is no small sum and there are a number of areas where internal security can be drastically improved. For starters, think about access to your building. Some form of ID process doubtlessly exists, yet these are often ineffective as they may rely on nothing more than signing-in books. ID access control systems using a card swipe to gain access, however, can be implemented for a far greater ROI than so-called trendy security solutions such as biometrics. Not only are the initial outlay and running costs significantly lower, but
Protecting from Within
Mark Thomson, Eltron
Security — It’s the bugbear of every company because so many threats to business integrity exist. Most organizations focus on external threats to their operations, spending time — and extensive budgets — building firewalls, fighting viruses, etc, owing to widely held beliefs that the external threats are rife.
card printers are now desktop peripherals and as easy to use as any PC printer. This allows security systems to link with PC-based employee information – meaning specific employees are granted access to certain areas of a building. It’s not just about signing in; the key element is ‘permission granting’.
But take it a stage further. Companies hold so much data on their networks, much of which is critical to work in progress, or relating to internal financial issues. Maintaining this data is now rightly seen as critical for organizational success and is encapsulated in the term Knowledge Management that is central to many CRM programmes. However, part of Knowledge Management is to ensure that the right people have access to the right information for their role. Most organizations simply assign passwords to enable full network access. Surely it makes sense that, say, only those in the finance department have secure access to payroll information. And in terms of contractors, where does their loyalty really lie? How can you be sure that what they learn from you won’t be repeated in a few weeks’ time to impress bosses at a rival organization? In the same way that access to your building is controlled, you can easily create access control for your networks.
Your solution could even be to combine the two. The card that is created to give an employee or contractor access to certain areas of the building could very easily be encoded (using the magnetic strip, smart chip or proximity chip) to provide controlled systems access, as well as access to many other facilities such as vending and canteen.
And it doesn’t have to be a complex procedure. You could undertake a review of the latest technologies and opt for biometric access control. But what of the cost? These systems have been tried, but not always successfully; one airport recently abandoned their trial as mistaken identity occurred 47% of the time. Implementation, staff training, encoding network data — the cost added up, only to be rejected before the trial was complete. Alternatively, you could maintain a simple Windows password. Most users are comfortable with this option, but therein lies the problem. It’s too commonplace and open to abuse.
The solution lies in combining factors that people accept. Finance directors need to see the cost benefit — and let’s face it, nothing can be done in the current climate without their say-so. And, importantly, the legitimate end-user needs to be able to conduct their work unhindered. We conducted a survey recently in which 73% of people claimed ownership of more cards than can fit in their wallet, 86% of which had magnetic strips. So, card-based technology, in other words, is accepted and commonplace. All that a company would need is to connect a swipe-machine to their PCs and upon employment, provide each staff member with an ID card giving access to the area of a network that they require — and no more. Ensure the swipe/ID card is password enabled and you have one card, two levels of protection and no additional expense for the implementation because these systems are plug-and-play enabled. A live example exists at the University of Cambridge’s Management Information Services Division where a single card gives permission-based PC, network, photocopying access and building security. All this and in so-doing the department can monitor its expenditure.
Far from being restrictive the scheme highlights how a well handled security solution actually empowers employees. It allows them in, and keeps those who could perpetrate fraud, out.
In reality these are valuable measures to take to protect corporate information from unauthorized access, however what they can’t do is protect electronic assets from internal breaches of security, whether those be intentional or accidental. The fact is that none of the highly publicised security measures are able to recognize the desired state of data within the corporate network and revert to this state immediately, should an unauthorized change occur.
The truth is, no security strategy is complete without measures to safeguard data integrity. Only with comprehensive data integrity assurances in place to work alongside other perimeter defence products can a company truly feel that they are achieving maximum protection for their data assets.
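The detect-and-revert idea described above, sketched as an added example (not code from the article or from Tripwire): a baseline records the desired state of a directory, a comparison reports unauthorized changes, and a revert restores the baseline. Function names, file names and sample data are constructed, and keeping the baseline in memory is an assumption made for brevity.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Record the desired state: relative path -> (SHA-256 digest, content)."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            state[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), data)
    return state

def compare(root, baseline):
    """Report files that differ from, are missing from, or are extra to the baseline."""
    current = snapshot(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k][0] != baseline[k][0]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def revert(root, baseline):
    """Restore the desired state and return the report of what had changed."""
    root = Path(root)
    report = compare(root, baseline)
    for rel in report["modified"] + report["removed"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(baseline[rel][1])   # rewrite from the trusted copy
    for rel in report["added"]:
        (root / rel).unlink()                  # delete files the baseline never had
    return report

def demo():
    """Constructed scenario: an insider edits, deletes and adds files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.csv").write_bytes(b"alice,3000\n")
        (root / "rates.cfg").write_bytes(b"vat=17.5\n")
        # Assumption: in practice the baseline is stored where the people who
        # can change the data cannot also change the baseline.
        baseline = snapshot(root)
        (root / "payroll.csv").write_bytes(b"alice,9000\n")  # intentional change
        (root / "rates.cfg").unlink()                         # accidental deletion
        (root / "notes.tmp").write_bytes(b"x")                # unexpected file
        report = revert(root, baseline)
        return report, compare(root, baseline)
```

The first value returned by `demo()` lists what was detected; the second is the comparison after the revert, which is empty when the directory matches the baseline again.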
A layered security strategy
A complete security strategy should be layered. If we take the security of a house
Data Integrity Assurance in a Layered Security Strategy
Ian Tickle, UK manager, Tripwire
The security industry generally places most emphasis on dealing with threats from external sources, that is, from outside the corporate network. Companies are encouraged to implement firewalls and perimeter defence tools to keep intruders out. Network administrators monitor traffic for abnormal events, raising the alarm as soon as a suspicious email attachment is spotted. So it is fair to say that there is a general assumption that security threats come from outside.