
Updated 9/28/2006 8:56:19 PM ET

Hewlett-Packard's decision to hire investigators who assumed fake identities in order to obtain personal records has blown up in the company's face. The ensuing scandal has generated resignations, possible indictments and now a congressional hearing.

But while "pretexting" is a little-known investigative technique existing in a legal gray area, it appears the company may have also used a more common snooping tool: programs that record computer users' keystrokes.

According to recent news reports, HP investigators attempting to track down the source of a corporate board leak tried to use spyware to infiltrate the computer of at least one reporter who covered the company. Cnet reports that on Jan. 27, an HP investigator posing as a Silicon Valley executive e-mailed reporter Dawn Kawamoto, offering insider information about the company. Two weeks later, "Jacob Goldfarb," the tipster’s nom de guerre, sent Kawamoto an attachment, purportedly HP marketing information.

Instead of a scoop, the e-mail contained an attachment with an embedded tracking program. According to a consultant’s report acquired by The Washington Post, the program was a keystroke logger. As the name implies, the program not only tracks e-mail but records keystrokes and screenshots, lifting everything from confidential documents to banking passwords.

Unlike pretexting, keystroke loggers are widely used. Commercial keystroke loggers, favored by parents and jealous spouses, take about 20 minutes to install. Marketed under names like KeyKatcher, KeyGhost and Keylogger, they typically sell for less than $100. Employers use them to monitor employees' systems, both to guard confidential information and to see who’s choosing fantasy football over spreadsheets. Advertisers attach them to e-mail campaigns to track the campaigns' performance. Security consultants speculate that government agencies use keystroke logging to monitor potential criminal activity. About 7 percent of computers have keystroke loggers, whether their users know it or not, according to research by antivirus company WebRoot Software, Inc.

Computer scientists suspect that corporations will install keystroke loggers on their competitors’ systems. The use of keystroke loggers may be on the rise, says David Cole, director of computer security firm Symantec's security response group. The programs can infest computers in multiple ways.

  • External devices: Aaron Emigh of Radix Labs, a security technology consulting group, cites an example where a security company doing penetration testing — trying to assess how easily a system could be compromised — left an infected USB drive in an office. The virus soon made it onto the nearby machines. Most computers automatically run programs from external media, like flash drives and CD-ROMs, so as soon as the user inserts the device, the computer can be infected.
  • Security flaws: Big, popular and complicated software like Microsoft's operating systems, found on most personal computers, often has security flaws that are easily exploited by online criminals. Last week researchers at Sunbelt Software discovered a vulnerability in Microsoft's Internet Explorer Web browser during routine online surveillance. The flaw opens the door to the "BigBlue" keystroke logger, which captures everything on the computer including screenshots, Web cam, IM sessions and Web usage.
  • "Interesting" attachments: Keyloggers are often sandwiched into attachments—anything from the documents that caught Israeli executives’ attention to a must-see video. In a study by computer science professor Markus Jakobsson at Indiana School of Informatics, about 40 percent of people opened a Foster's beer ad sent by a stranger — after clicking on a notice agreeing to install invasive spyware. Jakobsson’s test subjects were lucky: The spyware was a hoax.
  • Sketchy sites: Keystroke logger programs can be embedded in Web sites. When you click to see that topless shot of Shakira, you might get something more potent. But make sure you watch your downloads: Keyloggers have been discovered in programs with allegedly useful purposes like games and “necessary” browser updates.

There’s no silver bullet to prevent keystroke attacks, but there are several steps to decrease your chances of getting snared.

  • Use a full-blooded security suite: Anti-spyware software isn’t enough, says Ari Schwartz, deputy director at the nonprofit Center for Democracy and Technology. Make sure your anti-virus program has firewalls, spam blockers and intrusion prevention to plug holes left by software vulnerabilities. Update your programs and install software patches as soon as possible.
  • Consider alternative programs: Most keystroke loggers are written for Windows, so Linux and Apple systems tend to be less vulnerable. Alternatives to Internet Explorer, like Firefox or Opera, can also prevent online infiltration.
  • Create a separate account for e-mail and Web browsing: Most users' PCs are set to "administrator" mode, which can give malicious programs access to their entire computer. Consider using a "user mode" instead, which may limit the damage.
  • Use online street smarts: A logger discovered last week was embedded in an e-mail about former Mexican President Vicente Fox committing suicide. “If anything smells funny, don’t open it,” says Cole.
