Keystroke loggers: virtually unbeatable security risks

By Lou Dolinar
Updated Feb. 20, 2006
Second in a series

User-friendly software isn't just for word processing anymore. Computer hacking, once the province of professional thieves and geeky teens, is increasingly accessible to the masses.

In my last column, I wrote about password cracking and reset tools, and how to protect yourself from them. Widely available and simple to use, such software lets anyone with physical access to your computer bypass security and take it over. The gal in the cubicle next-door is a potential threat.

Today we're going to look at another development, keystroke loggers. This is software, or in some cases a device, that is installed on the victim's computer and, as the title implies, keeps a record of everything that's input.

Keystroke loggers cover territory that mere access, as provided by a system-password-cracking tool, does not. Let's say you're a regular user of Web banking. When you log on to your bank, you have to type in a password. That password isn't normally saved on your computer unless you're one of those dummies who checks the little "Save Password" box for convenience. So even if someone can get at your computer and log in to Windows, your money is safe because your password is still concealed.

Not so if the bad guys installed a keystroke logger when they cracked your computer. The precise keystrokes you typed to log in are saved to a file on disk or shipped off across the Internet. It's not necessarily simple to figure out what program the keystrokes were typed into, but if the thief has on-site access, pretty much anything is feasible. Besides, some stuff is real easy: A keystroke logger can capture your entire identity, including credit card numbers, any time you make an online purchase. Think encrypting your files makes them secure? A keystroke logger will nail that password, too.

Besides passwords, keystroke loggers capture any real-time chat. Called your boss a dingus on AIM? Your side of the conversation is recorded. Also, for you Christina Aguilera fans out there, it picks up Web searches.

A quick Google of "keystroke logger" reveals dozens of products to make spying quick, simple and convenient, suggesting that spying is widespread. I don't know what scares me more: that there's a dot-org site devoted to reviewing such software (http://keylogger.org/), or that most vendors offer steep discounts for volume purchase, obviously aimed at corporate information systems departments.

One of the more nefarious keystroke loggers, Keyghost (http://www.keyghost.com/), doesn't even require that the spy break security on the target computer first. Instead, it uses a little adapter that's plugged in between the keyboard cable connector and the system unit. Inside the adapter is a microprocessor that draws power from the cable, along with varying amounts of solid-state memory to store keystrokes. The home edition, perfect for anxious spouses and parents, is a mere $89. The spy periodically unplugs it from the victim's computer, attaches it to another system and dumps the keystrokes using a proprietary utility.

I'd like to say you can beat hardware-based keystroke loggers simply by inspecting your keyboard connections. Alas, there are some keystroke logger units that are built into otherwise normal-looking keyboards, and some look like ordinary extension cables or adapters or even fit inside the computer. About the only cure for that is to bring your own laptop if you're worried.

Software-based keystroke loggers also are troublesome. I'm going to arbitrarily divide them into two kinds: the ones that you inadvertently install when Web surfing or opening an infected e-mail, of which there are thousands, and the much rarer scenario in which someone installs a commercial keystroke logger directly onto your PC.

You're reasonably well protected from online-acquired keystroke loggers if you're running a full security suite: anti-virus, anti-spyware and, most important, a firewall that prevents a program from contacting its author for instructions via the Internet. (This is why the built-in Windows XP firewall is generally regarded as inadequate: it only covers inbound traffic. For two-way protection, you need something like ZoneAlarm.) You're also protected, to some degree, by the fact that you are unknown to the hacker, who may well be running through a few thousand PCs, looking for targets of opportunity that don't have security software.
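The difference between inbound-only and two-way filtering can be shown with a small model. This is an added example, not code from the column or from any firewall product; the program names, hosts and the approved list are constructed, and the model is deliberately simplified to one rule per direction.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = sent by a local program, "in" = arriving from outside
    program: str    # local program that owns the connection
    remote: str
    port: int

# Assumed list of programs the user has approved for outbound access.
APPROVED = frozenset({"firefox.exe"})

@dataclass
class Firewall:
    # None models inbound-only filtering: every outbound connection is permitted.
    outbound_allowlist: Optional[frozenset] = None
    flows: set = field(default_factory=set)  # connections opened from this PC

    def allows(self, p: Packet) -> bool:
        flow = (p.program, p.remote, p.port)
        if p.direction == "out":
            ok = self.outbound_allowlist is None or p.program in self.outbound_allowlist
            if ok:
                self.flows.add(flow)  # remember it so the reply is let back in
            return ok
        # Inbound traffic is accepted only as a reply to a locally opened flow.
        return flow in self.flows

# Constructed sample traffic, in arrival order.
EVENTS = [
    Packet("out", "firefox.exe", "bank.example", 443),
    Packet("in", "firefox.exe", "bank.example", 443),          # reply to the browser
    Packet("in", "svchost.exe", "198.51.100.7", 445),          # unsolicited probe
    Packet("out", "unknown_helper.exe", "collector.example", 80),
    Packet("in", "unknown_helper.exe", "collector.example", 80),  # reply to it
]

def verdicts(fw, events=EVENTS):
    """Allow/drop decision for each packet, in order."""
    return [fw.allows(p) for p in events]

def leaked(fw, events=EVENTS):
    """Unapproved programs whose traffic the firewall let through."""
    return sorted({p.program for p in events
                   if fw.allows(p) and p.program not in APPROVED})

if __name__ == "__main__":
    print("inbound-only lets through:", leaked(Firewall()))
    print("two-way lets through:     ", leaked(Firewall(APPROVED)))
```

Both policies drop the unsolicited probe, but the inbound-only one also accepts the reply to the unapproved program, because that program opened the connection itself.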

The data thief who has on-site access to your PC, on the other hand, probably knows what he's looking for and, with system-level access, can disable your security software. In many cases, it is possible to do this selectively, so that XYZ Antivirus simply ignores an installation of a keystroke logger.

So in theory, although your security suite protects from some keystroke loggers, in practice you can't trust it. Your first line of defense is physically securing your computer so it can't be started with a password-reset tool to allow the hacker to then directly install log-in software. The trick here is to set the BIOS so the computer can only start from the hard drive, and lock the case so settings can't be changed in hardware.

There are a handful of dedicated anti-keystroke-logger programs out there, but the whole field is fairly new and I hesitate to recommend any. Unlike anti-virus programs, these don't look for the "signature" of specific keystroke loggers, but simply block any abnormal interaction between unknown programs and the keyboard. They're worth a shot if you think you're infected, but they won't block hardware-based keystroke logging, and they can be disabled just like other security programs.
