Not all that glitters is gold.  Keyloggers can exist as part of a honeypot, a 
PCI tool, a management or systems administration utility, or even a simple 
trojan virus.

It's becoming more and more common to log all root keystrokes in layers of 
trust and secrecy that systems administrators don't even immediately recognize 
are there.

Many keyloggers exist, but the three most often deployed in systems include:

1) PAM / daemon, system level:

The rootsh utility, which lets you enable a system-level logger that records 
everything written to the terminal whenever anyone invokes sudo.

http://freshmeat.net/projects/rootsh/

Many implementations recommend renaming rootsh to another innocuous-sounding 
word, like "termd".

The use of rootsh and other keyloggers for root is exceptionally useful should 
you have more than one systems administrator, or want to keep track of changes 
on production systems.  PCI compliance and SOX both require controls to be in 
place for the root or administrative user.

The logs (which by default go to /var/log/rootsh/, a location that can be 
changed at implementation time) can of course be edited, like any logs, unless 
you ship them over stunnel or syslog-ng to a single network loghost with 
limited access, which is yet another recommendation for secure administration.
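One control that follows from the two points above (every sudo-to-root session should go through the wrapper, and the wrapper's log should still exist afterwards) is to correlate sudo entries in auth.log against the contents of /var/log/rootsh/.  The Python below is an added example, not code from the original post or from rootsh; the auth.log lines are constructed, and the "user.timestamp.suffix" naming of session logs is an assumption.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not from the original post).
AUTH_LOG = """\
Jan 12 10:00:01 db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/bin/termd
Jan 12 10:15:42 db1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 12 11:02:13 db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/bin/termd
Jan 12 11:30:00 db1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
"""

# Names the session-logging wrapper may go by: rootsh itself or an innocuous rename.
LOGGING_SHELLS = {"rootsh", "termd"}

# Constructed listing of /var/log/rootsh/; the "user.YYYYmmddHHMMSS.suffix" layout is assumed.
SESSION_LOGS = ["alice.20090112100001.ab12"]

SUDO_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(\S+)"
)


def audit(auth_log, session_logs, year=2009):
    """Return (user, timestamp, reason) for every sudo-to-root session that is not covered
    by a session log: either the command bypassed the wrapper, or the log is gone."""
    findings = []
    for line in auth_log.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        stamp, user, target, cmd = m.groups()
        if target != "root":          # only root sessions are in scope for this control
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").strftime("%Y%m%d%H%M%S")
        if cmd.rsplit("/", 1)[-1] not in LOGGING_SHELLS:
            findings.append((user, when, "root shell not wrapped by session logger"))
        elif not any(name.startswith(f"{user}.{when}.") for name in session_logs):
            findings.append((user, when, "session log missing (deleted or never written)"))
    return findings


if __name__ == "__main__":
    for user, when, reason in audit(AUTH_LOG, SESSION_LOGS):
        print(f"{when} {user}: {reason}")
```

Run it against the loghost's copy of both files rather than the local ones, since an editable local log proves nothing.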

2) Kernel level:

Sebek clients (with a Honeywall server) provide nearly invisible logging 
capacity for honeypot and systems administration monitoring.

http://www.honeynet.org/tools/sebek/

Sebek is a kernel module, and is also available for Windows machines.

3) Hardware-based tools:

These masquerade as a USB-to-PS/2 or other conversion dongle and are most often 
deployed at NOCs with KVMs that don't also provide tty capacity.

http://www.keelog.com/download.html

These are especially useful; however, the most savvy systems administrators 
usually notice the terminal pause and flash that accompany use of a hardware 
logger.

So if you feel you ARE BEING WATCHED, you ARE.  [Personally, I can't type when 
watched!]

The legal ramifications of micro-critiquing a systems administrator or 
engineer for making such typing mistakes are problematic due to the non-exempt 
federal statutes for professionals (since the FLSA standards require us to be 
able to work without micro-direction), but be advised: all high-level 
responsible actions are logged post-2001 in America!

http://www.lieffcabraser.com/itovertime.htm

Trojan Keyloggers:

http://www.youtube.com/watch?v=fVy82nFcvVg

Catch the January PLUG HackFest!  Kristy Westphal, CSO for the Arizona 
Department of Economic Security, will provide a one-hour presentation on 
forensics.
