If the keystroke logger was a software-based spyware program and entered the company network as an email attachment, what protection are antivirus companies providing to protect other firm's from coming under similar attack?
"Although antivirus software gives some sense of protection, people have to understand the false level of security there," added Wood. "Antivirus companies struggle to deal with spyware. Antivirus packages don't know if programs have been installed with user permission or not. Sobig installed legitimate software, which meant that antivirus software could detect the worm but not the program it ran."
Sophos' Cluley admitted that antivirus companies need to focus more on stopping spyware.
"Detecting spyware — that can be a problem," he said. "There are quasi-legal keystroke loggers on the market for people to keep an eye on their kids or employees. When we see a malicious piece of software, we typically add detection for it. We're now seeing 15 to 20 new key loggers a day. This time last year it was five a day. I think that the antivirus industry is realising this is giving problems."
One of the problems antivirus companies have is defining what spyware is. It is possible to legitimately buy keystroke logging software, but antivirus software has trouble defining what is malicious and what is legal.
"One of the fundamental problems with spyware is defining it," said Smith. "The definitions show some of the risks. You don’t want a suite of security products where some things fall down the gaps because there's no consistency in definition. And that's making some security companies nervous."
How to prevent keystroke logging:
- Use a mixture of randomised letters and numbers for customers’ passwords and login.
- Use multiple passwords, or a PIN followed by a password. At least one of these should not be requested in full — for example, ask for the second, third and fourth digits of a PIN, in a random order, rather than the entire number.
- Use drop-down boxes for field entry, making it much more difficult for hackers to 'read' passwords.
- The ideal solution to the problem is two-factor authentication. For example, the user has a password or pin, together with a random number generated by a token, such as a small key fob or credit card sized device, which changes approximately every 30 seconds. They foil key loggers because although the hacker can steal your password, he/she will only have the random number generated the last time you logged on, not the most recently updated number.
- A cheaper alternative would be to issue the random number via another medium, such as SMS, each time the user logs on.
- The most effective weapon against hackers is, as always, educating PC users and online customers.
(Tips courtesy of BlackSpider Technologies.)
