FBI Files Brief on Scarfo Keylogger

Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
  • keystroke blackbox (Score:2, Interesting)

    by simetra ( 155655 ) on Wednesday October 10, 2001 @12:14PM (#2411026) Homepage Journal
    I suspect it's only a matter of time before motherboards come equipped with a "blackbox" type of thing, similar to a flight data recorder. They could store, say, the last 10,000 keystrokes on any keyboard. Does such a thing exist?
  • by Spootnik ( 518145 ) on Wednesday October 10, 2001 @12:16PM (#2411041)
    Speaking of "if you are important enough" and "all it takes is application of resources", I was recently reading through some of the briefs in the US v. Scarfo case. It sounded to me like the FBI got frustrated with his use of PGP and went with the keylogger approach. I was under the impression that the government had the resources to actually break some of the encryption schemes that are lawfully available in the US. It takes them time and a lot of computer horsepower, but I thought they could do it. It seems that the FBI didn't want to have to use all these resources in the Scarfo case and take the time to do it that way, so they used a logger. The material I was reading came from www.epic.org [epic.org]. It was interesting.
  • Scarfo's Password (Score:3, Interesting)

    by billnapier ( 33763 ) <{moc.xobop} {ta} {reipan}> on Wednesday October 10, 2001 @12:26PM (#2411107) Homepage
    Anybody out there know what it was? The affidavit implies that it was put into court records at some point in time (at least the output of the KLS was). Just curious, thinking it's something like NickyS or BaddaBing.
  • Ctrl-V ? (Score:3, Interesting)

    by simetra ( 155655 ) on Wednesday October 10, 2001 @12:29PM (#2411128) Homepage Journal
    Even if a keystroke logger recorded every single keystroke... if you were to copy and paste a password, say you put it in a text file on a floppy on a different computer.... wouldn't this render the keystroke logger useless? It would have to also record the contents of the "clipboard", no?
  • by Stonehand ( 71085 ) on Wednesday October 10, 2001 @12:42PM (#2411205) Homepage
    Maybe put a barcode on rice paper, then. *shrug*
  • Re:Scarfo's Password (Score:4, Interesting)

    by morcheeba ( 260908 ) on Wednesday October 10, 2001 @12:42PM (#2411210) Journal
    nds09813-050-- [washtech.com] -- the prison identification number of Scarfo's father.
  • Two words (Score:0, Interesting)

    by Anonymous Coward on Wednesday October 10, 2001 @12:47PM (#2411241)
    Voice recognition.
  • Re:Ctrl-V ? (Score:2, Interesting)

    by jedwards ( 135260 ) on Wednesday October 10, 2001 @12:59PM (#2411310) Homepage Journal
    You can cut and paste the characters from an innocent copy of 'Alice's Adventures in Wonderland'.
  • Re:Ctrl-V ? (Score:3, Interesting)

    by 4mn0t1337 ( 446316 ) on Wednesday October 10, 2001 @01:14PM (#2411401)
    passphrase lying around in a text file

    Yeah, but how many millions of phrases are on your computer? The one that is your passphrase doesn't have to be obvious. (ie, brute force attack with the entire contents of the drive should slow someone down.)

    But, even better, you don't even have to leave the phrase lying about for longer than a few seconds. Just open up a web page, select a few char of the password, and paste it to a temp file. Open up another page and copy another block of char and paste that to the file. Keep doing this until you have a complete password, copy it and close the file w/o saving.

    Anything that is recording your input stream from the keyboard is just going to see you just web surfing and doing a lot of copy and paste.

  • Re:Ctrl-V ? (Score:2, Interesting)

    by linuxrunner ( 225041 ) on Wednesday October 10, 2001 @01:38PM (#2411548)
    Yeah, just keep a copy of the GNU-GPL lying around.. (I do) and copy and paste a line (long line) out of that!

    Linuxrunner
  • by kevinank ( 87560 ) on Wednesday October 10, 2001 @01:54PM (#2411662) Homepage

    True, but that does not mean that they are not going to break the rules. The knowledge that they couldn't use the evidence would in no way deter them from collecting it.

    Unlike your local PD, the FBI risks a lot more harm than possible benefit from such a strategy. All it would take is one whistleblower to make the whole thing blow up in their faces. I suspect that if the FBI says they are using those communication restraints it is because they are. Even the political damage, much less the criminal liability of lying to the courts, would be overwhelmingly more costly than losing this relatively unimportant case.
  • by Dr. Awktagon ( 233360 ) on Wednesday October 10, 2001 @01:55PM (#2411673) Homepage

    Did anyone read that whole thing? It seems that the FBI had a keystroke logger that only came on when the modem was off, with the belief, I assume, that the computer isn't a communication device unless the modem is on.

    So then the wiretap laws wouldn't apply when the modem is off? Is my interpretation correct?

    Strange loophole..

  • by Anonymous Coward on Wednesday October 10, 2001 @02:39PM (#2411868)
    What is a key stroke reader? A device that is inserted between your keyboard and computer. You use the key stroke reader as a replay attack, replay their entered password. So just stick a finger print logger between the finger print scanner and the computer. Then use the captured and recorded digital handshake from the fingerprint scanner and the computer to replay a finger. A cdrom scanner could be configured in the same way.

    Now how to be safer.

    Use openbsd, with an encrypted filesystem and swap. Every time the feds serve a search warrant, sell your old computer, buy a new one keeping the hard drive. Use dd to copy over the hard drive information, destroy the old hard drive.

    Other things you need to consider. The feds could install a video bug above your keyboard on the ceiling. Also the radiation emanating from your keyboard cable and monitor could be passively monitored and data recovered. I recommend using laptops and conducting business from inside a limo using a wireless connection. Replace the limo if there is ever a possibility of police involvement. If you are running a drugs/prostitution/gambling empire you should have more than enough money to make up for the extra expenses.

  • by jeffy124 ( 453342 ) on Wednesday October 10, 2001 @03:53PM (#2412410) Homepage Journal
    Actually, from the looks of the brief, there are a few ways to circumvent their device. To me, it appears the key (no pun intended) to thwarting this lies in that the logger is only active while the modem is active, meaning you have to be online in order to have your keys logged.

    Option #1
    Some have suggested saving that phrase in a text file and then copy/paste from there would work, except that your passphrase is now in clear text on your hard disk. Any search warrant against your machine would find that file, and your private key becomes compromised.

    Solution there is to open a text editor before going online, entering the passphrase there. Go online. Get the mail and then copy/paste the passphrase, close text editor w/o saving.

    Option #2
    Download the email off the mail server (ie, POP it off the server). Go offline. Enter passphrase and read message.

    Likewise, don't write emails while online. Write and encrypt first, then go online to send. The keylogger appears to be able to pick up your typing of the message if you're online as you write it. (This also saves you $$$ if your ISP is cheap enough to still be charging per hour rates!)
  • Hardware or Software (Score:1, Interesting)

    by Anonymous Coward on Wednesday October 10, 2001 @05:07PM (#2412774)
    All through this case, the FBI has been very cagey on whether the key logger was implemented in hardware or software (or firmware).

    Until recently I had thought the hardware approach more likely. It's easy to install a bug in the keyboard cable, and such devices already exist on the market.

    But one passage in this affidavit caught my attention:

    Recovery of Output 13. In order to recover the output of the KLS, it was necessary to gain physical access to the computer. A total of five surreptitious entries into Scarfo's place of business were made. On four of those occasions, the computer in question was found to be inoperative or not present. On only one of those conditions was the computer in question found to be present and in working order

    A hardware device would have been easy to install even if the computer wasn't "operative" (as long as it was actually there). This strongly suggests that the logger consisted either of software modules hacked into Windows, or possibly a hack to the BIOS firmware.

    The software/firmware approach does have the advantage of being less easily detected by a naive user. The average Windows user wouldn't have a clue as to how to look for cleverly hacked DLLs or system programs.

    Still, once the threat is known the countermeasures are pretty obvious:

    Use an open-source operating system that can easily be rebuilt from trusted sources

    Use Tripwire to detect modifications to system programs

    Improve physical security. Use a laptop and keep it in a safe when not in use. Use IR motion detectors to quietly log any intrusions in the vicinity of the safe and/or computer.

    Anybody have any other ideas?

  • by Anonymous Coward on Wednesday October 10, 2001 @05:59PM (#2413070)
    > Interesting, and more technically sophisticated
    > than the basic keyloggers which grab keystrokes
    > indiscriminately.

    If (PGP == RUNNING)
    {
        for (k = 0; k < 256; k++)
        {
            if GetAsynchKeyState = -32767 // Keydown
                log(key, time);
        }
    }

    How sophisticated is that? Lame...
    _____________________________________

    Do YOU have "Nagelsvamp"?
    www.nagelsvamp.nu
