New Zealanders might have mixed feelings about a local product contributing to workplace digital surveillance internationally, but the KeyGhost keystroke logger, developed in Christchurch, has established a thriving local and export market.
KeyGhost, the company of the same name, is now making the product available through retail outlets.
Unfortunately, if you know your keystrokes are being logged (and according to law and best practice you should) it appears fairly easy to confuse the logger.
The disquieting statistic that between 70% and 90% of computer system misuse happens inhouse may mitigate reservations about snooping . Employer surveillance is a fact of life, and, to judge from the reaction of an audience of IT professionals to a talk last year by forensics specialist John Thackray, so is the covert installation of logging devices by law enforcement agencies on private premises when a crime is suspected: Thackray laughingly called it a “virtual search warrant”, and there were no audible murmurs of doubt from the audience.
KeyGhost covers itself by including in the key-logger package a prominent red label to paste on the front of the computer signalling that activities are being logged.
KeyGhost is a 46mm-long cylinder with PS/2 keyboard connections on each end, so it can be inserted between the keyboard plug and its socket. (Be honest, when was the last time you looked at that connection? Now come out from under your desk and read on.)
KeyGhost is a self-contained hardware device, eliminating the risk that logging software on the PC’s hard disk can be removed or tampered with or the log data copied by an unauthorised person. Entry of a password brings the logged data or selected parts of it back to the screen.
The KeyGhost company is working on a version to enable centralised retrieval of logs on all monitored PCs in an organisation.
The device records all keystrokes but not mouse-clicks. “Mouse clicks tell you nothing unless you can see what is happening on the screen,” says KeyGhost’s FAQ.
Disregarding clicks, however, means the device does not see switching between documents. If a user wants to conceal, for example, the address of a visited website, one strategy is to put up a dummy document alongside the browser and type the address a character or two at a time interspersed with unrelated text typed into the other document.
KeyGhost simply records the characters in the order typed. Passwords can be similarly protected from capture.
An offending employee might have some explaining to do if passages of obviously contrived garbage were found in their log; but that in itself may not be evidence strong enough for discipline or dismissal.
The raw logged text records every backspace and arrow key as, for example <bks>, <lft> or <rgt>, which can make an unskilful piece of typing almost incomprehensible. In its latest version KeyGhost provides a “rendering” program which turns it supposedly into sensible text. But the lack of a click detector means the logger does not pick up words corrected by clicking the cursor directly into the position of the error rather than arrowing.
In one test, we typed the classic “quick brown fox” exercise deliberately clumsily, corrected it with clicks, cuts and typing in of missing single characters and followed by entering the URL www.oracle.com into the browser in similar mistype-and-click-correct fashion.
The raw output from the log was “The quick borwd focs jumps<lft><bks>nx over then luz dorggggya. ww.acrhjoalce<bks>lcupo.mw” and the “rendered” output the scarcely more comprehensible: “The quick borwd focs jumpsnx over then luz dorggggya. ww.acrhjoalclcupo.mw”.
In some of our samples, where we switched frequently between document and browser, the rendered version of the log partially or completely “lost” the URL entry we interspersed with the text, though it was there, albeit in garbled form, in the raw log.
If the offender didn’t know the log was there, of course s/he would not take such precautions. But law and good employment practice require notice, some lawyers say regularly repeated notice, to employees that they are being monitored, and the KeyGhost package has its red label to that end.
KeyGhost is sometimes sold into applications where the user will be unaware of monitoring and will not know to take evasive action, says spokesman Javier Jarquin. “Of course we’ve sold to employers that notify their employees that their computers are being monitored. In a case like this the KeyGhost would act primarily as a deterrent — like the ‘speed camera zone’ road signs whose primary purpose is to deter speeding, not catch speeders.”
Also supplied is a gummed paper “seal” with barcode to be pasted round the device in place preventing tampering.
The latest KeyGhost SX has a capacity of more than 500,000 characters and is priced at $249 including GST. Older, lower-priced versions are still available.