FBI Files Brief on Scarfo Keylogger

Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.

keystroke blackbox

I suspect it's only a matter of time before motherboards come equiped with a "blackbox" type of thing, similar to a flight data recorder. They could store, say, the last 10,000 keystrokes on any keyboard. Does such a thing exist?

More keyboard logging

Speaking of "if you are important enough" and "all is takes is application of resources", I was recently reading through some of the briefs in the US v. Scarfo case. It sounded to me like the FBI got frustrated with his use of PGP and went with the keylogger approach. I was under the impression that the government had the resources to actually break some of the encryption schemes that are lawfully available in the US. It takes them time and a lot of computer horsepower, but I thought they could do it. It seems that the FBI didn't want to have to use all these resources in the Scarfo case and take the time to do it that way, so they used a logger. The material I was reading came from www.epic.org [epic.org]. It was interesting.

Re:More keyboard logging

Brute forcing depends on key length. If you are willing to spend, say, 1 billion on it, a PGP special purpose RSA breaker (or ElGamal breaker), that takes, say a day to break a 512bit key, could be feasible (the numbers are just a very rough guess, but I think not so unrealistic).

I doubt very much that they can break 2048 bit at the moment and I think 4096 bit is secure until some serious mathematical breakthroughs (which cannot be predicted).

The NSA could have such a device for emergency purposes.

Cheaper would be an attack on the passphrase. Most people don't have so much entrophy in their passphrase. E.g. I have only about 65 bits. Of course for this you need the secret keyring, a ciphertext sample will not be enough.

Re:More keyboard logging

P.S.: I think part of these "we (could) have broken" statements are also a smokescreen that is intended to make people not bother with encryption, because "they can break it anyway".

Would not be the first diversion with that purpose: If you cannot defeat it, undermine its credibility.

Bypassing the keylogger

The key to fooling the keylogger is to use a blank password, of course.

FBI recruiters who are reading this: you know where you can contact me about that job offer.

A simple keystroke logger can be elegant, too

It's important to note the fact that it doesn't log all keystrokes for 2 reasons:

1) It's impressive. Less keystrokes logged that could be potential passwords, the less manpower required to examine the logs.

2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.

On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).

My point is that ...
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.

Re:A simple keystroke logger can be elegant, too

I was under the impression that part of the reason that it didn't log everything was to keep from possibly recording communications (Which would need a different kind of court order, along the lines of a phone tap).

Re:A simple keystroke logger can be elegant, too

Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery.

Well, there's the Dallas Semiconductor iButton [ibutton.com]. It includes tamper-resistant features that will zero its RAM under certain conditions (e.g. over-temperature), although it doesn't have an actual "erase" switch.

New FBI surveilance technology

ROOTKIT - Remote Objet Oriented Telecommunications Knowledge Intelligence Technology

Doesn't it seem strange

that the FBI was so concerned about not capturing anything but the passphrase for the PGP key? Call me a sceptic but I'd say that the affidavit merely states this to either make it seem like they really know what they are doing, or to appease whatever restrictions the warrant for their entry to the premises and 'bugging' of the computer allowed.

I would seriously doubt that if this 'device' was capable to record every keystroke as they claim, that if they had the opportunity to sift through Scarfo's (outgoing) email/online banking/Adult-Check/etc. they wouldn't.

Re:Doesn't it seem strange

Why would this be strange? Most agents know pretty well what they can, and cannot get away with. The FBI, given some of the problems of the past, is doing what they can to NOT lose a case over a technicality. So creating a tool that allows them to capture only the information they have a court order for is an excellent idea from the FBI. If they got everything, found some new evidence from that illegally acquired information, it would probably get tossed out of court, along with the case (fruit of a poisoned tree).

A law enforcement agency, creating a tool that is designed to operate within a limited court order - shouldn't we be at least somewhat positive of this?

Scarfo's Password

Anybody out there know what it was? The affidavit implies that it was put into court records at some point in time (at least the output of the KLS was). Just curious, thinking its something like NickyS or BaddaBing.

Re:Scarfo's Password

nds09813-050-- [washtech.com] -- the prison identification number of Scarfo''s father.

Ctrl-V ?

Even if a keystroke logger recorded every single keystroke... if you were to copy and paste a password, say you put it in a text file on a floppy on a different computer.... wouldn't this render the keystroke logger useless? It would have to also record the contents of the "clipboard", no?

Re:Ctrl-V ?

Yeah, but think about it.

Do you really want to leave your PGP passphrase lying around in a text file on your computer? :)

D.

...is for DOH!

Solution: Chargen

Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.

Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.

-Ted

Scarfo Used Windows

The affidavit says that Scarfo used a Windows OS.

Coupled with the DOJ ruling [usdoj.gov], it just goes to prove that M$ Windows is an operating system written for criminals by criminals.

Not while connected

Wonder what they'd use as their carefully-crafted excuse to get around the ECPA if he'd had broadband?

scarfo keylogger

When I read this headline, I thought, Scarfo is a pretty sensible name for a keystroke logger.

Fake "real" keyboard, then USB??? bwahahahar!

Couldn't you have your serial keyboard plugged in, then
when you go to use your pc, go to another room, take out your
nice USB keyboard, then plug that in and use that instead?

Wouldn't it be funny seeing the feds puzzled faces - you've been
sending all sorts of PGP'd email in the last month, and all thier logger has registered is "haha MOFO's!!!!" - LOL!!!!

Interesting.

"They go into a lot of detail on the methods they could be using".

THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.

It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erronious to assume that a court filing will be any more open than anything else they publish.

A peril of open source

Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)

DMCA

I don't know the American law very much. But as far as I know it's illegal to circumvent encription after the DMCA, isn't it? Would it be possible to fight against this keylogger citing the DMCA?

Why they do not log while online ?

The FBI only logs keystrokes while the modem was not active:

"... the FBI knew that when the computer's modem was not activated, the computer was not acting as an electronic comunication device. [...] In order to avoid potentially intercepting electronic comunications typed on the keyboard and simultaneously transmited in real time [...] Upon entry or selection of a keyboard key by a user, the KLS (Key Logger System) checked the status of each communication port installed on the computer, and, all comunications ports indicated inactivity, meaning that the modem was not using any port at that time, then the keystroke in question would be recorded."

Why ? It make no sense to me. If Scarfo did the encryption/decryption while he was online the KeyLogger would be useless.

okay let me get this straight

Did anyone read that whole thing? It seems that the FBI had a keystroke logger that only came on when the modem was off, with the belief, I assume, that the computer isn't a communication device unless the modem is on.

So then the wiretap laws wouldn't apply when the modem is off? Is my interpretation correct?

Strange loophole..

hardware key loggers

I don't know why the FBI has made such a fuss over this. I purchased a hardware key logger from http://www.keyghost.com/ weeks ago. Why? Because if I ever had to perform a PGP passfrase audit this would be the only way to go.

erm... what about a password that's not text?

what about a password that's not text? a friend of a friend, has a cuecat (with some minor modifications of course) ... but, he scans a moutain dew bottle as his password. it also adds a carraige return to the password for you :)
after this, it's a heck of alot better than the cutting/pasting idea, or even the manually typing it in...

i wonder scanning a mountain dew bottle would hold up in court as an encryption methond, so it's DMCA friendly :)

Must... not... ARGH!

All your keystroke are belong to J. Edgar Hoover!

OK,

- B

KLS: Hardware or software?

I was under the impression that the FBI used a hardware hack to capture the keystrokes - but according to the affidavit the KLS wouldn't capture while the modem was on (getting around some sort of wiretap regulation). So it would have to be software, right?

The affidavit does point out a tastey loophole: enter your passwords only when you're online.

Since it was Open Source PGP...

couldn't they've just replaced the executable/DLL with a compromised version that emails the password to the feds? Duh! The feds should be _glad_ that the source is available!

Uh...

Wouldn't they only be able to read mail sent to him if they had his PGP passphrase? It's not illegal to receive incriminating letters, right? (If it is, I've got some mass mailing to do ;-)

FBI affidavit really says...

The affidavit was extreemely vague, but a close reading reveals details most posts seem to get wrong.

The FBI had a search warrant. Based on this they installed two or more "components" in someone's computer. The court records contain data from two "components".
The first component was key logger which recorded every thing he did. It had one odd property though. It turned off while the modem was active. This is a technicality to try to avoid needing to satisfy the much higher legal requirements for a wiretap.
The second component was much more specific. This component captured the password and related data directly from the encryption program, not from the keyboard. Password entry through copy/paste, disk, and/or mouse entry would not get around this.
The affidavit is very careful not to say if the components are hardward or software. IMO the second component has to be software.

I think the real issue is that the purpose of a search warrant is to SEARCH. It does not/should not allow installing things in/on your propery, and it does not/should not allow you to be recorded. IMO it's the same as the FBI installing video cameras all over your house based on a search warrant. It's ok though, because the cameras turn off when you're on the phone. (groan)

Backdoor in Windows?

Obviously, this would have to have at least some software, even though if it's a hardware keylogger, because the document implies that it's context-sensitive (doesn't capture keystrokes that get sent out over the modem.)

Also, the obivous question: how did they install the keylogger in the firsrt place?

Any conspiracy theorists wanna bet that Microsoft has had such backdoors (eg, blank areas in KERNEL32.EXE or the like where the FBI, etc could covertly upload arbitrary code, if triggered by say, inserting a floppy with the right code in the bootsector, etc?

Hardware or Software

All through this case, the FBI has been very cagey on whether the key logger was implemented in hardware or software (or firmware).

Until recently I had thought the hardware approach more likely. It's easy to install a bug in the keyboard cable, and such devices already exist on the market.

But one passage in this affidavit caught my attention:

Recovery of Output 13. In order to recover the output of the KLS, it was necessary to gain physical access to the computer. A total of five surreptitious entries into Scarfo's place of business were made. On four of those occasions, the computer in question was found to be inoperative or not present. On only one of those conditions was the computer in question found to be present and in working order

A hardware device would have been easy to install even if the computer wasn't "operative" (as long as it was actually there). This strongly suggests that the logger consisted either of software modules hacked into Windows, or possibly a hack to the BIOS firmware.

The software/firmware approach does have the advantage of being less easily detected by a naive user. The average Windows user wouldn't have a clue as to how to look for cleverly hacked DLLs or system programs.

Still, once the threat is known the countermeasures are pretty obvious:

Use an open-source operating system that can easily be rebuilt from trusted sources

Use Tripwire to detect modifications to system programs

Improve physical security. Use a laptop and keep it in a safe when not in use. Use IR motion detectors, to quietly log any intrustions in the vicinity of the safe and/or computer.

Anybody have any other ideas?

Why this is important...

Well, obviously, the FBI is doing some creative sneaking around the law to avoid intercepting electronic communication. Great, clever work. But, what we can infer from this is that the FBI or the NSA does not have a very good grip on PGP. If the government had PGP cracked, there would be no necessity for a key logger.

"The B. got a prob cos she think she's....."

> Interesting, and more technically sophisticated
> than the basic keyloggers which grab keystrokes
> indiscriminately.

If (PGP == RUNNING)
{
for (k = 0; k 256; k++)
{
if GetAsynchKeyState = -32767 // Keydown
log(key, time);
}
}

How sophisticated is that? Lame...
_____________________________________

Do YOU have "Nagelsvamp"?
www.nagelsvamp.nu

modem??? NETWORK!!!

My computer is permanently commected to the internet or 'communicating' by the means of a netword-card. i think the difference in function between a modem and a network card is tuite small. so sollowing the line of thought: is my network card is functioning, it's not allowed to grab keys :)

sim-ple.

Countertactics

If you're using Windows, you can hold down [Alt] and type in the ASCII code on the numeric keypad, and get characters that way. I don't think this works in Linux. Another tactic for GUI users would be to pop up a virtual keyboard that sends the appropriate message to the active window when the buttons are clicked with the mouse. I suppose this could be made to work with console apps as well, esp. if it is in a console window. Or, just click away from the window and enter some gibberish in a text editor, click back and enter the next character of your password, click away, rinse, repeat.

where's the beef?

If they are not grabbing files/content then what are they using the key to un-encrypt?

Conutertactics in Real-World Use

Well, it used to be, anyway...
I use the Commonwealth Bank [commbank.com.au] for some of my online banking, and in it's previous incarnation, their NetBank service used to have a _very_ secure login interface.
It would prompt you for your 8 digit NetBank ID code, and then for your variable length PIN. When the time came to enter your PIN, it popped up a keypad on the screen, disabled keyboard input and you had to click on the keypad with the mouse. In addition, the keypad moved to a random location between every click, so you couldn't even track screen coordinates...
All in all, very secure and very annoying.
They've now gone 'back' to using standard keyboard input and SSL security.
--kai

warrant

As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Lets see them tap into that without us knowing!

Re:For a second there...

I don't agree with that sentiment at all. The rights that we take for granted and which many people presently are ready to concede have been earned through the blood of our ancestors.

Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died [lsu.edu] defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.

Revolutionary war: 4425
World War I: 53513
World War II: 292131
Total: 350069

This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relenquish our rights, rights earned through their deaths, so easily.

There are also 40,000 deaths per year in the US [cdc.gov], not through terrorism, but through automobile accidents. Would you also suggest that for safeties sake we ban the automobile?

Re:Two words

"....and as the FBI replayed the tape recording of the crim...."

Re:Just because you're offline...

Does this make sense?

Not especially. They're just exploiting a legal technicality. They aren't allowed to intercept private communications, so they argue that a deactivated modem means no communicating is going on.

Those who forget history...

...are condemned to repeat it [securiteam.com].

Re:Ok, where is it?

Like you can stop them? I'd LOVE to see the legislation and/or resulting lawsuits on that one.

Re:why "warning"?

they crash my computer, that damn integration with IE.

also-- im boycotting adobe still, becuase of the Russian.