Mar 29, 2007 (11:03 AM EDT)
You Have Zero Privacy And Maybe A Keylogger
Read the Original Article at InformationWeek
Former Sun CEO Scott McNealy may have been correct, years ago, when he said there's "zero privacy" and urged his audience to "get over it." That doesn't make it any easier to live with keyloggers.
Keyloggers record what you type on your keyboard, sometimes openly and legitimately but more frequently surreptitiously and illegally. "Today, keyloggers are mainly used to steal user data relating to various online payment systems, and virus writers are constantly writing new keylogger Trojans for this very purpose," explains Kaspersky Labs security researcher Nikolay Grebennikov in a report issued today.
Malware with keylogging functionality is on the rise, according to Grebennikov.
John Bambenek, a research programmer for the Coordinated Science Laboratory at the University of Illinois and an analyst at the SANS Institute, said the percentage of machines infected with keyloggers has stayed pretty stable since 2005, when some 10 million PCs had been compromised, but noted that "there's software that does the same thing without keyloggers."
For example, the Gozi Trojan, which has been spreading through Internet Explorer exploits. This particular malware inserts itself between Internet Explorer and the socket used to send data, capturing it prior to encryption and sending it along to a Russian-owned network.
Some 18% of enterprises reported keylogging attacks, according to Webroot's 1Q 2007 State of Internet Security Report.
Keyloggers can spread by opening files received via e-mail or downloaded over the Internet. They can be installed by a Web page script that exploits a browser vulnerability or through the actions of another malicious program already resident on a PC.
Consumers are relatively insulated from the online theft that may follow the arrival of a keylogger on a PC because most banks and credit card companies limit such losses.
Businesses face greater liability, particularly if they fail to take precautions. Florida businessman Joe Lopez found this out in 2005 when cyberthieves, having obtained Lopez's account information using a keylogging trojan, transferred more than $90,000 to a bank in Latvia. Lopez sued Bank of America seeking the return of his funds, only to have Bank of America assert that Lopez was liable for the loss because he had failed to provide basic computer security, as required under the Uniform Commercial Code.
Banks and other financial institutions generally absorb the cost of fraud, passing it along to their customers.
"In my opinion, the way we do online financial transactions is fundamentally insecure," said researcher Bambenek, noting that lack of strong authentication at banks and e-commerce sites makes it possible for thieves to profit from stolen data.
And as long as cybercriminals continue to steal relatively minor sums from large numbers of people, cybercrime should continue to pay. "If you keep your crime at a certain level, law enforcement basically lets you be," Bambenek explained.