Scarfo "keylogger", PGP
Rick Smith at Secure Computing
rick_smith at securecomputing.com
Mon Oct 15 18:52:12 EDT 2001
Stripping off the precise legal language, this looks like a software
keystroke logger that was carefully crafted to collect a PGP passphrase
while collecting as little other data as possible. Collecting evidence is
tricky business. You have to collect exactly the information you need, but
you mustn't collect any information you aren't authorized to collect. If
you do, then you can't use the information you have. Moreover, you need to
be able to show that the evidence is 'clean' and hasn't been tampered with.
This makes it very tricky when you're trying to collect computer
information that's intended to be used as evidence in legal proceedings.

Without actually seeing the warrant used to authorize the keystroke
capture, it's hard to tell what was really going on. But it seems
reasonable to speculate that the keystroke monitor was carefully configured
to comply with the letter of the warrant issued to the FBI to implant the
keystroke logger. If they collect too much data under the warrant, the
defense attorney might be able to block the use of the logs as evidence by
arguing that the FBI didn't comply with the warrant.

I suspect that the "components" of the logger are software modules that are
included and/or configured according to the types of data that the FBI has
a warrant to collect.

Regarding all this, Peter Fairbrother wrote:

>The other and more worrying "component" picked up the PGP key Scarfo used -
>his father's prison number!

I found Scarfo's choice of password rather amusing, since it shows that a
personally tailored dictionary attack would have worked as well as the
keystroke logging, and probably wouldn't have taken as long (14 days).

>I don't know if Scarfo entered his PGP key more than once but apparently it
>only recorded it once. The PGP key information was at the end of the output
>presented to the Court so it may have stopped operation then, but the
>"keystroke capture component" should have continued to work if the overall
>design was good.

If my speculations about the warrant are correct, the logger may have shut
itself down just to reduce the risk of intercepting anything that might
have violated the letter of the warrant.

>Could it be remotely installed?

If someone manages to install Back Orifice (or its latest incarnation) on
the victim's computer, then it's possible to remotely command Back Orifice
to install keystroke logging software. However, the remote approach isn't
100% guaranteed to work, and Scarfo might have detected the installation
activity or the presence of Back Orifice.

>Is this a serious security failure in PGP?

No, it's a problem with any programmable computer. If you can install new
programs, you can install changes to existing programs. Since the FBI snuck
into Scarfo's house and had physical access to his computer, they could
install or patch the Windows OS, or PGP, or anything else on the computer
however they wanted. The only limitation on their actions was that they
didn't want to change anything Scarfo might detect.
Rick.
smith at securecomputing.com roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com