Scarfo "keylogger", PGP

Rick Smith at Secure Computing rick_smith at securecomputing.com
Mon Oct 15 18:52:12 EDT 2001


Stripping off the precise legal language, this looks like a software 
keystroke logger that was carefully crafted to collect a PGP passphrase 
while collecting as little other data as possible. Collecting evidence is 
tricky business. You have to collect exactly the information you need, but 
you mustn't collect any information you aren't authorized to collect. If 
you do, then you can't use the information you have. Moreover, you need to 
be able to show that the evidence is 'clean' and hasn't been tampered with. 
This makes it very tricky when you're trying to collect computer 
information that's intended to be used as evidence in legal proceedings.

Without actually seeing the warrant used to authorize the keystroke 
capture, it's hard to tell what was really going on. But it seems 
reasonable to speculate that the keystroke monitor was carefully configured 
to comply with the letter of the warrant issued to the FBI to implant the 
keystroke logger. If they collect too much data under the warrant, the 
defense attorney might be able to block the use of the logs as evidence by 
arguing that the FBI didn't comply with the warrant.

I suspect that the "components" of the logger are software modules that are 
included and/or configured according to the types of data that the FBI has 
a warrant to collect.

Regarding all this, Peter Fairbrother wrote:

>The other and more worrying "component" picked up the PGP key Scarfo used -
>his father's prison number!

I found Scarfo's choice of password rather amusing, since it shows that a 
personally tailored dictionary attack would have worked as well as the 
keystroke logging, and probably wouldn't have taken as long (14 days).

>I don't
>know if Scarfo entered his PGP key more than once but apparently it only
>recorded it once. The PGP key information was at the end of the output
>presented to the Court so it may have stopped operation then, but the
>"keystroke capture component" should have continued to work if the overall
>design was good.

If my speculations about the warrant are correct, the logger may have shut 
itself down just to reduce the risk of intercepting anything that might 
have violated the letter of the warrant.

>Could it be remotely installed?

If someone manages to install Back Orifice (or its latest incarnation) on 
the victim's computer, then it's possible to remotely command Back Orifice 
to install keystroke logging software. However, the remote approach isn't 
100% guaranteed to work, and Scarfo might have detected the installation 
activity or the presence of Back Orifice.

>Is this a serious security failure in PGP?

No, it's a problem with any programmable computer. If you can install new 
programs, you can install changes to existing programs. Since the FBI snuck 
into Scarfo's house and had physical access to his computer, they could 
install or patch the Windows OS, or PGP, or anything else on the computer 
however they wanted. The only limitation on their actions was that they 
didn't want to change anything Scarfo might detect.


Rick.
smith at securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/




---------------------------------------------------------------------
The Cryptography Mailing List