Scarfo "keylogger", PGP

Trei, Peter ptrei at rsasecurity.com
Tue Oct 16 10:43:52 EDT 2001


> Peter Fairbrother[SMTP:peter.fairbrother at ntlworld.com]
> 
> The other and more worrying "component" picked up the PGP key Scarfo used -
> his father's prison number! - and virtually nothing else. It didn't capture
> keystrokes. Almost certainly it detected and captured only the PGP logon
> when the enter key was pressed, and it is almost certainly software. I don't
> know if Scarfo entered his PGP key more than once but apparently it only
> recorded it once. The PGP key information was at the end of the output
> presented to the Court so it may have stopped operation then, but the
> "keystroke capture component" should have continued to work if the overall
> design was good.
> 
> Could it be remotely installed? Is this a serious security failure in PGP?
> The recent announcement by NA that they are looking for a buyer for PGP, at
> a time when its value would be low anyway following the WTC attacks, may be
> relevant...
> 
> -- Peter Fairbrother
> 
Windows programs can incorporate the GUI components (MFC libraries, etc)
either as statically linked libraries at compilation time, or (more commonly)
as dynamically linked libraries (DLLs).

One of my continual gripes about Windows security has to do with the GUI
DLLs. An attacker could silently replace a component with one which has
the old version number and the same API as the normal one, but which 
does something extra - for example, the component which handles the
textbox for entering passwords could check the system table to see if
the active program was PGP, and if so log the text entered. The user 
would be none the wiser, and even re-installing PGP would not restore
security.

A secure system would use cryptographically signed components,
and an application would check the signatures before loading a 
dynamic library. An attacker would then need to get the trojaned
components signed, which raises the bar.

Windows XP at least checks for drivers not signed by MS, but 
whose security this promotes is an open question.

Peter Trei
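As an added example (not code from Peter Trei's message), the check he describes: a loader that verifies a vendor signature over the library image before loading it, so a replacement that keeps the old version number and the same API but carries different code is rejected. Go's crypto/ed25519 stands in for whatever signing scheme a vendor would actually use; the component name, version and image bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Component is a stand-in for a dynamic library on disk: the loader sees
// only its advertised name/version and its raw bytes (constructed sample).
type Component struct {
	Name    string
	Version string
	Image   []byte // library contents
	Sig     []byte // detached Ed25519 signature over digest()
}

var ErrUntrusted = errors.New("component signature invalid: refusing to load")

// digest binds name and version into the signed message, so a genuinely
// signed image cannot be re-labelled as a different component or version.
func digest(c Component) []byte {
	h := sha256.New()
	h.Write([]byte(c.Name + "\x00" + c.Version + "\x00"))
	h.Write(c.Image)
	return h.Sum(nil)
}

// Sign is what the vendor's build pipeline does with its private key.
func Sign(priv ed25519.PrivateKey, c Component) Component {
	c.Sig = ed25519.Sign(priv, digest(c))
	return c
}

// VerifyBeforeLoad is the check the application runs before loading the
// library. The version string and export table are not consulted, because
// an attacker who replaced the file controls both.
func VerifyBeforeLoad(pub ed25519.PublicKey, c Component) error {
	if len(c.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, digest(c), c.Sig) {
		return ErrUntrusted
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Sign(priv, Component{"textbox.dll", "1.0", []byte("genuine password textbox code"), nil})
	trojan := genuine // same name, same version number, same signature bytes...
	trojan.Image = []byte("genuine password textbox code + password logger")
	fmt.Println("genuine:", VerifyBeforeLoad(pub, genuine)) // <nil>
	fmt.Println("trojan: ", VerifyBeforeLoad(pub, trojan))  // rejected
}
```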

---------------------------------------------------------------------
The Cryptography Mailing List