Say you work in a company and are up for a promotion. You want to negotiate your salary effectively, but to do this, you need to know what others in that position are making. How do you get into the Human Resource records?
Bob, who has a cube across the hall, is the DBA. He could get in there, but how do you get his password? Your network is monitored and audited pretty closely. You can’t do anything to steal his password “on the network” which might get logged and would be traceable to you.
Enter this little device:
This USB keyboard logger has a huge 2MB or 4MB memory capacity, organized into an advanced flash file system. Super fast data retrieve is achieved by switching into pendrive mode for download. Completely invisible for computer operation…
It comes in USB and PS/2 models and costs less than $100. (No link, lest I be accused of encouraging this. You can find these things easily enough if you want to.)
One night, you work late, then you unplug his keyboard, plug this device into his computer, then plug his keyboard into the device. His computer is way under his desk, so he’ll never see it. You retrieve the device the next evening and download all his keyboard input for the entire day from the internal Flash memory. It wouldn’t be hard to pick out his password, and now you’re him.
This is unlike a software keyboard logger because there’s no evidence left behind. No process that runs in the background, no need to install anything on his machine, etc. It’s like stabbing someone with an icicle — no evidence gets left behind.
All you security types out there — how do you defend against this? Do they sell encrypting keyboards, which encrypt data sent down the keyboard cable and decrypt it on the machine?