Recently, while attending a banking conference in Las Vegas, I discovered a company called SoftForum (http://www.softforumglobal.com/). Not long ago, SoftForum created a product called XecureCK, designed to help protect users against keyloggers.
Herein lies the problem, though.
SSL and TLS encryption do a good job of securing data as it flows between the user and the secure Web site, but they offer absolutely no local protection. Encryption is applied only when the browser hands the request to the TLS layer; everything that happens before that point, from the keyboard through the operating system's input handling to the Web form, is plaintext. This means that if a keylogger happens to be installed on the user's machine, the keylogger will have no trouble logging the user's activity, regardless of whether the user's session is encrypted or not.
Take a look at Figure A. I have gone to a legitimate banking Web site and entered a bogus online ID. Although the site is encrypted, the keylogger that I am using has no trouble capturing the text as I enter it.
Key loggers are immune to SSL and TLS encryption.
Most keyloggers aren't as readily visible as the one I am using here. Keystroke loggers commonly sneak onto a user's machine via drive-by downloads from malicious Web sites. When you consider the sensitive nature of the information that is commonly entered into Web forms, and the fact that keystroke loggers often go undetected, you can see why this is such a serious problem.
The engineers at SoftForum concluded that the way to protect an online session against keystroke loggers was to encrypt keystrokes locally, before they reach anything a logger can hook, in addition to the usual SSL or TLS encryption of the session itself. The end result was an ActiveX control that provides this local encryption.
XecureCK is not a consumer-level product. SoftForum sells XecureCK licenses to companies with Web sites they want to protect. Once a company purchases the necessary license, it simply adds a line of code to its Web page header that calls the necessary ActiveX control. Because the protection is delivered as an ActiveX control, it applies to users running Internet Explorer on Windows; other browsers and platforms do not load the control and get no local protection.
The ActiveX control works by establishing PKI-based encryption between the protected Web site and the Windows keyboard driver. That way, when the user enters information into a form on a protected Web page, each keystroke is encrypted as it leaves the keyboard driver, and only the protected Web application holds the key needed to decrypt it. The user is oblivious to this encryption because the text appears in the Web form in its unencrypted format. However, in Figure B, you can see that the keystroke logger, which hooks the input path above the driver, records the text only in its encrypted form. A logger that captures keystrokes below that point, such as a hardware keylogger plugged in between the keyboard and the PC, is outside what this design can address.
The keystroke logger cannot decipher the encrypted text.
Decryption happens at the application level, so only the protected Web application has access to the text in its unencrypted form. Any text entered is completely inaccessible to other applications. The encryption takes place seamlessly, so users may continue to use their other applications in the usual manner, even while accessing a protected Web page. The only thing that changes from a user's perspective is that he or she is not able to access text from the protected Web page through other applications.
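To make the mechanism concrete, here is an added model of the keystroke path that is not SoftForum's code and does not reflect how XecureCK is actually implemented. It treats input as flowing through a fixed sequence of stages (the stage names are an assumption) and lets you place the point of encryption and the keylogger's hook independently. The cipher is a keystream derived from HMAC-SHA256 in counter mode, chosen only because it needs nothing outside the standard library; the key and nonce are constructed sample values. The point it shows is that a logger captures plaintext exactly when it hooks the stream before the stage at which encryption is applied, which is why TLS alone (encryption only at the network boundary) leaves every keylogger on the host unaffected, and why a hardware logger sits below even driver-level encryption.

```python
import hashlib
import hmac

# Stages a keystroke passes through on the host, in order (assumed names).
# The protected Web application runs in the browser and is the only stage
# that holds the session key.
PATH = ["keyboard_hardware", "keyboard_driver", "os_input_queue", "browser"]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode produces a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    """XOR data with an equal-length keystream (encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, ks))


def deliver(typed: str, encrypt_from, hook_at: str, key: bytes, nonce: bytes):
    """Push `typed` through PATH and report what each party ends up with.

    encrypt_from: first stage at which the stream is ciphertext, or None for
                  no local encryption at all (the TLS-only situation).
    hook_at:      stage at which the keylogger reads the stream.
    Returns (text the Web application receives, bytes the keylogger captured).
    """
    if hook_at not in PATH or (encrypt_from is not None and encrypt_from not in PATH):
        raise ValueError("unknown stage")
    data = typed.encode()
    captured = b""
    for stage in PATH:
        if stage == encrypt_from:
            data = xor_bytes(data, keystream(key, nonce, len(data)))
        if stage == hook_at:
            captured = data          # the logger copies whatever passes by
    # The protected application holds the key and decrypts before displaying
    # the text; TLS protects the request only from this point onward.
    if encrypt_from is not None:
        data = xor_bytes(data, keystream(key, nonce, len(data)))
    return data.decode(), captured


def scenarios(typed: str = "bogus-id") -> dict:
    """Three placements of encryption and hook, mirroring the article."""
    key = b"session-key-from-protected-site"   # constructed sample key
    nonce = b"\x00" * 8                         # constructed sample nonce
    return {
        # Figure A: TLS only, logger hooked in the OS input path.
        "tls_only": deliver(typed, None, "os_input_queue", key, nonce),
        # Figure B: keystrokes encrypted from the driver, same logger.
        "driver_encryption": deliver(typed, "keyboard_driver", "os_input_queue", key, nonce),
        # Hardware logger: reads the stream before the driver ever sees it.
        "hardware_logger": deliver(typed, "keyboard_driver", "keyboard_hardware", key, nonce),
    }


if __name__ == "__main__":
    for name, (app_sees, logger_got) in scenarios().items():
        print(f"{name:18s} app sees {app_sees!r:12s} logger captured {logger_got!r}")
```

Running it shows the application receiving "bogus-id" in all three cases, while the logger captures the plaintext in the first and third and only ciphertext in the second.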
To further protect information entered into a protected Web application, XecureCK disables the copy and paste function on protected Web sites. If a user attempts to press Ctrl+C to copy protected text, the software clears the text from the Web form in order to prevent it from being copied. SoftForum also offers an advanced version of XecureCK, which disables the Print Screen key in an effort to prevent sensitive information from being copied to an image file. Keep in mind that blocking a key is a deterrent rather than a boundary: malware that grabs the screen through the graphics APIs rather than the Print Screen key is not affected by it.
In this day and age, there are often severe penalties associated with accidental disclosure of personal information. Companies put a great deal of effort into securing their Web applications, but all of this security can be undone if a user's machine is infected with a keystroke logger.
About the author: Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.
This was first published in January 2008