Beware of keylogging

April 13, 2015

In late February, the German newspaper Die Tageszeitung, known by its shortened name ‘taz’, published a chronology on its website detailing the discovery of a keylogger that was used to steal data from newsroom computers. Keyloggers record every keystroke entered on a keyboard, which means recording passwords and communication before they can be protected through most encryption techniques. Since the breach was discovered, taz editors have announced new security measures and training sessions for journalists.

News had already been spreading on social media under the hashtags #tazgate and #tazleaks, and taz’s account of the breach confirmed that the newsroom’s computers had been compromised by what looked like a USB stick.

According to taz, an IT employee found the keylogger plugged in between the keyboard and USB port of a newsroom computer. IT staff analyzed the data saved on the keylogger and placed it back where it was found. The next day, one of taz’s well-known reporters was seen removing the keylogger from the USB port. The paper’s chronology describes how, faced with questions, the reporter claimed the keylogger was a regular USB stick. When he did not show up to a meeting with editors and lawyers days later, though, taz pressed charges. While taz has not published the reporter’s name, other German media outlets have.

Since 2013, when encryption techniques received a lot of attention for facilitating journalists’ communication with Edward Snowden, there has been more talk about journalists using encryption (including the “Journalism After Snowden” project at Columbia Journalism School), especially for communicating sensitive information. But the need to be aware of potential breaches that bypass encryption has gotten less attention. The UNESCO report, “Building Digital Safety for Journalism,” which came out at the end of March, describes keylogging and other tools that can be used to monitor computer activity. “It also allows the attacker to bypass encryption. This is especially important given the increase in encrypted traffic over recent years,” the report says.

Jenn Henrichsen, one of the authors of the UNESCO report and First Look Media Technology Fellow at the Reporters Committee for Freedom of the Press, says hardware- and software-based keyloggers are likely to affect journalists in different situations. While journalists are traveling and crossing borders, the devices they carry with them can be vulnerable, because someone who gains physical access to them could plant a hardware-based keylogger. “They also might leave their device unattended, whether in a hotel room or on a table at a conference, where someone could access it. They could also potentially use an internet-cafe computer to file their story, which may have a keylogger installed on it,” Henrichsen wrote in an email. Henrichsen says software-based keyloggers can also be configured on USB devices, which can be removed from a computer.

Taz’s analysis of the USB keylogger showed that data from at least 16 employees’ accounts were saved starting at the beginning of 2014 or earlier. At a public discussion held in taz’s Berlin office building in March about the case, taz Editor in Chief Ines Pohl said the newspaper had started security training for employees. “When something like this happens, you realize that it can occur, and it’s damn easy to extract something when someone has physical access to computers. That does change your feeling,” Pohl said. A taz spokesperson declined to provide details on the security measures.

The newspaper, known as politically left-wing, is financed in part by a cooperative of 14,652 members, and has a reputation for engaging its readers through an annual congress known as taz.lab. Taz also has a café on the ground floor of its office building that’s open to the public. “We don’t want to completely cut off this openness that makes up taz. But there are things we have to do to properly protect our sources and also our readers,” Pohl said of the new security plans.

Various programs and guides designed to inform journalists about digital security give advice on both software- and hardware-based keyloggers. The online security guide for journalists and human rights activists, Security in a Box, includes sections dedicated to protecting data from physical threats and securing digital devices against malware and hackers. Hadi Al Khatib, a security trainer at the Berlin-based organization Tactical Tech Collective, one of the creators of Security in a Box, says that over the last few years he has seen an increase in disguised malware sent to journalists.

This includes DarkComet Remote Administration Tools (also called RATs), malware that records keystrokes and has been used to target Syrian activists, Al Khatib said. When that malware is opened on a computer, it “can capture webcam activity, record keystrokes, and steal passwords so it does the work of a keylogger and has more features as well, such as being a backdoor, allowing external access and full control of the computer,” Al Khatib said.

The New York Times reported that the 2013 hacking of the newspaper likely started with email phishing—that staff members were sent emails with disguised links that gave attackers access to their computers.

Digital security researchers recommend keeping antivirus software up to date to detect malware and software-based keyloggers. As a general precaution, using different devices and email accounts for specific stories a journalist is working on can reduce the risk if they are attacked, says Cameran Ashraf, a digital safety trainer for the organization Global Journalist Security.

“The tendency is for journalists to do a huge variety of work and personal tasks at their one computer, but having a separate fresh computer for a sensitive project can minimize the damage and potential for being hit by a keylogger,” Ashraf said.

For newsrooms, the taz case shows the value of staff technologists who can identify a USB keylogger and other threats to computers. Taz editor Ines Pohl said in the public discussion last month that the measures the paper is taking now are “more than short-term pepping up” and that security may also be a consideration for the new office building taz is set to move into in 2017.

Catherine Stupp is a freelance journalist based in Berlin