Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage

Trojans, viruses and other malware can be categorized as either active or passive in nature. Active viruses (for example) are viruses that perform some outwardly noticeable function. They are typically ooensive in nature and cause denial of service attacks or other disturbances. In the electronic warfare context they can translate into \direct military attacks". Passive viruses are, on the other hand, inconspicuous and may for example , simply steal CPU time for a particular computation. They may also secretly leak information and are capable of leaking \intelligence informa-tion" to the author (i.e., espionage). Recently, Cryptovirology has been introduced as a means of mounting active viral attacks using public key cryptography. It has been shown to be a tool for extortion attacks and \electronic warfare", where attacks are mounted against information resources. The natural question to ask is whether Cryptovirology is also useful (i.e., provides enhanced functionality) in the area of spying via malware. In this paper we demonstrate that, indeed, Cryptovirology helps in \electronic espi-onage" and allows the spy to conceal his or her identity (as well as past collected information). Speciically, we present an attack that can be mounted by a cryptotrojan that allows the attacker to gather information (passwords) from a system in such a way that the attacker cannot be proven guilty beyond reasonable doubt. That is, even if the attacker is under surveillance on the local machine from when he rst attacks the target machine, to when he obtains the passwords, and even if the leaked information is made available to the attacker exclusively, he still cannot be caught. The threat is made possible by the combination of public key cryptography, probabilistic encryption, and the use of public information (I/O or communication) channels which together form a \secure receiver-anonymous channel". The machine can be a standalone one (where channels are I/O ones), or a networked one (where channels are communication ones). What we learn from the attack is extracted as general tools and basic principles for \espionage attacks". The generic existence of such evasive attacks implies that auditing and logging tools are not suucient in apprehending electronic spies and identifying their operators, and may not be suucient to collect evidence. The concrete attack we present clearly sharpens the known inherent weakness of expository authentication mechanisms (like passwords).