116 lines
5.4 KiB
Plaintext
116 lines
5.4 KiB
Plaintext
|
|
||
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||
|
|
|
||
|
|
|
||
|
|
CA-92:19 CERT Advisory
|
||
|
|
December 7, 1992
|
||
|
|
Keystroke Logging Banner
|
||
|
|
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
The CERT Coordination Center has received information from the United States
|
||
|
|
Department of Justice, General Litigation and Legal Advice Section, Criminal
|
||
|
|
Division, regarding keystroke monitoring by computer systems administrators,
|
||
|
|
as a method of protecting computer systems from unauthorized access.
|
||
|
|
|
||
|
|
The information that follows is based on the Justice Department's advice
|
||
|
|
to all federal agencies. CERT strongly suggests adding a notice banner
|
||
|
|
such as the one included below to all systems. Sites not covered by U.S.
|
||
|
|
law should consult their legal counsel.
|
||
|
|
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
The legality of such monitoring is governed by 18 U.S.C. section 2510
|
||
|
|
et seq. That statute was last amended in 1986, years before the words
|
||
|
|
"virus" and "worm" became part of our everyday vocabulary. Therefore,
|
||
|
|
not surprisingly, the statute does not directly address the propriety
|
||
|
|
of keystroke monitoring by system administrators.
|
||
|
|
|
||
|
|
Attorneys for the Department have engaged in a review of the statute
|
||
|
|
and its legislative history. We believe that such keystroke monitoring
|
||
|
|
of intruders may be defensible under the statute. However, the statute
|
||
|
|
does not expressly authorize such monitoring. Moreover, no court has
|
||
|
|
yet had an opportunity to rule on this issue. If the courts were to
|
||
|
|
decide that such monitoring is improper, it would potentially give rise
|
||
|
|
to both criminal and civil liability for system administrators.
|
||
|
|
Therefore, absent clear guidance from the courts, we believe it is
|
||
|
|
advisable for system administrators who will be engaged in such
|
||
|
|
monitoring to give notice to those who would be subject to monitoring
|
||
|
|
that, by using the system, they are expressly consenting to such
|
||
|
|
monitoring. Since it is important that unauthorized intruders be given
|
||
|
|
notice, some form of banner notice at the time of signing on to the
|
||
|
|
system is required. Simply providing written notice in advance to only
|
||
|
|
authorized users will not be sufficient to place outside hackers on
|
||
|
|
notice.
|
||
|
|
|
||
|
|
An agency's banner should give clear and unequivocal notice to
|
||
|
|
intruders that by signing onto the system they are expressly consenting
|
||
|
|
to such monitoring. The banner should also indicate to authorized
|
||
|
|
users that they may be monitored during the effort to monitor the
|
||
|
|
intruder (e.g., if a hacker is downloading a user's file, keystroke
|
||
|
|
monitoring will intercept both the hacker's download command and the
|
||
|
|
authorized user's file). We also understand that system administrators
|
||
|
|
may in some cases monitor authorized users in the course of routine
|
||
|
|
system maintenance. If this is the case, the banner should indicate
|
||
|
|
this fact. An example of an appropriate banner might be as follows:
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
This system is for the use of authorized users only.
|
||
|
|
Individuals using this computer system without authority, or in
|
||
|
|
excess of their authority, are subject to having all of their
|
||
|
|
activities on this system monitored and recorded by system
|
||
|
|
personnel.
|
||
|
|
|
||
|
|
In the course of monitoring individuals improperly using this
|
||
|
|
system, or in the course of system maintenance, the activities
|
||
|
|
of authorized users may also be monitored.
|
||
|
|
|
||
|
|
Anyone using this system expressly consents to such monitoring
|
||
|
|
and is advised that if such monitoring reveals possible
|
||
|
|
evidence of criminal activity, system personnel may provide the
|
||
|
|
evidence of such monitoring to law enforcement officials.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
Each site using this suggested banner should tailor it to their precise
|
||
|
|
needs. Any questions should be directed to your organization's legal
|
||
|
|
counsel.
|
||
|
|
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
The CERT Coordination Center wishes to thank Robert S. Mueller, III,
|
||
|
|
Scott Charney and Marty Stansell-Gamm from the United States Department
|
||
|
|
of Justice for their help in preparing this Advisory.
|
||
|
|
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
If you believe that your system has been compromised, contact the CERT
|
||
|
|
Coordination Center or your representative in FIRST (Forum of Incident
|
||
|
|
Response and Security Teams).
|
||
|
|
|
||
|
|
Internet E-mail: cert@cert.org
|
||
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
||
|
|
CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
||
|
|
on call for emergencies during other hours.
|
||
|
|
|
||
|
|
CERT Coordination Center
|
||
|
|
Software Engineering Institute
|
||
|
|
Carnegie Mellon University
|
||
|
|
Pittsburgh, PA 15213-3890
|
||
|
|
|
||
|
|
Past advisories, information about FIRST representatives, and other
|
||
|
|
information related to computer security are available for anonymous FTP
|
||
|
|
from cert.org (192.88.209.5).
|
||
|
|
|
||
|
|
|
||
|
|
-----BEGIN PGP SIGNATURE-----
|
||
|
|
Version: 2.6.2
|
||
|
|
|
||
|
|
iQCVAwUBMaMxEnVP+x0t4w7BAQHKiAP/XmfedOnmkaeQyNpaRF+luXnaQNsIcduY
|
||
|
|
RicrGD7EJhKmrhsTj4P4uIIiSL9Ue+4WHOF38/yte+WDNqpAITI1wus/0h7pUg1k
|
||
|
|
urZVI+MzEJJgBGuVqmiu/1hxT10ZtUvtLQGsI/kjfud3e/3xLBfJtSeIwYNNRk/H
|
||
|
|
Xrv8iQr179Y=
|
||
|
|
=UuaN
|
||
|
|
-----END PGP SIGNATURE-----
|
||
|
|
|