Date: Mon, 7 Dec 1992 22:48:06 +0000
From: Dave Banisar <[email protected]>
Subject: File 1--DOJ Authorizes Keystroke Monitoring

CA-92:19                         CERT Advisory
                                December 7, 1992
                            Keystroke Logging Banner

The CERT Coordination Center has received information from the United
States Department of Justice, General Litigation and Legal Advice
Section, Criminal Division, regarding keystroke monitoring by
computer systems administrators, as a method of protecting computer
systems from unauthorized access.

The information that follows is based on the Justice Department's
advice to all federal agencies.  CERT strongly suggests adding a
notice banner such as the one included below to all systems.  Sites
not covered by U.S. law should consult their legal counsel.

+++++++++++++++++++

    The legality of such monitoring is governed by 18 U.S.C. section
    2510 et seq.  That statute was last amended in 1986, years before
    the words "virus" and "worm" became part of our everyday
    vocabulary.  Therefore, not surprisingly, the statute does not
    directly address the propriety of keystroke monitoring by system
    administrators.

    Attorneys for the Department have engaged in a review of the
    statute and its legislative history.  We believe that such
    keystroke monitoring of intruders may be defensible under the
    statute.  However, the statute does not expressly authorize such
    monitoring.  Moreover, no court has yet had an opportunity to
    rule on this issue.  If the courts were to decide that such
    monitoring is improper, it would potentially give rise to both
    criminal and civil liability for system administrators.
    Therefore, absent clear guidance from the courts, we believe it
    is advisable for system administrators who will be engaged in
    such monitoring to give notice to those who would be subject to
    monitoring that, by using the system, they are expressly
    consenting to such monitoring.  Since it is important that
    unauthorized intruders be given notice, some form of banner
    notice at the time of signing on to the system is required.
    Simply providing written notice in advance to only authorized
    users will not be sufficient to place outside hackers on notice.

    An agency's banner should give clear and unequivocal notice to
    intruders that by signing onto the system they are expressly
    consenting to such monitoring.  The banner should also indicate
    to authorized users that they may be monitored during the effort
    to monitor the intruder (e.g., if a hacker is downloading a
    user's file, keystroke monitoring will intercept both the
    hacker's download command and the authorized user's file).  We
    also understand that system administrators may in some cases
    monitor authorized users in the course of routine system
    maintenance.  If this is the case, the banner should indicate
    this fact.  An example of an appropriate banner might be as
    follows:

       This system is for the use of authorized users only.
       Individuals using this computer system without authority,
       or in excess of their authority, are subject to having
       all of their activities on this system monitored and
       recorded by system personnel.

       In the course of monitoring individuals improperly using
       this system, or in the course of system maintenance, the
       activities of authorized users may also be monitored.

       Anyone using this system expressly consents to such
       monitoring and is advised that if such monitoring reveals
       possible evidence of criminal activity, system personnel
       may provide the evidence of such monitoring to law
       enforcement officials.

++++++++++++++++++++
Each site using this suggested banner should tailor it to their
precise needs.  Any questions should be directed to your
organization's legal counsel.

++++++++++++++++++++
The CERT Coordination Center wishes to thank Robert S. Mueller, III,
Scott Charney and Marty Stansell-Gamm from the United States
Department of Justice for their help in preparing this Advisory.

If you believe that your system has been compromised, contact the
CERT Coordination Center or your representative in FIRST (Forum of
Incident Response and Security Teams).

Internet E-mail: [email protected]
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

------------------------------

