Feeds

Interview with the keystroke caperist

Bugged bosses' PC to 'expose improper practices'

  • alert
  • submit to reddit

High performance access to file storage

A former claims adjuster for a US insurance company is the first to be charged under federal wiretap law for the covert use of a hardware keystroke logger, after he was caught using the device while secretly helping consumer attorneys gather information to use against his own company.

Larry Ropp, 46, was indicted Tuesday by a federal grand jury in Los Angeles on a single count of endeavouring to intercept electronic communications. Ropp is accused of installing a "KEYKatcher" keystroke logger on the PC of a secretary to a vice president at the Bristol West Insurance Group where he worked. The KEYKatcher attaches inline with a keyboard connector, and stores every keystroke in an internal memory for later retrieval.

In an interview with SecurityFocus, Ropp admitted to using the device, which he says he ordered off the Internet. But he defended his office skullduggery as a necessary evil to expose improper anti-consumer practices at the company. "The FBI themselves use key loggers quite a bit," he said. "Here, I'm a whistleblower, and I'm getting the shaft."

Ropp was working at Bristol West's Anaheim, California office last year when a state appeals court ruled that the company had been illegally cancelling the policies of customers who were a single day late with their payments. Under California law, an insurance company must give 10 days notice before cancelling a delinquent customer's automobile liability policy. Bristol West had been circumventing that requirement by issuing "cancellation notices" with every bill, before payment was due, so that by the due date the 10 days had already passed.

"If it was due Tuesday, and you had an accident on Wednesday, you didn't have any insurance," says Ropp. "It was out-and-out a wrongful, illegal denial."

A California appellate court ruled against Bristol West in January, in a lawsuit filed by a customer, Curtis Mackey, who'd been involved in an auto accident two weeks after missing a payment, and was consequently denied a claim. Without admitting wrongdoing, the company subsequently agreed to pay six million dollars to settle a separate class action lawsuit filed on behalf of customers whose policy was cancelled without proper notice.

Office Intrigue

As he tells it, the affair left Ropp with a bad taste in his mouth, and ultimately turned him against his employer. "I just felt there were a lot of people getting screwed," he says. By his account, which meshes with an affidavit filed by an FBI agent in his case, Ropp began secretly copying internal company documents about the cancelled policies, then passing them on to two lawyers representing plaintiffs in the lawsuit.

Then, late last year, Ropp, the attorneys, another Bristol employee and a private investigator all met with investigators with California's Department of Insurance, which is charged with enforcing insurance laws in the state. There, Ropp offered what the FBI describes as "information concerning Bristol's handling of certain claims".

What happened next depends on who you ask. Ropp says the Department was interested, and wanted Ropp get more documentation. "They told us to gather all the information we can," he recalls. The Department remembers it differently. "It's a very strange situation," says spokesperson Carrie Beckstein. The meeting took place at Ropp's request, Beckstein said, and the investigators were not persuaded to probe Bristol's practices. "The only information that we wanted was, what, exactly [Ropp] was up to... We have not requested his services. We did not ask him to go out and elicit information."

Regardless, Ropp says he set his sights on a company database of every customer who might qualify as a member of the class in the lawsuit. "What I was trying to do is get the current list of those claims, and what they did or didn't do with them, and I wanted to get that for the Department of Insurance," says Ropp.

That's where the FBI and federal prosecutors say Ropp crossed the line. The database was password protected, and Ropp decided to crack the system. After some Googling, he settled on the KEYKatcher as the best tool for the job. "Basically all it does its capture every stroke that you type into the computer, like passwords and stuff." He ordered it online, and secretly installed it on the secretary's machine.

The plan began to unravel on 3 September, when the company fired Ropp for, as the FBI puts it, "not adhering to its time-keeping policies." (Ropp says he failed to report the time he spent in the office secretly gathering documents). Suddenly barred from the building, Ropp phoned former co-worker Karen Kaiser the next day, and asked her to discreetly retrieve the KEYKatcher from the bugged computer - he suggested she pretend to tie her shoe next to the secretary's desk, then unplug the keyboard cable from the PC and remove the device. Instead, Kaiser snitched on Ropp, and the company brought in forensic investigators who recovered the device and found files of intercepted keystrokes on Ropp's old office computer, demonstrating that he'd already harvested the KEYKatcher at least once.

"If I had never called, they would have never known," he says.

The company called in the FBI, and Ropp quickly admitted the caper. But he told agents that he'd been working for the Department of Insurance. The Department distanced itself from Ropp's adventuring, assuring the FBI that it "had never directed Ropp to collect any evidence that he would not be able to obtain in the normal course of business," according to the affidavit. For his part, Ropp admits the Department never told him to crack passwords or tap keystrokes, but he claims he was under the impression that he had their blessing to investigate his employer. Today, he says he feels burned. "All of a sudden when everything blew up, I'm out there hanging by myself," he says.

The US Attorney's office in Los Angeles says Ropp is the first defendant in the U.S. to be charged for illegally using a hardware keystroke logger. The indictment charges a violation of the federal wiretap statute, which criminalizes the covert interception of electronic communication - in this case several e-mail messages that had been typed in by the tapped secretary, and were therefore stored in the device.

Citing the ongoing nature of the case, Craig Eisenacher, spokesman for Bristol West, declined to comment on Ropp's indictment, or on Ropp's claim that he was working to expose company wrongdoing. Ropp is free on a $15,000 signature bond, and is scheduled to be arraigned on 5 April.

Copyright © 2004, 0

Related story

Disgruntled ex-employee arrested for keystroke caper

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.