Experts from the security firm Inverse Path claim that power that is “leaked” from poorly shielded cables can offer vital clues as to what a PC user is typing to hackers further than 15 metres away, prompting fears of an increase in internal computer security breaches.

As part of the research, experts used an oscilloscope to measure fluctuations in voltage that occur when data is sent from keyboard to a PC. This data travels down poorly insulated PS/2 cables where they become earthed at the PC base unit. Data is then leaked at this point into the mains supply which can be picked up by simple monitoring equipment.

“Our goal is to show that information leaks in the most unexpected ways and can be retrieved,” wrote Andrea Barisani and Daniele Bianco, of the security firm, in a paper describing their work, as reported by the BBC.

The report claimed that the data picked up by the equipment was of a good enough quality to determine what key was pushed, with each keystroke having its own unique characteristic.

“The PS/2 signal square wave is preserved with good quality… and can be decoded back to the original keystroke information,” wrote the pair in a paper describing their work.

They demonstrated it working over distances of 1, 5, 10 and 15m from a target, far enough to suggest it could work in a hotel, office and even high-density residential areas.

“The test performed in the laboratory represent a worst case scenario for this type of measurement, which along with acceptable results emphasizes the feasibility of the attack on normal conditions,” they added.

Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart has agreed to delete any information that it gained after it was found to have misled users into installing software from ComScore which would then monitor their online habits.

The agreement comes as part of a settlement with the Federal Trade Commission although the company did not concede that it had broken any laws.

The FTC accused Sears Holdings of misleading customers in as part of market research campaign in which customers were encouraged to join an “online community”. Tracking software from ComScore was installed on the PCs of those who agreed to be part of the scheme.

But the FTC said Sears used the software to collect information on non-Sears sites, such as online bank statements, drug prescription records and emails as well as tracking user keystrokes, contrary to what many customers believed that they were agreeing to.

Sears did disclose that it would monitor non-Sears sites on page 10 of a 54-page user license agreement, but the FTC argued it was not enough.

“The complaint charges that Sears’ failure to adequately disclose the scope of the tracking software’s data collection was deceptive,” the FTC said in a statement.

“At all times, Sears Holdings ensured the privacy and security of the personal information of all participants who enrolled in the program,” Sears said in an email statement. “No customer data was ever compromised or disclosed.”

It is not the first time that ComScore software has been criticised, with experts such as Harvard researcher Ben Edelman claiming in 2007 that ComScore software was being distributed over the controversial DollarRevenue network, which has since been shut down. ComScore subsequently took steps to prevent DollarRevenue from distributing its software.

The information has allowed researchers to discover key details on the workings of the notorious Torpig botnet, a network of zombie computers used to collect sensitive user information such as credit card details and login information.

Within the data, researchers found more than 297,000 unique login credentials (defined as a username and password pair) from 52,540 unique machines infected with the Torpig virus. More than 8,200 of these were for Google profiles whilst login credentials for Facebook, Myspace, Yahoo and Italian ISP Alice also featured prominently.

To capture the information, the Torpig virus attaches itself to programmes such as Mozilla Thunderbird, Skype, Microsoft Outlook, ICQ, Internet Explorer and Firefox. After monitoring keystrokes, the malware automatically uploads new data to servers controlled by the authors eery 20 minutes. Researchers also found that due to the discreet way in which it operates, Torpig is able to capture information before it is encrypted by secure socket layer (SSL).

The report also highlighted a notable lax attitude towards password security from the users of infected machines, with 28% of users using the same login credentials for several sites or services. The authors of the report suggested that users were not taking enough steps to prevent themselves from malware, such as secure passwords or updated antivirus software.

“The victims of botnets are users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites,” stated the report. “This is evidence that the malware problem is fundamentally a cultural problem.

“Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behaviour when using a computer. Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate the Internet citizens so that the number of potential victims is reduced.

The plot, which would have been worth around £229m if successful, involved the use of complex “keylogging” techniques installed on computer systems within the offices of the Sumitomo Mitsui Bank in London that harvested every keystroke and mouse click made on the infected PC’s. The intention was to then retrieve this data which would, in theory, have contained login details for many of the bank’s security systems.

The scam failed however and last week, Hugh Rodley, 61, of Twyning, Tewksbury was found guilty of conspiracy to defraud and conspiracy to transfer criminal property and David Nash, 47 of Durrington, West Sussex was convicted of conspiracy to transfer criminal property.

The device in question in this instance was a USB hardware based keylogger but software based versions remain in existence, although many are not as sinister as they may seem.

If you’re reading this on a work, school or college PC, then the chances are that you’re using a machine or network that has some form of keylogging software installed. The recording of keystrokes and mouse clicks is a major principle behind many PC monitoring or parental control systems.

There are however, many malicious uses for keylogging software, most examples of which are spread through various forms of adware and spyware.

The software is used by criminals to secretly monitor and record everything that a user types or clicks on your PC in order to harvest your log-in names, passwords, and other sensitive information, before sending it on to the hackers. This can also include any passwords or user names that you may have asked your computer to remember for you, as these are usually held as cookies on your PC.

Some keyloggers also allow the creators to ‘target’ information entered into websites which could be of greater interest to criminals, such as online banking for example.

The software is one of the many reasons behind the growth in identity fraud over recent years and, had the Sumitomo Mitsui Bank come off, it would not have been the first financial institution to come unstuck.

In 2007, keylogging software was used to steal more than US$1m from the Swedish bank Nordea and in the same year, users of an American retirement savings and investment plan for federal employees were targeted by keyloggers, resulting in $35,000 going missing.

With the most common distribution methods for keyloggers being through over forms of malware, including adware, Trojans and spyware, the advice is to ensure that your firewall and antivirus software remains updated and that their copy of Windows is fully patched with the latest security updates.