Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there's even sneakier things than just stealing one's cookies.

Funny thing, the name...

[jkrise (535370)]

Sometime back, Passport passwords were hacked: Muhammed from Pakistan.

Adobe's eBook reader was cracked : Skylarov.

and now, Jiang.

Why isn't it Rob or Pete or Chris, ever??

-

Re:Funny thing, the name...

[aziraphale (96251)]

Well, to be fair, Muhammed and Jiang are two of the more common names in the world, simply by weight of population...

More interesting question: why is it never Amy, or Meiying, or Fatimah?

Clarification Please!

[rat7307 (218353)]

For us non-US'ers:

What is a Kinkos????

Thanks!

Re:Clarification Please!

[Jellybob (597204)]

I believe it's a photocopying/printing shop.

Don't quote me on that though.

Re:Clarification Please!

[mblase (200735)]

Kinko's stores are ridiculously popular in the US, especially near colleges and universities. Photocopies and printing, many are open 24 hours, and they offer computer terminals for rent with graphics and publishing apps already installed. They're so common now that they're practically an entry in the dictionary.

Re:Clarification Please!

[lewiz (33370)]

It's a good question, actually.

Google finds quite a lot. My guess is it's http://www.kinkos.com/:

Document Solutions - Done Right, Anytime, Anywhere

Core Values

1. Alignment and accountability: We accept responsibility for our actions. We make and support business decisions through experience and good judgment.
2. Customer Service Excellence: We are dedicated to satisfying customer needs and honoring commitments that we have made to them.
3. Teamwork: Our team is supportive of each other's effor

Re:Clarification Please!

[volsung (378)]

Photocopying, document printing, and some have public access Internet terminals (for a fee).

Re:Clarification Please!

[rat7307 (218353)]

That's what I thought too... they used a lowecase k so I was thinking kinko=pervert or something..

Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York.

Make that statement seem so much worse if you saw it like I did.... :]

What do people expect?

[fadeaway (531137)]

Why would anyone consider using public access points to access private/secure data? That's just asking for trouble.

It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly.

Re:What do people expect?

[squaretorus (459130)]

99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal

Are you sure? I've been sitting on a train as a guy opposite sat with his card on the table shouting the numbers into his mobile phone (he was ordering flowers for his wife - anniversary - £100 bunch - no ribbon - she hates ribbon - thinks its a waste - and nothing with those really thick stems - she always complains about those too - and just put 'hey' on the card - yes - just 'hey') gave his address for delivery, his postcode, his home and mobile numbers and his wifes name (Ruth - kind of old fashioned a name I thought) and a few other bits. Practically enough to get a passport with!

Maybe he was the 1%. So far as I could tell I was the only one logging all this info into a palm at the time tho - so no harm done!

is this viable for a class-action lawsuit?

[squarefish (561836)]

I used a NYC Kinko's during H2K2 last year on 7th Ave. I've been unable to find it now due to dilution of the story, but I found on online article the other day that said this had actually gone on for two years and that the person that discovered it had used a computer at one of their stores on 7th Ave, but they have two. I used the one at 500 N. 7th, store # 0961

I called their customer support line on Wednesday as soon as I saw this article, and they said they didn't know anything about it- the person I spoke to called me back and said that their corporate office would get back to me by the end of the day.... I'm still waiting.

I called the store directly last night and the manager, sounding like he was lying through his teeth, told me that they were absolutely not one of the stores.

So, I've very interested in knowing if this has class-action lawsuit potential since Kinko's was prosecuting this case and obviously had no intentions of notifying their customers of the risk they were at while using their store. If there is an existing lawsuit, how do I find it? Thanks!!!!

Re:is this viable for a class-action lawsuit?

[by Anonymous Coward]

yep, you went to the hacked store. Jiang says your password was "lutefisk" but fortunately you only used it to access nude pictures Cowboy Neal.

Out-of-order username & password entry

[G4from128k (686170)]

I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.

Some help, but not 100% effective

[by Anonymous Coward]

As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."

The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"

"Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.

Magic Lantern

[by Anonymous Coward]

An intelligent keylogger will only hook certain window classes

It is rumored that the FBI's Magic Lantern key logger does just this, and has specific hooks for the password entry dialog of known `terrorist` applications like PGPdisk, BestCrypt, KGB, etc.

You`re right that most key logging programs are stupid, though. The best way to detect a key logger is to go in Windows Explorer, do a search for files modified in the last day, then sort the list by modification date descending. Open any unusually named fil

Re:Magic Lantern

[lfourrier (209630)]

After all, key loggers have to keep a log somewhere!
but not necessarly on the PC.

http://www.thinkgeek.com/gadgets/electronic/5a05 /

Re:Out-of-order username & password entry

[by Anonymous Coward]

Curiously as you are using a mac-looking name, 2 of the most popular keystroke loggers for macs (when I used them, which was up until just before the OSX days) would take note of exactly this, and still get your password and your random typing as separate strings. I have no experience with PC loggers as I haven't investigated them since, I've learned to never trust a machine with details I couldn't afford to lose.

I used to use this exact same technique, then tried it on a couple of loggers I suspected. Some coders have too much time on their hands

Re:Out-of-order username & password entry

[jmichaelg (148257)]

Under Windows, logging clicks isn't any harder than logging keystrokes. My macro program, mgSimplify [greenes.com] uses the same dll to keep track of both events.

Instead of trying to be clever, you're probably better off not trusting a publically accessible computer.

Tinfoil Hat Linux

[mikeee (137160)]

Tinfoil Hat Linux [shmoo.com] is designed for just such a case. Boots of a CD-ROM, randomized keyboard for password entry, tempest-resistant fonts, PGP encryption and decryption (also of random files, in the background, to thwart timing attacks), and in a pinch "output console text to keyboard LEDs in morse code" mode.

Stupid users, Stupid Kinkos

[jsailor (255868)]

You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)

Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinkos to do as well. If you've been to a Kinkos in NY, you would know that the copy specialists in the stores are not maintaining the machines.

Virutal keyboards

[bogado (25959)]

Banks in brasil are using virtual keyboards, they are a numeric pad that apear in the screen with the numbers in a random order and/or in a random position. You must then click the password with a mouse. Of course if you own the machine you can save the HTML and mouse clicks to analise it latter, but it makes the life of keyloggers harder.

Re:Virutal keyboards

[liquidpele (663430)]

That might be a great idea for mozilla to do. Put in a "kiosk mode" where trying to use a password field brings up a virtual keyboard forcing the user to use it.

It might get Moz on a lot more machines and some publicity anyways...

Am I the only one not surprised?

[xThinkx (680615)]

I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, kinkos, office max, internet cafes, etc; and think that a keystroke logger could be infinitely damaging.

Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a rediculous idea. I know this is beating a dead horse, but, do we let people drive a car or fly a plane without a license? Before you jump on my case I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some for education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKOS!.

I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it

I am typing this now from a Kinkos

[Hecateus (628867)]

I spend alot of time at my local kinkos. They do get paid at least 1/2 more than you suggest. It requires experience and training to deal with some of these copiers...as well as lots of patience for the many customers who know even less. (or don't even know what they want. They are one employer that is likely to keep many employees around for a long time to come despite the heavy automation. Sadly the training for the normal coworker doesn't seem to include internet security...which is fundamentaly the

Re:I am typing this now from a Kinkos

[BitchHead (464271)]

I worked at a Kinko's as a second job for a brief stint, and while I'll agree with you on the wages, I can't say as much for the training that most employees receive. The general guidelines that are given to employees are that the self-serve machines are just that: Self-serve. Don't spend a lot of time trying to explain things on the machines. If someone wants a job done, and can't figure it out on the self-serve machines, they can get it done behind the counter. The same rule holds true for the computers. It's part of the self-serve area. Help people only to the extent of not being discourteous, but the copy associates are not there to tell people how to work their email or perform tasks on Photoshop.
The majority of the training goes into learning how to work the supplementary process machines (folders, tape and coil binders, bookletizers, etc.) because those are the large batch jobs that bring in the most money. Very few employees, depending on the location and the shift, will actually know how to set up specialized features on the large DocuCenter machines. Day shifters and second shifters will typically run the small batch jobs that need to get out that day, and leave the rest of the work for the night shift. If you want the job done right, bring it there at 3am for a morning pickup. The night shift is usually only 2 people, many times just one (as was the case when it was my shift) and they need to know how to work everything in the shop.
The computers, however, are not upkept by the individual branch employees. There are regional network engineers who do the initial installation at a branch. After that, there is a Kinko's central hub help desk to take care of any questions that the manager/employees have, and a central station for remote administration of branch networks for a region. The managers are expected to be able to follow a colour coded wall chart in the network closet if they want to move equipment or add machines. Ours was an absolute nightmare. Serious technicolour spaghetti, and totally misconnected according to the wall chart. The managers and employees receive zero training on any network essentials, so don't expect them to know anything about security measures. The manager at the branch I worked at couldn't tell you the difference between a keystroke logger and a timber logger.

Re:Am I the only one not surprised?

[xpulsar87x (305131)]

Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

Why is it that the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, i was paid 6.25 an hour, and I did a pretty damn good job I might say. I didn't mope around my whole shift, I'd help people out, learn about things i didn't know (like printers, i don't print anyhting ever so i didn't know much about the technology in em), took time to learn how do work the machines in our copy center, etc etc. You trying to say that becuase Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college something, and they certainly would take an interest in it.

Sloppy.

[MImeKillEr (445828)]

When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.

Whoever was doing support for Kinko's didn't do their job.

Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?

Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.

RTA -- He did not sign up for GoToMyPC...

[Fallen Kell (165468)]

Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC services, with which, actually controls your home PC. The person who's accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediatly knew that someone had gained access through the GoToMyPC service and contacted the authorities. That is how they caught him... Not him signing people up for GoToMyPC...

Passwords are an obsolete form of authentication

[Dratman (552554)]

Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from ebay and similar sites, which ask for passwords to be re-entered on a web site, illustrate that passwords are no longer an adequate form of security.

The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.

Re:Passwords are an obsolete form of authenticatio

[richie2000 (159732)]

Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense.

By anyone. Most banks are moving away from magnetic stripes exactly because the readers are so inexpensive and easy to install on public terminals and ATMs. In addition to the official readers. The smartcards are coming.

Re:Passwords are an obsolete form of authenticatio

[hackstraw (262471)]

Everytime passwords get mentioned on slashdot, I say they suck with little to no moderation. Regarding the lack of standard protocols and software packages try:

Multos [multos.com]
EMV (Europay-Mastercard-Visa) Specifications [visa.com]
JavaCard [sun.com]
OpenCard [opencard.org]
PC/SC Workgroup [smartcardsys.com]
Standards Committees and Standards Related to Smart Cards [demon.co.uk]

I attended the 10th annual smartcard convention in 1999, yet have not seen a smartcard outside of the places I used to work programming them. Maybe its time... The cards then were 1 or 2 dollars and the readers were about 6 or 7, hardly an expensive periferal on your computer.

Let me reiterate. Passwords have nothing to do with authentication, they only say that someone knows your password. Even having a magstripe card at least says that you know a password and were able to obtain phyisical access to the card. The best is a biometric reader with a smartcard. I think bioreaders are about 50 dollars.

This is why some banks...

[xneilj (15004)]

This is why some banks do not request full information for login.

For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:

Three digits from your four digit online PIN (in a random order, like second, first, fourth).

Three characters from your password, again a random selection in a random order.

While it initally irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.

It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to do repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.

More info on this case

[dki (597803)]

...can be found at SecurityFocus [securityfocus.com].

Keyboard Loggers...

[BJZQ8 (644168)]

There are PS2-connector keyboard loggers sold in various places on the internet...although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords...It's just something you have to accept...that someone is probably watching, somewhere.

Bring your own OS?

[dschuetz (10924)]

One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.

Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access sytem (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.

They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...

What about hardware loggers?

[nochops (522181)]

This would stop a keylogger application, but not a hardware logger between the keyboard and PS2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.

we can be reassured....

[lfourrier (209630)]

Kinko's spokeswoman Maggie Thill said the company takes security seriously and believes it has "succeeded in making a similar attack extremely difficult in the future." She would not provide details, saying that to do so could make systems less secure .

They obviously really understand security...

note (for the humour-impaired) : this is irony

One time passwords?

[cras (91254)]

Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.

OP is wrong

[nochops (522181)]

The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.

No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.

Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtoipc flame-fest! Yay!

easy everything solution

[straybullets (646076)]

last time i went to an easyeverything cybercafe i noticed that on logout the pc would reboot and re-install a fresh image of the whole os on the disk. I think it got the image from the network but i can't recall what soft they used to do it (it had a strange name)...

Of course it takes some more time on rush hour (like 10-20mn) but they have lots of pc so ...

and also, too bad for installing key loggers then ..

Re:easy everything solution

[Henry Pate (523798)]

I know one piece of software that does they, they used to use it at my high school, it worked pretty well. It's called Deep Freeze, you could do anything you wanted to the computer, and when you rebooted the system was back just the way it was before, with all software installed during the last session gone, everything. You can find it here [deepfreezeusa.com]

From a Kinko's employee

[catfishmonkey (538336)]

I'm a manager at Kinko's.
You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc.. are left every day.
Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".

What a world.

Kinko's Security

[stinkydog (191778)]

I have used a Kinkos machine in Columbus Ohio (near Ohio State) and here is what I found:

1. Windows 2000 with the user logged in as poweruser or administrator.
2. Pop up software installed (unknown spyware).
3. I could not find a USB port so I stood up and moved the PC and plugged in in the back. No comment from staff.

The only "security" I saw was protecting the billing app.

SD

S/Key OTP

[mackman (19286)]

After standing at the pulic terminals at a security conference and thinking to myself, "I must be an idiot for typing my password into these", I investigated some one time password (OTP) alternatives. Back in the telnet days, people used S/Key to keep from sending re-usable passwords in the clear. Basically, it sends you a challenge, you type it and your password into your Palm, and type the generated one time password into the computer. If you're Palm-less or lazy, you can print a sheet of your next 100 OTPs and keep it in your wallet. If your wallet gets stolen, just login to your box and you can invalidate those 100 passwords and print a new sheet. It's a lot easier than reporting your credit cards stolen.

Don't use Kinko's machines... use your own!

[gregwbrooks (512319)]

Gotta agree that using any of the public machines at Kinko's is a fool's errand. OTOH, if you drag your laptop in, many of them have "laptop printing stations" with DHCP and a pipe out to the Internet.

In a Kinko's that doesn't have laptop stations? You can usually unhook the ethernet cable from one of their pay-for-use machines and use the connection yourself for no charge, as long as it's not busy.

Why would anyone bother? Well, it's a (relatively) fast connection, and an IP address no one can trace back to you because you didn't pay for it and all the cameras at Kinko's (last time I checked) are pointed at the registers rather than the computers.

I'd think the warez/Kazaa/terrorist crowds would find that plenty useful.

Re:risky business

[radish (98371)]

You're (fairly) safe from online fraud, but still perfectly vulnerable to real-world fraud, which is far more common (with regard to banks anyway). I wouldn't bask too much in your sense of security.

Still, everyone is perfectly entitled to judge the risk themselves and do what they want. I'm intrigued though - do you drive? smoke? drink? have sex? Those things are much more likely to cause problems (and they can be much more serious problems) than online banking. Do you exercise the same level of caution t

Re:And this should surprise us?

[will_die (586523)]

You mean like this [keyghost.com].
If I was to do this I would use one of the versions that uses a a private IRC channel to communcicate, that way you never have to go back to the machine again, yet can control it from almost anywhere with a lesser chance of being found.

Re:And this should surprise us?

[Daniel Rutter (126873)]

Woo! An excuse to pimp my old reviews of KeyGhost hardware key loggers!

Review one [dansdata.com]. Review two [dansdata.com].

Re:Back in the day..

[Torne (78524)]

This is why secure operating systems use an SAK, system attention key. Windows NT and its brethren require you to press ctrl-alt-del to log in because that key sequence cannot be trapped by an application (though there are other problems with the NT logon process unrelated to the three-fingered salute). Linux has an SAK too; unfortunately, it's only available through the kernel magic debug keys by default (alt-sysrq-k if you have magic keys enabled) - the SAK under Linux will kill all programs on the curren

Re:RTFA

[BenjyD (316700)]

Read it yourself. From the article:

Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes.