City Almost Loses 450K to Keylogger

Posted by CowboyNeal on Thu May 31, 2007 06:31 PM
from the never-too-safe dept.
SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."
  • by dteichman2 (841599) on Thursday May 31 2007, @06:34PM (#19345609) Homepage
    Pwned.
  • Ummmm... how exactly would having anti-virus or anti-spyware stop things, if it's a physical keylogger?

    Do you know how these things work?

    • Re: (Score:2, Interesting)

      I STFA and I STFS but I found no trace of anyone referring to a "physical keylogger" ... only you.
    • RTFA (Score:2, Informative)

      by Anonymous Coward

      Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords


      Antivirus/antispyware might not stop a physical keylogger, but that wasn't the problem here.
    • by ajanp (1083247) on Thursday May 31 2007, @07:08PM (#19345941)
      There's no mention of the method used to install the keylogger onto the treasurer's computer. They mention it was a laptop, but it's a pretty far leap to assume that the hacker used a physical keylogger when the entire thing is just as likely, if not more so, to have been done remotely.

      It's also probably worth mentioning that the keylogger was likely active for at least a minimum of a day or two, likely much longer, considering it's mentioned that the keylogger tracked the treasurer's keystrokes until the hacker discovered the appropriate passwords AND the hacker stole the money over a couple days. With this longer exposure, especially if the keystrokes were being monitored remotely, there's a good chance that an anti-virus program with heuristics scanning running in the background (or at least a decent software firewall) could have flagged the suspicious behavior and perhaps identified the keylogger program being used.

      At the least, I think the poster is trying to convey that proper computer security could have helped to secure the computer and identify the problem earlier (the larger amount of 358,000 was stolen on the second day) or helped stop it outright.

      • by SanityInAnarchy (655584) <ninja@slaphack.com> on Friday June 01 2007, @01:23AM (#19348333) Journal

        There's no mention of the method used to install the keylogger onto the treasurer's computer.

        Yes there is.

        Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords.

        That is, unless they don't know what the word "spyware" means. Being reporters, they might just assume that spyware means what it sounds like -- any software used to spy on you, including something picking up keystrokes from a physical keylogger.


        But then, it also seems like it would be difficult to make a physical keylogger that communicates reliably with the outside world:

        Each time Treasurer Karen Avilla logged into her laptop computer in the morning, someone was looking--virtually--over her shoulder, watching every keystroke.

        That sort of implies it's being done in realtime. Of course, they could always mean it was a physical keylogger, which the "hacker" then collected and dumped...


        Then again, it's a laptop. If you have physical access to a laptop for long enough and with enough tools to install a physical keylogger, it's probably easier to carry the thing off and hope there's something valuable on the hard drive.

      • Re: (Score:3, Insightful)

        You know what I reckon?

        Keylogger was probably installed through some kind of widespread trojan - be it email or compromised website. My favourite is website, because that requires slightly more sophisticated monitoring to do the job properly than an email system, particularly if you give people laptops and let them take the laptop home and connect to their employer through a VPN.

        One of two things is possible from this point:

        1. Hacker was specifically targeting the treasurer's department. Regardless of th
    • by Tatarize (682683) on Thursday May 31 2007, @07:09PM (#19345947) Homepage
      if it wasn't for you meddling kids.
    • Re: (Score:3, Insightful)

      As the other replies have stated, I don't remember them mentioning a physical keylogger. They do [keydevil.com] exist [keyghost.com] though. [keelog.com] They sit in between the keyboard's PS/2 plug and the system's PS/2 slot (USB varieties work the same). It looks like they just intercept and log the keystrokes, no software to detect on the host PC and no login needed.
    • I don't think it was a physical keylogger since she was using a laptop.
    • Re: (Score:3, Insightful)

      how exactly would having anti-virus or anti-spyware stop things

      Well said! The notion that desktop computing in the Internet age would be problem-free if only everyone installed anti-malware software is completely bogus and doesn't even stand up to the slightest scrutiny. Everyone and his dog runs anti-malware (you can't buy a new PC without the stupid stuff literally flying out of the screen at you the minute you boot it up), and everyone and his dog is hideously infested with malware. Talk about brain-dead
  • Damned politicians (Score:5, Insightful)

    by nurb432 (527695) on Thursday May 31 2007, @06:37PM (#19345649) Homepage Journal
    "The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

    Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!
    • by dreamchaser (49529) on Thursday May 31 2007, @06:39PM (#19345671) Homepage Journal
      Because if they run out of redundant laws to pass they will be out of work.
      • So you would call them... dupes? *ducks*
      • Re: (Score:3, Insightful)

        And also because she wants to get reelected, and for that, she needs to show the Joe Sixpacks who're infuriated now that OMGhackers stole their hard-earned tax dollars that she's doing something.

        Think of it as political security theatre and/or CYA security - it doesn't actually do anything, but it mollifies the mob, and it allows her to point at the newly-passed laws and say "but I did something, you can't blame me!" when the same thing happens again later on.
    • Maybe that was supposed to be "policy" that applies to a city as opposed to "legislation" that applies to a state. Obviously, they don't have a policy in place to guard their network against key loggers.
    • "The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

      Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!


      How about:

      The City of Carson shall maintain on its computer systems the level of information security required to prevent data loss, data theft, and accidental data disclosure. The City shall, on an annual basis, contract with a qualified third party to conduct an information security audit of the

      • Re: (Score:2, Insightful)

        That would be a good law/policy/ordinance, no?


        Yes it is, which is exactly why it'll never happen
    • Because enforcing laws doesn't really _stop_ these kinds of things. Best case is that A) A law makes doing something so inconvenient that it is no longer worth the effort for the payoff, and B) offers a way to lock the criminal up after the fact. Case A isn't likely with this sort of thing, because no law is going to make it prohibitively hard to write a keylogger and get it installed on a number of boxes...especially not $450K worth of extra trouble. Case B might stop the idiots from repeating the crime by
  • but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home.

    You can say that again. But you can't assume you're completely safe even on non-Windows system. A quick search on Mac software sites shows at least one keylogger and surely more are available. I'm sure equivalents exist for Linux, too. This sounds paranoid, yes, but the truth is if *anyone* else has access to your computer, either remotely or phys

    • The difference is that hitting someone with a software keylogger is much harder on a Linux box (especially SE Linux [wikipedia.org]). Last I checked, these usually require some sort of LKM [wikipedia.org], which has to be installed by the superuser. Getting superuser status from a normal user is much easier on a Windows box.

      As for hardware keyloggers, the best defense is superglue and a policy of checking attached devices after an extended period of time away from the machine.
      • Yeah, cause jumping su or sudo is so hard.

        I tell ya, sometimes I feel like I should start doing "irresponsible security research" again. At least in the old days people understood the risks because people would yell from the rooftops what was possible (and prove that it was) instead of keeping it all secret so they can sell it to the Russians, or, worse yet, the vendors.

        • Yeah, cause jumping su or sudo is so hard.
          Umm.. it is. You need passwords for both of them unless you know about some kind of vulnerability in the version on the machine.
          • Re: (Score:2, Flamebait)

            Yeah, see, this is why I really should get around to posting to whatever passes as a risks mailing list these days.

            There's about a dozen ways to intercept su or sudo. They range in sophistication from adding an alias to the user's .bash_profile (or whatever shell they are using), to duplicating the effect of gksudo, to using the ptrace api to intercept exec syscalls and replace the command to execute. Some of this stuff is old school and doesn't need repeating.. I'm not aware of anyone who has published a
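The defender's side of the first trick mentioned above (an alias or shell function that shadows `su`/`sudo`, or a user-writable directory placed ahead of the system directories in `PATH`) is a check of the shell startup files. This is an added example, not code from the thread: the rc-file text is constructed, and the list of writable prefixes is an assumption that you would tune to your own systems.

```python
"""Flag shell startup-file entries that shadow su/sudo.

Added example, not from the thread. An alias, a shell function, or a
user-writable PATH entry searched before /usr/bin decides what really runs
when someone types `sudo`; this scanner reports all three. The rc-file
contents below are constructed.
"""
import re
from typing import List, Tuple

PRIVILEGED = frozenset({"su", "sudo", "gksudo"})

# alias sudo='...'
ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z_][\w-]*)=")
# sudo() { ...      or      function sudo() {
FUNC_PAREN_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z_]\w*)\s*\(\s*\)")
# function sudo {
FUNC_KW_RE = re.compile(r"^\s*function\s+([A-Za-z_]\w*)\s*\{")
# PATH=... / export PATH=..., with or without quotes
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=[\"']?([^\"']*)")

# Assumed set of prefixes a normal user can write to; a lookalike binary
# there wins if the entry sorts before the system directories in PATH.
WRITABLE_PREFIXES = ("~", "$HOME", "${HOME}", ".", "/tmp", "/var/tmp", "/dev/shm")


def _user_writable(entry: str) -> bool:
    entry = entry.strip()
    if not entry:
        return True                      # an empty entry means "current directory"
    if entry.startswith(WRITABLE_PREFIXES):
        return True
    return not entry.startswith("/")     # any relative path


def scan_rc(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, name) for each suspicious entry."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m:
            if m.group(1) in PRIVILEGED:
                findings.append((lineno, "alias", m.group(1)))
            continue
        m = FUNC_PAREN_RE.match(line) or FUNC_KW_RE.match(line)
        if m:
            if m.group(1) in PRIVILEGED:
                findings.append((lineno, "function", m.group(1)))
            continue
        m = PATH_RE.match(line)
        if m:
            entries = m.group(1).split(":")
            # Only directories searched *before* the inherited PATH matter.
            for inherited in ("$PATH", "${PATH}"):
                if inherited in entries:
                    entries = entries[: entries.index(inherited)]
                    break
            for entry in entries:
                if _user_writable(entry):
                    findings.append((lineno, "path", entry))
    return findings


# Constructed ~/.bash_profile with one of each problem.
SAMPLE_RC = """\
# constructed sample, not a real user's file
export EDITOR=vim
alias ll='ls -l'
alias sudo='~/.cache/.s/sudo'
export PATH=$HOME/.local/bin:$PATH
su() { /tmp/.x/su "$@"; }
"""

if __name__ == "__main__":
    for lineno, kind, name in scan_rc(SAMPLE_RC):
        print(f"line {lineno}: {kind} shadows {name!r}")
```

Legitimate aliases such as `alias sudo='sudo '` will also be reported, so treat the output as a review list rather than an automatic verdict; the point is that anything touching these names in a user-writable file deserves a look.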
    • I'm sure equivalents exist for Linux, too.

      They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.

      Many are so discreet even an IT tech might not notice them.

      I've heard there are even some for Windows that can be programmed to inject keypresses.

      Hopefully I'm OK typing on my laptop's integrated keyboard here. ..>./ No you're not, ha, ha ./..,;,

      • They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.
        Just use a wireless keyboard and you're completely immune to physical keyloggers.
    • Nobody is immune from either Flu or Ebola. And yet, I know which one I am going to be concerned about.

      The simple fact is, that Windows IS easier to hit. And until the security tightens up, it will remain that way. *nix has decent security in it (due to a good initial design and years of work to get it right).
      • Saying that GNU/Linux and Mac have the same problems Windoze does is a serious insult. I'm tired of hearing people tell me how much my OS needs an antivirus and spyware checker.

        It's bullshit anyway. The pros can get through anything. Starting off with an OS that 99% of script kiddies can't own is a much better option than dragging down your computer's performance with snake oil. An OS like Debian, without Flash and other useless and insecure junk, is more appropriate for an office than Windoze with its IE, Outlook and WMP burden. After that, AV can be done for mail servers and intrusion detection at the network level. Everything else is just so much busy work and waste of money.

        While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD haven't you ever heard of "Defense in Depth"?

        Yes, AV can be done for mail servers, and hell, also on proxy servers. But how do you protect against the user in room 314 with a USB memory key that he likes to use? You need AV on individual systems (I like ClamAV for *nix, but that's my personal choice).
        Intrusion Detection at the network level, brilliant, and a useful tool, but not enough. How do you detect changes to impo

      • Saying that GNU/Linux and Mac have the same problems Windoze does is a serious insult. I'm tired of hearing people tell me how much my OS needs an antivirus and spyware checker.

        That is far from what was intended in my (the grandparent) post. I think you read in between the lines and found something that wasn't supposed to be there. Despite what you may think, I was not implying that Linux and Mac systems "have the same problems" as Windows. That is an absurd statement. Perhaps I should have spelled it out

  • Fscking dumb (Score:5, Insightful)

    by kosmosik (654958) <konrad AT kosmosik DOT net> on Thursday May 31 2007, @06:47PM (#19345753) Homepage
    > but it drives home the importance of keeping good anti-spyware and anti-virus software updated
    > on both corporate systems as well as systems being used from home.

    No. It drives home the importance of controlling the flow of public money. If one person, be it the president of California or whatever you call him, can make significant money transfers that are not audited and open, there is something wrong with your system. Yes, you fscking can make the bank *call* you to approve any transfer above some amount. Yes, you can make public transfers open and visible.

    So there is nothing to blame on the software, since it is obvious that Windows in the hands of non-technical people is insecure. The person making transfers should use a different laptop perhaps? The one that the IT department takes care of, not the one that he browses pron from?

    It is just an example of how retarded and uneducated the people who have power to spend public money are.
    • I would rather it drove home the importance of controlling any flow of money. Say someone gets ahold of my online banking password. They should only have the ability to transfer money from checking to savings or perhaps pay my cable bill. They should not be able to transfer it to an account that isn't one of my accounts with the same bank. They shouldn't be able to set themselves up as a payee able to receive electronic payments from my account. They should be able to transfer funds to a different bank.
      • It is possible here where I live (Poland). But I guess such account conditions imply some additional costs.
    • Re: (Score:3, Insightful)

      In the nonprofit school that I'm on the board of, our policy is that anything over a certain amount must be approved and signed by multiple officers, up to all four main officers for really large amounts.

      What kind of idiot sets up a financial system for a city (that deals with a lot more money than we ever will) in which one user can on their own authority transfer over a quarter of a million dollars to a random bank account? Whoever the controller for the city is should probably be fired at this point.

      Even
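The controls described in the two posts above (pre-registered payees only, and a number of officer signatures that grows with the amount, up to all four officers) are simple enough to write down as a policy check. The following is an added example, not code from the thread or from any city's actual system: the officer names, payee ids and tier amounts are constructed, and the tier boundaries are an assumption a real treasury would set itself.

```python
"""Dual-control check for outgoing payments.

Added example, not from the thread. Encodes the policy the posts describe:
the payee must have been registered beforehand, and the number of *other*
signing officers who must approve rises with the amount until every officer
has signed. Officers, payees and tier amounts are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import FrozenSet, Iterable, List, Tuple, Union

# Constructed: the four signing officers of a hypothetical city.
OFFICERS = frozenset({"treasurer", "controller", "mayor", "city_manager"})

# Constructed tiers: (amount below which the tier applies, approvals needed
# from officers other than the initiator). At or above the last bound,
# every other officer must sign, i.e. all four officers in total.
TIERS = [
    (Decimal("5000"), 0),
    (Decimal("50000"), 1),
    (Decimal("250000"), 2),
]
ALL_OTHER_OFFICERS = len(OFFICERS) - 1

# Constructed: destinations the city has set up in advance.
REGISTERED_PAYEES = frozenset({"payroll-acct", "utility-vendor"})


def required_approvals(amount: Union[str, Decimal]) -> int:
    amount = Decimal(amount)
    for bound, needed in TIERS:
        if amount < bound:
            return needed
    return ALL_OTHER_OFFICERS


@dataclass(frozen=True)
class Transfer:
    amount: Decimal
    payee: str
    initiator: str
    approvers: FrozenSet[str]


def authorize(t: Transfer, registered_payees: FrozenSet[str] = REGISTERED_PAYEES) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); an empty reason list means approved."""
    reasons: List[str] = []
    if t.amount <= 0:
        reasons.append("amount must be positive")
    if t.payee not in registered_payees:
        reasons.append("payee is not pre-registered")
    if t.initiator not in OFFICERS:
        reasons.append("initiator is not a signing officer")
    # Only officers count, nobody approves their own request, and a repeated
    # signature from the same officer is collapsed by the set.
    valid = (t.approvers & OFFICERS) - {t.initiator}
    needed = required_approvals(t.amount)
    if len(valid) < needed:
        reasons.append(f"needs {needed} other officer approvals, has {len(valid)}")
    return (not reasons, reasons)


def authorize_request(amount: str, payee: str, initiator: str, approvers: Iterable[str]) -> Tuple[bool, List[str]]:
    """Convenience wrapper taking plain strings, as a web form would supply them."""
    return authorize(Transfer(Decimal(amount), payee, initiator, frozenset(approvers)))


if __name__ == "__main__":
    # The figure from the story, requested alone, to an unregistered account.
    print(authorize_request("358000", "unknown-acct", "treasurer", []))
    # Same amount, registered payee, all three other officers signing.
    print(authorize_request("358000", "payroll-acct", "treasurer",
                            ["controller", "mayor", "city_manager"]))
```

A stolen password gets the thief exactly one of the four signatures, and none at all if the destination was never registered; that is the property the posts are asking for, and it holds regardless of what is running on the treasurer's laptop.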
  • it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home.

    Uhh, no. If the keylogging software is some off-the-shelf crap, sure, that might work, but if it is something the attacker has written specifically for this attack, forget it. We don't live in a world where software is assured. You can't ever say "my keystrokes are on a secure path". Although, two-factor security things like RSA's SecurID [rsa.com] can help.

  • The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

    Yeah, because laws sure do stop those criminals from, you know, breaking the law.

    When are politicians going to wise up and realize that laws don't stop criminals from doing anything, they just offer a means of punishing them _if_ they get caught after the fact? Completely different methods are required to prevent these kind of things -- like proper security procedures, in this case.
  • Well, well... (Score:5, Insightful)

    by GFree (853379) on Thursday May 31 2007, @07:01PM (#19345883)
    If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.

    God I'm going to hell for writing that, and I'm a Linux user.
  • Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.
    • gilesjuk writes: Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.

      Actually, the article says that the compromise happened on a laptop, which implies a software keylogger, not a device -- the software loggers tap into the keyboard events in the OS, so it doesn't matter how the keyboard is plugged in.

      I recently noticed Thinkgeek [thinkgeek.com] is now offering the "Ke

  • From the article:

    The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

    * sigh *

    Because people who would try and steal some $450,000 are going to be stopped by legislation making it even more illegal.

    Maybe something like two-factor authentication would be better? That way different numbers are needed every time. And better security on the laptop perhaps? Non-administrator privileges. Not allowing people to install software? All quite doable.

    Sure, blame the criminals, but maybe the doors should be bolted too?

  • by spywhere (824072) on Thursday May 31 2007, @07:30PM (#19346097)
    Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
    A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:

    "Um, sir, do you bank at Bank of America?"
    "Yeah, why?"
    "Is your password 'Snoopy67'?"

    Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.
    • Re: (Score:3, Funny)

      by Anonymous Coward
      Key points in this post:

      Before I 'retired'....

      and

      "Um, sir, do you bank at Bank of America?" ..
  • That's it? (Score:4, Funny)

    by denttford (579202) on Thursday May 31 2007, @09:37PM (#19347029) Homepage
    Just 450K? Meh, post it when they steal at least a couple hundred megabytes.
  • lol (Score:3, Interesting)

    by pestilence669 (823950) on Thursday May 31 2007, @10:46PM (#19347529)

    "The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy."

    Yeah... more "rules" against this kind of behavior will fix it. It's not illegal enough... that's the reason it happens. Criminals care about consequences. Dumb ass.

  • As Los Angeles County sheriff's deputies and Secret Service investigators try to track down the crooks, Carson has fielded calls from officials worried about the security of municipal coffers. "They want to know how they can prevent this," Avilla said.

    I know it's not going to fix anything, but there are a few simple, simple steps:

    1. Linux. If you can't make that work, get a Mac, but really, do give Linux some serious consideration. Especially if you can standardize on things in the normal repositories, you basically kill any equivalent of the most common and easiest Windows attack vectors.
    2. Never let it out of your sight. If it's a desktop, it stays in a room that only you and trusted people have access to, like your office. When you're not there, lock the door. If it's a laptop, either keep it locked in a similar room, or carry it with you. If you MUST let it out of your sight, get one of those stupid-looking laptop locks and lock it to something solid. When you get back, check for tampering.
    3. Don't let anyone have unlimited access to it. If someone MUST use your computer, every time they touch it, it should be under some limited account, not yours. When they're done, nuke the account. And again, be in the room, paying enough attention that you'll notice if they try to open the case or unplug anything.
    4. Lock it down. Linux/Mac is part of the above, but even if you MUST use Windows, turn on the firewall, download some good, free antivirus and antispyware (and pay for some if you can't get it free, due to many of the "free" ones being free only for home use), and turn off AutoRun, even if you never plan to play music CDs. You could go farther, too -- on Mac/Windows, BitLocker/FileVault. On Linux, you could encrypt the entire disk except your boot partition, and you could put that on a removable flash thumbdrive. You could also use SELinux, which, on a distro that supports it, is complete overkill even for this -- every process has a set of rules defining what it can and cannot do.
    5. Use a secure browser, which basically means anything except IE. If you're on Vista, maybe IE 7, but I still prefer open source. And even then, disable crap you don't need, run Flash on a per-page click-to-play basis, and pay very close attention to the URLs you visit when accessing your bank.
    6. Use at least two-factor authentication. A thumbprint reader, a smartcard reader, or even a simple thumb-drive with a keyfile on it.
    7. Don't be stupid with passwords. Don't give them out for chocolate (has happened before). It is not enough to name it after your dog and add a year, your Fido1993 will be cracked in two minutes with a dictionary cracker, if you even bothered to capitalize the F. Make it hard enough that you have to write it down, and then make sure where you write it is sufficiently protected -- for example, on something in your pocket, or have the browser remember on that encrypted hard drive. (The encrypted drive, of course, will always have the same password, and that should be a hard one that you bite the bullet and memorize anyway. Or a very-obfuscated one that you can remember, for example, 2b||!2b could read "To be or not to be" (to a programmer), but beware that being predictable (such as pulling it out of my Slashdot comment) can make hard obfuscation easy.)

    This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.

    And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:

    The treasurer said she is now determined to try to write legi
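Item 7 of the list above says a "Fido1993"-style password falls to a dictionary cracker in minutes, and the help-desk story earlier in the thread shows "Snoopy67" in a keylogger dump. The check below is an added example, not code from the thread: it rejects exactly that shape (a dictionary word, possibly capitalised or with digit-for-letter substitutions, plus a few trailing digits or symbols) before falling back to a length rule. The wordlist is a constructed stand-in for a real cracking dictionary and the 12-character minimum is an assumption.

```python
"""Reject passwords built from a dictionary word plus a few digits.

Added example, not from the thread. A dictionary cracker with simple
mangling rules (capitalise, append a year, swap 0/o and 1/i) recovers
"Fido1993" almost immediately, so the check undoes those manglings and
looks the remainder up. WORDLIST is a constructed stand-in; MIN_LENGTH is
an assumed policy value.
"""
import re
from typing import FrozenSet, Optional

# Constructed stand-in for a cracking wordlist (real ones hold millions of words).
WORDLIST: FrozenSet[str] = frozenset({
    "fido", "snoopy", "password", "carson", "treasurer", "summer", "letmein",
})

MIN_LENGTH = 12  # assumed policy minimum

# Digit-for-letter substitutions, undone before the dictionary lookup.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

# Up to four trailing digits (a year, a birthday) with optional punctuation.
TRAILING_RE = re.compile(r"[!?.*#]*\d{0,4}[!?.*#]*$")


def base_word(password: str) -> str:
    """Strip the usual suffix mangling and substitutions, lower-case the rest."""
    stripped = TRAILING_RE.sub("", password, count=1)
    return stripped.translate(UNLEET).lower()


def weak_reason(password: str, wordlist: FrozenSet[str] = WORDLIST) -> Optional[str]:
    """Return why the password is weak, or None if it passes these checks.

    The dictionary check runs first so that a short dictionary-based password
    is reported for the more serious of its two problems.
    """
    base = base_word(password)
    if base in wordlist:
        if base == password.lower():
            return f"dictionary word '{base}'"
        return f"dictionary word '{base}' with digits or symbols added"
    if password.isdigit():
        return "digits only"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for candidate in ("Fido1993", "Snoopy67", "F1d01993", "Treasurer2007!",
                      "2b||!2b", "correct horse battery staple"):
        print(f"{candidate!r}: {weak_reason(candidate) or 'ok'}")
```

"Treasurer2007!" is the instructive case: it clears the length rule and mixes cases, digits and punctuation, yet it is one dictionary word plus a year, which is the first thing a cracker's mangling rules try.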

  • YAY WINDOWS! (Score:3, Interesting)

    by toby (759) * on Friday June 01 2007, @07:47AM (#19350247) Homepage Journal
    Mircosfot make great benefit to nation America!