City Almost Loses 450K to Keylogger

SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."

Obligatory...

[dteichman2]

Pwned.

Physical Keylogger

[wdr1]

Ummmm... how exactly would having anti-virus or anti-spyware stop things, if it's a physical keylogger?

Do you know how these things work?

Re:

[creativeHavoc]

I STFA and I STFS but I found no trace of anyone refering to a "physical keylogger" ... only you.

Re:

[sesshomaru]

Actually, a physical keylogger is a device that plugs in between the keyboard and the PC. Or else it could be build into a keyboard. Here's an example KeyGhost [keyghost.com]. Of course, since it's a dongle that doesn't transmit anything, you need regular physical access to the device to retrieve memory.

I think it's main use is to find out if your wife/husband or live in girlfriend/boyfriend is cheating on you, stuff like that. I owuldn't trust it for a sensitive operation like the one described in the article, too

RTFA

[Anonymous Coward]

Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords

Antivirus/antispyware might not stop a physical keylogger, but that wasn't the problem here.

Re:Physical Keylogger

[ajanp]

There's no mention of the method used to install the keylogger onto the treasurer's computer. They mention it was a laptop, but its a pretty far leap to assume that the hacker used a physical keylogger when the entire thing is just as likely, if not more so, to have been done remotely.

It's also probably worth mentioning that the keylogger was likely active for atleast a minimum of a day or two, likely much longer, considering it's mentioned that the keylogger tracked the treasurer's keystrokes until the hacker discovered the appropriate passwords AND the hacker stole the money over a couple days. With this longer exposure, especially if the keystrokes were being monitored remotely, there's a good chance that an anti-virus program with heuristics scanning running in the background (or atleast a decent software firewall) could have flagged the suspicious behavior and perhaps identified the keylogger program being used.

At the least, I think the poster is trying to convey that proper computer security could have helped to secure the computer and identify the problem earlier (the larger amount of 358,000 was stolen on the second day) or helped stop it outright.

Re:Physical Keylogger

[SanityInAnarchy]

There's no mention of the method used to install the keylogger onto the treasurer's computer.

Yes there is.

Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords.

That is, unless they don't know what the word "spyware" means. Being reporters, they might just assume that spyware means what it sounds like -- any software used to spy on you, including something picking up keystrokes from a physical keylogger.

But then, it also seems like it would be difficult to make a physical keylogger that communicates reliably with the outside world:

Each time Treasurer Karen Avilla logged into her laptop computer in the morning, someone was looking--virtually--over her shoulder, watching every keystroke.

That sort of implies it's being done in realtime. Of course, they could always mean it was a physical keylogger, which the "hacker" then collected and dumped...

Then again, it's a laptop. If you have physical access to a laptop for long enough and with enough tools to install a physical keylogger, it's probably easier to carry the thing off and hope there's something valuable on the hard drive.

Re:

[jimicus]

You know what I reckon?

Keylogger was probably installed through some kind of widespread trojan - be it email or compromised website. My favourite is website, because that requires slightly more sophisticated monitoring to do the job properly than an email system, particularly if you give people laptops and let them take the laptop home and connect to their employer through a VPN.

One of two things is possible from this point:

1. Hacker was specifically targeting the treasurer's department. Regardless of th

I would have gotten away with it...

[Tatarize]

if it wasn't for you meddling kids.

Re:

[pionzypher]

As the other replies have stated, I don't remember them mentioning a physical keylogger. They do [keydevil.com] exist [keyghost.com] though. [keelog.com] They sit in between the keyboards ps/2 plug and the systems ps/2 slot (USB varieties work the same). It looks like they just intercept and log the keystrokes, no software to detect on the host pc and no login needed.

Re:

[derEikopf]

I don't think it was a physical keylogger since she was using a laptop.

Re:

[StikyPad]

Ummm... how exactly would you place a physical keylogger on a laptop?

Did you read the fscking article?

Re:

[gilgongo]

how exactly would having anti-virus or anti-spyware stop things

Well said! The notion that desktop computing in the Internet age would be problem-free if only everyone installed anti-malware software is completely bogus and doesn't even stand up to the slightest scrutiny. Everyone and is dog runs anti-malware (you can't buy a new PC without the stupid stuff literally flying out of the screen at you the minute you boot it up), and everyone and his dog is hideously infested with malware. Talk about brain-dead

Damned politicians

[nurb432]

"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!

Re:Damned politicians

[dreamchaser]

Because if they run out of redundant laws to pass they will be out of work.

Re:

[HoosierPeschke]

So you would call them... dupes? *ducks*

Re:

[asninn]

And also because she wants to get reelected, and for that, she needs to show the Joe Sixpacks who're infuriated now that OMGhackers stole their hard-earned tax dollars that she's doing something.

Think of it as political security theatre and/or CYA security - it doesn't actually do anything, but it mollifies the mob, and it allows her to point at the newly-passed laws and say "but I did something, you can't blame me!" when the same thing happens again later on.

Re:

[Tony Hoyle]

All the opponent has to do is to point out that if she hadn't been browsing porn/warez sites in the first place she wouldn't have got a trojan on her computer.

Oh and connecting a laptop into the internal coroprate net? In a lot of companies people would get fired on the spot for that, never mind waiting for the next election. Laptops should be *outside* the firewall not inside it.

Re:

[Acer500]

All the opponent has to do is to point out that if she hadn't been browsing porn/warez sites in the first place she wouldn't have got a trojan on her computer.

I think that particular misconception has been cleared here before - not that browsing porn/warez sites won't get you infected, but that you can't get it any other way. I was a network admin, and the largest spyware infection we had was with a weather toolbar which a user downloaded and shared (everyone has local admin privileges here).

My work doesn't have that much sensitive information (and we use the "default trust" approach with our employees), but, unlike her work, but you could conceivably allow l

Re:

[__aaclcg7560]

Maybe that was supposed to be "policy" that applies to a city as opposed to "legislation" that applies to a state. Obviously, they don't have a policy in place to guard their network against key loggers.

Re:

[bill_mcgonigle]

"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!

How about:

The City of Carson shall maintain on its computer systems the level of information security required to prevent data loss, data theft, and accidental data disclosure. The City shall, on an annual basis, contract with a qualified third party to conduct an information security audit of the

Re:

[C0R1D4N]

That would be a good law/policy/ordinance, no?

Yes it is, which is exactly why it'll never happen

Re:

[budgenator]

Letting an employee have a company windows OSed laptop that they can take home for "work", and to connect to the internet to browse websites is like have sex without a condom; its just asking for trouble. There is a saying, "Keep your tools in the tool box and keep you toys in the toy box."

Re:

[Darlantan]

Because enforcing laws doesn't really _stop_ these kinds of things. Best case is that A) A law makes doing something so inconvenient that it is no longer worth the effort for the payoff, and B) offers a way to lock the criminal up after the fact. Case A isn't likely with this sort of thing, because no law is going to make it prohibitively hard to write a keylogger and get it installed on a number of boxes...especially not $450K worth of extra trouble. Case B might stop the idiots from repeating the crime by

Re:

[Tony Hoyle]

Robbery would be case A where the chance of being caught are high and the payoff is low.

Deterrence works well in that case. OTOH we still have robberies.. because A doesn't apply in all cases - firstly because the odds change.. stealing a million dollars worth of diamonds using a well planned robbery can seem like a good idea - and also there's the cases of faulty risk assessment (in the case of drug addicts etc.).

If you think of something like smoking cannabis, which has a low (nearly zero) risk of being

Re:

[nolife]

Article 4, section 34b

Do not allow "key logger" or equivalent key tracking software to be installed on network connected computers or terminals.

Problem solved.

Re:

[BVis]

Problem solved.

Not hardly. That law requires that the reader know what a '"key logger" or equivalent key tracking software' is, what a network is, what software is, and what a computer or terminal is.

All this information is beyond most private sector workers, and nearly all public servants. While ignorance of the law is not a defense, if the idea is to prevent the crime in the first place, this is a miserable failure. Any attempt by IT personnel (if the city even has them) to educate their workers will b

Re:

[SanityInAnarchy]

To my knowledge, "piracy" has two definitions:

1. Armed robbery on the high seas.
2. Copyright infringement.

I really, really wish the people writing these stories would bother to at least try to get the jargon right. After all, there's no mention of the word "keylogger", or the fact that it's a really fucking obvious and common attack. I bet they either thought or are trying to pretend that this kind of thing has never happened before...

Re:

[timmarhy]

unless legislation is a 6'8" black dude (think office linebacker) who runs around smashing the thieves before they install the software, it won't prevent jack shit.

this kind of idiocy they thinks a law will prevent a crime infuriates me.

Re:

[volpe]

Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!

Legislation can do more than simply make something illegal. It can provide additional means of enforcement (e.g. PATRIOT act (I don't like it, but it's an example)), or make it more difficult to commit the crime in the first place (e.g. Brady Bill).

450K ?

[Anonymous Coward]

450 Kilobytes? Doesn't sound so bad.

Re:

[Weaselmancer]

It's a keylogger! 450k of passwords is a BUNCH.

Re:450K ?

[joe 155]

450K should be enough for anyone!

And nobody is really immune

[dn15]

but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home.

You can say that again. But you can't assume you're completely safe even on non-Windows system. A quick search on Mac software sites shows at least one keylogger and surely more are available. I'm sure equivalents exist for Linux, too. This sounds paranoid, yes, but the truth is if *anyone* else has access to your computer, either remotely or phys

Re:

[dteichman2]

The difference is that hitting someone with a software keylogger is much harder on a Linux box (especially SE Linux [wikipedia.org]). Last I checked, these usually require some sort of LKM [wikipedia.org], which has to be installed by the superuser. Getting superuser status from a normal user is much easier on a Windows box.

As for hardware keyloggers, the best defense is superglue and a policy of checking attached devices after an extended period of time away from the machine.

Re:

[dn15]

Thanks for pointing that out. Good to know. :)

Re:

[QuantumG]

Yeah, cause jumping su or sudo is so hard.

I tell ya, sometimes I feel like I should start doing "irresponsible security research" again. At least in the old days people understood the risks because people would yell from the rooftops what was possible (and prove that it was) instead of keeping it all secret so they can sell it to the russians, or, worse yet, the vendors.

Re:

[dteichman2]

Yeah, cause jumping su or sudo is so hard.

Umm.. it is. You need passwords for both of them unless you know about some kind of vulnerability in the version on the machine.

Re:

[QuantumG]

Yeah, see, this is why I really should get around to posting to whatever passes as a risks mailing list these days.

There's about a dozen ways to intercept su or sudo. They range in sophistication from adding an alias to the user's .bash_profile (or whatever shell they are using), to duplicating the effect of gksudo, to using the ptrace api to intercept exec syscalls and replace the command to execute. Some of this stuff is old school and doesn't need repeating.. I'm not aware of anyone who has published a

Hardware Loggers

[bill_mcgonigle]

I'm sure equivalents exist for Linux, too.

They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.

Many are so discrete even an IT tech might not notice them.

I've heard there are even some for Windows that can be programmed to inject keypresses.

Hopefully I'm OK typing on my laptop's integrated keyboard here. ..>./ No you're not, ha, ha ./..,;,

Re:

[Dragonslicer]

They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.

Just use a wireless keyboard and you're completely immune to physical keyloggers.

Re:

[bill_mcgonigle]

Just use a wireless keyboard and you're completely immune to physical keyloggers.

I actually know nothing about Bluetooth line crypto, but assuming it's any good, having a paired device might not be a bad idea.

Who modded you Troll?

Yes, but

[WindBourne]

Nobody is immune from either Flu or Ebola. And yet, I know which one I am going to be concerned about.

The simple fact is, that Windows IS easier to hit. And until the security tightens up, it will remain that way. *nix has decent security in it (due to a good initial design and years of work to get it right).

Re:

[drsmithy]

The simple fact is, that Windows IS easier to hit. And until the security tightens up, it will remain that way.

How do you suggest they "tighten" it up ?

*nix has decent security in it (due to a good initial design and years of work to get it right).

Seems you don't know your history.

Re:

[WindBourne]

Actually, I know it very well. Unix had a good design from the git-go; Basically, an add-on compentent approach. Security was not really part of it, but it was fairly mallable to it. Unlike Windows which was originally a new version of VMS, it was still too tightly designed and built (and I have seen the windows 3.51 code while working at HP; a side team ported to PA-Risc). Unix's minimum and sparseness allowed for relatively easy changes to be bolted on, and later to be added into the kernel. I no longer

Re:

[spikedvodka]

Saying that GNU/Linux and Mac have the same problems Windoze does is a serious insult. I'm tired of hearing people tell me how much my OS needs an antivirus and spyware checker.

It's bullshit anyway. The pros can get through anything. Starting off with an OS that 99% of script kiddies can't own is a much better option than dragging down your computer's performance with snake oil. An OS like Debian, without Flash and other useless and insecure junk, is more appropriate for an office than Windoze with it's IE, Outlook and WMP burden. After that, AV can be done for mail servers and intrusion detection at the network level. Everything else is just so much busy work and waste of money.

While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD haven't you ever heard of "Defense in Depth"?

Yes, AV can be done for mail servers, and hell also on proxy servers. But how do you protect against the user in room 314 with a USB Memory key that he likes to use? you need AV on individual systems (I like ClamAV for *nix, but that's my personal choice)
Intrusion Detection at the network level, brilliant, and a useful tool, but not enough. How do you detect changes to impo

Non free is just screwed.

[twitter]

While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD haven't you ever heard of "Defense in Depth"?

Sure, and that's what's needed. The easiest way to start it to throw the Windoze out and end the monoculture. Defense in depth starts with a diverse OS install that makes the whole 0wnership game that much more difficult and less profitable.

Most of the Windoze problems are problems of obnoxious non free software that get in the way of real security. Complex licensin

Re:

[jb.hl.com]

apt-get update; apt-get upgrade

Done, no need to reboot.

And when your apt-get upgrades include a new kernel, what do you do then?

Bill Gates can spend ALL of his money making Slashdot carry his message, but no one will believe it

I'm not sure he really gives a fuck, to be honest. When you're a billionaire ex-CEO of one of the world's largest and most successful companies, whose time is increasingly devoted to running a charity foundation to distribute AIDS drugs and whatnot, I really doubt your top concern is

foamy mouth and sham charity.

[twitter]

I'm not sure he really gives a fuck, to be honest. When you're a billionaire ex-CEO of one of the world's largest and most successful companies, whose time is increasingly devoted to running a charity foundation to distribute AIDS drugs and whatnot, I really doubt your top concern is astroturfing Slashdot. ... It's depressing in and of itself that someone can be as mouth-foamy as you are about some fscking software.

M$ spends about a billion dollars a month on marketing. I spend a few minutes a day.

B

Re:

[jb.hl.com]

M$ spends about a billion dollars a month on marketing. I spend a few minutes a day.

Marketing, yes. Not astroturfing Slashdot.

Bill Gates' supposed charity is his bid to 0wn medicine and education... Everything he does comes with strings attached, such as pledging to use M$ software, respect their patents and other nonsense that has nothing to do with medicine or education ... For every dollar spent, the typically "leverages" nine in public spending... he's used foundation funds to purchase independent news

Re:

[dn15]

Saying that GNU/Linux and Mac have the same problems Windoze does is a serious insult. I'm tired of hearing people tell me how much my OS needs an antivirus and spyware checker.

That is far from what was intended in my (the grandparent) post. I think you read in between the lines and found something that wasn't supposed to be there. Despite what you may think, I was not implying that Linux and Mac systems "have the same problems" as Windows. That is an absurd statement. Perhaps I should have spelled it out

What did he say that was wrong?

[WindBourne]

He said that Linux does not suffer the same nor as many issues as MS. You attack him and say that he lives in parents basement, telling him to see the real world? So what is in the real world? ALL of the MS systems that I see are running AV and there are still daily attacks against MS. OTH, I have not seen ANY of the *nix boxes cracked. I have seen security compromised when somebody obtained a login/password from a cracked Windows system, but that is not the same. All in all, he is more in the real world t

Re:

[MicklePickle]

Yep, I agree with this. I am the senior sysadmin for 120+ UNIX servers. That's just two people managing 120+ servers. There's 8 people managing roughly the same number of Windows boxes. The Windows guys install spyware programs, anti-keyloggers, windows defender, anti-virus, yabbida, yabbida. We don't. Why bother? We do however run security scanners periodically, because we have users logging in to those boxes and we don't trust them.

Re:

[dn15]

The idea is if anyone else has access to your computer it's entirely possible and not that difficult to set up some kind of eavesdropping. If someone nefarious has physical access to your computer, all bets are off unless your OS is stored on a read-only device. And even then there certainly would be ways to do it via a pass-through device your keyboard could be plugged into.

Fscking dumb

[kosmosik]

> but it drives home the importance of keeping good anti-spyware and anti-virus software updated
> on both corporate systems as well as systems being used from home.

No. It drives the importance on controlling the flow of public money. If one person be it a president of California or what you call him, can make significant money transfers that are not audited and open that is something wrong with your system. Yes you fscking can make that bank *calls* you to approve any transfer above some ammount. Yes you can make that public transfers are open and visible.

So it is nothing to blame about the software since it is obvious that Windows in hands of non-technical people is insecure. The person making transfers should use different laptop perhaps? The one that IT department cares of not the one that he browses pron from?

It is just an example how retarded and uneucated people who have power to spend public money are.

Re:

[Original Replica]

I would rather it drives home the importance of controlling any flow of money. Say someone gets ahold of my online banking password. They should only have the ablitlity to transfer money from checking to savings or perhaps pay my cable bill. They should not be able to transfer it to an account that isn't one of my accounts with the same bank. They shouldn't be able to set themselves up as a payee able to recieve electronic payments from my account. They should be able to transfer funds to a different bank.

Re:

[kosmosik]

It is possible here where I live (Poland). But I guess such account conditions imply some additional costs.

Re:

[Timbotronic]

Agreed. Banks should, at a minimum, use virtual keyboards that you have to operate with a mouse as part of the login process. Yes, it's possible to get screen captures of where the mouse is clicking but it's quite a lot harder to do than keylogging. Smart card logins and RSA number generator cards are another option. Banks have been way too slow to adopt them.

Second, there's a whole range of things you can do to prevent dodgy payees being added to an account. I know of one bank here in Australia that sends

Re:

[narf]

That describes my bank (a credit union) pretty darn well!

Re:

[noidentity]

Better yet, logs of public money transfers could be made available for anyone to scrutinize, thus catching things like this. Oh, wait, that'd also catch things like this where the thief is also a public official, so I guess this isn't such a viable idea after all.

Re:

[icknay]

Actually making your general purpose computer secure is quite hard. What this shows is that we should have a little USB doohicky with a little display and a couple buttons that we use to sign/authenticate important transactions. For the final step of the transaction, you look at the display on the device and enter your pin on the device to confirm the transaction. The hardware for this is not that expensive, but the banking system has such organizational inertia, it's going to take them years to clue in to

Re:

[_Sharp'r_]

In the nonprofit school that I'm on the board of, our policy is that anything over a certain amount must be approved and signed by multiple officers, up to all four main officers for really large amounts.

What kind of idiot sets up a financial system for a city (that deals with a lot more money that we ever will) in which one user can on their own authority transfer over a quarter of a million dollars to a random bank account? Whoever the controller for the city is should probably be fired at this point.

Even

There is no way to protect yourself

[QuantumG]

it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home.

Uhh, no. If the keylogging software is some off the shelf crap, sure, that might work, but if it is something the attacker has written specifically for this attack, forget it. We don't live in a world where software is assured. You can't ever say "my keystrokes are on a secure path". Although, two factor security things like RSA's Secureid [rsa.com] can help.

Re:

[hondo77]

E*Trade offers the RSA number generator as an option for their accounts. I held off for a while but then I found myself needing to login to E*Trade while I was travelling. That convinced me I needed to get it. How many other financial institutions offer these?

Curses

[rossz]

I would have gotten away with it if it weren't for those pesky kids and their stupid dog!

Because laws sure do _prevent_ things...

[Darlantan]

The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

Yeah, because laws sure do stop those criminals from, you know, breaking the law.

When are politicians going to wise up and realize that laws don't stop criminals from doing anything, they just offer a means of punishing them _if_ they get caught after the fact? Completely different methods are required to prevent these kind of things -- like proper security procedures, in this case.

Re:

[punkrockguy318]

Of course! If you don't like something, just illegalize it. It sure as hell has worked for drugs and underage drinking...

Well, well...

[GFree]

If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.

God I'm going to hell for writing that, and I'm a Linux user.

Re:

[webweave]

Well, from what I've seen of Vista in action when most users are confronted with the message "Running this program will install a keyloger that will comprimise your security and turn your banking passwords over to organized chrime" will have them slapping that "Accept" button even before all the text has time to render to the screen.

The article does not say what the compromised system was running but I guess if it weren't windows then it whould be news.

Keyloggers would become useless for passwords theives i

Re:

[Acer500]

If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.

That damn Accept button will be the ultimate CYA for Microsoft.

Vista asks you so many times (if you do interesting stuff, at least), that you have to either disable the UAC or pressing "Accept" will become a reflex. Of course, I don't use Vista, I only install and troubleshoot it, so my view is skewed (you won't have to press Accept to use Word too often).

Keyboard technology

[gilesjuk]

Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.

Re:

[Nonesuch]

gilesjuk writes: Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.

Actually, the article says that the compromise happened on a laptop, which implies a software keylogger, not a device -- the software loggers tap into the keyboard events in the OS, so it doesn't matter how the keyboard is plugged in.

I recently noticed Thinkgeek [thinkgeek.com] is now offering the "Ke

Have the bank call to verify

[caller9]

Just to echo a previous poster, the solution here is human. Even if you can create the transfer batch identically to the method used by the victim. The bank should sit on their hands until they call an authorized person and verify the amount of the transaction. If your payroll suddenly doubles, you might want to check into it. From the detail-sparse article it sounded like an unscheduled transfer anyway. It looks like they have no human interaction between bank and city. Freakin Kalamazoo was a nice touch t

Of course we need more legislation - that'll work.

[Boricle]

From the article:

The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

* sigh *

Because people who would try and steal some $450,000 are going to be stopped by legislation making it even more illegal.

Maybe something like two factor authentication would be better? That way different numbers are needed every time. And better security on the laptop perhaps? Non administrator priviliges. Not allowing people to install software? All quite doable.

Sure, blame the criminals, but maybe the doors should be bolted too?

unsecured terminal?

[proadventurer]

"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

Yup, now that she has pleanty of time on her hands since she has been FIRED!

Re:

[Salo2112]

If the Treasurer is elected, he or she can't be fired - they can only be impeached. They are a law unto themselves, as bad as judges.

I've found keylogger cache files

[spywhere]

Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:

"Um, sir, do you bank at Bank of America?"
"Yeah, why?"
"Is your password 'Snoopy67'?"

Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.

Re:

[Anonymous Coward]

Key points in this post:

Before I 'retired'....

and

"Um, sir, do you bank at Bank of America?" ..

Re:

[frostband]

"Um, sir, do you bank at Bank of America?"
"Yeah, why?"
"Is your password 'Snoopy67'?"
"No. It's the same as my luggage: 1, 2, 3, 4, 5."

hmmm

[pak9rabid]

They get us in so many ways. There's got to be a way for us to get them."

Well, yall can start by getting your heads our of your asses and implementing a descent security program, including limiting employees' access to their workstations..

Except that...

[UnderCoverPenguin]

... it drives home the importance of keeping good anti-spyware ...

Congress wants to pass a law that would make spy-ware legal.

(IIRC, it is HR 950 - the "CAN SPY ACT". There was a /. post about it a few weeks back, but too hard to use PDA to search while riding on a bus.)

Who Uses Online Banking?

[h4ck7h3p14n37]

Does anyone here actually use online banking? If you do, aren't you worried about your account being compromised? What measures do you take to address the numerous security issues?

Personally, there's no way I'd sign up for online banking, there's just too much risk. I prefer to either visit my bank in person or (rarely) speak to someone at the bank over the phone. I understand that the phone is also risky, but I figure that there's much more risk for an attacker since there will be a record of from w

Re:

[proadventurer]

I online bank and in 3 years have never changed my password. I don't log in from internet cafes or anything. My bank says I am covered no matter what. Other than not changing my password I have good security. I use a Mac on an IP filter and wep network and ND magnet my old hard drives. As a general rule I don't give out my bank info to anyone from Nigeria, the only banking thing that I do that bothers me is I have a paypal account that connects to my bank account and that kinda gives me the creeps.

More legislation?

[Tracy Reed]

The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

This doesn't bode well. What they need are some secure computing practices. Legislation won't prevent this, especially when the person lives outside her jurisdiction which happens to be most of the world.

Thats it?

[denttford]

Just 450K? Meh, post it when they steal at least a couple hundred megabytes.

morons

[Thaelon]

Why the fuck do they think anti-malware software is the answer?

Three words: Hardware key [thinkgeek.com] logger [thinkgeek.com].

Fools and their money are soon parted.

lol

[pestilence669]

"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy."

Yeah... more "rules" against this kind of behavior will fix it. It's not illegal enough... that's the reason it happens. Criminals care about consequences. Dumb ass.

Will not be enough.

[gweihir]

With physical access, you can put a hardware keylogger into the cable. Or into the keyboard. Or into the computer. The keyboard is probably safest, since who opens a keyboard? I do it once a year to clean it, but that is it.

Then there is current research on doing audio-keylogging (by recognizing the individual key-sounds), and that seems to work reasonably well. There is Tempest monitoring for the keyboard. This one is a bit more effort, not because the signal is weak, but it is not too suitable for convent

Stupid

[bigtangringo]

How about keeping vital systems off the interwebs? Jesus H. Christ.

My god, the simplest things...

[SanityInAnarchy]

As Los Angeles County sheriff's deputies and Secret Service investigators try to track down the crooks, Carson has fielded calls from officials worried about the security of municipal coffers. "They want to know how they can prevent this," Avilla said.

I know it's not going to fix anything, but there are a few simple, simple steps:

1. Linux. If you can't make that work, get a Mac, but really, do give Linux some serious consideration. Especially if you can standardize on things in the normal repositories, you basically kill any equivalent of the most common and easiest Windows attack vectors.
2. Never let it out of your sight. If it's a desktop, it stays in a room that only you and trusted people have access to, like your office. When you're not there, lock the door. If it's a laptop, either keep it locked in a similar room, or carry it with you. If you MUST let it out of your sight, get one of those stupid-looking laptop locks and lock it to something solid. When you get back, check for tampering.
3. Don't let anyone have unlimited access to it. If someone MUST use your computer, every time they touch it, it should be under some limited account, not yours. When they're done, nuke the account. And again, be in the room, paying enough attention that you'll notice if they try to open the case or unplug anything.
4. Lock it down. Linux/Mac is part of the above, but even if you MUST use Windows, turn on the firewall, download some good, free antivirus and antispyware (and pay for some if you can't get it free, due to many of the "free" ones being free only for home use), and turn off AutoRun, even if you never plan to play music CDs. You could go farther, too -- on Mac/Windows, BitLocker/FileVault. On Linux, you could encrypt the entire disk except your boot partition, and you could put that on a removable flash thumbdrive. You could also use SELinux, which, on a distro that supports it, is complete overkill even for this -- every process has a set of rules defining what it can and cannot do.
5. Use a secure browser, which basically means anything except IE. If you're on Vista, maybe IE 7, but I still prefer open source. And even then, disable crap you don't need, run Flash on a per-page click-to-play basis, and pay very close attention to the URLs you visit when accessing your bank.
6. Use at least two-factor authentication. A thumbprint reader, a smartcard reader, or even a simple thumb-drive with a keyfile on it.
7. Don't be stupid with passwords. Don't give them out for chocolate (has happened before). It is not enough to name it after your dog and add a year, your Fido1993 will be cracked in two minutes with a dictionary cracker, if you even bothered to capitalize the F. Make it hard enough that you have to write it down, and then make sure where you write it is sufficiently protected -- for example, on something in your pocket, or have the browser remember on that encrypted hard drive. (The encrypted drive, of course, will always have the same password, and that should be a hard one that you bite the bullet and memorize anyway. Or a very-obfuscated one that you can remember, for example, 2b||!2b could read "To be or not to be" (to a programmer), but beware that being predictable (such as pulling it out of my Slashdot comment) can make hard obfuscation easy.)

This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.

And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:

The treasurer said she is now determined to try to write legi

Re:

[unick]

You forgot: 8. Do not re-use passwords. Of the gazzilion profiles I needed to create on the web there are not 2 with the same password. Use a "system" that will help remember the password, e.g.: fixed password + website acronym + another fixed password. I.e. 'foohmbar' as a password for hotmail, 'foogmbar' for gmail, etc. Or any other system that suits you.

Re:

[SanityInAnarchy]

I would say, be aware of where you're re-using passwords. The reason not to re-use a password is to prevent a compromise of one account on one site leading to a compromise of another account on another site -- and that compromise may come from inside.

For example, I really don't give a damn if MySpace can get into my free New York Times account, but that's basically what using the same password on both implies -- if someone 0wns MySpace, or MySpace itself becomes corrupt, they can get my password and use it

Social Engineering

[jasonwea]

... it drives home the importance of keeping good anti-spyware and anti-virus software updated ...

Anti-malware software can only do so much. The real solution is to educate users so they are not vulnerable to social engineering attacks such as "OMG SMILIES FOR YOUR EMAIL", "I need to verify your username and password" and various other ways users are conned into having their boxes rooted and/or their passwords exposed.

Of course locking down corporate workstations is a very good idea. No admin access and

Meh, happy endings suck..

[Plutonite]

These "disaster avoided" stories are numbingly boring. Wake me up when money actually gets transferred and there are dead dogs and crying executives in the streets. This is America, people, home of the kiss-kiss-bang-bang, for crying out loud. Please gauge your notion of "news" accordingly.

PS: Just curious: how would it be possible to transfer 450mil out of a bank and go undetected? How are these big things pulled off?

YAY WINDOWS!

[toby]

Mircosfot make great benefit to nation America!

California should just outlaw the root problem

[Fujisawa Sensei]

Since the state thinks that legislation can be used to solve all their problem there are just 2 things they need to outlaw: ignorance and stupidity. I sure it would be just as effective as creating new laws covering crimes that are already covered by other laws.

anti-?

[Sloppy]

it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home

That's funny. I see it as raising the importance of not installing/running spyware and viruses in the first place. The detection and removal of malware should be a distant afterthought, compared to that.

Re:6 digit theft?

[treeves]

Well, you've heard of a "five finger discount", right? Maybe this guy had a birth defect.

Ob: Princess Bride.

[weeboo0104]

"You have six fingers on your right hand. Someone is looking for you."

Re:

[Drooling Iguana]

He should really stay away from Spaniards with scars on their faces, then.