Security

PC Invader Costs a Kentucky County $415,000

plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky. "The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."
  • Re:Windows TCO (Score:2, Informative)

    by gd2shoe ( 747932 ) on Tuesday July 07, 2009 @09:02PM (#28616443) Journal

    That is a complicated trick for a variety of reasons, not the least of which is the fact that the file system doesn't care if a file is data or executable code no matter where it is located in the file system.

    Please elaborate. You sound more intelligent than this, so I assume I misunderstand you.

    Most filesystems do keep tabs on which files are executable, and which ones are not. Of course, Windows defaults to executable, and the rest of the world defaults to not-executable. On the other end, processors now recognize the no-execute bit on memory. This makes it possible (easier?) to avoid accidentally running data in an executing program (ex: some buffer overflows). Of course, for these things to work properly, the OS bears a lot of responsibility.

    What is needed, whether running Windows, Linux or MacOSX on the desktop, is a means to EFFECTIVELY prevent the installation of unauthorized software and data.

    On Linux, the Distros needs to keep their repositories clean (they usually do) and users should generally avoid installing software that isn't in the repository. It's generally a very safe practice, and usually practical.

  • by plover ( 150551 ) * on Wednesday July 08, 2009 @12:25AM (#28617811) Homepage Journal

    Things have changed, at least for ordinary commercial accounts. Money transfers are done via web browser. And nobody except a couple of imaginative slashdotters said anything about USB drives -- TFA says only that it was a "zbot Trojan" but doesn't identify the infection path.

    The auditors and security people obviously approved the "two people requirement" but failed to identify the weaknesses in the implementation. Yes, that's certainly a failing, but unless you have a CISSP on staff you probably don't even know that you need one. An auditor who learned his trade 25 years ago (and hasn't kept up his education) might not recognize what needs to be secured in this environment.

  • Re:Windows TCO (Score:2, Informative)

    by Anonymous Coward on Wednesday July 08, 2009 @02:19AM (#28618399)

    Also from the point of view of exposed services and access required for various functions.
    OS X shares nothing by default, and allows the firewall to lock out anyone not on the local subnet.

    RPC requires a whole shotgun full of holes in a firewall to allow AD login across secure zones; LDAP directories are really simple in comparison.

    For Linux, I only install the software for services I want, and it allows much better control of who can do what as root using sudo (and the same with OS X too).
    SSH provides a secure remote connection between my boxes. Can be done with Windows too, it just seems to take more effort to locate the software and configure it.
    Want to backup/image a disk? OS X and Linux have dd to duplicate a disk, or rsync to keep folders replicated on network drives. For Windows, this all has to be added on.

  • by viralMeme ( 1461143 ) on Wednesday July 08, 2009 @09:24AM (#28620855)
    "Find out if the bank manager smokes .. Get a few of those USB thumb drives from trade shows"

    - The attackers somehow got the Zeus Trojan [washingtonpost.com] on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.

    - The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.

    - Once logged in, the criminals changed the judge's password, as well as the e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled.

    - They then created several fictitious employees of the county (these were the 25 real-life, co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.

    - The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled.

    - The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.
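Seen from the bank's side, the sequence viralMeme lists above is a detectable pattern: the one-time passphrase for an unrecognised device was delivered to an e-mail address that had been changed from inside the same account only hours earlier, and the batch that was approved paid "employees" created just before. The Python below is an added example written for this page (not code from the Washington Post article, the bank, or any poster). The pipe-delimited log format, the field names, the `treasurer`/`judge` account labels, the 72-hour windows and the sample event stream are all constructed assumptions; `detect_takeover` runs the two checks over that stream, and `otp_delivery_address` shows the hold-period rule that would have stopped step 5, by keeping the challenge going to the previous address until a change has aged.

```python
"""Detection logic for the account-takeover sequence described above (added example,
not code from the article, the bank, or any poster). The log format, field names,
account labels and time windows are hypothetical; the event stream is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events: one line per action, "timestamp|account|kind|k=v;k=v".
SAMPLE_LOG = """\
2009-06-15T10:00:00|treasurer|payee_created|payee=P0900
2009-06-22T08:55:00|treasurer|login|device=known;src=10.1.1.5
2009-06-22T09:10:00|judge|contact_change|field=otp_email;old=judge@county.example;new=drop@attacker.example
2009-06-22T09:12:00|treasurer|payee_created|payee=P1001
2009-06-22T09:13:00|treasurer|payee_created|payee=P1002
2009-06-22T09:20:00|treasurer|batch_created|batch=B77;payees=P0900,P1001,P1002
2009-06-23T02:40:00|judge|login|device=unknown;src=203.0.113.9
2009-06-23T02:40:05|judge|otp_sent|to=drop@attacker.example
2009-06-23T02:45:00|judge|batch_approved|batch=B77;payees=P0900,P1001,P1002
"""

CONTACT_CHANGE_WINDOW = timedelta(hours=72)  # how long a changed OTP address stays suspicious
NEW_PAYEE_WINDOW = timedelta(hours=72)       # how long a new payee counts as "fresh"
OTP_ADDRESS_HOLD = timedelta(hours=72)       # hardened rule: hold before a new address is used


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    attrs: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, raw = line.split("|", 3)
        attrs = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
        events.append(Event(datetime.fromisoformat(ts), account, kind, attrs))
    return events


def detect_takeover(events: List[Event]) -> List[str]:
    """Flag the two tell-tale combinations from the story:
    (a) a one-time passphrase for an unrecognised device is sent to an address
        that was changed from within the account shortly before, and
    (b) a batch is approved that pays payees created only hours earlier.
    Check (b) deliberately crosses accounts: the payees are created under one
    user and approved by another, which is how the dual-control step was bypassed."""
    alerts: List[str] = []
    otp_change: Dict[str, Event] = {}        # account -> last otp_email change
    last_login: Dict[str, Event] = {}        # account -> last login event
    payee_created: Dict[str, datetime] = {}  # payee id -> creation time (any account)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "contact_change" and ev.attrs.get("field") == "otp_email":
            otp_change[ev.account] = ev
        elif ev.kind == "login":
            last_login[ev.account] = ev
        elif ev.kind == "payee_created":
            payee_created[ev.attrs["payee"]] = ev.ts
        elif ev.kind == "otp_sent":
            chg = otp_change.get(ev.account)
            login = last_login.get(ev.account)
            if (chg is not None and ev.ts - chg.ts <= CONTACT_CHANGE_WINDOW
                    and ev.attrs.get("to") == chg.attrs.get("new")
                    and login is not None and login.attrs.get("device") == "unknown"):
                alerts.append(f"{ev.account}: OTP for unrecognised device sent to "
                              f"{chg.attrs['new']}, an address changed {ev.ts - chg.ts} earlier")
        elif ev.kind == "batch_approved":
            fresh = [p for p in ev.attrs.get("payees", "").split(",")
                     if p in payee_created and ev.ts - payee_created[p] <= NEW_PAYEE_WINDOW]
            if fresh:
                hours = int(NEW_PAYEE_WINDOW.total_seconds() // 3600)
                alerts.append(f"{ev.account}: batch {ev.attrs.get('batch')} approved with "
                              f"{len(fresh)} payee(s) created in the last {hours}h: {','.join(fresh)}")
    return alerts


def otp_delivery_address(change: Optional[Event], current: str, now: datetime) -> str:
    """Hardened delivery rule (assumption: a hold period is acceptable to the bank).
    A freshly changed OTP address is not used until OTP_ADDRESS_HOLD has passed; the
    challenge keeps going to the previous address, so an attacker who changed it from
    a hijacked session cannot collect the passphrase with it."""
    if change is not None and now - change.ts < OTP_ADDRESS_HOLD:
        return change.attrs["old"]
    return current


if __name__ == "__main__":
    for alert in detect_takeover(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
```

Run as a script it prints two alerts for the constructed stream: the OTP delivered to the freshly changed address for an unrecognised device, and batch B77 approved with two payees created the previous morning (the older payee P0900 is not flagged). The hold rule is the cheaper control of the two: it needs no profiling at all, only a refusal to trust a contact-channel change made from the very session it is supposed to protect.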
  • Re:Windows TCO (Score:1, Informative)

    by Anonymous Coward on Wednesday July 08, 2009 @11:59AM (#28623469)

    As far as protecting users from themselves goes, Linux isn't any better at all.

    What about the protection they get from downloading 99% of their software from trusted signed repositories instead of some random website? Are you seriously claiming that's worth nothing?

    Most users will know the root password and you still need to know how to use the terminal to install anything not in APT.

    Your ignorance is showing here. Ubuntu has the root account disabled by default and users are encouraged to do all admin via sudo or gui equivalent. And you don't need to use the terminal to install non-repo applications (assuming that's what you mean by the nonsense term 'not in APT') if they are packaged as debs - you just double click to install.
