PC Invader Costs a Kentucky County $415,000
plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky. "The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."
Windows TCO (Score:5, Insightful)
Don't forget to include this in your Windows TCO calculations.
Bank hold some responsibility (Score:5, Insightful)
Re:Windows TCO (Score:4, Insightful)
Yet we don't see much of that, do we? In spite of the massive *nix share of the server market, it's Windows systems that prove easiest to compromise.
Re:Bank hold some responsibility (Score:5, Insightful)
No, I am being fair.
Direct connection or not, that login shouldn't have been able to reset the other one. There are several reasons why two people needed to approve transfers from that account. Being able to unilaterally reset the Judge's credentials is a big fat security hole in its own right.
Sometimes an attack must rely on more than one vulnerability. This is one of those. Thus, I didn't say that the bank is 100% responsible, only that they hold some responsibility.
Re:Windows TCO (Score:3, Insightful)
keyloggers aren't used on servers as much...regardless of the OS.
Learn English (Score:1, Insightful)
Yes, I am a pedantic Grammar Nazi, and I anticipate a great modding down of this comment, but my need to say this is worse than any addict's craving for his next fix. There are few things I hate more than redundant words. "Co-conspirator" is about as redundant as it gets. A conspiracy is a group of people. People conspire to do something like this, and you call those people conspirators. What happens in a hundred years when we forget that "co-conspirator" was being used this way? Do we start saying "co-co-conspirator"?
Re:Windows TCO (Score:5, Insightful)
I love the thought behind the comment, but I think we are arriving at a kind of plateau where it is not so much the OS as the users being stupid and uneducated while management policy is too lax when it comes to computer use.
With text-based computer usage, that was rarely if ever a problem simply because the fun things to do were rather limited and certainly didn't involve a live connection to a public internet. But the more connected we became, the more fun things there were for people to do. Suddenly with Windows + Internet access, the door flew wide open with everything from BonziBuddy to Weatherbug to all sorts of other gadgets, games and gizmos. This escalation of extra-curricular activity has never been treated as a threat or as a problem by many and has continued unabated.
What is needed, whether running Windows, Linux or MacOSX on the desktop, is a means to EFFECTIVELY prevent the installation of unauthorized software and data. That is a complicated trick for a variety of reasons, not the least of which is the fact that the file system doesn't care if a file is data or executable code no matter where it is located in the file system. (This is a problem that should be fixed in ALL OSes.) There are effective tools to prevent a lot of such things, but all of them require what should have been done to begin with -- careful system software planning and implementation. There are limits to which the OS itself can be blamed and that's what I am really trying to get at.
On one hand, there is the threat of running as the superuser on any OS which is unquestionably a problem. On the other, there is running as the user. Running programs as a user, from a user's writeable data space is often enough to give malicious software operators what they are looking for anyway. Many of them seek personal information, so if they can get code running on a remote user's system that will give them access to that user's data, that's enough of a threat. Getting "superuser access" merely gives them a way to infiltrate the system at a much lower level and make removal much more difficult. So merely patching or preventing superuser access from being taken, assumed or otherwise utilized is only a part of the problem and one that is increasingly realized as irrelevant to malware authors.
In the end, the TCO of Windows, in this respect, is still lower if for no other reason than the likelihood that someone has a quick and easy way to reload the system clean is pretty high up there. There are fewer quick solutions to fixing or cleaning up a compromised system under Linux or MacOSX... with good reason -- they aren't your typical targets.
But I believe we are close to reaching a plateau at which there is only so much that can be done to secure an OS without proper planning and implementation taking the lead concern as it should have always been.
Re:HOW DID THE VIRUS/TROJAN get onto the PC? (Score:5, Insightful)
Find out if the bank manager smokes, or his/her secretary smokes. Note when they go for a smoke and where. Get a few of those USB thumb drives from trade shows and lace them with trojans and place them near the smokers' outside break area and wait for them to pick it up and place them back in their machines when they get back inside. Because usually they will, just to see what was on the drive.
Re:Learn English (Score:3, Insightful)
No, your grammar nazi-ing is not even correct. Co-conspirator and conspirator indicate different things, like specificity. If I am involved in a computer conspiracy, and another person is involved in a highway tax conspiracy, we are both conspirators. We are not, however, co-conspirators. We are not partners, we are not involved in the same conspiracy.
Also, it is possible for a conspirator to have a partner who is not part of the conspiracy. If a conspirator goes to someone and is able to get them to do a job with them, but withhold information regarding the conspiracy or its goals, then the conspirators new partner is not a co-conspirator.
The use of co-conspirator is used to denote the relation of one conspirator to another. It would actually be improper grammar to remove the "co", as it would imply ownership of one to the other. "His conspirator" and "his co-conspirator" have obviously different meanings. The use of co-conspirator removes ownership from the previous statement, and is therefore not redundant.
The first rule of the grammar nazi is only to make corrections when they are themselves correct. You, sir, and an epic fail.
P.S. Feel free to correct the poor grammar in that last sentence as if it were English, so I can call you wrong again. It's fun.
So impressed by basic tech (Score:3, Insightful)
I find it hilarious that basic TCP/IP networking stuff gets labeled as "interesting". Any idiot can initiate a connection to a host on the internet.
What's "interesting" is that the victim's machine was not firewalled to prevent this sort of thing from happening in the first place. Properly controlling outgoing traffic is of crucial importance, particularly when dealing with such sensitive information. A locked down network should be able to contain unknown connections from within, just as well as those from the great wide internet.
In my opinion, it's not the invader that cost Kentucky $415,000. The fault rests entirely on their network administrator(s).
Re:your tax money at work (Score:5, Insightful)
If you go with the normal route, and the normal route gets hacked, you won't be blamed.
If you setup a server on a system that your boss hasn't heard of, and you get hacked, you're fired.
The chances of the former are much greater in a lot of ways. But the risk to your job is basically zero. Whereas in the second way, you're fired because you decided to use that silly daemon thing instead of proper, professional, Enterprise-Ready (tm) Windows 7.
Re:Windows TCO (Score:5, Insightful)
I use Windows, OS X and Linux, and none of my PCs have ever been compromised, but the Windows one sure is harder to protect.
Re:Windows TCO (Score:1, Insightful)
Re:Windows TCO (Score:2, Insightful)
Linux is not the holy grail (Score:5, Insightful)
Re:Windows TCO (Score:5, Insightful)
Simplified a bit:
Linux - don't run as root, install updates regularly, think twice before entering the root password.
Windows - attempt to have the logged-in user not running as admin, install updates regularly, install, run, update and monitor virus scanner + firewall software, think twice before entering the admin password (if running as non-admin).
OSX - never had admin on OSX; from what I understand it's the same as Linux with respect to security.
The effort to run (pre-Vista) Windows as non-admin is substantially harder than non-admin Linux.
Installing updates is approximately the same effort.
Windows (currently) requires extra software installed to be secure.
Objectively Windows is harder to secure (harder on 2 out of 3). (This also assumes that this is the minimum effort required to secure each system to the same level - on any system you could spend much more effort due to a lack of knowledge, or wrong preconceived ideas concerning security.)
Re:Windows TCO (Score:3, Insightful)
In other words, is the user intelligence variable dependent upon the OS variable? If you change the OS, does the user IQ change with it?
Despite the GPP being an AC, I think you missed his point (which was valid).
Re:Linux is not the holy grail (Score:3, Insightful)
I'll admit it's been about 15 years since I was in Banking, but either these bank people were all morons or things have really changed.
Re:Windows TCO (Score:4, Insightful)
are you implying that dumb users suddenly become intelligent...?
No. It's that regular (not necessarily dumb, just... regular) non-priv users have less (not zero!) chance of having something unwanted installed (actively through stupid clicking, or passively through a worm) on Linux/BSD than they do on Windows or OSX. Especially if they don't have the root password.
IOW, Windows is a slippery pistol with a low trigger pull weight in a fragile holster. BSD & Linux "pistols" have no-slip grips, heavy trigger pull weights and sturdy leather holsters. You can shoot yourself in the foot with either, but Windows makes it a *lot* easier...
Re:Lets fix the story: (Score:2, Insightful)
You are so wrong, it's not even funny
Re:We're talking about Kentucky! (Score:3, Insightful)
Idiots live everywhere (and keep in mind the plural of 'anecdote' isn't 'data'.) It might be that Kentucky has less money than other states, but I wouldn't say they're correspondingly "dumber" than other states.
Also, isn't that the same state that moron senator X is from?
That pretty much describes all 50 states.
Re:Linux is not the holy grail (Score:3, Insightful)
Some fat law enforcement officer should lift from a chair, buy an air ticket for 500 bucks and go to Kiev.
You really think it's that easy to get a foreign national into your court system????
Especially if they are clever enough to hide their digital tracks.
There is Interpol office in Kiev.
There are also lots of easily-bribed cops in Kiev.
Ukraine is a member of UN.
It is easy to say "Kiev" and do nothing.
Like it's easy to invoke the holy name "UN", and believe that Ban Ki-moon will swoop down and smite the enemy.
Do you also believe in Santa Claus???
Re:Windows TCO (Score:2, Insightful)
When will online bank understand that... (Score:1, Insightful)
When will online banks understand that the only 100% foolproof method is to mandate the presence of a hardware device on the user's side and to make the bank account number of the recipient you want to transfer the money to part of a cryptographic challenge?
That is 100% foolproof. You ain't wiring money to an account whose number hasn't been entered on the hardware device (say some www.vasco.com device). Full stop.
Some lowlife hacks my Windows (I'm not using for my online bank's website works fine under Linux) and intercepts in realtime my opened connection to my bank's website? OK, it's bad, the lowlife can see how much I have on my account. But making a transfer? How's the low-life going to generate the token validating another low-life's bank account without the hardware device... Good luck with that low-life.
There are already several banks in Europe where it works like that... It only takes a few more low-lifes to succeed in stealing petty amounts like in TFA and banks shall start implementing this everywhere.
Then it's "GG low-lifes"
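The transaction-signing idea described in the comment above, as an added, constructed illustration (not code from any bank or token vendor, and not part of the original thread): the hardware device's response is a MAC over the bank's challenge plus the recipient account and amount the user keyed in, so a Trojan that rewrites the recipient inside a hijacked session cannot reuse the code it intercepted. The shared secret, account numbers, amount, and 8-digit code format are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed example of recipient-bound transaction signing (not any real bank's
# or device vendor's scheme). The token's response depends on the recipient account
# and amount, not just on the challenge, so tampering with either invalidates it.

def token_response(secret: bytes, challenge: bytes, recipient: str, amount_cents: int) -> str:
    """Simulates the offline hardware token: the user keys in the challenge shown by
    the bank plus the recipient account and amount, and reads back an 8-digit code
    (the 8-digit truncation is an assumed format chosen for this example)."""
    msg = b"|".join([challenge, recipient.encode(), str(amount_cents).encode()])
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class BankServer:
    """Bank side (hypothetical, minimal model): issues one-time challenges and checks
    the code against the transfer details it actually received."""

    def __init__(self, token_secret: bytes) -> None:
        self._secret = token_secret      # shared with the user's device when issued
        self._open_challenges = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self._open_challenges.add(challenge)
        return challenge

    def verify_transfer(self, challenge: bytes, recipient: str, amount_cents: int, code: str) -> bool:
        # Each challenge is good for exactly one attempt: unknown or replayed ones fail.
        if challenge not in self._open_challenges:
            return False
        self._open_challenges.discard(challenge)
        expected = token_response(self._secret, challenge, recipient, amount_cents)
        return hmac.compare_digest(expected, code)


def demo() -> tuple:
    """Returns (tampered_rejected, legitimate_accepted, replay_rejected)."""
    secret = b"constructed-example-token-secret"
    bank = BankServer(secret)
    user_recipient, attacker_recipient, amount = "ACCT-000111222", "ACCT-999888777", 950_000
    # Hijacked session: recipient swapped, but only the user's code is available.
    c1 = bank.new_challenge()
    user_code = token_response(secret, c1, user_recipient, amount)
    tampered_rejected = not bank.verify_transfer(c1, attacker_recipient, amount, user_code)
    # Honest transfer with a fresh challenge succeeds; replaying it afterwards does not.
    c2 = bank.new_challenge()
    code2 = token_response(secret, c2, user_recipient, amount)
    legitimate_accepted = bank.verify_transfer(c2, user_recipient, amount, code2)
    replay_rejected = not bank.verify_transfer(c2, user_recipient, amount, code2)
    return tampered_rejected, legitimate_accepted, replay_rejected
```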
Re:Windows TCO (Score:1, Insightful)
pwn2own says mac easier to pwn than windows (Score:3, Insightful)
> Every year I've read about it, the order from first to last compromised has been Windows, Mac, and Linux.
Which year? And which pwn2own contest are you talking about?
In 2006, there was no pwn to own cansecwest contest. ;).
In 2007, it was mac first, but only macs were prizes
In 2008, it was mac first again (out of OSX, Ubuntu and Vista) on day 2 (nobody managed to pwn anything under the day one rules), and vista only on day 3 (due to adobe flash exploit).
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture?info=EXLINK [tippingpoint.com]
Day 1 rules = remote exploit - no user interaction
Day 2 rules = default client apps
Day 3 rules = popular 3rd party apps.
In 2009, it was safari on OSX first again, on day 1, followed by IE8 on Win7, followed by safari on OSX again, followed by firefox on Win7 (however multiple platforms were actually vulnerable to nils' attack[1]). All in day 1.
http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits [tippingpoint.com]
http://blogs.zdnet.com/security/?p=2917 [zdnet.com]
http://blogs.zdnet.com/security/?p=2934 [zdnet.com]
[1] http://www.securityfocus.com/bid/34235 [securityfocus.com]
Rules:
Day 1: Default install, no additional plugins. User goes to link.
Day 2: Flash, Java, .NET, QuickTime. User goes to link.
Day 3: Popular apps such as Acrobat Reader. User goes to link.
And Charlie Miller one of the pwners says OSX is easier:
http://blogs.zdnet.com/security/?p=2941 [zdnet.com]
"It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."
"For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac."