Slashdot Mirror


Arrested for Planting Spyware on College Compus

AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleaned."

14 of 352 comments

  1. Re:MIT by jd142 · · Score: 4, Informative

    I can easily hack into a UNIX system with nothing more than a floppy disk and the power switch.

    Prevent booting from a floppy, password protect the bios and lock the case. Makes it much harder.

    You could still do it, but the odds are that someone would notice that you were literally hacking in to the computer so you could set the dip switch on the motherboard to blank out the bios password.

    And it should be obvious to the techs who do maintenance that someone has sawed through their lock.

  2. Re:This software... -- is worse than useless by plsuh · · Score: 4, Informative

    This is still not adequate -- and is (in some ways) worse than nothing. Having managed a lab of student computers back when I was a grad student, oftentimes people will simply sit down at an otherwise unused computer and start typing in URLs. If the attacker installs the software (not requiring a reboot) on a machine and walks away, the next user and any other users who use it without a reboot will still be vulnerable. The keystrokes can be recorded by sending them to an SMTP relay or open FTP server.

    This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.

    There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.

    In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.

    By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.

    --Paul

  3. Re:MIT by anon*127.0.0.1 · · Score: 3, Informative

    And of course it wouldn't be hard at all to drop a hardware key logger like this on a system, do something to hose up the software, then call tech support.

    Odds are if it's a pure software problem the tech will never look at the back of the machine. Once he's fixed the problem and wandered off, you can retrieve the keystroke monitor and you probably have the admin account name and password.

    --
    I am NOT a man!
    I am a free number!
  4. Re:Cut and paste your passwords by Gudlyf · · Score: 2, Informative

    You can do this using FPM.

    --
    Trolls lurk everywhere. Mod them down.
  5. Exaggeration by KIondike · · Score: 2, Informative
    The claims of stealing $2000 and other crimes are exaggerated. The story reported at CNet:

    According to the attorney general's office, Boudreau began to install key-logging software around April 2002 and used intercepted information to add money to a stored-value card used in the campus dining and bookstore system. Boudreau is not, however, accused of misusing credit card numbers or profiting from selling any private information he allegedly gleaned.
    A person at Boston College with knowledge of the situation said the attorney general's office exaggerated Boudreau's accomplishments in its press release, in an attempt to tout this prosecution as a high-visibility test case. "I feel bad for this kid," the person said. "He's not the appropriate test case. He's feeling bad. He has all these issues. He's been depressed."


    Not that I feel bad for him for being depressed or anything, but he's being viewed as a real criminal who stole from hundreds where all he really did was mess around on a computer.
  6. Hardware based keylogger from ThinkGeek.com! by Dexheimer · · Score: 4, Informative
    Key Katcher at ThinkGeek.com. There is much talk about blocking keylogging software in the first place, but what about something like this?
    This is a device that can be connected to a keyboard to record all keystrokes. It has a changeable password, keyword search, enable/disable option, and stores URLs. Records more than 65,000 keystrokes and does not require any software. Monitor unauthorized access to your computer or your network. Use it to troubleshoot or make fixes by tracing back through a user's command sequence.
    Key Katcher plugs in between your keyboard and your computer. A microcontroller interprets the data, and stores information in the non-volatile memory (which retains the information even when there is a loss of power.) This means that the Key Katcher device can be unplugged, and the information will not be lost.
    To access the recorded data, you simply type your password in a text editor and the Key Katcher comes to life. A menu is displayed with options to erase data, view data, search data for keywords, change password, or disable the device.
    --
    /There are 10 types of people in this world; those who steal sigs and those don't
  7. Re:Food for thought: by jmauro · · Score: 2, Informative

    You can lock access to the bios without preventing the computer from booting. And one can have a different password for booting and for changing the bios options. I doubt you'd be able to insert the device and get someone then editing the bios password to change options in any case.

  8. Which one ? by LiteForce · · Score: 2, Informative
    ...and I thought the article was referring to the original Boston College!

    I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.

    Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.

    To clarify, Boston (in Massachusetts, United States) was named after Boston (in Lincolnshire, United Kingdom) - more information can be found here.

    --
    "Be vewy vewy quiet, I'm hunting wuntime ewwors!" - Elmer Fudd
  9. Re:MIT by Rolo+Tomasi · · Score: 4, Informative
    Bad idea. Many (most?) BIOSes have a manufacturer default password, which overrides the user password. Most mainboard manufacturers also don't bother changing it (you can view & change it for AWARD BIOSes with a program called modbin, which you will have to obtain illegally). You can also overwrite some of the CMOS RAM (takes about five lines of assembly), so the checksum will become invalid and the BIOS will load the setup defaults on the next boot. No more password.

    The BIOS password is useless. Furthermore, even if it weren't, if you install a hardware keylogger, you will get the password anyway. If you want to do it professionally, install the keylogger inside the keyboard's case.

    In short, if you have physical access to a machine, the possibilities of compromise (even non-invasive) are endless. And that's not even taking into account fake logins, trojans, OS & app exploits, etc. pp.

    --
    Did you know you can fertilize your lawn with used motor oil?
  10. Re:MIT by Reziac · · Score: 4, Informative

    Dunno how illegal modbin can be, when it's available for download from ZDNet (among 600+ other places that came up on the most cursory search).

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  11. Re:Cut and paste your passwords by Coolfish · · Score: 4, Informative

    most keystroke monitors also store everything you copy to the "clipboard" in Windows.

    thank you, try again.

  12. Re:MIT by Chester+K · · Score: 3, Informative

    When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.

    Don't think you're safe on a multiuser system either.


    A Windows-based multiuser system would be safe from this sort of attack. Windows servers can be set to require the user to hit the system key combination, Ctrl-Alt-Del, before entering their login information. Ctrl-Alt-Del is not trappable in any fashion by any userspace program and can be set to always transfer control to the system. If you're on a Windows server and you hit Ctrl-Alt-Del, you can be absolutely sure that the window that pops up next is a legit system dialog.

    --

    NO CARRIER
  13. Re:MIT by Atzanteol · · Score: 2, Informative
    Now, making all the network links switched will eliminate your ability to sniff packets (save for WiFi) and render the encryption issue moot.
    Are you sure? Arp-poisoning can get around switches easily. Check out ettercap
    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  14. Re:Food for thought: by kasperd · · Score: 2, Informative

    does any other manufacturer use the PS/2 keyboard cord?

    AFAIK it is possible to use PS/2 keyboards on some Amiga models. And our NCD boxes (X-terminals) also use PS/2 keyboard and mouse. One of ours happens to have a PS/2 keyboard from SGI, though I don't know if that one is identical to the keyboards connected to the SGI. I have noticed one functional difference on the keyboards connected to the SGI though they look exactly like a standard PC keyboard. The software can see when the Pause/Break key is released, normally a PS/2 keyboard sends the key release code for that key already when it is being pressed.

    --

    Do you care about the security of your wireless mouse?