Arrested for Planting Spyware on College Compus

AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleamed."

Re:MIT

[jd142]

I can easily hack into a UNIX system without nothing more than a floppy disk and the power switch.

Prevent booting from a floppy, password protect the bios and lock the case. Makes it much harder.

You could still do it, but the odds are that someone would notice that you were literally hacking in to the computer so you could set the dip switch on the motherboard to blank out the bios password.

And it should be obvious to the techs who do maintenance that someone has sawed through their lock.

Re:This software... -- is worse than useless

[plsuh]

This is still not adequate -- and is (in some ways) worse than nothing. Having managed a lab of student computers back when I was a grad student, often times people will simply sit down at an otherwise unused computer and start typing in URL's. If the attacker installs the software (not requiring a reboot) on a machine and walks away, the next user and any other users who use it without a reboot will still be vulnerable. The keystrokes can be recorded by sending them to an SMTP relay or open FTP server.

This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.

There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.

In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.

By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.

--Paul

Re:MIT

[anon*127.0.0.1]

And of course it wouldn't be hard at all to drop a hardware key logger like this on a system, do something to hose up the software, then call tech support.

Odds are if it's a pure software problem the tech will never look at the back of the machine. Once he's fixed the problem and wandered off, you can retrieve the keystroke monitor and you probably have the admin account name and password.

Hardware based keylogger from ThinkGeek.com!

[Dexheimer]

Key Katcher at ThinkGeek.com. There is much talk about blocking keylogging software in the first place, but what about something like this?

This is a device that can be connected to a keyboard to record all keystrokes. It has a changeable password, keyword search, enable/disable option, and stores URLs. Records more than 65,000 keystrokes and does not require any software. Monitor unauthorized access to your computer or your network. Use it to troubleshoot or make fixes by tracing back through a users command sequence.
Key Katcher plugs in between your keyboard and your computer. A microcontroller interprets the data, and stores information in the non-volatile memory (which retains the information even when there is a loss of power.) This means that the Key Katcher device can be unplugged, and the information will not be lost. Key Katcher plugs in between your keyboard and your computer. A microcontroller interprets the data, and stores information in the non-volatile memory (which retains the information even when there is a loss of power.) This means that the Key Katcher device can be unplugged, and the information will not be lost.
To access the recorded data, you simply type your password in a text editor and the Key Katcher comes to life. A menu is displayed with options to erase data, view data, search data for keywords, change password, or disable the device.

Re:MIT

[Rolo+Tomasi]

Bad idea. Many (most?) BIOSes have a manufacturer default password, which overrides the user password. Most mainboard manufacturers also don't bother changing it (you can view & change it for AWARD BIOSes with a program called modbin, which you will have to obtain illegally). You can also overwrite some of the CMOS RAM (takes about five lines of assembly), so the checksum will become invalid and the BIOS will load the setup defaults on the next boot. No more password.

The BIOS password is useless. Furthermore, even if it weren't, if you install a hardware keylogger, you will get the password anyway. If you want to do it professionally, install the keylogger inside the keyboard's case.

In short, if you have physical access to a machine, the possibilities of compromise (even non-invasive) are endless. And that's not even taking into account fake logins, trojans, OS & app exploits, etc. pp.

Re:MIT

[Reziac]

Dunno how illegal modbin can be, when it's available for download from ZDNet (among 600+ other places that came up on the most cursory search).

Re:Cut and paste your passwords

[Coolfish]

most keystroke monitors also store everything you copy to the "clipboard" in Windows.

thank you, try again.

Re:MIT

[Chester+K]

When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.

Don't think you're safe on a multiuser system either.

A Windows-based multiuser system would be safe from this sort of attack. Windows servers can be set to require the user to hit the system key combination, Ctrl-Alt-Del, before entering their login information. Ctrl-Alt-Del is not trappable in any fashion by any userspace program and can be set to always transfer control to the system. If you're on a Windows server and you hit Ctrl-Alt-Del, you can be absolutely sure that the window that pops up next is a legit system dialog.