Slashdot Mirror


Arrested for Planting Spyware on College Campus

AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleaned."

26 of 352 comments

  1. MIT by cristofer8 · · Score: 5, Interesting

    Which is exactly why you shouldn't use single-user Windows systems. MIT has Athena, a huge Unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.

    1. Re:MIT by Gudlyf · · Score: 2, Interesting

      Or even easier, this.

      --
      Trolls lurk everywhere. Mod them down.
    2. Re:MIT by RainbowSix · · Score: 4, Interesting

      Don't feel so secure. Here at CMU a long time ago someone stole passwords like this:

      When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.

      Don't think you're safe on a multiuser system either.

      --
      --------
      It's OK to be social, just don't tell anyone about it.
    3. Re:MIT by coolmacdude · · Score: 2, Interesting

      No you cannot use a packet sniffer. I'm sure MIT has made this impossible. Here at Georgia Tech OIT encrypts all packets by destination MAC address so only the intended recipient can view them.

      --

      -You may license this sig for only $6.99.
    4. Re:MIT by Bastian · · Score: 2, Interesting

      Add built-in keyboards to the mix.

      Although these mainly exist for PS/2 keyboards, there are hardware keystroke loggers that plug in between the keyboard and the USB port and are designed to look inconspicuous.

    5. Re:MIT by stuuf · · Score: 2, Interesting

      The real thing to remember is to never, ever, ever use a public system. That is the most sure way to give up all privacy. Even if there isn't a 3rd party breaking into and modifying the public machines, the true administrator of the machine might have all sorts of logging software.

      My school library used to have about 20 workstations running Windows 2000 hooked up to a Citrix MetaFrame server (this year they just turned them into regular W2000 workstations you log on to, but with many security constraints). It didn't take long to figure out that the Citrix client doesn't capture the Windows key, allowing you to get the Start menu of the local computer. One day, a friend and I were hacking around these things and got into the config dialog for the Citrix client. There was a page with a bunch of logging options including log keystrokes, log bitmaps, log mouse actions. The school had never turned them on, and they probably wouldn't notice if we started logging keys and stealing Hotmail passwords.

      One time, I wrote a little C++ Builder program that could send and receive mouse instructions through a network connection. I installed it on several of the machines, then I could just start it up, connect to the machine next to me, click the send button, and then watch the kid freak out as his mouse started following mine. Or I could 'monitor' their mouse actions.

      They got rid of Citrix before I was able to finish writing and deploying a network screen capture sending app.

      --

      Everyone is born right-handed; only the greatest overcome it

    6. Re:MIT by borgasm · · Score: 2, Interesting

      At my school, our computers were locked down with something called WinGuard (this was a while ago). One of my friends created a fake program that mimicked WinGuard - the login prompt, and all the functions, because the EXEs were hidden from the regular user, but there were ways to access them. It was a spot-on match to the WinGuard GUI. Administrator types in password, program grabs it, we check the log file.

      This worked nicely because our admins used the same password for everything. In no time we had access to servers, other workstations, etc.

      Did I mention how we also disassembled the binary to find a backdoor password left by the original programmer?

    7. Re:MIT by p0et · · Score: 2, Interesting

      Even with terminals, you could hack them! :)

      At my university, there were a few rooms with good old VTs, which allowed one to change the key combination for switching the session. To log in we used to do something like: rl -l login server, and then it prompted us to enter the password.

      It was just a question of changing the switch session to Ctrl-J (that is, enter...), and voila! after the user entered the password, it was sent back to the login, with a background session running.

      Of course many of the people started to know the trick, but it still caught many people unaware.

  2. Happened Here Too by Anonymous Coward · · Score: 3, Interesting

    Happened at WPI a few years back. After taking an assembly class that showed him how to catch keyboard interrupts, he loaded a new interrupt handler that logged the keystroke and then called the real handler so that everything looked normal. He was caught, but I'm not sure what happened to him.

  3. Nothing new... by shaklee · · Score: 4, Interesting

    There is a kid doing this at almost every school; most of the time it goes undetected. Three people at my high school did the same thing and were suspended. No one knew what kind of information they obtained, but it was going on for over a week.

    1. Re:Nothing new... by cervo · · Score: 3, Interesting

      Back in high school for me they used Novell so it was super easy. We forged a fake login screen and then called the real one, so after capturing a user name and password it would log it to a file on the C drive. Totally undetectable that it was any of us. We got a supervisor password and made life a living hell for our net admin. We gave random users supervisor rights and used their accounts based on other passwords we stole to have fun. Sometimes we would give group EVERYONE supervisor rights. People have been doing this kind of thing a long time. Our downfall was the net admin figured out one of the supervisor accounts of a guy who was fired was logging in, then set up a trap and boom, caught us.

      This guy was clearly more enterprising in that he stole some money, but the question is why didn't he steal more money? And what is with this installing ready-made programs? Now it is too easy. In the past you had to make TSRs, forge login screens, alter commands and so forth; it was actually not hard, but not every idiot could do it. Now you just go to a website and download a packet sniffer or keystroke recorder. It is too easy to do. And because it is too easy to do you'd think net admins would be more aware and capable.

      But then again all these compromised systems are non-UNIX-like. It is hard to compromise a UNIX system without root access. And Joe Public can't necessarily get his hands on root access or exploit a bug to steal it, so at least UNIX is somewhat secure.

      Also from the tone of the article it sounds like the college thinks that maybe the prosecutor went too far. The college seems to be more forgiving. For example, "Smith said, noting that Boudreau could have used it with far more devastating consequences." So the security consultant is pointing out he could have done worse. And so is the spokesman for the college: "'While we are grateful to the attorney general's office for their assistance in this case, it's important to state that Mr. Boudreau gathered personal identification numbers on students but never misused them in any way,' said Jack Dunn, a spokesman for the college." At least the schools aren't blowing the case out of proportion like the prosecutor is. Although he did steal $2000 so he shouldn't walk. It's one thing just to log in and play pranks, but it is quite another to steal money or do other things.

  4. This software... by Chicane-UK · · Score: 5, Interesting

    This kind of software causes a real headache for system admins... I speak from personal experience. Our team of about 12 technicians looks after approximately 1500 workstations, and about 2/3 of those are used by a theoretical maximum of about 6000 students on a weekly basis.

    Trying to keep tabs on this kind of thing can be nigh on impossible.

    We have found some software that does work pretty well though - a company called Fortres Grand sells a package for Win9x/Me/2k/XP called Clean Slate that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.

    We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.

    No, I don't work for Fortres Grand but thought it seemed appropriate to the subject! :)

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  5. This reminds me of a PM I had one time by RodeoBoy · · Score: 3, Interesting

    He was part of an Internet banking project for a large European bank. This bank was one of the first to offer services over the Internet. He always used cash and did all of his banking with a real live teller. He didn't have any credit or banking cards. I think that says a lot.

    I have been doing Internet-based development exclusively for four-plus years. I still do not use Internet banking. People are so willing to jump to use any service that makes things easy without thinking about any potential consequences.

    I think I have to find a new job, because I think people are too stupid to use computers. Sad but true.

  6. Re:Actually... by Glonoinha · · Score: 5, Interesting

    Actually I was with the guy right up until he turned to the dark side and used the information to steal. I think the penalty for 'liberation of information' or white hat hacking should be pretty thin, but the minute someone steps over the line and does something bad with that information we lop off a hand (like they do in "Muslim countries" for stealing). I figure that losing a hand is a pretty good way to keep someone from becoming a repeat offender (pretty difficult to work a computer if you lose both hands) and THAT will serve as a pretty strong warning to others.

    Two thousand dollars will buy you a lot of McBurgers, but won't buy you another hand (even in Chiba City.)

    --
    Glonoinha the MebiByte Slayer
  7. Cut and paste your passwords by yog · · Score: 4, Interesting

    Never type a password on a public computer. Instead, cut and paste the characters from the screen using the mouse only. Of course, the problem is you have to have every letter and character displayed somewhere. You could browse to a site like this and paste character by character. It's slow but better than having your identity stolen.

    --
    it's = "it is"; its = possessive. E.g., it's flapping its wings.
  8. Re:They may be shared machines by tekunokurato · · Score: 5, Interesting

    You know, there's something to be said for allowing users some degree of freedom. It's quite easy to cut off all kinds of access, but networks that have users with a wide variety of needs and interests and who can generally trust their users shouldn't do so.

    At my school, we've got some computers in very public areas that are all full of restrictions, and people run into usability problems with them all the time. But on the computers in the library, users can install whatever they need. If I need to install a drawing program to help create a presentation, I should have the freedom to do so. If I want to install AIM to get files off my computer remotely or send myself information, I should be able to do this. These are important user rights in a computing age.

    As such, it is important to monitor what is being placed on computers, but it is foolish to restrict everything outright.

  9. The truly scary thing ... by dougmc · · Score: 2, Interesting

    The truly scary thing about all of this is this:

    You only need to install your sniffers on a few boxes to get plenty of good credit card numbers and passwords and such. And if it's installed on only a few boxes, it would (unless they were specifically looking for this) be very hard to detect if done correctly.

    And then if you're careful about the credit cards that you use (i.e. use only one or two, or only those that have bought stuff from a given site, etc.) they won't even suspect that people are sniffing at this one site. (If you use every credit card you find, the credit card companies will figure it out pretty quick by finding out what's in common with all the cards in question.)

    In short, for every guy who's caught, there's probably dozens of guys who aren't caught.

    Be afraid. Or, more importantly, be careful.

  10. suspended? by myrashka · · Score: 2, Interesting

    Boudreau, who faces up to 20 years in prison if convicted on all charges, was not immediately available for comment. Boston College said it suspended Boudreau, 21, last year once it learned of his scheme. Suspended? Do they think he'll continue his education in 20 years? How is it he's been suspended for a year and only now they're just indicting him....gotta love the speed of justice. I s'pose they can't expel him until he's convicted (innocent till proven guilty and all)... So, do you think he had all the keystroke logs sent to his main email acct?

  11. High School by Anonymous Coward · · Score: 1, Interesting

    Man... that brings back memories. In my junior (or maybe sophomore) year of high school, I discovered the wonders of key-stroke loggers. See, the teacher had a shared folder on one of the computers in the lab, and it was required that students access it. But, she changed the password every single week, and usually she was busy doing something, and wouldn't give you the password.

    So I led the students to install keystroke loggers on all of the computers, and it was quite fun for a while.

    I never got caught for that... but I did get caught for something much lesser the next year when Novell was installed on all of the machines.

    See, Novell has a nice feature called Novell Messaging. By default, there was no way to reach it... but if you create a shortcut to a Novell NetBIOS share (like //server_name/ ), you can right-click on it and tada: Novell Messaging. It will list every user who is currently online. And allow messages to pop up on their screens.

    When I discovered this (on my own... the class was getting boring), I told everyone. But the Network Administrator for our school district wasn't that apt: she had files in the server directory that student accounts could delete (I just checked the permissions, I didn't actually delete anything). Anyway, I got banned from the computers for a couple weeks, blah blah blah.

  12. Re:Uh...wrong by Minna+Kirai · · Score: 3, Interesting

    I guess it depends if su is installed

    Even if it's not, you can still collect passwords, just more slowly. If it can't su, the trickster software can just display an "authentication failed" message and quit to the real login screen. The victim just assumes she mistyped on the first try, and the attacker has a single new password to play with.

    Tricks like this are why Microsoft added the "Press Control+Alt+Delete to Log In" feature. (At the DoD's behest.)

    Supposedly, it would be impossible for any user-level program to trap that keystroke, so you always can be sure you're seeing the real OS login screen. (Of course, given how easy it is to compromise the OS itself, this protection means little).

  13. Old tech keylogging by AndroidCat · · Score: 3, Interesting

    Back in the old days on the high school Teletype, we had a few successes capturing passwords by leaning on the paper tape punch "on" button. One time, someone spotted the moving tape after he'd logged in, stopped the tape, ripped it off, crumpled it and tossed the tape in the garbage. After he left the room, everyone dived for the garbage can. (A number of us could read paper tape manually.)

    *ahem* but of course I haven't done that sort of thing in decades... ;^)

    --
    One line blog. I hear that they're called Twitters now.
  14. Re:Glad I use Knoppix by SuperFrink · · Score: 2, Interesting

    Sure that will clear out software running on the operating system, but what if the logger is in hardware? Search for "hardware keystroke logger" on Google.

    There are devices that you just plug in between the keyboard and the computer that will log every key you press. I know PS/2 loggers exist. I'm not sure about USB though.

    You can even get keyboards with the logging device built inside the case where people are much less likely to see it.

  15. ATMs too by kwenda · · Score: 5, Interesting

    I saw something, I want to say on Discovery - a documentary on counterfeiting. Anyway, there was a group of people who wheeled an ATM into a mall and set it up to look like a legitimate bank machine. They left it there for a period of time, but it never dispensed any cash. Instead, it would read the magstripe on the card that was inserted, and then record the PIN number that the user entered. It then printed out a message that it was unable to contact the bank, or the customer was out of cash, or whatever. After that, the crooks came back and wheeled their ATM back out the door - along with hundreds of valid ATM card and PIN numbers.

  16. Clean Slate & Deep Freeze by FsG · · Score: 2, Interesting

    Several people in this discussion have asked about Clean Slate and Deep Freeze, and whether they could've prevented this attack by securely blocking drive write access.

    Having installed these programs on some of my school's machines, I can explain. The program itself is a low-level driver that basically sits between the OS and the hard drive. Whenever the OS wants to write to the HD, the driver does the writing and also makes a note of what was changed in a hidden location on the drive. When the machine boots, these notes are re-read, and the changes undone. This means that you can go to C:\, Select All, Delete, Empty Trash and it'll really be done (well, most of it; you can't delete certain things) - but the driver will remember those changes, and undelete everything when you reboot.

    Can it be defeated? You bet. A classmate of mine demonstrated defeating Deep Freeze by booting from a Linux floppy and simply renaming the driver files, preventing the program from loading itself. He then proceeded to install StarCraft (back in Windows), then repeated the Linux-boot procedure and restored the drivers, effectively preventing anyone who didn't know the Deep Freeze disable password (or the Linux solution) from deleting the game.

    Neat, eh?

    --
    I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
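The write-journalling behaviour FsG describes, and the reset-on-reboot Clean Slate product Chicane-UK recommends in comment 4, as an added Python model. This is not code from either product or from the posters; the class and function names and the sample file contents are constructed for illustration. It also shows the check a lab admin would want next to such a filter: a hash manifest kept off the machine and compared against the live disk, because the filter cannot tell that it was skipped for a session, which is exactly the gap FsG's classmate used.

```python
# Toy model of a "reboot-to-restore" disk filter (Clean Slate / Deep Freeze style).
# Added example; not code from either product. Names and sample data are constructed.
import hashlib
from typing import Dict, Optional


class RollbackDisk:
    """A filter over a flat path -> bytes "disk".

    While the filter is loaded, every write or delete is journalled with the
    original content (FsG's "note of what was changed in a hidden location");
    on reboot the journal is replayed so the live view returns to the baseline.
    If the filter is not loaded for a session, writes land directly on the
    disk and survive the next reboot.
    """

    def __init__(self, baseline: Dict[str, bytes]) -> None:
        self.live: Dict[str, bytes] = dict(baseline)      # what the OS sees now
        self.journal: Dict[str, Optional[bytes]] = {}     # path -> pre-change content (None = absent)
        self.filter_loaded = True

    def _note(self, path: str) -> None:
        # First touch of a path in this session: remember its pre-change state.
        if self.filter_loaded and path not in self.journal:
            self.journal[path] = self.live.get(path)

    def write(self, path: str, data: bytes) -> None:
        self._note(path)
        self.live[path] = data

    def delete(self, path: str) -> None:
        if path in self.live:
            self._note(path)
            del self.live[path]

    def read(self, path: str) -> Optional[bytes]:
        return self.live.get(path)

    def reboot(self, filter_loads: bool = True) -> None:
        """Undo this session's journal, then start a new session with or without the filter."""
        for path, original in self.journal.items():
            if original is None:
                self.live.pop(path, None)
            else:
                self.live[path] = original
        self.journal.clear()
        self.filter_loaded = filter_loads


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file of a known-good image; the admin keeps this off the workstation."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def drift(disk: RollbackDisk, known_good: Dict[str, str]) -> Dict[str, str]:
    """Compare the live disk with the off-box manifest: the check the filter itself cannot do."""
    report: Dict[str, str] = {}
    for path, digest in known_good.items():
        data = disk.read(path)
        if data is None:
            report[path] = "missing"
        elif hashlib.sha256(data).hexdigest() != digest:
            report[path] = "modified"
    for path in disk.live:
        if path not in known_good:
            report[path] = "added"
    return report


# Constructed sample image for a lab workstation.
BASELINE = {
    "C:/Windows/explorer.exe": b"explorer-v1",
    "C:/Windows/System32/drivers/restore.sys": b"filter-driver",
}
KNOWN_GOOD = manifest(BASELINE)


def session_with_filter() -> Dict[str, str]:
    """A user drops an unwanted program, patches a system file and deletes the driver; reboot undoes all of it."""
    disk = RollbackDisk(BASELINE)
    disk.write("C:/Windows/logger.exe", b"unwanted")        # constructed stand-in for any add-on
    disk.write("C:/Windows/explorer.exe", b"explorer-patched")
    disk.delete("C:/Windows/System32/drivers/restore.sys")  # "Select All, Delete" in FsG's terms
    disk.reboot()
    return drift(disk, KNOWN_GOOD)                           # -> {} : baseline fully restored


def session_without_filter() -> Dict[str, str]:
    """The driver does not load for one session (FsG's rename trick), so that session's changes persist."""
    disk = RollbackDisk(BASELINE)
    disk.reboot(filter_loads=False)                          # next session runs with no filter
    disk.write("C:/Games/starcraft.exe", b"game")            # constructed
    disk.reboot(filter_loads=True)                           # filter back; journal is empty, nothing to undo
    return drift(disk, KNOWN_GOOD)                           # -> {'C:/Games/starcraft.exe': 'added'}


if __name__ == "__main__":
    print("with filter:", session_with_filter())
    print("filter skipped for one session:", session_without_filter())
```

The point of the `drift` check is that the filter's own bookkeeping lives on the disk it protects, so anything that keeps the driver from loading also silences it; a manifest computed at image time and stored elsewhere is what lets an admin notice that a machine no longer matches the image it was supposed to reset to.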
  17. Re:Hardware based keylogger from ThinkGeek.com! by andfarm · · Score: 4, Interesting

    Note to self: whenever logging into an untrusted machine, check along the keyboard cable to the computer. If you see anything strange, unplug it and crush it under the leg of a handy chair. Crunch. Oops, was that your keylogger?

    Seriously, devices like these should be illegal. There's really no legitimate purpose for them -- no more than for those X10 spycams. (No, "maintenance and troubleshooting" isn't a real purpose -- most users don't enter a "command sequence" anyway, so that's a moot point.)

    --

    TANSTAAFI: There Ain't No Such Thing As A Free iPod.

  18. As a current BC student by Trefoil3 · · Score: 2, Interesting

    let me clue you in to just a few things. a - a majority of the kids here do come from VERY wealthy families. Of course there are your fair share of typical college students, but there are more than enough people that probably wouldn't notice a few bucks missing. That being said, he was probably only taking a small amount from everyone. b - the "money" he stole [from my understanding] was what they call "eagle bucks", meaning it was good within the university, and could be used at the bookstore, dining hall, etc etc. There's no real way to withdraw this money, so I'm guessing that there's really only so much stuff you can buy on campus, and $2000 will cover that. c - the real issue in this whole thing is the BC policy with PIN numbers. They assign you one at the start of freshman year [or when you're hired] and it never changes. When this whole issue surfaced IT had to scramble for a way to let everyone change their PINs. Now we're getting an entirely "new system", with new IDs and supposedly a bunch of other "security features" that don't sound all that innovative or secure. d - I can't believe that a CS major from BC made Slashdot. Although I didn't really know him, I think he was in a few of my CS classes.