Arrested for Planting Spyware on College Campus
AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleaned."
Which is exactly why you shouldn't use single-user Windows systems. MIT has Athena, a huge Unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.
Happened at WPI a few years back. After taking an assembly class that showed him how to catch keyboard interrupts, he loaded a new interrupt handler that logged the keystroke and then called the real handler so that everything looked normal. He was caught, but I'm not sure what happened to him.
There is a kid doing this at almost every school; most of the time it goes undetected. Three people at my high school did the same thing and were suspended. No one knew what kind of information they obtained, but it was going on for over a week.
This kind of software causes a real headache for system admins. I speak from personal experience. Our team of about 12 technicians look after approximately 1500 workstations, and about 2/3 of those are used by a theoretical maximum of about 6000 students on a weekly basis.
:)
Trying to keep tabs on this kind of thing can be nigh on impossible.
We have found some software that does work pretty well though - a company called Fortres Grand sell a package for Win9x/Me/2k/XP called Clean Slate that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.
We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.
No, I don't work for Fortres Grand but thought it seemed appropriate to the subject!
"Hey! Unless this is a nude love-in, get the hell off my property!!"
He was part of an Internet banking project for a large European bank. This bank was one of the first to offer services over the Internet. He always used cash and did all of his banking with a real live teller. He didn't have any credit or banking cards. I think that says a lot.
I have been doing Internet based development exclusively for four plus years. I still do not use Internet banking. People are so willing to jump to use any service that makes things easy without thinking about any potential consequences.
I think I have to find a new job, because I think people are too stupid to use computers. Sad but true.
Actually I was with the guy right up until he turned to the dark side and used the information to steal. I think the penalty for 'liberation of information' or white hat hacking should be pretty thin, but the minute someone steps over the line and does something bad with that information we lop off a hand (like they do in ?Muslim countries for stealing?) I figure that losing a hand is a pretty good way to keep someone from becoming a repeat offender (pretty difficult to work a computer if you lose both hands) and THAT will serve as a pretty strong warning to others.
Two thousand dollars will buy you a lot of McBurgers, but won't buy you another hand (even in Chiba City.)
Glonoinha the MebiByte Slayer
Never type a password on a public computer. Instead, cut and paste the characters from the screen using the mouse only. Of course, the problem is you have to have every letter and character displayed somewhere. You could browse to a site like this and paste character by character. It's slow but better than having your identity stolen.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
You know, there's something to be said for allowing users some degree of freedom. It's quite easy to cut off all kinds of access, but networks that have users with a wide variety of needs and interests and who can generally trust their users shouldn't do so.
At my school, we've got some computers in very public areas that are all full of restrictions, and people run into usability problems with them all the time. But on the computers in the library, users can install whatever they need. If I need to install a drawing program to help create a presentation, I should have the freedom to do so. If I want to install AIM to get files off my computer remotely or send myself information, I should be able to do this. These are important user rights in a computing age.
As such, it is important to monitor what is being placed on computers, but it is foolish to restrict everything outright.
Read jack phelps dot net
I guess it depends if su is installed
Even if it's not, you can still collect passwords, just more slowly. If it can't su, the trickster software can just display an "authentication failed" message and quit to the real login screen. The victim just assumes she mistyped on the first try, and the attacker has a single new password to play with.
Tricks like this are why Microsoft added the "Press Control+Alt+Delete to Log In" feature. (At the DoD's behest)
Supposedly, it would be impossible for any user-level program to trap that keystroke, so you always can be sure you're seeing the real OS login screen. (Of course, given how easy it is to compromise the OS itself, this protection means little).
*ahem* but of course I haven't done that sort of thing in decades... ;^)
One line blog. I hear that they're called Twitters now.
I saw something, I want to say on Discovery - a documentary on counterfeiting. Anyway, there was a group of people who wheeled an ATM into a mall and set it up to look like a legitimate bank machine. They left it there for a period of time, but it never dispensed any cash. Instead, it would read the magstripe on the card that was inserted, and then record the PIN number that the user entered. It then printed out a message that it was unable to contact the bank, or the customer was out of cash, or whatever. After that, the crooks came back and wheeled their ATM back out the door - along with hundreds of valid ATM card and PIN numbers.
Seriously, devices like these should be illegal. There's really no legitimate purpose for them -- no more than for those X10 spycams. (No, "maintenance and troubleshooting" isn't a real purpose -- most users don't enter a "command sequence" anyway, so that's a moot point.)
TANSTAAFI: There Ain't No Such Thing As A Free iPod.