Slashdot Mirror
Arrested for Planting Spyware on College Compus
AndrewM1 writes "In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online. He then stole $2000 with the information he gleamed."
Information wants to be free! I don't see that he did anything wrong. GNU forever!
Which is exactly why you shouldn't use single user windows systems. MIT has athena, a huge unix-based system. There's no way (barring finding the root password) for me to do this to any user other than myself.
But why weren't they locked down to prevent installations of software, etc?????? You would think that the admins should be on top of this. I know it's easier said than done, but it seems that someone should be watching this stuff!
Happened at WPI a few years back. After taking an assembly class that showed him how to catch keyboard interrupts, he loaded a new interrupt handler that logged the keystroke and then called the real handler so that everything looked normal. He was caught, but I'm not sure what happened to him.
The guy only managed to steal $2000? This guy must be stupid.
Help I'm a rock.
There is a kid doing this at almost every school, most of the time it goes undetected. Three people at my highschool did the same thing and were suspended, no one knew what kind of information they obtained but it was going on for over a week.
This kind of software causes a real headache for system admins.. I speak from personal experience. Our team of about 12 technicians look after approximately 1500 workstations, and about 2/3 of those are used by a theoretical maximum of about 6000 students on a weekly basis.
:)
Trying to keep tabs on this kind of thing can be nigh on impossible.
We have found some software that does work pretty well though - a company called Fortres Grand sell a package for Win9x/Me/2k/XP called Clean Slate that basically resets the machine to a previous state every time it is rebooted. If you wish to add software, you disable it, and put it back on once the software is installed. The machine then works from that 'save point'.
We try not to make machines 'too tied down' for students (like blocking downloading, any changes at all) so this software is ideal and not too intrusive.
No, I dont work for Fortres Grand but thought it seemed appropriate to the subject!
"Hey! Unless this is a nude love-in, get the hell off my property!!"
He was part of a Internet backing project for a large European bank. This bank was one of the first to offer services over the Internet. He always used cash and did all of his banking with a real live teller. He didn't have any credit or banking cards. I think that says a lot.
I have been doing Internet based development exclusively for four plus years. I still do not use Internet banking. People are so willing to jump to use any service that makes thing easy without thinking about any potential consequences.
I think I have to find a new job, because I think people are too stupid to use computers. Sad but true.
Actually I was with the guy right up until he turned to the dark side and used the information to steal. I think the penalty for 'liberation of information' or white hat hacking should be pretty thin, but the minute someone steps over the line and does something bad with that information we lop off a hand (like they do in ?Muslim countries for stealing?) I figure that losing a hand is a pretty good way to keep someone from becoming a repeat offender (pretty difficult to work a computer if you lose both hands) and THAT will serve as a pretty strong warning to others.
Two thousand dollars will buy you a lot of McBurgers, but won't buy you another hand (even in Chiba City.)
Glonoinha the MebiByte Slayer
Never type a password on a public computer. Instead, cut and paste the characters from the screen using the mouse only. Of course, the problem is you have to have every letter and character displayed somewhere. You could browse to a site like this and paste character by character. It's slow but better than having your identity stolen.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
You only need to install your sniffers on a few boxes to get plenty of good credit card numbers and passwords and such. And if it's installed on only a few boxes, it would (unless they were specifically looking for this) be very hard to detect if done correctly.
And then if you're careful about the credit cards that you use (i.e. use only one or two, or only those that have bought stuff from a given site, etc.) they won't even suspect that people are sniffing at this one site. (If you use every credit card you find, the credit card companies will figure it out pretty quick by finding out what's in common with all the cards in question.)
In short, for every guy who's caught, there's probably dozens of guys who aren't caught.
Be afraid. Or, more importantly, be careful.
The title to this article is not really accurate in this case. The person who was arrested stole $2000. He was arrested for that (or should have been). The keylogging software in this case was just the means to commit the crime. It shouldn't be illegal to install keylogging software (unless he's breaking the user agreement by installing software on that computer, etc.). To say he was "arrested for installing keylogging software" to represent theft could be compared to saying a murderer was "arrested for buying a gun and ammo."
Using a computer to commit a crime is no different than just commiting the crime. There should be no elevated charge just because he used a computer and software instead of a forged check or stolen credit card.
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
Boudreau, who faces up to 20 years in prison if convicted on all charges, was not immediately available for comment. Boston College said it suspended Boudreau, 21, last year once it learned of his scheme. Suspended? Do they think he'll continue his education in 20 years? How is it he's been suspended for a year and only now their just indicting him....gotta love the speed of justice. I spose they can't expell him until he's convicted (innocent till proven guilty and all)... So, do you think he had all the keystroke logs sent to his main email acct?
This is still not adequate -- and is (in some ways) worse than nothing. Having managed a lab of student computers back when I was a grad student, often times people will simply sit down at an otherwise unused computer and start typing in URL's. If the attacker installs the software (not requiring a reboot) on a machine and walks away, the next user and any other users who use it without a reboot will still be vulnerable. The keystrokes can be recorded by sending them to an SMTP relay or open FTP server.
This is worse than nothing because if the machine is rebooted then you have just lost any chance at doing forensics on the attack.
There are far better solutions available. First, do NOT allow user software installations -- this should be a part of the TOS for such a lab. This in turn allows you to lock down the machines very tightly. Downloads can still be allowed to a user's network account or floppy or zip disk or USB keychain device.
In a managed environment such as a university, require students to log in to computers with campus-wide accounts. Win2k and XP, Mac OS X, and most unices support Kerberos logins, which are becoming widespread on campuses. This gives students their own home dirs automatically, with saved prefs, etc. It also allows much easier forensics on attacks as well. If you want to allow public access, post a public login to an account that has zero privileges on the wall of the lab.
By going this route, you can then use netbooted machines without internal hard disks, vastly simplifying maintenance and system administration. Netbooting is not always easy to set up, but the payoff is well worth it in such lab environments.
--Paul
Yes, I agree.
Maybe we should all have spyware installed on our machines so that all of our information can be "liberated".
If it wasn't for those meddling kids!
Join the elite! Post at score:2! Ghostwheel is online.
Absolutely. I think I'll build a few bombs in my garage, maybe brew up some anthrax or smallpox virus. Hey, as long as I don't do anything with them, the penalty shouldnt' be too severe... right?
Where do I go to get my white hat?
I am NOT a man!
I am a free number!
If it's a x86 box (does any other manufacturer use the PS/2 keyboard cord?), all you need is one of these babies. That'll catch the BIOS password (when/if it gets typed in) and all.
Ouch.
Of course, to do it right you'd probably need to power-cycle the machine (hate to fry the mobo while doing this...). Maybe try to get one right next to yours -- bump the power cord out of it...
But we're just talking here, aren't we friend?
Keep your packets off my GNU/Girlfriend!
Ever consider the possibility that he got snagged for only 2 grand but actually got away with more?
Il n'y a pas de Planet B.
yep! you can't get any more inconspicuous than a BRIGHT MAGENTA page with "Copy and paste into password forms:" in a 24 size bold font!
Not that I feel bad for him for being depressed or anything, but he's being viewed as a real criminal who stole from hundreds where all he really did was mess around on a computer.
/There are 10 types of people in this world; those who steal sigs and those don't
I guess it depends if su is installed
Even if its not, you can still collect passwords, just more slowly. If it can't su, the trickster software can just display an "authentication failed" message and quit to the real login screen. The victim just assumes she mistyped on the first try, and the attacker has a single new password to play with.
Tricks like this is why Microsoft added the "Press Control+Alt+Delete to Log In" feature. (At the DoD's behest)
Supposedly, it would be impossible for any user-level program to trap that keystroke, so you always can be sure you're seeing the real OS login screen. (Of course, given how easy it is to compromise the OS itself, this protection means little).
I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.
Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.
To clarify, Boston (in Massachusetts, United States) was named after Boston (in Lincolnshire, United Kingdom) - more information can be found here.
"Be vewy vewy quiet, I'm hunting wuntime ewwors!" - Elmer Fudd
I think the point was not that "MIT and unix rox0r w00t!" but more that there are ways to avoid problems like this. Had they implemented a system like the one at MIT, a software based attack would have been much harder, if even feasable at all.
To say, "No, you mentioned unix and MIT so therefore you must be a zealot and cannot have a point," is stupid. Saying that the useage of computers is irrelevent in this case is just as ignorant. The point of the story was not just to say crime happens. By alerting people to specific kinds of crime, people know to be cautous or to look for ways to avoid being victomized. For example, if the article was about someone using a defect in a specific brand of lock to break into houses and steal things, would you claim that the story isn't about locks or defects but instead only about a thief and his breaking and entering? I should hope not. More likely, you would check to make sure that you weren't using that kind of lock and if you were, you'd replace it to make sure you weren't vulnerable. Just because there is a theif does not mean that the general problem and solutions to it must be ignored.
Now, how about indicting and convict Kazaa and those of the same ilk who pepper their users' computer with all sorts of spyware without explicitly warning them right upfront???
This makes me glad I use Knoppix.
When I am forced to go to the local community college computers to do some homework, I bring along my trusty Knoppx CD. Pop it in, boot up, and poof. Instant security. Knoppix even grabs one of their local DHCP addrsses and gets online right away. Of course, I could still be monitored if they really want to do it, but the runo-of-the-mill key loggers would be thwarted, and that makes me feel much safer. The fact that it's an effective local log/cookie deleter doesn't hurt either.
They have a policy about using unauthorized software, but after careful reading I decided that its intent was to prevent system instability and whatnot by disallowing all software installs. They might still disallow me if someone in charge knew, but I don't care.
I want my Cowboyneal
*ahem* but of course I haven't done that sort of thing in decades... ;^)
One line blog. I hear that they're called Twitters now.
In reality, $2000 isn't much money when talking about the possibility of how much the guy could have stole with that many victims.
If your going to ruin your life over fraud, you might as well go all out.
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
I saw something, I want to say on Discovery - a documentary on counterfieting. Anyway, there was a group of people who wheeled an ATM into a mall and set it up to look like a legitimate bank machine. They left it there for a period of time, but it never dispensed any cash. Instead, it would read the magstripe on the card that was inserted, and then record the PIN number that the user entered. It then printed out a message that it was unable to contact the bank, or the customer was out of cash, or whatever. After that, the crooks came back and wheeled their ATM back out the door - along with hundreds of valid ATM card and PIN numbers.
Having installed these programs on some of my school's machines, I can explain. The program itself is a low-level driver that basically sits between the OS and the hard drive. Whenever the OS wants to write to the HD, the driver does the writing and also makes a note of what was changed in a hidden location on the drive. When the machine boots, these notes are re-read, and the changes undone. This means that you can go to C:\, Select All, Delete, Empty Trash and it'll really be done (well, most of it; you can't delete certain things) - but the driver will remember those changes, and undelete everything when you reboot.
Can it be defeated? You bet. A classmate of mine demonstrated defeating Deep Freeze by booting from a Linux floppy and simply renaming the driver files, preventing the program from loading itself. He then proceeded to install StarCraft (back in Windows), then repeated the linux-boot procedure and restored the drivers, effectively preventing anyone who didn't know the Deep Freeze disable password (or the Linux solution) from deleting the game.
Neat, eh?
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
Most of us do, it is called Windows XP (or Windows 2000 sp3.0.)
Glonoinha the MebiByte Slayer
let me clue you in to just a few things. a - a majority of the kids here do come from VERY wealthy families. Of course there are your fair share of typical college students, but there is more than enough people that probably wouldn't notice a few bucks missing. that being said, he was probably only taking a small emount from everyone. b - the "money" he stole [from my understanding] was what they call "eagle bucks", meaning it was good within the university, could be used the the bookstore, dining hall, etc etc. There's no real way to withdraw this money, so i'm guessing that there's really only so much stuff you can buy on campus, and $2000 will cover that. c - the real issue in this whole thing is the BC policy with PIN numbers. they assign you one at the start of freshman year [or when you're hired] and it never changes. when this whole issue surfaced IT had to scramble for a way to let everyone change their PINs. Now we're getting an entirely "new system", with new IDs and supposedly a bunch of other "security features" that don't sound all that innovative or secure. d - i can't believe that a cs major from BC made slashdot. although i didn't really know him, i think he was in a few of my CS classes.