Kinko's Spy Case Illustrates Public Terminal Risk
tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different Kinko's in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC, then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.
Sometime back, Passport passwords were hacked: Muhammed from Pakistan.
Adobe's eBook reader was cracked: Sklyarov.
and now, Jiang.
Why isn't it Rob or Pete or Chris, ever??
-
If you keep throwing chairs, one day you'll break windows....
For us non-US'ers:
What is a Kinkos????
Thanks!
Burma?
Why would anyone consider using public access points to access private/secure data? That's just asking for trouble.
It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly.
I used a NYC Kinko's during H2K2 last year on 7th Ave. I've been unable to find it now due to dilution of the story, but I found an online article the other day that said this had actually gone on for two years and that the person who discovered it had used a computer at one of their stores on 7th Ave, but they have two. I used the one at 500 N. 7th, store # 0961.
I called their customer support line on Wednesday as soon as I saw this article, and they said they didn't know anything about it; the person I spoke to called me back and said that their corporate office would get back to me by the end of the day.... I'm still waiting.
I called the store directly last night and the manager, sounding like he was lying through his teeth, told me that they were absolutely not one of the stores.
So, I'm very interested in knowing if this has class-action lawsuit potential, since Kinko's was prosecuting this case and obviously had no intention of notifying their customers of the risk they were at while using their store. If there is an existing lawsuit, how do I find it? Thanks!!!!
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouse clicks.
Two wrongs don't make a right, but three lefts do.
The article is from AP, not CNN.
well, anyone using a public terminal to do online banking should know they're taking a huge risk anyway. I've been using computers since my Atari 400 and still won't do any banking over the 'net. paranoid? maybe. but safe
At the last 2600 meeting I attended, we joked about installing a chip to catch keystrokes into a keyboard. What if this was done instead of a piece of software? And who knows if something like this has been done or not. The "man on the street" does not understand one iota of computer security, so why should a public kiosk computer be any different than his home PC? As long as it does not affect them in any way they do not care! This is a wakeup call for "joe sixpack", do not trust any public PC (I don't).
You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)
Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user, so even if the previous user performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinko's to do as well. If you've been to a Kinko's in NY, you would know that the copy specialists in the stores are not maintaining the machines.
Banks in Brazil are using virtual keyboards: a numeric pad that appears on the screen with the numbers in a random order and/or in a random position. You must then click the password with a mouse. Of course, if you own the machine you can save the HTML and mouse clicks to analyse later, but it makes the life of keyloggers harder.
[]'s Victor Bogado da Silva Lins
^[:wq
10. Burning a spliff out by the dumpsters with your friends and giving them free copies.
hang brain.
I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, kinkos, office max, internet cafes, etc; and think that a keystroke logger could be infinitely damaging.
Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?
Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a ridiculous idea. I know this is beating a dead horse, but do we let people drive a car or fly a plane without a license? Before you jump on my case, I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some form of education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKO'S!
I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it
Let's get one thing perfectly clear, I did not vote for George W Bush, and I do not endorse what he does or says.
I only use my online bank from home, and every time I log in I have to use a different password from a list the bank provided to me.
I thought this was standard in all banking systems, one-use passwords.. It increases the security against keyloggers..
As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."
The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"
"Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.
Uh, do you type in sensitive information to public computers running Windows? Then you're a super-dolt!
There's no mention in the article of how he managed to install the software on the system. I'd assume that any public terminal would be logged in as a user with virtually no privileges beyond access to internet, word-processing etc. and a small temporary storage partition that is wiped on log-out. Or does Kinko's just run Win98 boxes?
When there were green screen terminals, a student wrote a simple program that took a username and login, told the user it was incorrect, and logged him out.
He left it running on the lab on the VT100s. It worked. He used the first account to get more accounts. He didn't do anything with the accounts.. (I think the worst he did was some inflammatory emails to some band fan club..)
It did get traced back to him, however, but he denied denied denied and they just took his account away.
Ever since then I always make sure the login screen is correct before logging onto a public terminal in a school or lab.
Keystroke loggers make it worse.. This is why secure systems are so important..
When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.
Whoever was doing support for Kinko's didn't do their job.
Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?
Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC, and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC service, which actually controls your home PC. The person whose accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediately knew that someone had gained access through the GoToMyPC service, and contacted the authorities. That is how they caught him... Not him signing people up for GoToMyPC...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from eBay and similar sites, which ask for passwords to be re-entered on a web site, illustrates that passwords are no longer an adequate form of security.
The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.
Sigmund
You're right that most key logging programs are stupid, though. The best way to detect a key logger is to go in Windows Explorer, do a search for files modified in the last day, then sort the list by modification date descending. Open any unusually named files and look inside. After all, key loggers have to keep a log somewhere!
You mean my COOKIES are in danger? That's it, I'm buying a gun and never leaving the house.
Banaaaana!
Yes they can. We're going to use a PC to authenticate credit cards, and the mag stripe reader just piggybacks onto the keyboard. There are also USB variants out there as well.
Gorkman
I spend a lot of time at my local Kinko's. They do get paid at least 1/2 more than you suggest. It requires experience and training to deal with some of these copiers... as well as lots of patience for the many customers who know even less (or don't even know what they want). They are one employer that is likely to keep many employees around for a long time to come despite the heavy automation. Sadly, the training for the normal coworker doesn't seem to include internet security... which is fundamentally the responsibility of those persons who did the custom job on Win2k for them... so don't loosely blame the bubs in the blue aprons. Oh, I am noticing this handy warning on top of the monitor here. "Be safe. Protect your personal information" sayeth the sign. Instructions on how to delete the files one may have saved follow. Hmmm.... let's go and see how many folks left their disks in the drives. ;)
As far as I know, it hasn't happened yet. But would it be illegal for the government to use keylogger software and other similar tactics on public terminals as part of their ongoing "must destroy all terrorists" campaign? I know that if they had a reason to do so, they would most definitely be allowed to. As the story mentions, the government used similar software to help convict a mob boss.
Still, the question remains: is it legal for the government to monitor our activities on public computers without our consent, and is there a chance it could already be happening?
Goo goo g'joob.
In order to install a keystroke logger, it seems to me that you would need root permission to do it on linux or else be able to (re-)boot such linux terminal from floppy or CD.
By taking out floppy/CD drive and simply applying user privileges, I can't imagine that anybody would be able to pull this off on linux terminals.
Therefore, isn't this typically a windows problem? Insecurity by design?
And magnetic stripe writers are now just as easily obtainable. It's not too much more difficult to log a magnetic stripe on a system than it is to log a password.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
This is why some banks do not request full information for login.
For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:
Three digits from your four digit online PIN (in a random order, like second, first, fourth).
Three characters from your password, again a random selection in a random order.
While it initially irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.
It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.
rm -rf / is the evil of all root
...can be found at SecurityFocus.
By anyone. Most banks are moving away from magnetic stripes exactly because the readers are so inexpensive and easy to install on public terminals and ATMs. In addition to the official readers. The smartcards are coming.
Money for nothing, pix for free
Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever NEVER access any critical data from a public terminal under any circumstances EVER.
The corollary to this maxim is to make sure that the password of an account that you access from a public terminal is different from any password that you access from a non-public terminal. Then again, the truly paranoid have different passwords anyway....
There are PS2-connector keyboard loggers sold in various places on the internet...although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords...It's just something you have to accept...that someone is probably watching, somewhere.
One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.
Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.
They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...
he didn't. he installed a hardware keylogger in line in the keyboard socket.
South African users recently got nailed by a similar type of scam. Check out http://www.news24.com/News24/Finance/Companies/0,,2-8-24_1390144,00.html for more detail.
They obviously really understand security...
note (for the humour-impaired) : this is irony
On the card I have everything I might need from a PGP keychain to documents.
BOO! TERRO
Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.
Do they allow you to reboot the machines?
Since the DMCA passed Congress, the USA is one of the most totalitarian states out there. Maybe even worse than China.
Sklyarov was a victim of exactly the same illusion as you have: he thought that the USA is a free country, he came there and was put into jail for an action which does not constitute a crime at all under Russian law (publishing information about security flaws in eBook), and was done on Russian territory.
Note that Alan Cox of the UK shares almost the same opinion: he refuses to go to USENIX because after the Sklyarov case he doesn't consider the USA a safe place for a programmer.
The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.
No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.
Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtopic flame-fest! Yay!
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM.
What you refer to is known as multi-factor authentication, IIRC. I agree that deploying authentication using the "need to have" and "need to know" dualism is way more secure than simple password authentication in principle. Besides that, the Kinko's incident suffers from the problem that a public terminal cannot be trusted, and it wouldn't be more trustworthy by adding a magnetic card reader, since that card reader again is under control of the untrusted terminal. The equivalent of key loggers when using card readers is card loggers. There is no big difference between logging confidential key strokes and confidential digital data while being read by the computer, so I think this does not add to the security of public terminals at all.
What probably would help is
Both techniques still don't help against Woman-in-the-Middle or hijacking attacks, because they still have to trust the terminal device to transmit the authentication data in a manner the user intended it to.
This brings me to the question: Can anybody think up a way to use inherently untrustworthy public terminals in a trusted matter? How can you make the terminal transport sensitive data in a secured way? Any ideas?
The most promising answer to this problem to the paranoid (read: "sensible") roaming internet user seems to bring your own network-enabled devices, and find a way to connect them to the Net, for example through public WLAN hotspots. Then you can choose your own method to secure the data path, knowing that the end device is trustworthy because it is under your control (provided you run software and hardware that in fact can be considered trustworthy, for some profound reason, but that is another story I guess... .)
I thought they were originally a software company. No wonder people laugh at me when I ask if they know a good place to warez Kink OS.
At Cornell, the machine would just wipe its hard disk and reimage over the network after the last user walked out. I can't believe this isn't a standard feature for public terminals by now...
Last time I went to an easyEverything cybercafe I noticed that on logout the PC would reboot and re-install a fresh image of the whole OS on the disk. I think it got the image from the network but I can't recall what software they used to do it (it had a strange name)...
Of course it takes some more time at rush hour (like 10-20 min) but they have lots of PCs so ...
and also, too bad for installing key loggers then ..
With that aggravating beauty, Lulu Walls.
This would stop a keylogger application, but not a hardware logger between the keyboard and PS2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
They'd have a still list of exactly the characters you use. That'd take all of 30 seconds to crack.
You'd better just copy and paste the letters from around the page you're looking at. I mean if you're going for paranoid you might as well go all out.
I'd be more shocked to find out that this is the first time something like this has happened. Surely some other clerk was underhanded enough to think of this before.
DeviantArt Page NSFW
As others have pointed out, there really is no software solution to prevent keyloggers, because there are also hardware models you put on the keyboard port to intercept keystrokes before they even go to the PC. The only defense against those would be a visual check, and I wouldn't be surprised if there are even more sophisticated models that are harder to spot.
Check out my world simulator thingy.
That's what I used to think, but it's not really true. For example, try printing to an HP720C printer from NT or Win2K without administrative privilege. The HP720C printer driver creates its temporary files in such wrong places that you are forced to assume root privilege just to use the printer. Another fact you forget is that Windows relies on the ability for a program to surreptitiously install stuff without the knowledge of the user. Shareware does it, to prevent you from installing again. Microsoft themselves need it all the time, and DRM is simply based on it. The user may be at fault, but certainly not through his own negligence. His true mistake is to trust Microsoft and proprietary vendors, who have encouraged and even required this behaviour in order to take advantage of it, to the point that they even brought UCITA along, which would give them the legal permission to disable software remotely. Insidiously hiding the facts and what is really running on the computer is a way of life for Microsoft and its minions. The user is simply being misled.
I'm a manager at Kinko's.
You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc.. are left every day.
Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".
What a world.
The horse is dead. Either fuck it or walk away, but please stop beating it.
Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.
... something a number of PCs, USB printers, etc. already provide, and something public terminals could add at minimal expense.
USB is even more ubiquitous. Almost all (if not in fact all) new hardware comes with USB, and all modern operating systems support it. It is cross platform, accessible to GNU/Linux, OS X, and even that other obscure operating system from Redmond, WA.
Banks have to provide their customers with credit cards anyway. Why not a small memory chip, insertable into any USB card reader? Indeed, if they use an already widespread standard, the only cost will be installing the actual USB readers
No need to rewrite any software, other than the authentication routines at the server end.
The Future of Human Evolution: Autonomy
The haberdasher called. Your new tin-foil hat is ready.
The US more totalitarian than China? Maybe with respect to foreign policy, but you have quite a case to make with respect to domestic matters. I am no lover of the DMCA, or the way Congressmen like Berman fawn over the RIAA/MPAA, but that is a far cry from life in the PRC.
While the majority of Kinko's stores do reside in the U.S. there are Kinko's stores in other countries too. China, Korea, Japan, UK, Netherlands, and Australia are a couple of the other countries that come to mind.
Kinko's is just a copy shop that happens to have publicly accessible computer terminals.
The horse is dead. Either fuck it or walk away, but please stop beating it.
Ah, thank goodness for one time passwords. For work, I have what we call an 'Enigma' which is a little device that you enter a PIN into and it spits out an 8 character password for you to log in with. Enter a wrong PIN three times and you get locked out of the Enigma. It's great because between SSH or SSL web sites and one time passwords, you don't need to worry about people key logging, sniffing, or even looking over your shoulder while typing in a password. The only problem is I basically bring mine wherever I go, should I need to login.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
well, people who have experimented with that kind of thing (buying smartcard writers to play with security stuff) have been sent letters demanding $3500 and the kit by directtv haven't they? might be considered a bit off putting to some.
dave
In other news:
Where do you get the 30 second figure? Reordering the username and password is potentially NP-hard (in reality humans are none too random, so many permutations of the string are highly unlikely). A 20 character combined username and password string has over 10^18 (=20!) possible entry permutations. Even if you can discriminate between chars entered into the two fields, you still have 10^13 (=10!^2) possibilities. Again, if I were exploiting the output of a keylogger, I would take the easy-to-use cleartext entries and disregard any harder-to-decode entries.
BTW, your suggestion to copy-paste chars from the page is ingenious. Thanks!
Two wrongs don't make a right, but three lefts do.
I have used a Kinkos machine in Columbus Ohio (near Ohio State) and here is what I found:
1. Windows 2000 with the user logged in as poweruser or administrator.
2. Pop up software installed (unknown spyware).
3. I could not find a USB port, so I stood up, moved the PC and plugged it in in the back. No comment from staff.
The only "security" I saw was protecting the billing app.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
Can anybody think up a way to use inherently untrustworthy public terminals in a trusted matter? How can you make the terminal transport sensitive data in a secured way?
That is easy, just make sure the data is encrypted as it leaves your fingertips
Free cell phone tracking
'ta
Seriously, magnetic readers are not going to be any better security. It may be a "practical" alternative but it will never come close to smart cards. (Ever check out all that gold in them?) And the bad part about the smart cards is that if you lose that card you are 100% screwed if someone "finds" and abuses it. Perhaps at that point, you would be forced to trade in your smartcard on a rope for some soap on a rope. (if you catch my drift)
;o)
Also Kinko's, a great place to leave something stupid like a briefcase, or even a wallet, laying around; you're busy working on something and you simply forget.
Better security is a smart card embedded in the side of your head, but even then someone will figure out how to crack into it.
Love Music? Got a Band? Are you a Label? http://garageradio.com
Delta, in their airport clubs, installed PCs with internet connectivity. After seeing what people leave there (private letters, still logged on to email or other web sites, even 3.5 floppies with files), I'm not surprised that this sort of stuff happens, but that more people haven't been screwed by their own stupidity.
Of course, this is not a new phenomenon - when the first paper tape terminals were rolled out, people threw printouts with all sorts of info into the trash. It was the trash, and who digs into trash anyway?
For some reason, people think that because they are familiar with a certain technology, it is secure.
I'm a consultant - I convert gibberish into cash-flow.
go look up the definition of "totalitarian", then come back and explain in what way the US is "totalitarian". make reference to the chinese subjugation of Tibet, please.
Isn't it still easy to get the BIOS passwords that the manufacturers use? This is just an example.
The solution to this problem is well-known: use one-time passwords. You can travel with a printed list of passwords, each to be used only once. There are probably some packages for Linux that support this.
A more sophisticated version are challenge-response systems or time-based systems like SecurID, but they require extra hardware and don't give you any extra security.
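The printed one-time password list this post (and the earlier poster whose bank hands out such a list) describes can be built as a Lamport hash chain, the construction behind S/KEY-style OTP packages: the customer's list is the chain read backwards, and the server keeps only the last accepted value. The following is an added example, not the code of any bank or of any particular Linux package; the seed, list length and 12-hex-digit code width are constructed choices made so the codes are short enough to copy by hand.

```python
"""Printed one-time password list as a Lamport hash chain (added example, not a bank's
or package's code). Seed, list length and code width are constructed values."""
import hashlib
import hmac
import secrets

CODE_BYTES = 6   # assumed: 12 hex digits per printed code; a real deployment would use more


def _h(x: bytes) -> bytes:
    """One chain step: SHA-256 truncated to the printed code width."""
    return hashlib.sha256(x).digest()[:CODE_BYTES]


def make_chain(seed: bytes, length: int) -> list:
    """Return [h_0, h_1, ..., h_length] with h_0 = H(seed) and h_{i+1} = H(h_i)."""
    chain = [_h(seed)]
    for _ in range(length):
        chain.append(_h(chain[-1]))
    return chain


def printed_list(chain: list) -> list:
    """The list handed to the customer, in order of use: h_{n-1} first, h_0 last.
    The anchor h_n is kept by the server and never printed."""
    return [c.hex() for c in reversed(chain[:-1])]


class OneTimePasswordServer:
    """Server side: stores only the most recently accepted value. A submitted code is
    valid iff hashing it yields the stored value; the code itself then becomes the new
    anchor, so a replayed (keylogged) code no longer hashes to what the server holds."""

    def __init__(self, anchor: bytes):
        self._current = anchor
        self.used = 0

    def login(self, code_hex: str) -> bool:
        try:
            candidate = bytes.fromhex(code_hex)
        except ValueError:
            return False
        if hmac.compare_digest(_h(candidate), self._current):
            self._current = candidate       # advance the chain
            self.used += 1
            return True
        return False


def enrol(length: int = 20, seed: bytes = None):
    """Generate a fresh chain at enrolment; return (server, printed list).
    The seed is used once here and discarded; only the anchor survives on the server."""
    seed = seed or secrets.token_bytes(16)
    chain = make_chain(seed, length)
    return OneTimePasswordServer(chain[-1]), printed_list(chain)


def simulate_keylogged_session(server: OneTimePasswordServer, codes: list):
    """The legitimate user logs in with the first code; someone who captured the
    keystrokes replays it. Returns (legit_result, replay_result)."""
    first = server.login(codes[0])
    replay = server.login(codes[0])
    return first, replay


if __name__ == "__main__":
    server, codes = enrol(length=5, seed=b"constructed-seed")
    print("codes on the printed list:", codes)
    print("legit login, then replay of the same code:", simulate_keylogged_session(server, codes))
    print("next code on the list:", server.login(codes[1]))
```

Because each code is the preimage of the one before it, a captured code gives the observer nothing usable: the value the server will accept next is the captured code's preimage, which is what the hash is meant to make infeasible to compute. This strict version also rejects codes submitted out of sequence; S/KEY-style implementations allow skipping forward by hashing the candidate several times, which is a small extension of `login`.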
If you ignore sunrise, sunset and night.
The Earth rotates around the Sun!
Actually, it revolves around a common center of gravity with the Sun, and that's ignoring the other planets for the moment.
I will never sleep with Natalie Portman.
Is this a prediction or a statement of desire should the opportunity arise?
--- Ban humanity.
Ah, kinda reminds you of school, with the script kiddies who installed keyloggers and harvested Hotmail passwords. Those were the days (not that I had anything to do with it, of course...)
This comment does not represent the views or opinions of the user.
Copy the letters from various news websites (out of order if you wish). Of course, you could end the process of the key logger. The news websites change content a lot - a forum website would be good for this too. Of course, people could just walk into your bank and claim to be you these days.
Even better, use a random password generator several times.
The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM
Please explain to me how this is better security.
Currently, I type a series of numbers (for all intents and purposes, a password is a series of numbers) into the keyboard, it goes down a wire, and into the computer. A USB dongle attached to the end of the wire may surreptitiously record all the numbers I typed in. This lets someone scan my password and use it themselves.
You propose that I do the above, but have a little box attached to the computer through a second wire. When I swipe a card through the box, a series of numbers are shot down to the computer through the wire. I fail to see how this couldn't be logged.
Hell, it wouldn't even have to be a USB dongle. What's to stop someone from switching a legit card reader with one with a memory chip inside? Then you couldn't even peek behind the PC and see if there was a logging device attached.
Card, biometrics, passwords... when it comes down to it, they're all just numbers on a wire. And no one of them is any more secure than any other.
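The "numbers on a wire" argument above holds for any scheme that sends a reusable secret down the wire, but not for the challenge-response tokens mentioned earlier in the thread. The following is an added example (not code from any post here, and the secret, password and function names are all constructed) that runs one login of each kind through a logged wire and then replays what the logger captured:

```python
"""Why a secret that never crosses the wire beats one that does.

Added example, not from the thread: a static password typed at a terminal
versus a challenge-response token. Both put "numbers on a wire", but only
the first puts the reusable secret itself on the wire. All values are made up.
"""
import hashlib
import hmac
import secrets

# Constructed long-term secret, assumed to exist only inside the user's token
# and in the bank's user record; it is never typed and never transmitted.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"
STATIC_PASSWORD = "hunter2"  # constructed; the kind of thing a keylogger captures


def static_login(stored: str, typed: str) -> bool:
    """Password scheme: whatever goes down the wire IS the credential."""
    return hmac.compare_digest(stored.encode(), typed.encode())


def issue_challenge() -> bytes:
    """Server side: a fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Token side: HMAC-SHA256 over the challenge; only this value goes down the wire."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response for the challenge it issued."""
    return hmac.compare_digest(token_response(secret, challenge), response)


def simulate_logged_wire(secret: bytes):
    """Run one honest login of each kind while a logger records the wire.

    Returns (honest_ok, static_replay_ok, challenge_replay_ok): whether the
    honest challenge-response login worked, whether the logged password works
    again later, and whether the logged response works against a fresh challenge.
    """
    # Honest challenge-response login through the logged terminal.
    challenge = issue_challenge()
    response = token_response(secret, challenge)
    honest_ok = verify_response(secret, challenge, response)

    # Everything the logger saw for each scheme.
    logged_password = STATIC_PASSWORD
    logged_response = response

    # Later: the recorded material is presented again.
    static_replay_ok = static_login(STATIC_PASSWORD, logged_password)
    challenge_replay_ok = verify_response(secret, issue_challenge(), logged_response)
    return honest_ok, static_replay_ok, challenge_replay_ok
```

The logged password is as good as the original; the logged response is worthless because the server never issues the same 16-byte challenge twice. A magstripe reader that simply emits the card data as keystrokes, as described further down the thread, falls on the static side of this line. Note what challenge-response does not do: on a compromised terminal the attacker can still ride the session after the user has authenticated, which is exactly what the GoToMyPC incident in the story shows, so it protects the credential, not the session.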
Yeah.....
What's so wrong with her????
Every time passwords get mentioned on Slashdot, I say they suck, with little to no moderation. Regarding the lack of standard protocols and software packages, try:
Multos
EMV (Europay-Mastercard-Visa) Specifications
JavaCard
OpenCard
PC/SC Workgroup
Standards Committees and Standards Related to Smart Cards
I attended the 10th annual smartcard convention in 1999, yet have not seen a smartcard outside of the places I used to work programming them. Maybe it's time... The cards then were 1 or 2 dollars and the readers were about 6 or 7, hardly an expensive peripheral on your computer.
Let me reiterate. Passwords have nothing to do with authentication; they only say that someone knows your password. Even having a magstripe card at least says that you know a password and were able to obtain physical access to the card. The best is a biometric reader with a smartcard. I think bioreaders are about 50 dollars.
Tinfoil Hat Linux is designed for just such a case. Boots off a CD-ROM, randomized keyboard for password entry, tempest-resistant fonts, PGP encryption and decryption (also of random files, in the background, to thwart timing attacks), and in a pinch an "output console text to keyboard LEDs in Morse code" mode.
Sounds like a good market for Larry Ellison's old network computer, one that's completely hardwired to boot into a browser, nothing else, no chance to load stealthware of any sort, no cookies, etc.
One could sell a lot of these after incidents like this become more commonplace.
...went and changed ALL their passwords out of paranoia?
1. Did you actually type anything sensitive into a kinko's machine? If so, I hope it was in order to access the us.gov's ICBM systems. Otherwise, shame on you.
2. There is no "N. 7th" in Manhattan. It's either 7th Avenue, or it's E./W. 7th Street.
After standing at the public terminals at a security conference and thinking to myself, "I must be an idiot for typing my password into these", I investigated some one-time password (OTP) alternatives. Back in the telnet days, people used S/Key to keep from sending re-usable passwords in the clear. Basically, it sends you a challenge, you type it and your password into your Palm, and type the generated one-time password into the computer. If you're Palm-less or lazy, you can print a sheet of your next 100 OTPs and keep it in your wallet. If your wallet gets stolen, just log in to your box and you can invalidate those 100 passwords and print a new sheet. It's a lot easier than reporting your credit cards stolen.
You sir are a shining beacon of the human spirit. If only we had more people like you in power, we could finally nuke all those damn Middle Easterners off the map. God bless you, you righteous Christian saviour!
The government can monitor ANYTHING they please with no warrant, if it's under the guise of 'national security'. (Or anything, for any reason, if they have a warrant.)
If you have to ask 'is it already happening' then you are in for a mighty rude awakening.
---- Booth was a patriot ----
Why'd ya need a key logger in school? Every password was either drug-related, sex-related, or the name of a sports team. :p
Unless you meant college, then every password was either drug-related, sex-related, the name of a sports team, or an obscure science-fiction/anime reference.
It's easy to overlook the obvious when you live there.
Anyone could infect these floppies. Who would be dumb enough to install from them?
The GoToMyPC subscriber was home at the time and suddenly saw the cursor on his computer move around and files open as if by themselves.
Thank God he was using Windows!
MjM
XKCD:Xeric Knowledge Comically Dispen
Quote from article:
Kinko's spokeswoman Maggie Thill said the company takes security seriously and believes it has "succeeded in making a similar attack extremely difficult in the future." She would not provide details, saying that to do so could make systems less secure.
Security through obscurity- my favorite.
By reading this sig, you agree to be bound by all terms and conditions I choose.
Yes, but wouldn't this mean every privately-owned PC would also have to be fitted with a magnetic stripe reader so that we could all log in to our PCs and our various online accounts? That would take years to roll out. Also, couldn't the bits flowing out of the magnetic stripe reader be captured the same as a keylogger program captures keystrokes? Or do they work the opposite way (i.e. the PIN/password is sent from the keyboard/PC to the magstripe reader, which then authenticates the PIN/password against the info on the card, and then just reports an encrypted result code back to the system, which decrypts the result code into basically either a thumbs up or thumbs down). I have seen reports that criminals already use small portable card readers to steal magstripe information from credit cards and then use it to make working card duplicates.
I came up with this scheme a while ago; not sure if it would work, but it's interesting.
1. Make a personal website with CGI/PHP/ASP/whatever. Install a big image map form onto it.
2. Make a CGI app that generates an image of a 10x10 grid with alphanumeric chars. The positions of the chars on the grid should be random.
3. What you do is this: the grid is returned as the imagemap. Your CGI script detects where in the grid you clicked on the map. As you click on the grid, the form is submitted, and the next time the page comes up the character you clicked is tacked onto the page inside a password text box (a text box with ***).
So basically you click out the password on this random imagemap. Then when the password is done, you highlight it, CTRL+C, CTRL+V into wherever it goes.
This should defeat any but the most complex keylogger. Keyboard grabbing does nothing, since there are no keypresses involved in generating your password via this method. Also, capturing the mouse clicks is useless, since the keypad is random.
The only way a keylogger could get this password is if it was monitoring all password text areas for change events. I am not even sure if this is possible.
Comments?
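The server side of the scheme sketched above, as an added example (not the poster's code; the cell size, session layout and sample password are assumptions). It builds the random 10x10 layout, maps each posted click back to a character, and includes a helper that shows what a bare click log is worth against a layout the observer never saw:

```python
"""Server side of a random on-screen keypad for password entry.

Added example, not code from the post above. The grid is rendered to an
image and served as an image map; each click posts its (x, y) pixel
coordinates back. Only the server knows which character sits in which cell,
so a log of keystrokes, or of click coordinates alone, does not give the
password. CELL_PX and the session object are assumptions for the demo.
"""
import random
import secrets
import string

GRID = 10                                        # 10x10 cells, as in the scheme
CELL_PX = 32                                     # assumed cell size in the rendered image
ALPHANUM = string.ascii_letters + string.digits  # 62 characters


def new_grid(seed=None):
    """Return 100 characters in random order; every alphanumeric appears at least once.

    seed is only for reproducible tests; production uses the OS CSPRNG.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    cells = list(ALPHANUM)
    rng.shuffle(cells)
    cells += [rng.choice(ALPHANUM) for _ in range(GRID * GRID - len(cells))]
    rng.shuffle(cells)
    return cells


class KeypadSession:
    """Per-visitor state the CGI script keeps between form submissions."""

    def __init__(self, seed=None):
        self.grid = new_grid(seed)
        self.entered = []

    def cell_at(self, x, y):
        """Translate a pixel click into a grid index; reject clicks off the keypad."""
        col, row = x // CELL_PX, y // CELL_PX
        if not (0 <= col < GRID and 0 <= row < GRID):
            raise ValueError("click outside keypad")
        return row * GRID + col

    def click(self, x, y):
        """Handle one image-map submission; return what the masked text box shows."""
        self.entered.append(self.grid[self.cell_at(x, y)])
        return "*" * len(self.entered)

    def finish(self):
        """Release the assembled password and discard the layout so it is never reused."""
        pw = "".join(self.entered)
        self.entered = []
        self.grid = new_grid()
        return pw


def coords_for(session, ch):
    """Pixel coordinates a user would click for character ch (first matching cell)."""
    idx = session.grid.index(ch)
    row, col = divmod(idx, GRID)
    return col * CELL_PX + CELL_PX // 2, row * CELL_PX + CELL_PX // 2


def decode_clicks(grid, clicks):
    """What a click log recovers when applied to a given layout."""
    s = KeypadSession()
    s.grid = list(grid)
    return "".join(s.grid[s.cell_at(x, y)] for x, y in clicks)
```

`decode_clicks` with the real layout recovers the password, with any other layout it returns junk, which is the whole point of randomising the grid per session. Two caveats a deployment needs: the layout must only ever live on the server (a screenshot plus the click log reconstructs everything, and the next reply's shoulder-surfing objection applies), and the clicks still travel to the server, so the page has to be served over TLS or the scheme only moves the problem from the keyboard to the network.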
You can hook a key logger on the ps2 port. Thinkgeek or Compgeek sells them...
-- Leeeter than leet
That might stop keystroke loggers, except it would make old-fashioned shoulder surfing (looking over someone's shoulder while typing a PIN) WAY easier.
Can't help it...
Users are idiots. They need to be informed somehow. Who's at fault here? I think it's the user. If you buy a car and drive it into the lake pretending you didn't know it would sink, well, too bad, you lost your car. If you spill coffee on yourself, well, it's your... err... no, it's McDonald's fault for not telling you that coffee *IS* hot.
I mean, come on, this screams 100% idiocy. Why on earth you would do sensitive stuff on a public terminal is beyond me. Why not pay your bills using a credit card and transparent envelopes?
-- Leeeter than leet
This kind of fraud needs to be dealt with very harshly. I hope he gets 20 years. Scams involving stolen $$ and identity theft are rampant today. So maybe your nearest script kiddie (read: upper-middle-class spoiled brat with nothing to do on his summer evenings except wank off and steal people's passwords) will think twice before hurting others.
I'm sorry, but spammers, scammers, keyloggers, virus writers should just come to my house hog tied so i can KICK THE LIVING SHIT OUT OF THEM. Fuck them for being the spoiled pricks they are!
By the way, you all should be using one-time passwords on public terminals, too. If you run Linux, install the S/Key PAM module. FreeBSD supports OTPs out of the box.
At present, most would rate the U.S. as being more free and therefore less totalitarian than China.
However, anyone with even slight familiarity with both places would note that China is rapidly becoming more free, while the U.S. is rapidly becoming less free.
If these trends continue, it will not take a very long time before the Chinese are more free than we are in the U.S.
Nonaggression works!
"the mag stripe reader just piggybacks onto the keyboard"
That's why they wouldn't be secure either. All the reader does is read the data off the card and enter it in a text field. That's why it piggybacks on the keyboard and why a keylogger could log it too.
"Woman-in-the-Middle"
I think I saw a video of that one time.
If these trends continue, it will not take a very long time before the Chinese are more free than we are in the U.S.
I don't know how many Chinese people you know (from China, that is), but from what I hear it would take a long time indeed (maybe if you leave the "very" out we can agree) before China is more free than the U.S.
Yes, this is true... unless the stripe reader has any sort of logic to it. It could encrypt the sequence and driver software could decrypt it. Then again, this points out why PHYSICAL security is as important as software/OS-level security, i.e., you keep these suckers inaccessible and keep them OFF the internet.
Gorkman
In a Kinko's that doesn't have laptop stations? You can usually unhook the ethernet cable from one of their pay-for-use machines and use the connection yourself for no charge, as long as it's not busy.
Why would anyone bother? Well, it's a (relatively) fast connection, and an IP address no one can trace back to you because you didn't pay for it and all the cameras at Kinko's (last time I checked) are pointed at the registers rather than the computers.
I'd think the warez/Kazaa/terrorist crowds would find that plenty useful.
"It was a summer's tale: Just a boy, his Linux, and a head full of dreams..."
How can you justify the actions of a thief? Are you a hacker as well who likes to steal bank accounts? The USA is the best country to live in, whether you think so or not. YOU have much more freedom here than in any other country. Thieves in other countries would not do jail time, they would be DEAD! So go smoke your crack pipe.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
This is why in an earlier rant about the DMCA I said that it was driving tech out of the US. There are lots of conventions that will not meet in the US anymore. There is real science at stake here, and it's terrriibbbble to think the US is the place people are afraid to enter for fear that they won't be able to return. That used to be the USSR and East Germany and China and all those other countries. Now it's the US. Wonderful. I'm damn proud to be an American sometimes, and then other times I'm truly ashamed. That's right, I said it. Bite me if you don't like it. We're great, but we ain't perfect and we can be better. The DMCA is anti-constitutional, and the Constitution (no, not Hollywood or Levi's) is what makes America any better than the Soviet Union. Make unconstitutional laws and you're much more anti-American than any foreigner.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
If you were to put the US at its most free, and set that as benchmark 100, and the RPC at its least free, set that as 0, then you could say that the US is at least a 95 and the RPC is a 10. We still have protection from arbitrary arrest, freedom to denounce the government, visit redlobster.com, etc. Oh, and my government, unlike many in Europe, doesn't require me to print, at my own cost, a response to a statement I have made. And it's nearly impossible for me to be successfully sued for libel. The corporations may have a bit too much power in the US ATM, but the McLibel fiasco could not have happened here because of our brilliant libel laws. And if you think Russia has a free media, think again. Their constitution may guarantee it, but Putin does not have any respect for that document. Free media in Russia is being stamped out at a frightening pace. And a free media is a necessary component of real democracy.
...public terminals are the worst. I would know, I'm a keylogger fiend myself. Although I prefer hardware keyloggers, those are oh so much sneakier and James Bond-ish. Though they have their drawbacks: you need to have physical access to the machine at least twice, and they cost money (around 50 a pop). But the information you can gather with one of those makes them worth a lot more than their weight in gold.
(Oh, but don't worry, I'm actually not malicious, although I easily could be. I just like to have fun and wreak havoc, nothing serious like credit card fraud. I don't really consider myself a hacker/cracker or anything, just some punk kid having some fun.)
I belong to the ______ generation.
Check it out. Cool idea.
LoginGuardian is a simple javascript utility you insert in your login page to protect your site's visitors from keyloggers.
"Sometimes there's even sneakier things than just stealing one's cookies."
Yeah, they could also jack your karma.
This is precisely the problem which MIT solved in their public access labs by inventing Project Athena.
TWENTY GODDAMNED YEARS AGO!
Kerberos, remember? All that good stuff? Because
YOU CAN'T TRUST THE SOFTWARE ON PUBLIC ACCESS SYSTEMS
(it was presumed that you could trust the hardware because the labs were monitored for tampering)
This isn't exactly the same thing, but I was using a Kodak Picture Maker kiosk the other day- and it had a history button! I saw the pictures I had just printed, the pictures my brother-in-law had printed a couple hours before, and somebody's wedding photo.
There was an option for deleting the pictures (which I did, even the wedding photo) but I had had no idea that the stuff was there in the first place. That's a bad feature... I'll still use the kiosks, though-- the pictures turn out much nicer than any inkjet.
(this was pre-boom)
He'd moved out here thinking that working in Fry's would be a good place to make connections and learn tech skills. He found out Fry's treats their employees like dirt, there's no reward for knowing your job, and if you are capable of answering customer questions, there were other places which would pay you more, so why not work there?
So what you end up with is people who don't have the skills to work anywhere better-paying. It's different now (it's amazing how many people at Fry's know what they're selling) but it won't last.
(And it's stupid on Fry's part too: how often back then did you see a trainee cashier with a trainer right behind him? Did it not occur to them that if they paid better, they could keep their cashiers beyond the training period, and only have to pay one person instead of two?)
Keystroke loggers are easily defeated by the use of one-time passwords. Just carry an S/Key app on your PalmPilot. Or even a paper list of encrypted OTPs in your wallet (someone would have to both steal your wallet and keylog your decode key).
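Several posts in this thread (the printed list of one-time passwords, the S/Key and PAM mention, and the wallet sheet just above) describe the same mechanism without showing it. The following is an added example, not code from any of those posts or from the S/Key project: a hash-chain OTP in the S/Key style, with a verifier that stores only the newest accepted value, a printable sheet, and the re-initialisation a user does when the sheet is lost. Real S/Key uses MD4/MD5 folded to 64 bits and a six-word encoding; this version folds SHA-256 to 8 bytes and prints hex, which is an assumption made for readability.

```python
"""S/Key-style one-time passwords from a hash chain (Lamport's scheme).

Added example, not code from any post in this thread or from S/Key itself.
p_0 = fold(H(seed || secret)), p_{i+1} = fold(H(p_i)). The server is given
p_n only; login i presents p_{n-1}, then p_{n-2}, ... Each accepted value
replaces the stored one, so a value captured by a keylogger is useless
afterwards: it was only ever valid once.
"""
import hashlib
import hmac

FOLD = 8  # bytes kept per step (assumed); comparable to S/Key's 64-bit folding


def step(value: bytes) -> bytes:
    """One hash step: p_{i+1} = fold(SHA-256(p_i))."""
    return hashlib.sha256(value).digest()[:FOLD]


def hash_chain(secret: bytes, seed: bytes, n: int) -> list:
    """Return [p_0, p_1, ..., p_n].

    The user keeps (or prints) p_{n-1} ... p_0; the server is given only p_n.
    """
    p = step(seed + secret)
    chain = [p]
    for _ in range(n):
        p = step(p)
        chain.append(p)
    return chain


def print_sheet(chain: list) -> list:
    """Wallet sheet lines, in the order they will be used: p_{n-1} first, p_0 last."""
    usable = chain[:-1]  # p_n stays on the server; it is not a password
    labels = range(len(usable) - 1, -1, -1)
    return [f"{i:3d}  {p.hex()}" for i, p in zip(labels, reversed(usable))]


class OtpServer:
    """What the verifier stores per user: the last accepted value and a counter."""

    def __init__(self, p_n: bytes, n: int):
        self.last = p_n
        self.remaining = n

    def login(self, candidate: bytes) -> bool:
        """Accept only the value that hashes to the stored one, then advance the chain."""
        if self.remaining == 0:
            return False  # chain exhausted: user must re-initialise with a new seed
        if not hmac.compare_digest(step(candidate), self.last):
            return False
        self.last = candidate
        self.remaining -= 1
        return True

    def reinitialise(self, secret: bytes, new_seed: bytes, n: int) -> list:
        """Lost wallet: start a fresh chain; every value on the old sheet becomes useless."""
        chain = hash_chain(secret, new_seed, n)
        self.last, self.remaining = chain[-1], n
        return chain
```

Two properties are worth checking against the discussion above. A replayed value fails because the server has already moved past it, and an out-of-order value fails because it does not hash to the stored one, so a stolen sheet is only useful for the entries the owner has not yet used, and `reinitialise` kills even those. What the chain does not protect is the session itself: on a terminal that is logging keystrokes, whatever the user does after logging in is still exposed.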
Actually, violet has the shortest wavelength of all colors, and the shorter the wavelength, the more the color gets scattered across the sky. Violet is scattered more than blue light. However, our eyes are much more sensitive to see blue than violet, therefore we see the sky as blue.
I'm really curious, probably mostly because I come from San Francisco, where if you call the cops and tell them there's been a car accident, they won't come unless you tell them someone's been injured.
Breakfast served all day!
His employer at work had installed keystroke loggers on the corporate equipment, and one of them logged all the keystrokes of a purchase he made at Amazon.com.
Unfortunately these keystroke logs weren't kept secure, and someone had apparently stolen these logs and sold the credit card info to thieves.
He didn't find out about the logging until he worked with IT to find out how his credit card number might have been compromised!
Until someone comes up with a cardswipe-trapper.
"R2D2, you know better than to trust a strange computer!"
Ignorance of the law is not an excuse; in ANY country. If I (an American) go to China and key a few cars, the law of that country demands I get caned. I can't expect to get a slap on the wrist and a $20 fine just because I'm an American. The law(s) may be different but the concept is the same: if common sense dictates your actions are wrong, there's probably a law against it. How much risk would YOU be willing to take in a foreign country?
[SIG] Remember Mattel handheld games?
Better idea: copy and paste characters to use in your username and password.
You fucking faggot.
Ok you have address, SSN of John Doe. You open up a Bank of America (BoA) account in his name.
Big deal. Now what? Transfer $1000 from Wells Fargo to BoA?? I think he'd notice that, and call up BoA and find out the fake account. Then BoA checks security tapes and you're arrested.
Let's say you're daring. Sign up for a new credit card using John Doe's SSN and address. What then? You have to have a phone number so the CC company can call you and you have to call them to verify if they actually send the card and you intercept it in John Doe's email.
So what phone do you use? You're screwed because the companies have logs of phone use, so you can't use your cell phone or home phone.
So tell me what's so important about having someone's SSN and address??
If you were to put the US at its most free, and set that as benchmark 100, and the RPC and it's least free, set that as 0. Then you could say that the US is at least a 95 and the RPC is a 10.
If you put the US at 100 and the PRC at 0, then the US is 100 and the PRC is 0. But you made these numbers up anyway, so they mean nothing. The statement of the previous poster that the US is getting more totalitarian and the PRC is getting less totalitarian is very true.
We still have protection from arbitrary arrest
Bzzzzzt! Wrong! We USED to have freedom from arbitrary arrest. These days the government can and does detain people indefinitely without charges and without access to attorneys or family. The government frequently will not even tell the families the person is being held. There is no evidence, only a "suspicion". There are secret trials where neither the defendants nor their defense attorneys are able to see the evidence against them, and the defendants are not able to face their accusers as guaranteed in the Constitution. If the government gets a judge who demands the defendants get their Constitutional rights, the government drops the charges, calls them an enemy combatant, and holds a secret military tribunal where defendants have no constitutional rights at all.
I used to be proud of America, but now we are a nation that tortures its prisoners, calling them enemy combatants and denying them any rights. Think I am making this up? US authorities frequently deprive prisoners of sleep for days, shine bright lights in their eyes, hang them from hooks so they have to stand on their toes for hours, and keep them in solitary confinement for weeks (the infamous prison camp "cooler").
And don't even get me started on the blood, electric shock, and screaming kind of torture. Maybe our people don't hold the knife, but they hand over the suspect to countries that will do it willingly and then use the information gained. How is that better? Why do you think so many prisoners are being held at "an undisclosed location overseas"?
Are you aware that the government just declared that Guantanamo Bay Naval Base is not American soil, and as a result US laws do not apply? As a result they are free to do whatever they want for as long as they want to the detainees held there without any nasty little legal or constitutional issues.
Last month I saw pictures in the news of families lined up outside a US government facility here in the US asking if their relatives were being held there by the Homeland Security department. Our great administration wouldn't even tell them yes or no. The US now has its own group of "disappeared": citizens who just vanish off the street, kidnapped by the government and held with no charges. They call them "material witnesses", but what a crock. I was ashamed for America.
Don't believe me? Here are two of many references...
http://www.jeanhay.com/COLUMNS/TRO
http://query.nytimes.com/gst/abstract.
And it's nearly impossible for me to be succesfully sued for libel....
What about the other side of that coin... what if your reputation is destroyed? Why is it good that it is almost impossible for you to correct that wrong by suing the perpetrator for libel? Libel is the publication of false, derogatory information. Explain to me again why not being able to correct that in the courts is a good thing?
You and a lot of others need to wake up and take a hard look at the direction the Bush administration is taking this country. Most of the things I was taught in grammar school that made this country great, that were GUARANTEED to us by the Constitution, are now gone.
Would you like an example where you do something in the USA which is perfectly legal there? Say you buy a gun and keep it in a safe in your US home, then you come to Russia and get arrested for illegal ownership of firearms.
It is exactly the reverse of the Sklyarov situation.
Or say you publish some historical work which concerns the origins of the Muslim religion. Then you come to Iran and are executed for heresy.
Where have you seen theft?
You shouldn't believe everything that is said in the mass media.
Sklyarov did the following:
1) Investigated the protection scheme of eBook and found a weakness there.
Reverse engineering and disassembling without vendor permission is explicitly allowed by Russian law in certain circumstances, for instance when it is the only way to make a legally bought program cooperate with your own program. Sklyarov's case fits this description.
2) He published information about the weakness he found on the internet. This falls under the freedom of speech rule Americans are so proud of.
It is essential to warn people who believed that the eBook format would help them protect their intellectual property (if they believe that such a thing exists) that this format is worthless.
Moreover, he warned Adobe. Adobe found it easier to sue him for disclosing this information than to fix the bug.
BTW, some protection schemes used in banks are equally worthless. Banks are trying to conceal this information because they think that fixing bugs is too expensive.
Speaking of ignorance of the law....
I don't think you know the penalty for keying cars in China.
The place I know where that was a punishment was in Singapore.
It was a theoretical......sheesh. So what IS the penalty in China?
[SIG] Remember Mattel handheld games?
I don't get your point; are you suggesting that just because someone is foreign to a specified region they are exempt from the law(s) of that region?
[SIG] Remember Mattel handheld games?