Kinko's Spy Case Illustrates Public Terminal Risk
tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different Kinko's in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC, then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.
I believe it's a photocopying/printing shop.
Don't quote me on that though.
The article is from AP, not CNN.
It's a good question, actually.
Google finds quite a lot. My guess is it's http://www.kinkos.com/:
Document Solutions - Done Right, Anytime, Anywhere
Core Values
1. Alignment and accountability: We accept responsibility for our actions. We make and support business decisions through experience and good judgment.
2. Customer Service Excellence: We are dedicated to satisfying customer needs and honoring commitments that we have made to them.
3. Teamwork: Our team is supportive of each other's efforts, loyal to one another, and care for each other both personally and professionally.
4. Balance: We are flexible, helping team members strike a healthy work and life balance.
5. Community and environment: We strive to help and improve the communities where we work and live. We are concerned about the environment and promote the use of recyclable products and renewable energy.
6. Integrity: We act with honesty and integrity, not compromising the truth.
7. Passion for results: We show pride, enthusiasm and dedication in everything that we do. We are committed to selling and delivering high quality products and services.
8. Respect: We treat our team members, customers, partners and suppliers with mutual respect and sensitivity, recognizing the importance of diversity. We respect all individuals and value their contributions.
9. Open Communication: All team members are encouraged to openly share their opinions and views.
Kinko is the brand name of the shop that these computers were based in.
Photocopying, document printing, and some have public access Internet terminals (for a fee).
As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."
The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"
"Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.
Curiously, as you are using a Mac-looking name, 2 of the most popular keystroke loggers for Macs (when I used them, which was up until just before the OSX days) would take note of exactly this, and still get your password and your random typing as separate strings. I have no experience with PC loggers as I haven't investigated them since; I've learned to never trust a machine with details I couldn't afford to lose.
I used to use this exact same technique, then tried it on a couple of loggers I suspected. Some coders have too much time on their hands
Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC service, which actually controls your home PC. The person whose accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediately knew that someone had gained access through the GoToMyPC service and contacted the authorities. That is how they caught him... Not him signing people up for GoToMyPC...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Instead of trying to be clever, you're probably better off not trusting a publicly accessible computer.
You mean like this.
If I was to do this I would use one of the versions that uses a private IRC channel to communicate; that way you never have to go back to the machine again, yet can control it from almost anywhere with a lesser chance of being found.
This is why secure operating systems use an SAK, system attention key. Windows NT and its brethren require you to press ctrl-alt-del to log in because that key sequence cannot be trapped by an application (though there are other problems with the NT logon process unrelated to the three-fingered salute). Linux has an SAK too; unfortunately, it's only available through the kernel magic debug keys by default (alt-sysrq-k if you have magic keys enabled) - the SAK under Linux will kill all programs on the current TTY, thus forcing init to spawn you a fresh login process which, assuming the system is otherwise secure, is not going to steal your password. Some *nix terminals actually have a key labelled 'SAK' on their keyboards.
Torne
...can be found at SecurityFocus.
There are PS/2-connector keyboard loggers sold in various places on the internet... although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords... It's just something you have to accept... that someone is probably watching, somewhere.
He didn't. He installed a hardware keylogger in line in the keyboard socket.
South African users recently got nailed by a similar type of scam. Check out http://www.news24.com/News24/Finance/Companies/0,,2-8-24_1390144,00.html for more detail.
Review one. Review two.
Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.
Do they allow you to reboot the machines?
The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.
No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.
Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtopic flame-fest! Yay!
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Kinko's stores are ridiculously popular in the US, especially near colleges and universities. Photocopies and printing, many are open 24 hours, and they offer computer terminals for rent with graphics and publishing apps already installed. They're so common now that they're practically an entry in the dictionary.
At Cornell, the machine would just wipe its hard disk and reimage over the network after the last user walked out. I can't believe this isn't a standard feature for public terminals by now...
This would stop a keylogger application, but not a hardware logger between the keyboard and the PS/2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.
What is a Kinkos????
My first thought was like "Huh? Kino Kiosk?", because that's what it sounds like to me, but if you check out http://www.kinkos.com/ you can see that they offer a service where they print and ship documents (or photos) for you. Apparently they have a set of terminals around in the US where you may log on to, download and e-mail them your documents, and pay by credit card.
www.6502asm.com - Code 6502 assembly or.. DIE!!
I've been seeing many frustrated customers here at Kinko's in this regard. It is surprising how many don't know about thumb drives. The Dell black boxes they have here even have USB ports accessible on the front... not sure which version. As for big jobs, one can go to http://weborder.kinkos.com/ and upload files there. They can also use the Print2Kinkos service, 1-800-2-kinkos, for quick service with a LIVE customer rep.
Ah, thank goodness for one time passwords. For work, I have what we call an 'Enigma' which is a little device that you enter a PIN into and it spits out an 8 character password for you to log in with. Enter a wrong PIN three times and you get locked out of the Enigma. It's great because between SSH or SSL web sites and one time passwords, you don't need to worry about people key logging, sniffing, or even looking over your shoulder while typing in a password. The only problem is I basically bring mine wherever I go, should I need to login.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
The solution to this problem is well-known: use one-time passwords. You can travel with a printed list of passwords, each to be used only once. There are probably some packages for Linux that support this.
More sophisticated versions are challenge-response systems or time-based systems like SecurID, but they require extra hardware and don't give you any extra security.
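The printed one-time-password list described in the two comments above is the Lamport / S/Key hash-chain scheme. The code below is an added illustration, not from the thread or from any named package; it assumes SHA-256 as the chain function (classic S/Key folded MD4/MD5 to 64 bits) and constructs its own seed. The server keeps only the last accepted link, so a logged password is worthless once used, and a skipped line on the sheet is tolerated because the verifier hashes across the gap.

```python
import hashlib
import hmac

# Added example of a Lamport / S/Key-style hash-chain one-time-password list.
# SHA-256 as the chain function is an assumption; classic S/Key used a folded
# MD4/MD5. Seeds used in the tests are constructed, not real credentials.

def _step(value: bytes) -> bytes:
    """One link of the chain: H(value)."""
    return hashlib.sha256(value).digest()

def generate_chain(seed: bytes, count: int):
    """Return (passwords, anchor).

    passwords is a list of (seq, value) in the order the user consumes them:
    seq count-1 first, down to seq 0, where value = H^seq(seed).
    anchor = H^count(seed) is the only thing the server needs to store."""
    links = [seed]
    for _ in range(count):
        links.append(_step(links[-1]))
    passwords = [(seq, links[seq]) for seq in range(count - 1, -1, -1)]
    return passwords, links[count]

def printed_sheet(passwords) -> str:
    """Render the list for printing; each line gets crossed off after use."""
    return "\n".join(f"{seq:3d}  {value.hex()}" for seq, value in passwords)

class Verifier:
    """Server side: keeps only the last accepted value and its sequence number."""

    def __init__(self, anchor: bytes, count: int):
        self.value = anchor
        self.seq = count

    def verify(self, seq: int, candidate: bytes) -> bool:
        # Valid only if the candidate is earlier in the chain than the last
        # accepted link (so a captured password cannot be replayed) and hashing
        # it (self.seq - seq) times reproduces the stored value. Skipped entries
        # on the sheet are fine because the gap is hashed over.
        if not 0 <= seq < self.seq:
            return False
        v = candidate
        for _ in range(self.seq - seq):
            v = _step(v)
        if not hmac.compare_digest(v, self.value):
            return False
        self.value, self.seq = candidate, seq
        return True
```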
The short answer: It's a photocopy store.
The better answer: It's like a business office you can rent by the hour.
I think they started doing "just photocopying jobs," but they'll also print large glossy posters and other stuff too. They have basically offices for rent -- you can videoconference from a Kinkos, and you can use computers to access the Internet, etc.
After all, let's say they've locked down the system so no applications can be installed and nothing software or operating system-related can be changed on the computer. Exactly how does this stop someone from installing keystroke logging hardware? Most require no software installation.
It seems a little absurd to expect someone to walk around and physically inspect every cord on every computer several times a day. Do you do this for any/all computers you're in charge of?
I work in a public library, teaching basic computer skills to the general public. (Yes, I drink heavily.) We have over forty public computers and maybe two people around at any given time. We have the computers locked down so nothing can be installed, and we're aware of the keylogging hardware issue and occasionally check all the machines, but I certainly can't swear that no one has managed to snap one on, give it a few hours, and then take it back.
Frankly, the only way I can see to completely avoid this would be to have very well educated patrons who take evasive action when entering passwords and information and who physically check a machine before sitting down. Since I can't get patrons to use print preview consistently, I'm not going to hold my breath.
I know one piece of software that does that; they used to use it at my high school, and it worked pretty well. It's called Deep Freeze. You could do anything you wanted to the computer, and when you rebooted the system was back just the way it was before, with all software installed during the last session gone, everything. You can find it here
Si Hoc Legere Scis Nimium Eruditionis Habes
Every time passwords get mentioned on Slashdot, I say they suck, with little to no moderation. Regarding the lack of standard protocols and software packages, try:
Multos
EMV (Europay-Mastercard-Visa) Specifications
JavaCard
OpenCard
PC/SC Workgroup
Standards Committees and Standards Related to Smart Cards
I attended the 10th annual smartcard convention in 1999, yet have not seen a smartcard outside of the places I used to work programming them. Maybe it's time... The cards then were 1 or 2 dollars and the readers were about 6 or 7, hardly an expensive peripheral on your computer.
Let me reiterate. Passwords have nothing to do with authentication; they only say that someone knows your password. Even having a magstripe card at least says that you know a password and were able to obtain physical access to the card. The best is a biometric reader with a smartcard. I think bioreaders are about 50 dollars.
Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user, so even if the previous user performed some evil, the next user gets a new system free of any malware.
That works great, unless the Bad Person has installed a hardware keylogger. They are pretty cheap these days ... as low as $80.
Some neat features of this gadget:
* Records more than 130,000 keystrokes
* 64K of non-volatile memory. Now with 128K memory ($100)!
* It is Portable - move it from computer to computer.
* Installs in seconds - Just plug it in.
* Uses no system resources. Truly runs in the background.
* Works with all PC Operating Systems with PS/2 keyboards.
* Data is retained even during system lock-ups and power outages.
Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive).
Won't help you against hardware loggers.
Do you really check that the keyboard cable plugs directly into the keyboard socket on the motherboard on each public machine that you use?
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Having worked at a Kinko's (not the NYC locations) I can say with a fair degree of authority that the people at the stores are the ones that maintain the equipment. There is Regional level support, but that's almost entirely for having them come to fix broken boxes. Granted the most any coworker is expected to do is simply reimage a machine and make some minor changes (add whatever printers are at the location). They aren't expected to actually know much of anything.
Additionally, I believe that while this story broke recently, Kinko's was aware of the problem, having rolled out new "security" initiatives near the beginning of the year (around February - March) that included specific instructions to look for WAPs, keyloggers and other non-Kinko's gear in the rental computer area.
While I agree that it's not all that intelligent to do anything of a sensitive nature on a public access machine, there are a _lot_ of people that do that sort of thing. More frightening is the number of Passports, Drivers Licenses, Social Security Cards along with the usual array of Mastercard, Visa and AMEX cards that get left on, near or around the copy machines.
I'm not sure that the system that they use for workstation security and the new "Express Pay" would work well with constant reboots (or some of the fairly ancient equipment you can still find in branches).