Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 differnet kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there's even sneakier things than just stealing one's cookies.

Some help, but not 100% effective

As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."

The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"

"Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.

Re:Out-of-order username & password entry

Curiously as you are using a mac-looking name, 2 of the most popular keystroke loggers for macs (when I used them, which was up until just before the OSX days) would take note of exactly this, and still get your password and your random typing as separate strings. I have no experience with PC loggers as I haven't investigated them since, I've learned to never trust a machine with details I couldn't afford to lose.

I used to use this exact same technique, then tried it on a couple of loggers I suspected. Some coders have too much time on their hands

RTA -- He did not sign up for GoToMyPC...

[Fallen+Kell]

Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC services, with which, actually controls your home PC. The person who's accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediatly knew that someone had gained access through the GoToMyPC service and contacted the authorities. That is how they caught him... Not him signing people up for GoToMyPC...

Re:Out-of-order username & password entry

[jmichaelg]

Under Windows, logging clicks isn't any harder than logging keystrokes. My macro program, mgSimplify uses the same dll to keep track of both events.

Instead of trying to be clever, you're probably better off not trusting a publically accessible computer.

Re:And this should surprise us?

[will_die]

You mean like this.
If I was to do this I would use one of the versions that uses a a private IRC channel to communcicate, that way you never have to go back to the machine again, yet can control it from almost anywhere with a lesser chance of being found.

More info on this case

[dki]

...can be found at SecurityFocus.

Keyboard Loggers...

[BJZQ8]

There are PS2-connector keyboard loggers sold in various places on the internet...although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords...It's just something you have to accept...that someone is probably watching, somewhere.

Re:And this should surprise us?

[Daniel+Rutter]

Woo! An excuse to pimp my old reviews of KeyGhost hardware key loggers!

Review one. Review two.

One time passwords?

[cras]

Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.

OP is wrong

[nochops]

The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.

No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.

Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtoipc flame-fest! Yay!

Re:Clarification Please!

[mblase]

Kinko's stores are ridiculously popular in the US, especially near colleges and universities. Photocopies and printing, many are open 24 hours, and they offer computer terminals for rent with graphics and publishing apps already installed. They're so common now that they're practically an entry in the dictionary.

What about hardware loggers?

[nochops]

This would stop a keylogger application, but not a hardware logger between the keyboard and PS2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.

Re:easy everything solution

[Henry+Pate]

I know one piece of software that does they, they used to use it at my high school, it worked pretty well. It's called Deep Freeze, you could do anything you wanted to the computer, and when you rebooted the system was back just the way it was before, with all software installed during the last session gone, everything. You can find it here