Slashdot Mirror


Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different Kinko's in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC and then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.

21 of 383 comments

  1. is this viable for a class-action lawsuit? by squarefish · · Score: 4, Interesting

    I used a NYC Kinko's during H2K2 last year on 7th Ave. I've been unable to find it now due to dilution of the story, but I found an online article the other day that said this had actually gone on for two years and that the person that discovered it had used a computer at one of their stores on 7th Ave, but they have two. I used the one at 500 N. 7th, store # 0961

    I called their customer support line on Wednesday as soon as I saw this article, and they said they didn't know anything about it; the person I spoke to called me back and said that their corporate office would get back to me by the end of the day.... I'm still waiting.

    I called the store directly last night and the manager, sounding like he was lying through his teeth, told me that they were absolutely not one of the stores.

    So, I'm very interested in knowing if this has class-action lawsuit potential since Kinko's was prosecuting this case and obviously had no intentions of notifying their customers of the risk they were at while using their store. If there is an existing lawsuit, how do I find it? Thanks!!!!

    --
    Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
  2. Re:Funny thing, the name... by TwistedGreen · · Score: 2, Interesting

    ...Kevin?

  3. Stupid users, Stupid Kinkos by jsailor · · Score: 5, Interesting

    You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)

    Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous user performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinko's to do as well. If you've been to a Kinko's in NY, you would know that the copy specialists in the stores are not maintaining the machines.

  4. Virtual keyboards by bogado · · Score: 4, Interesting

    Banks in Brazil are using virtual keyboards; they are a numeric pad that appears on the screen with the numbers in a random order and/or in a random position. You must then click the password with a mouse. Of course if you own the machine you can save the HTML and mouse clicks to analyse it later, but it makes the life of keyloggers harder.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  5. Am I the only one not surprised? by xThinkx · · Score: 5, Interesting

    I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, Kinko's, Office Max, internet cafes, etc., and think that a keystroke logger could be infinitely damaging.

    Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

    Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a ridiculous idea. I know this is beating a dead horse, but, do we let people drive a car or fly a plane without a license? Before you jump on my case I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some form of education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKOS!

    I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it

    --
    Let's get one thing perfectly clear, I did not vote for George W Bush, and I do not endorse what he does or says.
  6. Sloppy. by MImeKillEr · · Score: 4, Interesting

    When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.

    Whoever was doing support for Kinko's didn't do their job.

    Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?

    Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.

    --
    Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    1. Re:Sloppy. by MImeKillEr · · Score: 2, Interesting

      I'd be careful calling people sloppy if you aren't sure what safeguards they had in place.

      I'd say it's safe to assume that Kinko's didn't have anything in place to prevent this.

      It seems a little absurd to expect someone to walk around and physically inspect every cord on every computer several times a day. Do you do this for any/all computers you're in charge of?

      True, but if they took basic preventative measures like securing the CPU in such a way that the keyboard/mouse cables were inaccessible as well as software policies to prevent unauthorized installations or running unauthorized applications, then this wouldn't have occurred.

      And as such, their lack of preventative measures can be labeled sloppy.

      I really didn't have to check the systems to see if anyone put a hw logger on. The rooms the PCs were in were monitored by video camera (unfortunately, only after someone lifted procs and RAM from 6 systems). With the exception of the 'library', the room the systems were in was locked when not in use and only I, IT, and the cleaning staff had a key.

      The systems were locked down to prevent any unauthorized software installs. The software client agent's uninstaller was removed from add/remove, the program was hidden from taskmanager as well as from the systray. The client agent kept in constant contact with the server agent. If the system went down for any reason, I was notified and could trot over to investigate. For those in other states, a quick call to that site's IT manager got it looked into.

      I put case locks on each PC to prevent further hardware shrinkage. I put BIOS passwords to prevent unauthorized access to BIOS. Bypassing or resetting required a jumper to be moved on the mobo -- if the jumper wasn't on a particular set of pins, you couldn't reset the pw even if you managed to get into the BIOS, and since the case locks were installed this would only be possible by breaking the case.

      Once I took over, classroom uptime seriously increased. After I left the company I was told by a former coworker that the IT dept let the systems fall apart.

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    2. Re:Sloppy. by antv · · Score: 3, Interesting

      Good idea, but won't help in Kinko's case.
      They offer MS Word as a legitimate app. They let users open .doc files. There is a way for VB to export and invoke any win32 api function, including malloc() and CreateThread(). Therefore, a .doc file could be turned into keylogger.

      --
      Obama 2012: our incompetent asshole is slightly less of an incompetent asshole than the other incompetent asshole !
  7. Passwords are an obsolete form of authentication by Dratman · · Score: 5, Interesting

    Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from eBay and similar sites, which ask for passwords to be re-entered on a web site, illustrates that passwords are no longer an adequate form of security.

    The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.

    --
    Sigmund
  8. Re:What do people expect? by squaretorus · · Score: 4, Interesting

    99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal

    Are you sure? I've been sitting on a train as a guy opposite sat with his card on the table shouting the numbers into his mobile phone (he was ordering flowers for his wife - anniversary - £100 bunch - no ribbon - she hates ribbon - thinks it's a waste - and nothing with those really thick stems - she always complains about those too - and just put 'hey' on the card - yes - just 'hey'), gave his address for delivery, his postcode, his home and mobile numbers and his wife's name (Ruth - kind of an old-fashioned name I thought) and a few other bits. Practically enough to get a passport with!

    Maybe he was the 1%. So far as I could tell I was the only one logging all this info into a palm at the time tho - so no harm done!

  9. Re:Passwords are an obsolete form of authentication by teqo · · Score: 3, Interesting

    The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM.

    What you refer to is known as multi-factor authentication, IIRC. I agree that deploying authentication using the "need to have" and "need to know" dualism is way more secure than simple password authentication in principle. Besides that, the Kinko's incident suffers from the problem that a public terminal cannot be trusted, and it wouldn't be more trustworthy by adding a magnetic card reader, since that card reader again is under control of the untrusted terminal.

    The equivalent to key loggers in using card readers is card loggers. There is no big difference between logging confidential key strokes and confidential digital data while being read by the computer, so I think this does not add to the security of public terminals at all.

    What probably would help is

    • One Time Passwords that by design don't allow for password stealing and reusage, or
    • some device that works like the infamous SecurID cards, which basically take the one time password burden from the user and put it into a small smart device that generates and/or remembers them for you

    Both techniques still don't help against Woman-in-the-Middle or hijacking attacks, because they still have to trust the terminal device to transmit the authentication data in a manner the user intended it to.

    This brings me to the question: Can anybody think up a way to use inherently untrustworthy public terminals in a trusted manner? How can you make the terminal transport sensitive data in a secured way? Any ideas?

    The most promising answer to this problem for the paranoid (read: "sensible") roaming internet user seems to be to bring your own network-enabled devices, and find a way to connect them to the Net, for example through public WLAN hotspots. Then you can choose your own method to secure the data path, knowing that the end device is trustworthy because it is under your control (provided you run software and hardware that in fact can be considered trustworthy, for some profound reason, but that is another story I guess...)

  10. easy everything solution by straybullets · · Score: 5, Interesting

    last time i went to an easyeverything cybercafe i noticed that on logout the pc would reboot and re-install a fresh image of the whole os on the disk. I think it got the image from the network but i can't recall what software they used to do it (it had a strange name)...

    Of course it takes some more time at rush hour (like 10-20 min) but they have lots of pcs so ...

    and also, too bad for installing key loggers then ..

    --
    With that aggravating beauty, Lulu Walls.
  11. From a Kinko's employee by catfishmonkey · · Score: 5, Interesting

    I'm a manager at Kinko's.
    You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc. are left every day.
    Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".

    What a world.

    --
    The horse is dead. Either fuck it or walk away, but please stop beating it.
  12. Re:What do people expect? by JaredOfEuropa · · Score: 2, Interesting

    "It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly."

    Banks should know better as well. Over here, banks are liable to some extent when a customer's online account is hacked or accessed illegally. That is why all banks go to some lengths to prevent simple password sniffers from gaining access to online banking services. They all use some sort of challenge-response system with a small device that turns the challenge into the response. The device issued by my bank requires me to insert my ATM card into it and enter the PIN before it will work. Verifying the PIN and the challenge/response mapping is actually done by the chip on the ATM card. So, I don't have any qualms about accessing my bank account from a dodgy web cafe.

    90% of security concerns deal with the human factor. Security and systems engineers are the ones to decide what to secure, how to secure it, and when to allow remote access. The average user cannot be trusted to make these kinds of decisions.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  13. Re:I am typing this now from a Kinkos by BitchHead · · Score: 4, Interesting

    I worked at a Kinko's as a second job for a brief stint, and while I'll agree with you on the wages, I can't say as much for the training that most employees receive. The general guidelines that are given to employees are that the self-serve machines are just that: Self-serve. Don't spend a lot of time trying to explain things on the machines. If someone wants a job done, and can't figure it out on the self-serve machines, they can get it done behind the counter. The same rule holds true for the computers. It's part of the self-serve area. Help people only to the extent of not being discourteous, but the copy associates are not there to tell people how to work their email or perform tasks on Photoshop.
    The majority of the training goes into learning how to work the supplementary process machines (folders, tape and coil binders, bookletizers, etc.) because those are the large batch jobs that bring in the most money. Very few employees, depending on the location and the shift, will actually know how to set up specialized features on the large DocuCenter machines. Day shifters and second shifters will typically run the small batch jobs that need to get out that day, and leave the rest of the work for the night shift. If you want the job done right, bring it there at 3am for a morning pickup. The night shift is usually only 2 people, many times just one (as was the case when it was my shift) and they need to know how to work everything in the shop.
    The computers, however, are not upkept by the individual branch employees. There are regional network engineers who do the initial installation at a branch. After that, there is a Kinko's central hub help desk to take care of any questions that the manager/employees have, and a central station for remote administration of branch networks for a region. The managers are expected to be able to follow a colour coded wall chart in the network closet if they want to move equipment or add machines. Ours was an absolute nightmare. Serious technicolour spaghetti, and totally misconnected according to the wall chart. The managers and employees receive zero training on any network essentials, so don't expect them to know anything about security measures. The manager at the branch I worked at couldn't tell you the difference between a keystroke logger and a timber logger.

  14. Tinfoil Hat Linux by mikeee · · Score: 3, Interesting

    Tinfoil Hat Linux is designed for just such a case. Boots off a CD-ROM, randomized keyboard for password entry, tempest-resistant fonts, PGP encryption and decryption (also of random files, in the background, to thwart timing attacks), and in a pinch "output console text to keyboard LEDs in morse code" mode.

  15. Re:we can be reassured.... by lfourrier · · Score: 2, Interesting

    according to m-w.com:
    irony :
    2 a : the use of words to express something other than and especially the opposite of the literal meaning
    sarcasm : 2 a : a mode of satirical wit depending for its effect on bitter, caustic, and often ironic language that is usually directed against an individual

    according to: http://humanities.byu.edu/rhetoric/Figures/I/irony.htm
    irony : Speaking in such a way as to imply the contrary of what one says, often for the purpose of derision, mockery, or jest.
    http://humanities.byu.edu/rhetoric/Figures/S/sarcasmus.htm
    sarcasm : Use of mockery, verbal taunts, or bitter irony.

    so I used irony, but was it sarcasm ?
    I understand that what seems to characterise sarcasm is bitterness. But I was targeting the +1 funny, not the +1 bitter, so I sure can affirm it was intended as irony, not sarcasm ;)

    (and according to my experience, I should get some +1 interesting, even if I'm completely off-topic (those I'm quite sure to get also). Now, commenting on the moderation system is also a quite certain means to get some -1 troll)

  16. S/Key OTP by mackman · · Score: 3, Interesting

    After standing at the public terminals at a security conference and thinking to myself, "I must be an idiot for typing my password into these", I investigated some one time password (OTP) alternatives. Back in the telnet days, people used S/Key to keep from sending re-usable passwords in the clear. Basically, it sends you a challenge, you type it and your password into your Palm, and type the generated one time password into the computer. If you're Palm-less or lazy, you can print a sheet of your next 100 OTPs and keep it in your wallet. If your wallet gets stolen, just login to your box and you can invalidate those 100 passwords and print a new sheet. It's a lot easier than reporting your credit cards stolen.
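    Comments 9 and 16 describe one-time passwords and S/Key in prose only; the following is an added example (my code, not the poster's and not the original S/Key source) of the hash-chain mechanism behind them: the server stores only the current chain head, the user answers the (sequence, seed) challenge, a logged OTP cannot be replayed, and re-enrolling with a new seed is how a stolen printed sheet gets invalidated. It assumes SHA-256 truncated to 64 bits in place of S/Key's MD4 fold, and the passphrase and seed are constructed values.

```python
"""S/Key-style one-time passwords as a Lamport hash chain (added example)."""
import hashlib
import hmac

# Constructed values for the demo; not from the article or the thread.
PASSPHRASE = "correct horse battery"
SEED = "kn0961"


def _h(data: bytes) -> bytes:
    """One chain step. Real S/Key folds MD4 to 64 bits; truncating
    SHA-256 to 8 bytes is an assumption made here to keep OTPs short."""
    return hashlib.sha256(data).digest()[:8]


def otp_at(passphrase: str, seed: str, sequence: int) -> bytes:
    """What the user's Palm (or printed sheet) produces for the challenge
    (sequence, seed): the hash applied `sequence` times to passphrase||seed."""
    value = (passphrase + seed).encode()
    for _ in range(sequence):
        value = _h(value)
    return value


def otp_sheet(passphrase: str, seed: str, first: int, count: int) -> list[tuple[int, str]]:
    """The 'next N passwords' a user prints: sequences first, first-1, ..."""
    return [(s, otp_at(passphrase, seed, s).hex())
            for s in range(first, max(first - count, 0), -1)]


class SKeyVerifier:
    """Server side. Stores only h^sequence(...), never the passphrase."""

    def __init__(self, seed: str, sequence: int, stored: bytes):
        self.seed, self.sequence, self.stored = seed, sequence, stored

    @classmethod
    def enroll(cls, passphrase: str, seed: str, chain_length: int) -> "SKeyVerifier":
        # Done once over a trusted channel. Also how a user 'invalidates' a
        # stolen sheet: re-enroll with a fresh seed and the old values are dead.
        return cls(seed, chain_length, otp_at(passphrase, seed, chain_length))

    def challenge(self) -> tuple[int, str]:
        """Sent to the user in the clear, exactly as S/Key did over telnet."""
        return self.sequence - 1, self.seed

    def verify(self, response_hex: str) -> bool:
        if self.sequence <= 1:
            return False  # chain exhausted; the user must re-enroll
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        # Accept only the immediate predecessor of the stored value. A logged
        # OTP hashes to the *previous* stored value, so a replay fails here.
        if not hmac.compare_digest(_h(response), self.stored):
            return False
        self.sequence -= 1
        self.stored = response
        return True


if __name__ == "__main__":
    server = SKeyVerifier.enroll(PASSPHRASE, SEED, 100)
    seq, seed = server.challenge()
    otp = otp_at(PASSPHRASE, seed, seq).hex()
    print("login:", server.verify(otp), "replay:", server.verify(otp))
```

    As comment 9 points out, this stops a logged password from being reused but does nothing about a compromised terminal abusing the session it has just opened.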

  17. Don't use Kinko's machines... use your own! by gregwbrooks · · Score: 3, Interesting
    Gotta agree that using any of the public machines at Kinko's is a fool's errand. OTOH, if you drag your laptop in, many of them have "laptop printing stations" with DHCP and a pipe out to the Internet.

    In a Kinko's that doesn't have laptop stations? You can usually unhook the ethernet cable from one of their pay-for-use machines and use the connection yourself for no charge, as long as it's not busy.

    Why would anyone bother? Well, it's a (relatively) fast connection, and an IP address no one can trace back to you because you didn't pay for it and all the cameras at Kinko's (last time I checked) are pointed at the registers rather than the computers.

    I'd think the warez/Kazaa/terrorist crowds would find that plenty useful.

    --
    "It was a summer's tale: Just a boy, his Linux, and a head full of dreams..."
  18. kodak picture maker history by rottcodd · · Score: 2, Interesting

    This isn't exactly the same thing, but I was using a Kodak Picture Maker kiosk the other day- and it had a history button! I saw the pictures I had just printed, the pictures my brother-in-law had printed a couple hours before, and somebody's wedding photo.

    There was an option for deleting the pictures (which I did, even the wedding photo) but I had had no idea that the stuff was there in the first place. That's a bad feature... I'll still use the kiosks, though-- the pictures turn out much nicer than any inkjet.

  19. Who did he call? by PCM2 · · Score: 2, Interesting
    The person whose accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediately knew that someone had gained access through the GoToMyPC service and contacted the authorities.
    I'll bite -- who are these "authorities"? Just curious ... so here I am, sitting at home in front of my computer, I've got my bag of corn nuts on one side and my 40 oz. of Olde English 800 on the other ... and my cursor starts moving by itself. OK, I establish that somebody is using my computer via GoToPC (I've never used this software, not really sure how it works) -- who do I call?

    I'm really curious, probably mostly because I come from San Francisco, where if you call the cops and tell them there's been a car accident, they won't come unless you tell them someone's been injured.

    --
    Breakfast served all day!