Slashdot Mirror


Kinko's Spy Case Illustrates Public Terminal Risk

tealwarrior writes "CNN reports in this story that a hacker by the name of Jiang was charged with installing keystroke loggers to record passwords in 14 different kinkos in New York. These were then used to open bank accounts online. The article mentions Jiang signing people up for accounts with GoToMyPC and then using their own machine to open bank accounts. Also mentioned are similar schemes perpetrated at Boston College." Be careful out there, folks. Sometimes there are even sneakier things than just stealing one's cookies.

89 of 383 comments

  1. Funny thing, the name... by jkrise · · Score: 3, Funny

    Sometime back, Passport passwords were hacked: Muhammed from Pakistan.

    Adobe's eBook reader was cracked: Sklyarov.

    and now, Jiang.

    Why isn't it Rob or Pete or Chris, ever??

    -

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Funny thing, the name... by TwistedGreen · · Score: 2, Interesting

      ...Kevin?

    2. Re:Funny thing, the name... by mirko · · Score: 2, Funny

      Or perhaps it's an attack on the US by people who don't love freedom :)-

      Do you mean "whatever formerly related to the France" ? ;-)

      --
      Trolling using another account since 2005.
    3. Re:Funny thing, the name... by aziraphale · · Score: 4, Insightful

      Well, to be fair, Muhammed and Jiang are two of the more common names in the world, simply by weight of population...

      More interesting question: why is it never Amy, or Meiying, or Fatimah?

    4. Re:Funny thing, the name... by digidave · · Score: 2, Funny

      They seem to be smart enough to avoid you.

      --
      The global economy is a great thing until you feel it locally.
    5. Re:Funny thing, the name... by overunderunderdone · · Score: 2, Insightful

      As a rule, most folks who get arrested, sued, punished and publicised are from countries regarded as anti-US during the cold-war, at any rate.

      Pakistan?!? What kind of history do they teach at your school?

  2. Clarification Please! by rat7307 · · Score: 3, Insightful

    For us non-US'ers:

    What is a Kinkos????

    Thanks!

    --
    Burma?
    1. Re:Clarification Please! by Jellybob · · Score: 2, Informative

      I believe it's a photocopying/printing shop.

      Don't quote me on that though.

    2. Re:Clarification Please! by lewiz · · Score: 3, Informative

      It's a good question, actually.

      Google finds quite a lot. My guess is it's http://www.kinkos.com/:

      Document Solutions - Done Right, Anytime, Anywhere

      Core Values

      1. Alignment and accountability: We accept responsibility for our actions. We make and support business decisions through experience and good judgment.
      2. Customer Service Excellence: We are dedicated to satisfying customer needs and honoring commitments that we have made to them.
      3. Teamwork: Our team is supportive of each other's efforts, loyal to one another, and care for each other both personally and professionally.
      4. Balance: We are flexible, helping team members strike a healthy work and life balance.
      5. Community and environment: We strive to help and improve the communities where we work and live. We are concerned about the environment and promote the use of recyclable products and renewable energy.
      6. Integrity: We act with honesty and integrity, not compromising the truth.
      7. Passion for results: We show pride, enthusiasm and dedication in everything that we do. We are committed to selling and delivering high quality products and services.
      8. Respect: We treat our team members, customers, partners and suppliers with mutual respect and sensitivity, recognizing the importance of diversity. We respect all individuals and value their contributions.
      9. Open Communication: All team members are encouraged to openly share their opinions and views.

    3. Re:Clarification Please! by volsung · · Score: 3, Informative

      Photocopying, document printing, and some have public access Internet terminals (for a fee).

    4. Re:Clarification Please! by rat7307 · · Score: 2, Funny

      That's what I thought too... they used a lowercase k so I was thinking kinko=pervert or something..

      Jiang was charged with installing keystroke loggers to record passwords in 14 different kinkos in New York.

      Make that statement seem so much worse if you saw it like I did.... :]

      --
      Burma?
    5. Re:Clarification Please! by mblase · · Score: 4, Informative

      Kinko's stores are ridiculously popular in the US, especially near colleges and universities. Photocopies and printing, many are open 24 hours, and they offer computer terminals for rent with graphics and publishing apps already installed. They're so common now that they're practically an entry in the dictionary.

    6. Re:Clarification Please! by skurk · · Score: 2, Informative

      What is a Kinkos????

      My first thought was like "Huh? Kino Kiosk?", because that's what it sounds like to me, but if you check out http://www.kinkos.com/ you can see that they offer a service where they print and ship documents (or photos) for you. Apparently they have a set of terminals around in the US where you may log on to, download and e-mail them your documents, and pay by credit card.

      --
      www.6502asm.com - Code 6502 assembly or.. DIE!!
    7. Re:Clarification Please! by Jester99 · · Score: 2, Informative

      The short answer: It's a photocopy store.

      The better answer: It's like a business office you can rent by the hour.

      I think they started doing "just photocopying jobs," but they'll also print large glossy posters and other stuff too. They have basically offices for rent -- you can videoconference from a Kinkos, and you can use computers to access the Internet, etc.

  3. What do people expect? by fadeaway · · Score: 4, Insightful

    Why would anyone consider using public access points to access private/secure data? That's just asking for trouble.

    It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly.

    1. Re:What do people expect? by squaretorus · · Score: 4, Interesting

      99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal

      Are you sure? I've been sitting on a train as a guy opposite sat with his card on the table shouting the numbers into his mobile phone (he was ordering flowers for his wife - anniversary - £100 bunch - no ribbon - she hates ribbon - thinks it's a waste - and nothing with those really thick stems - she always complains about those too - and just put 'hey' on the card - yes - just 'hey') gave his address for delivery, his postcode, his home and mobile numbers and his wife's name (Ruth - kind of old fashioned a name I thought) and a few other bits. Practically enough to get a passport with!

      Maybe he was the 1%. So far as I could tell I was the only one logging all this info into a palm at the time tho - so no harm done!

    2. Re:What do people expect? by JaredOfEuropa · · Score: 2, Interesting

      "It's amazing. 99% of people have the sense not to give out their CC # over a payphone in a crowded bus terminal. Online Banking however, why not. Silly."

      Banks should know better as well. Over here, banks are liable to some extent when a customer's online account is hacked or accessed illegally. That is why all banks go to some lengths to prevent simple password sniffers from gaining access to online banking services. They all use some sort of challenge-response system with a small device that turns the challenge into the response. The device issued by my bank requires me to insert my ATM card into it and enter the PIN before it will work. Verifying the PIN and the challenge/response mapping is actually done by the chip on the ATM card. So, I don't have any qualms about accessing my bank account from a dodgy web cafe.

      90% of security concerns deal with the human factor. Security and systems engineers are the ones to decide what to secure, how to secure it, and when to allow remote access. The average user cannot be trusted to make these kinds of decisions.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
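An added example, not code from the thread or from any bank, that models the card-reader scheme JaredOfEuropa describes: the server issues a single-use challenge, the device checks the PIN locally and derives the response from a secret shared only between the card chip and the bank, and the server accepts each challenge once. Everything the keylogger on the public PC sees (challenge and response) is useless afterwards. The secret, PIN, user name, class names and the response format (8 digits from a truncated HMAC-SHA256) are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def compute_response(card_secret, challenge):
    """Response = 8 decimal digits taken from HMAC-SHA256(secret, challenge).

    The truncation mirrors OTP tokens; the exact format a real reader uses is
    not in the thread and is an assumption here.
    """
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


class CardReader:
    """The hand-held device. The secret never leaves it; the PIN is checked
    by the device (in the real scheme, by the chip on the ATM card)."""

    def __init__(self, card_secret, pin, max_failures=3):
        self._secret = card_secret
        self._pin = pin
        self._failures = 0
        self._max_failures = max_failures

    def respond(self, pin, challenge):
        if self._failures >= self._max_failures:
            return None                      # card locked after repeated bad PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failures += 1
            return None
        self._failures = 0
        return compute_response(self._secret, challenge)


class BankServer:
    """Knows the same secret as the card chip; hands out single-use challenges."""

    def __init__(self, card_secret):
        self._secret = card_secret
        self._outstanding = {}               # challenge -> user

    def issue_challenge(self, user):
        challenge = secrets.token_hex(4)     # 8 hex chars the user keys into the reader
        self._outstanding[challenge] = user
        return challenge

    def verify(self, challenge, response):
        # The challenge is consumed on first use, whether or not it verifies,
        # so a captured challenge/response pair cannot be replayed.
        if self._outstanding.pop(challenge, None) is None:
            return False
        expected = compute_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def login_from_untrusted_terminal(server, reader, user, pin, keylog):
    """One login. Everything typed at the public PC lands in `keylog`;
    the PIN is typed into the reader, so it does not."""
    challenge = server.issue_challenge(user)
    response = reader.respond(pin, challenge)
    if response is None:
        return False
    keylog.extend([challenge, response])
    return server.verify(challenge, response)


def replay_captured(server, keylog):
    """The attacker later feeds the captured challenge/response back to the bank."""
    challenge, response = keylog[-2], keylog[-1]
    return server.verify(challenge, response)


def demo():
    card_secret = secrets.token_bytes(16)   # constructed; provisioned to card and bank
    server = BankServer(card_secret)
    reader = CardReader(card_secret, pin="1234")
    keylog = []
    first = login_from_untrusted_terminal(server, reader, "alice", "1234", keylog)
    replayed = replay_captured(server, keylog)
    return first, replayed                   # (True, False)
```

The point the comment makes shows up in `demo()`: the genuine login succeeds, the replay of the very same keystrokes fails, and nothing typed at the terminal lets an attacker answer a fresh challenge.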
  4. is this viable for a class-action lawsuit? by squarefish · · Score: 4, Interesting

    I used a NYC Kinko's during H2K2 last year on 7th Ave. I've been unable to find it now due to dilution of the story, but I found an online article the other day that said this had actually gone on for two years and that the person that discovered it had used a computer at one of their stores on 7th Ave, but they have two. I used the one at 500 N. 7th, store # 0961

    I called their customer support line on Wednesday as soon as I saw this article, and they said they didn't know anything about it- the person I spoke to called me back and said that their corporate office would get back to me by the end of the day.... I'm still waiting.

    I called the store directly last night and the manager, sounding like he was lying through his teeth, told me that they were absolutely not one of the stores.

    So, I'm very interested in knowing if this has class-action lawsuit potential since Kinko's was prosecuting this case and obviously had no intentions of notifying their customers of the risk they were at while using their store. If there is an existing lawsuit, how do I find it? Thanks!!!!

    --
    Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
    1. Re:is this viable for a class-action lawsuit? by Anonymous Coward · · Score: 3, Funny

      yep, you went to the hacked store. Jiang says your password was "lutefisk" but fortunately you only used it to access nude pictures Cowboy Neal.

    2. Re:is this viable for a class-action lawsuit? by Anonymous Coward · · Score: 2, Insightful

      I dunno, do you keep track of your finances? If you balance your checkbook, occasionally check your credit rating (which shows open accounts), etc, you would have some clue whether or not you were affected.

      If you don't do the above, why should Kinko's clean up your mess for you?

    3. Re:is this viable for a class-action lawsuit? by DoubleD · · Score: 2, Insightful

      Please tell me you are not just looking for a class action lawsuit because you smell easy money.

      Take some responsibility for your own actions and think this through. Were you actually harmed by this? If not, what makes you think you are entitled to compensation? Do not say emotional distress please or try the RIAA method of valuation inflation. If you were harmed by this then read all the other comments here about being smart with your sensitive information. Then decide if Kinkos is responsible for loss or just another victim.

      The system is screwed up enough with all the lawsuits flying back and forth, save them for when you really need it.

      --
      "He is no fool who gives what he cannot keep in order to gain what he cannot lose."
    4. Re:is this viable for a class-action lawsuit? by squarefish · · Score: 2, Funny

      The reason I'd like to see them get sued is because they knew that this had happened and made zero effort to contact their customers who may have been affected by this ASAP- I really feel that this type of disclosure is their responsibility and I'm insulted that I had to find out about it via public news sources when they hadn't even notified their customer service reps about the possibility of inquiries regarding this.

      This is not a situation I wanted to be in, but I was in NY for the conference and considered the network security at h2k2 to be considerably worse- it was much more of a known risk, fresh password lists were being posted on boards every day.

      With Kinko's being a paid service, I would expect a higher quality of service. If you go to a restaurant and they serve you the wrong food, you get them to correct it right away. If you go to the dry cleaners and your clothes come out worse, you make them cover it. It's a quality of service issue. In this case I would expect to be notified ASAP by a company that I paid and trusted the service of, even if the discovery of the issue came up a year later. I don't know if I've been affected by this or not because they haven't disclosed the particular stores or dates involved, and in my opinion they should have been required to do so.

      So, to finish this off- I don't know if I suffered any loss from this or not, I haven't noticed anything yet, but I wasn't looking and certainly didn't expect to see a story like this that may have affected me a year afterwards. Whether anyone suffered a loss or not, there should be something done so that the security of their customers isn't at risk and they should have a mechanism in place to notify those customers if something does happen- it's called customer satisfaction.

      --
      Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
  5. Out-of-order username & password entry by G4from128k · · Score: 5, Insightful

    I use out-of-order username and password entry on public terminals. I type a couple of letters of either username or password, click in the middle of the typing entry in the other field, type more letters, etc. It only takes a bit of concentration to remember which password letters I have typed. Unless the logger is doing a full scan of exactly where I click, they get a disordered, mixed version of my username and password broken up by numerous mouseclicks.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Out-of-order username & password entry by lewiz · · Score: 2, Funny

      I bet they're after you aren't they?

    2. Re:Out-of-order username & password entry by Anonymous Coward · · Score: 4, Informative

      Curiously as you are using a mac-looking name, 2 of the most popular keystroke loggers for macs (when I used them, which was up until just before the OSX days) would take note of exactly this, and still get your password and your random typing as separate strings. I have no experience with PC loggers as I haven't investigated them since, I've learned to never trust a machine with details I couldn't afford to lose.

      I used to use this exact same technique, then tried it on a couple of loggers I suspected. Some coders have too much time on their hands

    3. Re:Out-of-order username & password entry by jmichaelg · · Score: 4, Informative
      Under Windows, logging clicks isn't any harder than logging keystrokes. My macro program, mgSimplify uses the same dll to keep track of both events.

      Instead of trying to be clever, you're probably better off not trusting a publicly accessible computer.

  6. And this should surprise us? by nemaispuke · · Score: 2, Insightful

    At the last 2600 meeting I attended, we joked about installing a chip to catch keystrokes into a keyboard. What if this was done instead of a piece of software? And who knows if something like this has been done or not. The "man on the street" does not understand one iota of computer security, so why should a public kiosk computer be any different than his home PC? As long as it does not affect them in any way they do not care! This is a wakeup call for "joe sixpack", do not trust any public PC (I don't).

    1. Re:And this should surprise us? by will_die · · Score: 4, Informative

      You mean like this.
      If I was to do this I would use one of the versions that uses a private IRC channel to communicate, that way you never have to go back to the machine again, yet can control it from almost anywhere with a lesser chance of being found.

    2. Re:And this should surprise us? by Daniel+Rutter · · Score: 4, Informative
      Woo! An excuse to pimp my old reviews of KeyGhost hardware key loggers!

      Review one. Review two.

  7. Stupid users, Stupid Kinkos by jsailor · · Score: 5, Interesting

    You might be amazed at what people save on the hard disks. I've found all sorts of stuff including insurance letters complete with SSNs, addresses, etc. (of course, I've found similar stuff left on the copy machines - lower tech stupidity)

    Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous user performed some evil, the next user gets a new system free of any malware. This doesn't seem like it would be too hard for Kinkos to do as well. If you've been to a Kinkos in NY, you would know that the copy specialists in the stores are not maintaining the machines.

    1. Re:Stupid users, Stupid Kinkos by Jim+Hall · · Score: 2, Informative

      Easy Everything, now with a site in NY as well, essentially netboots all the PCs after each user so even if the previous user performed some evil, the next user gets a new system free of any malware.

      That works great, unless the Bad Person has installed a hardware keylogger. They are pretty cheap these days ... as low as $80.

      Some neat features of this gadget:

      * Records more than 130,000 keystrokes
      * 64K of non-volatile memory. Now with 128K memory ($100)!
      * It is Portable - move it from computer to computer.
      * Installs in seconds - Just plug it in.
      * Uses no system resources. Truly runs in the background.
      * Works with all PC Operating Systems with PS/2 keyboards.
      * Data is retained even during system lock-ups and power outages.

    2. Re:Stupid users, Stupid Kinkos by InSinU8 · · Score: 2, Informative

      Having worked at a Kinko's (not the NYC locations) I can say with a fair degree of authority that the people at the stores are the ones that maintain the equipment. There is Regional level support, but that's almost entirely for having them come to fix broken boxes. Granted the most any coworker is expected to do is simply reimage a machine and make some minor changes (add whatever printers are at the location). They aren't expected to actually know much of anything.

      Additionally, I believe that while this story broke recently, Kinko's was aware of the problem, having rolled out new "security" initiatives near the beginning of the year (around February - March) that included specific instructions to look for WAPs, keyloggers and other non-Kinko's gear in the rental computer area.

      While I agree that it's not all that intelligent to do anything of a sensitive nature on a public access machine, there are a _lot_ of people that do that sort of thing. More frightening is the number of Passports, Drivers Licenses, Social Security Cards along with the usual array of Mastercard, Visa and AMEX cards that get left on, near or around the copy machines.

      I'm not sure that the system that they use for workstation security and the new "Express Pay" would work well with constant reboots (or some of the fairly ancient equipment you can still find in branches).

  8. Virtual keyboards by bogado · · Score: 4, Interesting

    Banks in Brazil are using virtual keyboards: a numeric pad that appears on the screen with the numbers in a random order and/or in a random position. You must then click the password with a mouse. Of course if you own the machine you can save the HTML and mouse clicks to analyse it later, but it makes the life of keyloggers harder.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

    1. Re:Virtual keyboards by Lord_Dweomer · · Score: 2, Insightful
      But would it really be hard to make a "virtual keystroke logger" that simply took a screen shot every time the mouse was clicked?

      --
      Buy Steampunk Clothing Online!
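An added example, not the Brazilian banks' code, that models the randomized on-screen keypad bogado describes and the screenshot-per-click logger Lord_Dweomer asks about: the server picks a fresh digit-to-slot layout, the browser submits slot numbers, the server maps them back. Two attacker views follow: a click-only log, which yields slot numbers that mean nothing without the layout, and a logger that also grabs the keypad image at each click, which recovers the PIN. The PIN, the seeded layouts and the per-click reshuffle option are assumptions for the demo.

```python
import random


def new_layout(rng):
    """Server side: the ten digits shuffled over ten key slots (slot -> digit)."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return digits


def slots_for_pin(layout, pin):
    """What the browser submits: the slot index clicked for each digit."""
    return [layout.index(d) for d in pin]


def server_decode(layout, slots):
    """Server maps the submitted slots back to digits with the layout it issued."""
    return "".join(layout[s] for s in slots)


def enter_pin(pin, seed, reshuffle_per_click=False):
    """Simulate one session. Returns (layout shown, slot clicked) per digit,
    which is exactly what a screenshot-on-click logger captures. `seed` only
    makes the demo repeatable; a real server would draw from a CSPRNG."""
    rng = random.Random(seed)
    layout = new_layout(rng)
    captured = []
    for digit in pin:
        captured.append((list(layout), layout.index(digit)))
        if reshuffle_per_click:          # some pads reshuffle after every click
            layout = new_layout(rng)
    return captured


def attacker_clicks_only(captured):
    """A logger that hooks mouse clicks but never looks at the screen gets
    slot numbers that are meaningless without the layout."""
    return [slot for _, slot in captured]


def attacker_with_screenshots(captured):
    """A logger that grabs the keypad image at each click maps slot -> digit."""
    return "".join(layout[slot] for layout, slot in captured)


def demo(pin="4711", seed=7):
    session = enter_pin(pin, seed, reshuffle_per_click=True)
    return attacker_clicks_only(session), attacker_with_screenshots(session)
```

Reshuffling after every click only changes which slot each click lands on; as long as the logger can see what was on screen when the click happened, `attacker_with_screenshots` gets the PIN back regardless.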
  9. Am I the only one not surprised? by xThinkx · · Score: 5, Interesting

    I mean, come on, there have to be tons of computer geeks like me out there that look at public libraries, kinkos, office max, internet cafes, etc; and think that a keystroke logger could be infinitely damaging.

    Considering any schmuck could pick up a completely software undetectable and almost completely visually/physically undetectable hardware keystroke logger for under $100, this doesn't surprise me. Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

    Again this brings me back to the opinion that allowing any idiot to do whatever they please on a computer is a ridiculous idea. I know this is beating a dead horse, but, do we let people drive a car or fly a plane without a license? Before you jump on my case I'm not saying people should need licenses to use computers, or that computers can physically kill a boatload of people like a car or plane could. What I am saying is that banks might require some form of education or training, or even just provide literature, something, ANYTHING to let people know that it's probably not the best idea to do your internet banking from KINKOS!

    I'd also like to point out that gotomypc.com sucks, if I see one more ad for them, I'm going to gototheirpc and smash the living crap out of it

    --
    Let's get one thing perfectly clear, I did not vote for George W Bush, and I do not endorse what he does or says.
    1. Re:Am I the only one not surprised? by xpulsar87x · · Score: 5, Insightful
      Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

      Why is it the general idea of most people that how much you get paid is directly related to how much effort you put into the job? I worked at Staples in high school, I was paid 6.25 an hour, and I did a pretty damn good job I might say. I didn't mope around my whole shift, I'd help people out, learn about things I didn't know (like printers, I don't print anything ever so I didn't know much about the technology in em), took time to learn how to work the machines in our copy center, etc etc. You trying to say that because Kinko's employees get paid x amount of dollars they won't bother with this stuff? They could be a budding geek like you and me, still in high school or college or something, and they certainly would take an interest in it.
    2. Re:Am I the only one not surprised? by cybercuzco · · Score: 2, Insightful
      Does anyone think the employee at kinkos getting paid $6/hr cares enough to learn about keystroke logging or check it out?

      Well not if they were born in the US I don't. How come people can come to America with $1 in their pocket and turn it into enough money to send their kids through college, but if you were born here, you expect to get paid $50 an hour at a job before you consider doing a good job at it? My cousin was a bar-certified lawyer with 5 kids, but he wouldn't take the job pushing papers in a law office (even though that's entry level) because it paid too low (~$12 hr). He wanted to be brought in as a partner, even though he was just out of law school and all (he was like 30 at this point though, law school takes longer with a bunch of kids). So what does he do with that new law degree? He paints houses and mooches off my uncle to make ends meet, still waiting, 5 years and 2 more kids later, for that partner position at a law firm. Don't be lazy! There are worse things in the world than getting paid $6 an hr to do light sales work.

      --

    3. Re:Am I the only one not surprised? by /dev/trash · · Score: 2, Insightful

      Obviously you've never worked for that kind of money for longer than 2 or 3 months.

  10. Some help, but not 100% effective by Anonymous Coward · · Score: 5, Informative

    As does the strategy of opening Notepad (or some other app), typing a couple of characters into the password box, clicking to Notepad and mashing down the keyboard awhile, etc. until you've completed the password. An intelligent keylogger will only hook certain window classes, but most keyloggers are "all-or-nothing."

    The real solution, though, is don't enter your passwords on an untrusted machine! I went to visit my aunt, uncle, and cousins in Nebraska last month. They know I work online and were totally perplexed as to why I wouldn't use their computer to check my email, my PayPal account, etc. "Well it's gonna take awhile to charge your laptop back up, why don't you just use our computer till then?"

    "Because I don't trust your computer" isn't the kind of thing your relatives want to hear, so I emphasized the fact that I have no idea what's running on their computer. We did have a good discussion about spyware, and I downloaded Ad-Aware and showed 'em how to use it. They actually came up fairly clean (just that "satellite" program, I forget who makes it) but I still wouldn't use their machine for anything sensitive.

    1. Re:Some help, but not 100% effective by Anonymous Coward · · Score: 3, Insightful
      And it's great that you have the option of only using your own computer. Many people do not.

      For a lot of people, places like public libraries are their only Internet access. They have to use them to file unemployment claims, check their email, apply for student financial aid, look up medical information, apply for jobs... You get the idea.

      In such cases, people essentially have to trust the security and/or take as much evasive action as possible.

      The best way to handle this? Educating people how to use computers and how to be the most secure. Of course, if the general populace actually paid attention to signs explaining security procedures, that might help, but since a large portion of the populace can't seem to understand the usefulness of the print preview command in avoiding printing 3 billion excess pages, I'm not going to hold my breath.

      Whoops. That last sentence was a bit bitter, even if it was dead on.
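An added example, not code from the thread, that serves both the out-of-order typing trick in comment 5 and the Notepad mashing trick in comment 10. It simulates in Python what two kinds of logger recover from the same session: a logger that records only keystrokes sees the interleaved mess the tricks are meant to produce, while one that also records which window and control received focus and where the click landed (what the replies from the AC and jmichaelg describe) reassembles both fields, and a per-window filter gives the "hook only certain window classes" behaviour. The event list, window titles, control names and the credentials alice/hunter2 are constructed; no real hook is installed.

```python
from dataclasses import dataclass


@dataclass
class Focus:
    """A click that moved focus: which window, which control, caret index."""
    window: str
    control: str
    caret: int


@dataclass
class Key:
    """One typed character."""
    char: str


def naive_stream(events):
    """An 'all-or-nothing' logger that ignores the mouse: keys in typing order."""
    return "".join(e.char for e in events if isinstance(e, Key))


def reconstruct(events, window_filter=None):
    """Rebuild per-control text from a log that also has focus/caret events.

    window_filter: optional substring; events for windows whose title does not
    contain it are dropped (the 'hook only certain window classes' behaviour).
    Returns {(window, control): text}.
    """
    buffers = {}
    current = None
    caret = 0
    for e in events:
        if isinstance(e, Focus):
            if window_filter and window_filter not in e.window:
                current = None           # uninteresting window: drop keys until next focus
                continue
            current = (e.window, e.control)
            buffers.setdefault(current, "")
            caret = min(e.caret, len(buffers[current]))
        elif isinstance(e, Key) and current is not None:
            text = buffers[current]
            buffers[current] = text[:caret] + e.char + text[caret:]
            caret += 1
    return buffers


# Constructed scenario: credentials alice / hunter2 typed at a public PC.
BANK = "Bank Login - Browser"
NOTE = "Untitled - Notepad"


def _keys(events, s):
    events.extend(Key(c) for c in s)


def out_of_order_session():
    """Comment 5's trick: hop between fields, clicking into the middle of text."""
    ev = []
    ev.append(Focus(BANK, "username", 0))
    _keys(ev, "ali")
    ev.append(Focus(BANK, "password", 0))
    _keys(ev, "ter2")
    ev.append(Focus(BANK, "password", 0))    # click back at the start of the field
    _keys(ev, "hun")
    ev.append(Focus(BANK, "username", 3))    # click at the end of "ali"
    _keys(ev, "ce")
    return ev


def notepad_session():
    """Comment 10's trick: mash junk into Notepad between password fragments."""
    ev = []
    ev.append(Focus(BANK, "password", 0))
    _keys(ev, "hun")
    ev.append(Focus(NOTE, "edit", 0))
    _keys(ev, "asdfqwer")
    ev.append(Focus(BANK, "password", 3))
    _keys(ev, "ter2")
    ev.append(Focus(NOTE, "edit", 8))
    _keys(ev, "zxcv")
    return ev
```

`naive_stream(out_of_order_session())` gives "aliter2hunce", which is what the trick is counting on; `reconstruct` on the same events returns "alice" and "hunter2" for the two fields, and `reconstruct(notepad_session(), window_filter="Bank")` returns only the password, with the Notepad noise never reaching the log. Without the caret index the field text would still come back shuffled, which is why the replies single out click logging rather than focus logging alone.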

  11. Sloppy. by MImeKillEr · · Score: 4, Interesting

    When I worked in support, I was responsible for publicly available PCs. The first thing I did when I took over supporting these was to set policies in place BLOCKING the ability to install ANYTHING by anyone other than the administrator.

    Whoever was doing support for Kinko's didn't do their job.

    Same goes for any other publicly available PCs. Slap policy editor on the system and lock down the ability to install any additional applications, as well as the ability to change the look of the computer. How fscking hard is that to understand?

    Failure to do so leads to incidents like this, as well as makes it easier for someone to install pirated software, pr0n, etc. on your systems.

    --
    Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    1. Re:Sloppy. by Anonymous Coward · · Score: 2, Insightful

      First of all, blocking ability to install doesn't mean jack if they still have the ability to run any application they want. Locked down the shell pretty good with poledit?(hah!)

      Don't forget about the ability to click a link to an executable in a browser and run it from location rather than saving it. Bottom line is that if someone has physical access to a machine, if you can't stand behind them and watch them as they use it, it's insecurable. Best bet for a safer internet terminal is a custom diskless X terminal. Easier to lock down, no one can install anything permanently, and you have the extra measure of security by obscurity because dumb hax0r kids won't have a billion keyloggers and trojans to pick from to install. It wouldn't be hard either to have a cron job shell script run some regexes on the list of running processes and send you an email when something runs that does not match the list of allowable applications.

    2. Re:Sloppy. by AndroidCat · · Score: 2, Insightful

      And if I have physical access to a Linux machine?

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:Sloppy. by MImeKillEr · · Score: 2, Interesting

      I'd be careful calling people sloppy if you aren't sure what safeguards they had in place.

      I'd say its safe to assume that Kinko's didn't have anything in place to prevent this.

      It seems a little absurd to expect someone to walk around and physically inspect every cord on every computer several times a day. Do you do this for any/all computers you're in charge of?

      True, but if they took basic preventative measures like securing the CPU in such a way that the keyboard/mouse cables were inaccessible as well as software policies to prevent unauthorized installations or running unauthorized applications, then this wouldn't have occurred.

      And as such, their lack of preventative measures can be labeled sloppy.

      I really didn't have to check the systems to see if anyone put a hw logger on. The rooms the PCs were in were monitored by video camera (unfortunately, only after someone lifted procs and RAM from 6 systems). With the exception of the 'library', the room the systems were in was locked when not in use and only I, IT, and the cleaning staff had key.

      The systems were locked down to prevent any unauthorized software installs. The software client agent's uninstaller was removed from add/remove, the program was hidden from taskmanager as well as from the systray. The client agent kept in constant contact with the server agent. If the system went down for any reason, I was notified and could trot over to investigate. For those in other states, a quick call to that site's IT manager got it looked into.

      I put case locks on each PC to prevent further hardware shrinkage. I put BIOS passwords to prevent unauthorized access to BIOS. Bypassing or resetting required a jumper to be moved on the mobo -- if the jumper wasn't on a particular set of pins, you couldn't reset the pw even if you managed to get into the BIOS, and since the case locks were installed this would only be possible by breaking the case.

      Once I took over, classroom uptime seriously increased. After I left the company I was told by a former coworker that the IT dept let the systems fall apart.

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    4. Re:Sloppy. by antv · · Score: 3, Interesting

      Good idea, but won't help in Kinko's case.
      They offer MS Word as a legitimate app. They let users open .doc files. There is a way for VB to export and invoke any Win32 API function, including malloc() and CreateThread(). Therefore, a .doc file could be turned into a keylogger.

      --
      Obama 2012: our incompetent asshole is slightly less of an incompetent asshole than the other incompetent asshole !
  12. RTA -- He did not sign up for GoToMyPC... by Fallen+Kell · · Score: 4, Informative

    Jiang did not sign people up for GoToMyPC. That is just how he was caught! Someone HAD GoToMyPC and because Jiang logged on and did what that person had done, he wound up starting the GoToMyPC service, which actually controls your home PC. The person whose accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediately knew that someone had gained access through the GoToMyPC service and contacted the authorities. That is how they caught him... Not him signing people up for GoToMyPC...

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  13. Re:risky business by radish · · Score: 2, Insightful

    You're (fairly) safe from online fraud, but still perfectly vulnerable to real-world fraud, which is far more common (with regard to banks anyway). I wouldn't bask too much in your sense of security.

    Still, everyone is perfectly entitled to judge the risk themselves and do what they want. I'm intrigued though - do you drive? smoke? drink? have sex? Those things are much more likely to cause problems (and they can be much more serious problems) than online banking. Do you exercise the same level of caution there?

    --

---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  14. Passwords are an obsolete form of authentication by Dratman · · Score: 5, Interesting

Even before the Kinko's case, the recent proliferation of fraudulent emails, supposedly from ebay and similar sites, which ask for passwords to be re-entered on a web site, illustrates that passwords are no longer an adequate form of security.

    The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM. Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense. Probably the most significant barrier to their widespread adoption is the lack of standard protocols and software packages.

    --
    Sigmund
  15. Magic Lantern by Anonymous Coward · · Score: 3, Insightful
    An intelligent keylogger will only hook certain window classes
    It is rumored that the FBI's Magic Lantern key logger does just this, and has specific hooks for the password entry dialog of known `terrorist` applications like PGPdisk, BestCrypt, KGB, etc.

You're right that most key logging programs are stupid, though. The best way to detect a key logger is to go in Windows Explorer, do a search for files modified in the last day, then sort the list by modification date descending. Open any unusually named files and look inside. After all, key loggers have to keep a log somewhere!
    1. Re:Magic Lantern by Anonymous Coward · · Score: 2, Funny

      They could keep the log in RAM and then as long as the computer didn't crash but instead shut down normally, flush the buffer to dis.... ...oh it's a windows app hey. damn. kills that idea.

    2. Re:Magic Lantern by lfourrier · · Score: 4, Insightful

      After all, key loggers have to keep a log somewhere!
but not necessarily on the PC.

http://www.thinkgeek.com/gadgets/electronic/5a05/
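The "files modified in the last day, sorted by date descending" search from comment 15, done in code so it can be repeated between sessions, as an added example that is not part of the original thread. It scans a directory tree, lists recently modified files newest first, and compares two scans to spot a file that keeps growing, which is what a keystroke log does while the machine is in use. The directory tree it scans is constructed inside the example; the file names and timestamps are made up for the demo. As the replies note, this only finds a log that is actually written to the local disk, so it says nothing about a hardware logger or one that buffers in memory.

```python
import os
import tempfile
import time


def recently_modified(root, hours=24, now=None):
    """Walk `root` and return [(path, mtime, size)] for every file modified
    within the last `hours`, newest first (the Explorer search, scripted)."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip, don't abort the scan
            if st.st_mtime >= cutoff:
                hits.append((path, st.st_mtime, st.st_size))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def growing_between(scan_a, scan_b):
    """Paths present in both scans whose size went up. A file that grows
    between two scans taken while nothing should be writing is the one to open."""
    size_a = {path: size for path, _mtime, size in scan_a}
    return [path for path, _mtime, size in scan_b
            if path in size_a and size > size_a[path]]


def append_to(path, data):
    """Append bytes to a file; the OS updates its mtime to now."""
    with open(path, "ab") as fh:
        fh.write(data)


def build_demo_tree():
    """Constructed sample tree (not from any real kiosk): two old system
    files, a document saved an hour ago and a log-like file touched 10 minutes ago."""
    root = tempfile.mkdtemp(prefix="kiosk-demo-")
    now = time.time()
    spec = {
        "Program Files/editor/readme.txt": (now - 30 * 86400, b"x" * 100),
        "Windows/system.ini": (now - 200 * 86400, b"[boot]\n"),
        "Users/guest/letter.doc": (now - 3600, b"d" * 4096),
        "Temp/~tmp0001.dat": (now - 600, b"kb:" * 50),  # constructed "log"
    }
    for rel, (mtime, data) in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    first = recently_modified(demo)
    for path, mtime, size in first:
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), size, path)
    append_to(first[0][0], b"kb:" * 20)  # simulate the log growing during a session
    print("growing:", growing_between(first, recently_modified(demo)))
```

Run it twice around a period of keyboard activity and open whatever turns up in the growing list; an ordinary document saved by a customer will show once and stay the same size.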

  16. I am typing this now from a Kinkos by Hecateus · · Score: 3, Insightful

I spend a lot of time at my local kinkos. They do get paid at least 1/2 more than you suggest. It requires experience and training to deal with some of these copiers...as well as lots of patience for the many customers who know even less (or don't even know what they want). They are one employer that is likely to keep many employees around for a long time to come despite the heavy automation. Sadly the training for the normal coworker doesn't seem to include internet security...which is fundamentally the responsibility of those persons who did the custom job on Win2k for them...so don't loosely blame the bubs in the blue aprons. oh, I am noticing this handy warning on top of the monitor here. "Be safe. Protect your personal information" sayeth the sign. Instructions on how to delete the files one may have saved follow. Hmmm....let's go and see how many folks left their disks in the drives. ;)

    1. Re:I am typing this now from a Kinkos by BitchHead · · Score: 4, Interesting

      I worked at a Kinko's as a second job for a brief stint, and while I'll agree with you on the wages, I can't say as much for the training that most employees receive. The general guidelines that are given to employees are that the self-serve machines are just that: Self-serve. Don't spend a lot of time trying to explain things on the machines. If someone wants a job done, and can't figure it out on the self-serve machines, they can get it done behind the counter. The same rule holds true for the computers. It's part of the self-serve area. Help people only to the extent of not being discourteous, but the copy associates are not there to tell people how to work their email or perform tasks on Photoshop.
      The majority of the training goes into learning how to work the supplementary process machines (folders, tape and coil binders, bookletizers, etc.) because those are the large batch jobs that bring in the most money. Very few employees, depending on the location and the shift, will actually know how to set up specialized features on the large DocuCenter machines. Day shifters and second shifters will typically run the small batch jobs that need to get out that day, and leave the rest of the work for the night shift. If you want the job done right, bring it there at 3am for a morning pickup. The night shift is usually only 2 people, many times just one (as was the case when it was my shift) and they need to know how to work everything in the shop.
      The computers, however, are not upkept by the individual branch employees. There are regional network engineers who do the initial installation at a branch. After that, there is a Kinko's central hub help desk to take care of any questions that the manager/employees have, and a central station for remote administration of branch networks for a region. The managers are expected to be able to follow a colour coded wall chart in the network closet if they want to move equipment or add machines. Ours was an absolute nightmare. Serious technicolour spaghetti, and totally misconnected according to the wall chart. The managers and employees receive zero training on any network essentials, so don't expect them to know anything about security measures. The manager at the branch I worked at couldn't tell you the difference between a keystroke logger and a timber logger.

  17. Re:Back in the day.. by Torne · · Score: 3, Informative

    This is why secure operating systems use an SAK, system attention key. Windows NT and its brethren require you to press ctrl-alt-del to log in because that key sequence cannot be trapped by an application (though there are other problems with the NT logon process unrelated to the three-fingered salute). Linux has an SAK too; unfortunately, it's only available through the kernel magic debug keys by default (alt-sysrq-k if you have magic keys enabled) - the SAK under Linux will kill all programs on the current TTY, thus forcing init to spawn you a fresh login process which, assuming the system is otherwise secure, is not going to steal your password. Some *nix terminals actually have a key labelled 'SAK' on their keyboards.

    Torne

  18. root permissions? by millenium · · Score: 2, Insightful

    In order to install a keystroke logger, it seems to me that you would need root permission to do it on linux or else be able to (re-)boot such linux terminal from floppy or CD.

    By taking out floppy/CD drive and simply applying user privileges, I can't imagine that anybody would be able to pull this off on linux terminals.

    Therefore, isn't this typically a windows problem? Insecurity by design?

  19. This is why some banks... by xneilj · · Score: 5, Insightful

    This is why some banks do not request full information for login.

    For example, here in the UK, NatWest bank's online service will ask you for the following secure information to login:

    Three digits from your four digit online PIN (in a random order, like second, first, fourth).

    Three characters from your password, again a random selection in a random order.

While it initially irritated me that logging on to the system took a little more thought than normal (I have a long password and it's easier to type it out in full than work out what the eighth, fifth, and eleventh characters are), it's probably a much more secure system when people are going to be using public terminals.

It also makes people less liable to some sort of 'sniffer' attack, since the system dictates which characters to ask for and locks you out after several incorrect attempts. It would probably require somebody to observe more than one login session before they had enough information to repeat it themselves, and unless you know which order the characters and PIN were requested, a plain keyboard capture program would be ineffective.

    --
    rm -rf / is the evil of all root
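The NatWest-style login above, as an added example (not NatWest's code, and not from the original thread): the server picks three random positions from the PIN and three from the password, the user answers with just those six characters, and the account locks after a few wrong answers. The credentials, the lockout threshold and the hash-free storage are constructed for the demo. The two helper functions at the end quantify the point of the comment: how many different challenges the server can issue, and how little of the secret a single captured session discloses even when the attacker saw both the challenge and the typed answer.

```python
import hmac
import random
from math import perm

# Constructed demo credentials (not real account data). A real service would
# keep these in a form that allows per-position lookup without holding the
# whole secret in the clear; that design question is out of scope here.
DEMO_PIN = "4729"
DEMO_PASSWORD = "correcthorsebattery"
MAX_FAILURES = 3   # assumption: lock after three wrong answers
CHARS_ASKED = 3    # three PIN digits and three password characters, as in the comment


class PartialLogin:
    """Server side of the 'three of N' login: issues a fresh random challenge
    per attempt, checks the answer, counts failures and locks the account."""

    def __init__(self, pin, password, rng=None):
        self._pin = pin
        self._password = password
        self._rng = rng or random.SystemRandom()
        self.failures = 0
        self.locked = False

    def challenge(self):
        """Three distinct 1-based positions from the PIN and three from the
        password, each in random order, e.g. ([2, 1, 4], [8, 5, 11])."""
        pin_pos = self._rng.sample(range(1, len(self._pin) + 1), CHARS_ASKED)
        pw_pos = self._rng.sample(range(1, len(self._password) + 1), CHARS_ASKED)
        return pin_pos, pw_pos

    def verify(self, chal, answer):
        """Check the six characters typed for `chal`; lock after MAX_FAILURES."""
        if self.locked:
            return False
        expected = answer_for(chal, self._pin, self._password)
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
        return ok


def answer_for(chal, pin, password):
    """What the legitimate user works out at the keyboard: the requested PIN
    digits followed by the requested password characters, in the order asked."""
    pin_pos, pw_pos = chal
    return ("".join(pin[i - 1] for i in pin_pos)
            + "".join(password[i - 1] for i in pw_pos))


def distinct_challenges(pin_len, pw_len):
    """How many different challenges the server can issue: ordered selections
    of CHARS_ASKED positions from each secret (order matters to the answer)."""
    return perm(pin_len, CHARS_ASKED) * perm(pw_len, CHARS_ASKED)


def positions_revealed(captures):
    """Given (challenge, answer) pairs observed in past sessions, which PIN and
    password positions are now known? Returns two {position: char} maps. A
    keystroke log that did not also record the challenge cannot fill these in."""
    pin_known, pw_known = {}, {}
    for (pin_pos, pw_pos), answer in captures:
        for k, i in enumerate(pin_pos):
            pin_known[i] = answer[k]
        for k, i in enumerate(pw_pos):
            pw_known[i] = answer[CHARS_ASKED + k]
    return pin_known, pw_known


if __name__ == "__main__":
    server = PartialLogin(DEMO_PIN, DEMO_PASSWORD)
    chal = server.challenge()
    print("challenge:", chal)
    print("login ok:", server.verify(chal, answer_for(chal, DEMO_PIN, DEMO_PASSWORD)))
    print("distinct challenges:", distinct_challenges(len(DEMO_PIN), len(DEMO_PASSWORD)))
```

With a 4-digit PIN and a 19-character password there are 139,536 possible challenges, and one observed session pins down at most three of four PIN digits and three of nineteen password characters, which is why the scheme needs the lockout as well: without it, repeated attempts would eventually hit a challenge the attacker can answer.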
  20. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  21. More info on this case by dki · · Score: 5, Informative

    ...can be found at SecurityFocus.

  22. Re:Passwords are an obsolete form of authenticatio by richie2000 · · Score: 2, Insightful
    Magnetic stripe readers are now quite common and could be installed on public terminals at minimal expense.

    By anyone. Most banks are moving away from magnetic stripes exactly because the readers are so inexpensive and easy to install on public terminals and ATMs. In addition to the official readers. The smartcards are coming.

    --
    Money for nothing, pix for free
  23. And what have we learned? by starX · · Score: 2, Insightful

    Never ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever ever NEVER access any critical data from a public terminal under any circumstances EVER.

The corollary to this maxim is to make sure that the password of an account that you access from a public terminal is different from any password that you access from a non-public terminal. Then again, the truly paranoid have different passwords anyway....

  24. Keyboard Loggers... by BJZQ8 · · Score: 4, Informative

    There are PS2-connector keyboard loggers sold in various places on the internet...although they're a bit more conspicuous, how often do you check for the presence of one? In a public-access machine, they can be set to record only usernames and passwords...It's just something you have to accept...that someone is probably watching, somewhere.

  25. Bring your own OS? by dschuetz · · Score: 5, Insightful

    One of the initial selling points for NeXT computers, way back when (has it really been 15 years? sheesh...) was the Optical drive. It was a 256 MB, 5"x1/4" hunk of plastic, and the intention was that you could carry your entire NeXTSTEP OS, home files, etc., around with you. Bring it to the public terminal in your dorm's basement, slap it in, and reboot.

Now, obviously, that didn't work (they were big, slow, and buggy). But today it should be even easier, almost trivial, to do something. Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive). If you can fit it on a business card CD, you can even keep it in your wallet.

    They could even do this at the system-provider level -- have branded, mass-produced, customized versions of Knoppix in each machine, and encourage people to check the CD and reboot before they use it. Of course, this wouldn't work as well with the systems intended for graphic editing, etc. (with AI, Photoshop, etc.), but for simple internet access systems, it'd be pretty good...

    1. Re:Bring your own OS? by tomstdenis · · Score: 2, Insightful

Kinkos is a print shop. What are you going to do? Take over their boxes, setup all the drivers for the printers, network, then print?

Here's a tip. If you have to use a kinkos to print something [e.g. massive quantity] just burn a copy to a CD [or put it on a floppy disk] and bring it with you instead of remotely logging into something to fetch it.

      Tom

      Ham the can man? Troll.

      --
      Someday, I'll have a real sig.
    2. Re:Bring your own OS? by Hecateus · · Score: 2, Informative

I be seeing many frustrated customers here at kinkos in this regard. It is surprising how many don't know about ThumbDrives. The Dell black boxes they have here even have USB ports accessible on the fronts...not sure which version. As for big jobs, one can go to http://weborder.kinkos.com/ and upload files there. They can also use the Print2Kinkos service 1-800-2-kinkos for quick service with LIVE cust rep.

    3. Re:Bring your own OS? by Kaa · · Score: 2, Informative

Just bring a Knoppix CD with you whenever you go to a public access system (assuming they don't lock down the CD-ROM drive).

      Won't help you against hardware loggers.

      Do you really check that the keyboard cable plugs directly into the keyboard socket on the motherboard on each public machine that you use?

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
  26. South African users get nailed by vattern · · Score: 2, Informative

South African users recently got nailed by a similar type of scam. Check out http://www.news24.com/News24/Finance/Companies/0,,2-8-24_1390144,00.html for more detail

  27. we can be reassured.... by lfourrier · · Score: 3, Funny
Kinko's spokeswoman Maggie Thill said the company takes security seriously and believes it has "succeeded in making a similar attack extremely difficult in the future." She would not provide details, saying that to do so could make systems less secure.

    They obviously really understand security...

    note (for the humour-impaired) : this is irony

    1. Re:we can be reassured.... by lfourrier · · Score: 2, Interesting

      according to m-w.com:
      irony :
      2 a : the use of words to express something other than and especially the opposite of the literal meaning
      sarcasm : 2 a : a mode of satirical wit depending for its effect on bitter, caustic, and often ironic language that is usually directed against an individual

according to : http://humanities.byu.edu/rhetoric/Figures/I/irony.htm
irony : Speaking in such a way as to imply the contrary of what one says, often for the purpose of derision, mockery, or jest.
http://humanities.byu.edu/rhetoric/Figures/S/sarcasmus.htm
sarcasm : Use of mockery, verbal taunts, or bitter irony.

so I used irony, but was it sarcasm ?
I understand that what seems to characterise sarcasm is bitterness. But I was targeting the +1 funny, not the +1 bitter, so I sure can affirm it was intended as irony, not sarcasm ;)

(and according to my experience, I should get some +1 interesting, even if I'm completely off-topic (those I'm quite sure to get also). Now, commenting on the moderation system is also a quite certain means to get some -1 troll)

  28. One time passwords? by cras · · Score: 4, Informative

    Aren't all banks using them? Pretty effectively makes the keyloggers useless. At least the largest banks in Finland do that before giving access to anything important.

  29. Rather by the people who love freedom by Vitus+Wagner · · Score: 3, Insightful

Since the DMCA passed Congress, the USA is one of the most totalitarian states out there. Maybe even worse than China.

Sklyarov was a victim of exactly the same illusion as you have - he thought that the USA is a free country, he came there and was put into jail for an action which does not constitute a crime at all by Russian laws - publishing information about security flaws in eBook, and was done on Russian territory.

Note that Alan Cox of the UK shares almost the same opinion - he refuses to go to USENIX because after the Sklyarov case he doesn't consider the USA a safe place for a programmer.

  30. OP is wrong by nochops · · Score: 4, Informative

    The article mentions Jiang signing people up for accounts with GoToMyPC then then using their own machine to open bank accounts.

    No, the article does not mention that. The article says that Jiang used a keylogged password to gain access to someone's home machine via GoToMyPC. He then took control of the machine and used it to open a bank account. Similar, but wrong enough to warrant correcting.

Well, I guess if the OPs aren't going to read the articles they submit, and the editors aren't going to read the articles they post, why should the rest of us read the articles we comment on? Let's just have one massive offtopic flame-fest! Yay!

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
  31. Re:Passwords are an obsolete form of authenticatio by teqo · · Score: 3, Interesting

    The most practical alternative at the present time appears to be use of a magnetic stripe card in addition to the password, similar to the authentication process for an ATM.

    What you refer to is known as multi factor authentication, IIRC. I agree that deploying authentication using the "need to have" and "need to know" dualism is way more secure than simple password authentication in principle. Besides that, the Kinko incident suffers from the problem that a public terminal cannot be trusted, and it wouldn't be more trustworthy by adding a magnetic card reader, since that card reader again is under control of the untrusted terminal.

    The equivalent to key loggers in using card readers is card loggers. There is no big difference between logging confidential key strokes and confidential digital data while being read by the computer, so I think this does not add to the security of public terminals at all.

    What probably would help is

    • One Time Passwords that by design don't allow for password stealing and reusage, or
• some device that works like the infamous SecurID cards, which basically take the one time password burden from the user and put it into a small smart device that generates and/or remembers them for you

    Both techniques still don't help against Woman-in-the-Middle or hijacking attacks, because they still have to trust the terminal device to transmit the authentication data in a manner the user intended it to.

This brings me to the question: Can anybody think up a way to use inherently untrustworthy public terminals in a trusted manner? How can you make the terminal transport sensitive data in a secured way? Any ideas?

    The most promising answer to this problem to the paranoid (read: "sensible") roaming internet user seems to bring your own network-enabled devices, and find a way to connect them to the Net, for example through public WLAN hotspots. Then you can choose your own method to secure the data path, knowing that the end device is trustworthy because it is under your control (provided you run software and hardware that in fact can be considered trustworthy, for some profound reason, but that is another story I guess... .)

  32. Re:RTFA by BenjyD · · Score: 3, Informative

    Read it yourself. From the article:

    Jiang had secretly installed, in at least 14 Kinko's copy shops, software that logs individual keystrokes.

  33. Why can't more public terminals just use Ghost? by rwa2 · · Score: 2, Informative

    At Cornell, the machine would just wipe its hard disk and reimage over the network after the last user walked out. I can't believe this isn't a standard feature for public terminals by now...

  34. easy everything solution by straybullets · · Score: 5, Interesting

    last time i went to an easyeverything cybercafe i noticed that on logout the pc would reboot and re-install a fresh image of the whole os on the disk. I think it got the image from the network but i can't recall what soft they used to do it (it had a strange name)...

    Of course it takes some more time on rush hour (like 10-20mn) but they have lots of pc so ...

    and also, too bad for installing key loggers then ..

    --
    With that aggravating beauty, Lulu Walls.
    1. Re:easy everything solution by Henry+Pate · · Score: 4, Informative

I know one piece of software that does that, they used to use it at my high school, it worked pretty well. It's called Deep Freeze, you could do anything you wanted to the computer, and when you rebooted the system was back just the way it was before, with all software installed during the last session gone, everything. You can find it here

      --
      Si Hoc Legere Scis Nimium Eruditionis Habes
    2. Re:easy everything solution by whterbt · · Score: 2, Insightful

      Of course, that won't protect against the Key Katcher.

      --
      Too late to be known as Bush the First, he's sure to be known as Bush the Worst.
  35. What about hardware loggers? by nochops · · Score: 4, Informative

    This would stop a keylogger application, but not a hardware logger between the keyboard and PS2 connector on the motherboard. They're small, and cheaper than software, and will work across any operating system.

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
  36. From a Kinko's employee by catfishmonkey · · Score: 5, Interesting

    I'm a manager at Kinko's.
    You really would be shocked to see the kind of stuff people leave behind on the hard disks and in the copy machines. At least a dozen I.D. cards, birth certificates, credit cards, confidential company files, etc.. are left every day.
    Just yesterday a customer came in and asked if we'd found her credit card. She said she'd left it in the copy machine a week ago and just noticed it gone. We couldn't find it and told her she'd probably wanna go ahead and cancel the damn thing. She replied, "nahh... too much trouble.. it'll turn up someplace".

    What a world.

    --
    The horse is dead. Either fuck it or walk away, but please stop beating it.
  37. One Time Passwords by pyite · · Score: 2, Informative

    Ah, thank goodness for one time passwords. For work, I have what we call an 'Enigma' which is a little device that you enter a PIN into and it spits out an 8 character password for you to log in with. Enter a wrong PIN three times and you get locked out of the Enigma. It's great because between SSH or SSL web sites and one time passwords, you don't need to worry about people key logging, sniffing, or even looking over your shoulder while typing in a password. The only problem is I basically bring mine wherever I go, should I need to login.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  38. Kinko's Security by stinkydog · · Score: 4, Insightful

    I have used a Kinkos machine in Columbus Ohio (near Ohio State) and here is what I found:

    1. Windows 2000 with the user logged in as poweruser or administrator.
    2. Pop up software installed (unknown spyware).
3. I could not find a USB port so I stood up and moved the PC and plugged it in in the back. No comment from staff.

    The only "security" I saw was protecting the billing app.

    SD

    --
"Who knew something as harmless as willful ignorance could end up having real consequences?"
  39. solution: one-time passwords by 73939133 · · Score: 2, Informative

    The solution to this problem is well-known: use one-time passwords. You can travel with a printed list of passwords, each to be used only once. There are probably some packages for Linux that support this.

    A more sophisticated version are challenge-response systems or time-based systems like SecurID, but they require extra hardware and don't give you any extra security.

  40. Re:Passwords are an obsolete form of authenticatio by hackstraw · · Score: 3, Informative

Every time passwords get mentioned on slashdot, I say they suck with little to no moderation. Regarding the lack of standard protocols and software packages try:

    Multos
    EMV (Europay-Mastercard-Visa) Specifications
    JavaCard
    OpenCard
    PC/SC Workgroup
    Standards Committees and Standards Related to Smart Cards

I attended the 10th annual smartcard convention in 1999, yet have not seen a smartcard outside of the places I used to work programming them. Maybe it's time... The cards then were 1 or 2 dollars and the readers were about 6 or 7, hardly an expensive peripheral on your computer.

Let me reiterate. Passwords have nothing to do with authentication, they only say that someone knows your password. Even having a magstripe card at least says that you know a password and were able to obtain physical access to the card. The best is a biometric reader with a smartcard. I think bioreaders are about 50 dollars.

  41. Tinfoil Hat Linux by mikeee · · Score: 3, Interesting

Tinfoil Hat Linux is designed for just such a case. Boots off a CD-ROM, randomized keyboard for password entry, tempest-resistant fonts, PGP encryption and decryption (also of random files, in the background, to thwart timing attacks), and in a pinch "output console text to keyboard LEDs in morse code" mode.

  42. S/Key OTP by mackman · · Score: 3, Interesting

After standing at the public terminals at a security conference and thinking to myself, "I must be an idiot for typing my password into these", I investigated some one time password (OTP) alternatives. Back in the telnet days, people used S/Key to keep from sending re-usable passwords in the clear. Basically, it sends you a challenge, you type it and your password into your Palm, and type the generated one time password into the computer. If you're Palm-less or lazy, you can print a sheet of your next 100 OTPs and keep it in your wallet. If your wallet gets stolen, just login to your box and you can invalidate those 100 passwords and print a new sheet. It's a lot easier than reporting your credit cards stolen.
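The S/Key hash chain behind comment 42, and the printed list of one-time passwords from comment 39, as one added example that is not part of the original thread and not the real S/Key implementation. The server stores only the last accepted chain value, hands out a sequence number and seed as the challenge, and accepts a password only if hashing it once yields what it has stored; a logged password is therefore useless for a second login, and nothing the server holds lets anyone compute the next password. Real S/Key used MD4 or MD5 folded to 64 bits and encoded the result as six short words; here SHA-256 folded to 8 bytes and hex output are assumptions to keep the demo short. The secret, seed and chain length are constructed.

```python
import hashlib
import secrets

OTP_BYTES = 8   # S/Key folds each link to 64 bits; kept here, with SHA-256 as the hash (assumption)


def step(x):
    """One link of the chain: hash and fold to OTP_BYTES bytes."""
    return hashlib.sha256(x).digest()[:OTP_BYTES]


def chain(secret, seed, n):
    """H^n(seed || secret): the raw n-th one-time password on the chain."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = step(x)
    return x


def otp_for(secret, seq, seed):
    """Client side (the Palm in the comment): the answer to challenge (seq, seed)."""
    return chain(secret, seed, seq).hex()


def print_sheet(secret, seq, seed, how_many):
    """The wallet sheet: the next `how_many` passwords as (seq, otp), highest
    sequence first, so the user crosses them off top to bottom."""
    return [(i, otp_for(secret, i, seed))
            for i in range(seq, max(seq - how_many, 0), -1)]


class SKeyServer:
    """Holds the current chain value and its index; never the secret itself."""

    def __init__(self, secret, count, seed=None):
        self.initialize(secret, count, seed)

    def initialize(self, secret, count, seed=None):
        """Start (or restart) the chain with a fresh seed. Restarting is how a
        lost sheet is invalidated: every password from the old chain dies."""
        self.seed = seed or secrets.token_hex(4)
        self.count = count                      # index of the stored link
        self.stored = chain(secret, self.seed, count)

    def challenge(self):
        """Shown before login: the sequence number to compute and the seed."""
        return self.count - 1, self.seed

    def login(self, otp_hex):
        """Accept `otp_hex` only if one more hash step reproduces the stored
        link; on success move one link down the chain."""
        if self.count <= 0:
            return False                        # chain exhausted: re-initialize first
        try:
            candidate = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        if len(candidate) != OTP_BYTES or step(candidate) != self.stored:
            return False
        self.stored = candidate
        self.count -= 1
        return True


if __name__ == "__main__":
    srv = SKeyServer("swordfish", 100)          # constructed secret and chain length
    seq, seed = srv.challenge()
    otp = otp_for("swordfish", seq, seed)
    print("challenge", seq, seed, "-> otp", otp)
    print("first login:", srv.login(otp), " replay:", srv.login(otp))
    for i, p in print_sheet("swordfish", srv.challenge()[0], seed, 5):
        print(i, p)
```

The lockout-free replay protection comes from the chain direction: each accepted password becomes the new stored value, so presenting it again fails because hashing it gives the previous (already consumed) link, not the current one. When `count` gets low the user has to log in once from a trusted machine and re-initialize, which is the same step used to cancel a stolen sheet.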

  43. Security through Obscurity by Caharin · · Score: 2, Funny

    Quote from article:
    Kinko's spokeswoman Maggie Thill said the company takes security seriously and believes it has "succeeded in making a similar attack extremely difficult in the future." She would not provide details, saying that to do so could make systems less secure.

    Security through obscurity- my favorite.

    --
    By reading this sig, you agree to be bound by all terms and conditions I choose.
  44. Don't use Kinko's machines... use your own! by gregwbrooks · · Score: 3, Interesting
    Gotta agree that using any of the public machines at Kinko's is a fool's errand. OTOH, if you drag your laptop in, many of them have "laptop printing stations" with DHCP and a pipe out to the Internet.

    In a Kinko's that doesn't have laptop stations? You can usually unhook the ethernet cable from one of their pay-for-use machines and use the connection yourself for no charge, as long as it's not busy.

    Why would anyone bother? Well, it's a (relatively) fast connection, and an IP address no one can trace back to you because you didn't pay for it and all the cameras at Kinko's (last time I checked) are pointed at the registers rather than the computers.

    I'd think the warez/Kazaa/terrorist crowds would find that plenty useful.

    --


    "It was a summer's tale: Just a boy, his Linux, and a head full of dreams..."
  45. kodak picture maker history by rottcodd · · Score: 2, Interesting

    This isn't exactly the same thing, but I was using a Kodak Picture Maker kiosk the other day- and it had a history button! I saw the pictures I had just printed, the pictures my brother-in-law had printed a couple hours before, and somebody's wedding photo.

    There was an option for deleting the pictures (which I did, even the wedding photo) but I had had no idea that the stuff was there in the first place. That's a bad feature... I'll still use the kiosks, though-- the pictures turn out much nicer than any inkjet.

  46. Who did he call? by PCM2 · · Score: 2, Interesting
The person whose accounts were being accessed happened to be at home at the time that Jiang used his/her account and immediately knew that someone had gained access through the GoToMyPC service and contacted the authorities.
    I'll bite -- who are these "authorities"? Just curious ... so here I am, sitting at home in front of my computer, I've got my bag of corn nuts on one side and my 40 oz. of Olde English 800 on the other ... and my cursor starts moving by itself. OK, I establish that somebody is using my computer via GoToPC (I've never used this software, not really sure how it works) -- who do I call?

    I'm really curious, probably mostly because I come from San Francisco, where if you call the cops and tell them there's been a car accident, they won't come unless you tell them someone's been injured.

    --
    Breakfast served all day!