City Almost Loses 450K to Keylogger
SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."
It's 'figures', sizzlechest.
Pwned.
Silence is golden... and duct tape is silver.
Ummmm... how exactly would having anti-virus or anti-spyware stop things, if it's a physical keylogger?
Do you know how these things work?
SlashSig Karma: Excellent (mostly affected by moderatio
"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "
Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!
---- Booth was a patriot ----
450 Kilobytes? Doesn't sound so bad.
> but it drives home the importance of keeping good anti-spyware and anti-virus software updated
> on both corporate systems as well as systems being used from home.
No. It drives home the importance of controlling the flow of public money. If one person, be it a president of California or whatever you call him, can make significant money transfers that are not audited and open, there is something wrong with your system. Yes you fscking can make the bank *call* you to approve any transfer above some amount. Yes you can make public transfers open and visible.
So there is nothing to blame on the software, since it is obvious that Windows in the hands of non-technical people is insecure. The person making transfers should use a different laptop perhaps? The one that the IT department takes care of, not the one that he browses pron from?
It is just an example of how retarded and uneducated the people who have the power to spend public money are.
How we know is more important than what we know.
how is it that one person has the control over the entire cash flow of the city anyways? are they really spending enough cash that it is just too inconvenient for more than one person's authentication? for that matter, why is it that they even needed to login/withdraw cash from anywhere but their central location? cash on the go?
Sigs are too short to say anything truly profound so read the above post instead.
"You have six fingers on your right hand. Someone is looking for you."
It is easier to build strong children than to repair broken men. -Frederick Douglass
I would have gotten away with it if it weren't for those pesky kids and their stupid dog!
-- Will program for bandwidth
The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.
Yeah, because laws sure do stop those criminals from, you know, breaking the law.
When are politicians going to wise up and realize that laws don't stop criminals from doing anything, they just offer a means of punishing them _if_ they get caught after the fact? Completely different methods are required to prevent these kind of things -- like proper security procedures, in this case.
Fill in your four or five-letter word of wisdom here _ _ _ _ _.
I'm sure equivalents exist for Linux, too.
..>./ No you're not, ha, ha ./..,;,
They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.
Many are so discreet even an IT tech might not notice them.
I've heard there are even some for Windows that can be programmed to inject keypresses.
Hopefully I'm OK typing on my laptop's integrated keyboard here.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Antivirus/antispyware might not stop a physical keylogger, but that wasn't the problem here.
If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.
God I'm going to hell for writing that, and I'm a Linux user.
Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.
if it wasn't for you meddling kids.
It is no longer uncommon to be uncommon.
Just to echo a previous poster, the solution here is human. Even if you can create the transfer batch identically to the method used by the victim. The bank should sit on their hands until they call an authorized person and verify the amount of the transaction. If your payroll suddenly doubles, you might want to check into it. From the detail-sparse article it sounded like an unscheduled transfer anyway. It looks like they have no human interaction between bank and city. Freakin Kalamazoo was a nice touch though, hilarious.
The real problem would've been if they were smart enough to create a payroll entry for a non-existent employee and have it direct deposit somewhere. Hopefully this would be caught when a check stub for "John Smith" sat in a desk in the fake employee's department and anyone with a clue noticed they hadn't handed it out...and for that matter didn't know John Smith.
Regardless the $90K should've been a red flag if they were actually getting confirmation calls from the bank.
To work around the confirmation call you'd need a mole high enough in the hierarchy to confirm the call or someone at the bank. Said person better flee quickly because they've put their name all over it.
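The controls this post argues for (a callback above a threshold, a second approver, and a sanity check against normal payroll) can be written down as a policy that does not depend on the keylogged credential at all. The following is an added example, not code from the article or from any bank; the thresholds, the scheduled payroll dates and the sample transfers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean


@dataclass
class Transfer:
    amount: float          # dollars
    destination: str       # payee account identifier
    requested_on: date
    initiated_by: str      # the (possibly compromised) operator login


@dataclass
class Policy:
    # Hypothetical thresholds; a real treasury would set its own.
    callback_threshold: float = 50_000.0      # bank must phone a listed officer
    dual_control_threshold: float = 100_000.0 # a second city officer must approve
    history_ratio: float = 1.5                # flag batches > 1.5x the usual size
    scheduled_days: set = field(default_factory=set)


@dataclass
class Decision:
    hold: bool
    reasons: list


def evaluate_transfer(t, past_batches, known_destinations, policy):
    """Return a Decision; any reason at all means the bank 'sits on its hands'."""
    reasons = []
    if t.amount >= policy.callback_threshold:
        reasons.append("callback to an authorised officer other than the requester")
    if t.amount >= policy.dual_control_threshold:
        reasons.append("second approver required")
    if past_batches and t.amount > policy.history_ratio * mean(past_batches):
        reasons.append("amount far above the usual batch size")
    if t.destination not in known_destinations:
        reasons.append("destination account never used before")
    if policy.scheduled_days and t.requested_on not in policy.scheduled_days:
        reasons.append("unscheduled transfer")
    return Decision(hold=bool(reasons), reasons=reasons)


def demo():
    """Constructed scenario: a routine payroll run and a keylogger-driven attempt."""
    policy = Policy(scheduled_days={date(2007, 3, 15), date(2007, 3, 30)})
    past = [42_000.0, 41_500.0, 43_200.0]          # constructed prior payroll batches
    known = {"PAYROLL-PROCESSOR-001"}
    routine = Transfer(42_800.0, "PAYROLL-PROCESSOR-001", date(2007, 3, 15), "treasurer")
    # Same login (captured by the keylogger), but everything else is off-pattern.
    suspicious = Transfer(450_000.0, "NEW-ACCOUNT-XYZ", date(2007, 3, 22), "treasurer")
    return (evaluate_transfer(routine, past, known, policy),
            evaluate_transfer(suspicious, past, known, policy))


if __name__ == "__main__":
    for d in demo():
        print("HOLD" if d.hold else "RELEASE", d.reasons)
```

The point is that the second request fails every check even though the login was valid, which is exactly what a stolen password cannot get around.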
* sigh *
Because people who would try and steal some $450,000 are going to be stopped by legislation making it even more illegal.
Maybe something like two factor authentication would be better? That way different numbers are needed every time. And better security on the laptop perhaps? Non administrator privileges. Not allowing people to install software? All quite doable.
Sure, blame the criminals, but maybe the doors should be bolted too?
Yup, now that she has plenty of time on her hands since she has been FIRED!
I hate slashdot
Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:
"Um, sir, do you bank at Bank of America?"
"Yeah, why?"
"Is your password 'Snoopy67'?"
Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.
You're an elitist idiot. Get out of mom's basement and into the real world and see how the IT world really works, as it's obvious you have no clue.
Saying that GNU/Linux and Mac have the same problems Windoze does is a serious insult. I'm tired of hearing people tell me how much my OS needs an antivirus and spyware checker.
It's bullshit anyway. The pros can get through anything. Starting off with an OS that 99% of script kiddies can't own is a much better option than dragging down your computer's performance with snake oil. An OS like Debian, without Flash and other useless and insecure junk, is more appropriate for an office than Windoze with it's IE, Outlook and WMP burden. After that, AV can be done for mail servers and intrusion detection at the network level. Everything else is just so much busy work and waste of money.
While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD, haven't you ever heard of "Defense in Depth"? Yes, AV can be done for mail servers, and hell, also on proxy servers. But how do you protect against the user in room 314 with a USB memory key that he likes to use? You need AV on individual systems (I like ClamAV for *nix, but that's my personal choice).
Intrusion Detection at the network level, brilliant, and a useful tool, but not enough. How do you detect changes to important files on a local host? Your NIDS isn't going to help you, a Host IDS might (Tripwire ring a bell?)
Not only that, but you still have to perform regular audits to ensure that the systems are working properly. You also have to review the logs.
It's all about Layers! there is no "Magic Bullet"
I will not give in to the terrorists. I will not become fearful.
They get us in so many ways. There's got to be a way for us to get them."
Well, yall can start by getting your heads out of your asses and implementing a decent security program, including limiting employees' access to their workstations..
I never thought I'd say this, but after reading through some of the comments in recent Digg threads about Microsoft, I actually think Digg is getting better and Slashdot is going to hell. Why is this tripe allowed to float up to the default page view?
Nobody is immune from either Flu or Ebola. And yet, I know which one I am going to be concerned about.
The simple fact is, that Windows IS easier to hit. And until the security tightens up, it will remain that way. *nix has decent security in it (due to a good initial design and years of work to get it right).
I prefer the "u" in honour as it seems to be missing these days.
That is far from what was intended in my (the grandparent) post. I think you read in between the lines and found something that wasn't supposed to be there. Despite what you may think, I was not implying that Linux and Mac systems "have the same problems" as Windows. That is an absurd statement. Perhaps I should have spelled it out and ended my first sentence with "if you run Windows" but I thought that goes without saying in a community like Slashdot.
Believe it or not, I actually agree with everything you said. In the original post I simply intended to say that any computer could fall victim to a keylogger, whatever the platform and whatever the status of your antivirus and antispyware protection. And you should absolutely use those things... if you run Windows. ;)
While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD haven't you ever heard of "Defense in Depth"?
Sure, and that's what's needed. The easiest way to start is to throw the Windoze out and end the monoculture. Defense in depth starts with a diverse OS install that makes the whole 0wnership game that much more difficult and less profitable.
Most of the Windoze problems are problems of obnoxious non free software that get in the way of real security. Complex licensing and install mechanisms, bloat and ancient codebases are all detrimental. M$ admins run themselves silly keeping up with "patches", AV updates and other completely ineffective "products" sold to them by people who'd like to keep them in the dark about real security. Even if they could get their heads out of that, applying reasonable tools in a M$ shop is next to impossible. Vista takes up 15 GB of disk space, before you add anything useful to it, most of it designed to keep the user from "stealing" songs. How the hell do you audit that? We all know that hype about improved performance and security is going to be worth just as much as the XP hype was - the non free codebase remains as crusty as it ever was. Recovery in the non free world, thanks to licensing and install methods, is a huge pain. In the free world, you can use A/V on detection to disinfect user files and simply wipe the binaries out, often remotely. People in the non free world are screwed from start to finish. Even if they had the tools to identify all of the spyware and viruses, they don't have the manpower to fix the problem or the time to learn how.
Friends don't help friends install M$ junk.
"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "
It shall be a Class I felony to fail to protect a computer containing confidential information is such a manner that an unauthorized third party can gain access to the information or that the computer itself can be stolen. If it is not possible to determine the specific employee who should have safeguarded the confidential information or hardware, any corporate officer will be held accountable.
It's more effective to punish the inept employees and management than the perpetrators; at least you'll get rid of a lot of the deadwood and motivate the people who can be most effective in fixing the problem of lax security and "I don't give a shit" attitudes about safeguarding confidential information.
Congress wants to pass a law that would make spy-ware legal.
(IIRC, it is HR 950 - the "CAN SPY ACT". There was a /. post about it a few weeks back, but too hard to use PDA to search while riding on a bus.)
Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
It'$ bull$hit anyway. The pro$ can get through anything. $tarting off with an O$ that 99% of $cript kiddie$ can't own i$ a much better option than dragging down your computer'$ performance with $nake oil. An O$ like Debian, without Fla$h and other u$ele$$ and in$ecure junk, i$ more appropriate for an office than Windows with it'$ IE, Outlook and WMP burden. After that, AV can be done for mail $erver$ and intru$ion detection at the network level. Everything el$e i$ ju$t $o much bu$y work and wa$te of money.
Does anyone here actually use online banking? If you do, aren't you worried about your account being compromised? What measures do you take to address the numerous security issues?
Personally, there's no way I'd sign up for online banking, there's just too much risk. I prefer to either visit my bank in person or (rarely) speak to someone at the bank over the phone. I understand that the phone is also risky, but I figure that there's much more risk for an attacker since there will be a record of from where the call was placed.
I do place quite a few orders online using my credit card, but that's because it offers some legal protections, like only being responsible for the first $50 of a fraudulent charge.
This doesn't bode well. What they need are some secure computing practices. Legislation won't prevent this, especially when the person lives outside her jurisdiction which happens to be most of the world.
He said that Linux does not suffer the same nor as many issues as MS. You attack him and say that he lives in parents basement, telling him to see the real world? So what is in the real world? ALL of the MS systems that I see are running AV and there are still daily attacks against MS. OTH, I have not seen ANY of the *nix boxes cracked. I have seen security compromised when somebody obtained a login/password from a cracked Windows system, but that is not the same. All in all, he is more in the real world that you ACs are.
I prefer the "u" in honour as it seems to be missing these days.
Just 450K? Meh, post it when they steal at least a couple hundred megabytes.
Leben Sie jetzt die Fragen.
Why the fuck do they think anti-malware software is the answer?
Three words: Hardware key logger.
Fools and their money are soon parted.
Question everything
It just goes to prove the old saying, no one will ever need more than 640k...
I like my coffee the way I like my women - roasted and ground up into little tiny pieces.
My luggage has that many passwords.
Perhaps I should have spelled it out and ended my first sentence with "if you run Windows" but I thought that goes without saying in a community like Slashdot.
I can only read what you write. Mind reading is something I gave up long ago, it just never worked.
Friends don't help friends install M$ junk.
"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy."
Yeah... more "rules" against this kind of behavior will fix it. It's not illegal enough... that's the reason it happens. Criminals care about consequences. Dumb ass.
This just in... Pink Elephant Doesn't Steal Gazillion Dollars From Dead President.
I love it when things not happening classify as news.
With physical access, you can put a hardware keylogger into the cable. Or into the keyboard. Or into the computer. The keyboard is probably safest, since who opens a keyboard? I do it once a year to clean it, but that is it.
Then there is current research on doing audio-keylogging (by recognizing the individual key-sounds), and that seems to work reasonably well. There is Tempest monitoring for the keyboard. This one is a bit more effort, not because the signal is weak, but it is not too suitable for conventional receivers. Works for the key-matrix and the cable. There are doubtless many other options.
The easiest thing at the moment is probably to build your own keylogger software and use it sparingly. That way its signature will not get into the typically used malware detectors.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Someone mail this to the treasurer! These tests will prevent key logging by the ole distract em trick!
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Sure, and that's what's needed. The easiest way to start is to throw the Twitter out and end the monoculture. Defense in depth starts with a diverse user base that makes the whole 0wnership game that much more difficult and less profitable. Most of the Slashdot problems are problems of obnoxious free software supporters that get in the way of real content. Complex GPL3 licensing and hippie ideals, bloat and support of ancient BSD/UNIX codebases are all detrimental. twitter runs himself silly keeping up with kernel "patches", point released updates and other completely ineffective "products" sold to them by slashdot posters who'd like to keep him in the dark about real security. Even if he could get his head out of that, applying reasonable tools in twitter's mom's basement is next to impossible. twitter's text file copies of the GPL license take up 15 GB of disk space, before you add anything useful to it, most of it designed to keep the user from "stealing" source. How the hell do you audit that? We all know that hype about improved performance and security is going to be worth just as much as the Linux 2.6 hype was - the free codebase remains as incompatible as it ever was. Recovery in the free world, thanks to licensing and install methods, is a huge pain. In the non-free world, you can use A/V on detection to disinfect user files and simply wipe the binaries out, often remotely. People in twitter's world are screwed from start to finish. Even if they had the tools to identify all of the problems with his theories, they don't have the manpower to fix the problem or the time to teach him.
If I don't keep good updated security software on my home computer, somebody will steal six figure amounts from me?
I'd like to see them try. Blood, stone and all that.
Look everybody, twitter is insulted...
I wonder how many "security consultants" will now deluge the city of Carson's IT department with solutions for their problems? Really, you have to feel sorry for the IT department, they had a VIP enduser, who took her laptop outside of their network where it was most likely infected. Perhaps now they can get something in their budget, so this doesn't happen again.
How about keeping vital systems off the interwebs? Jesus H. Christ.
Yes, I am a smart ass; it's better than the alternative.
I know it's not going to fix anything, but there are a few simple, simple steps:
This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.
And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:
Don't thank God, thank a doctor!
Anti-malware software can only do so much. The real solution is to educate users so they are not vulnerable to social engineering attacks such as "OMG SMILIES FOR YOUR EMAIL", "I need to verify your username and password" and various other ways users are conned into having their boxes rooted and/or their passwords exposed.
Of course locking down corporate workstations is a very good idea. No admin access and a splash of group policies here and there does wonders at keeping the users away from things they can shoot their feet with.
If someone is able to steal my username _and_ password for my bank account he may be able to _look_ into my account but still not be able to draw money from it. He does not have access to the TAN one needs to authorize the transfer. Even changing the way the TAN is provided would be visible to me. :-)
I'm Dutch and have a Dutch bank account
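The post above relies on a transaction authorization number that a keylogger cannot turn into a working transfer. The following added example (not code from the poster's bank or any real banking scheme) models one way that holds: each TAN is an HMAC over a counter, the amount and the destination, computed on a separate device from a secret the keyboard never sees, so a TAN captured with the password is useless for any other transfer and cannot be replayed. The secret, password and accounts are constructed values.

```python
import hashlib
import hmac


def transaction_tan(secret: bytes, counter: int, amount_cents: int, dest: str,
                    digits: int = 6) -> str:
    """TAN bound to one specific transaction (hypothetical generator device)."""
    msg = f"{counter}|{amount_cents}|{dest}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


class Bank:
    """Server side: knows the device secret and the next expected counter."""

    def __init__(self, password: str, device_secret: bytes):
        self._password = password
        self._secret = device_secret
        self._counter = 0            # each accepted transfer consumes one counter value
        self.ledger = []

    def transfer(self, password: str, amount_cents: int, dest: str, tan: str) -> str:
        if not hmac.compare_digest(password, self._password):
            return "rejected: bad password"
        expected = transaction_tan(self._secret, self._counter, amount_cents, dest)
        if not hmac.compare_digest(tan, expected):
            return "rejected: TAN does not authorize this transaction"
        self._counter += 1
        self.ledger.append((amount_cents, dest))
        return "accepted"


def demo():
    """Constructed scenario: what a keylogger captures, and what it is worth."""
    secret = b"constructed-device-secret"
    password = "Snoopy67"               # static password, visible to a keylogger
    bank = Bank(password, secret)

    # Legitimate customer: device computes the TAN for exactly this transfer.
    legit_tan = transaction_tan(secret, 0, 10_000, "NL-KNOWN-PAYEE")
    first = bank.transfer(password, 10_000, "NL-KNOWN-PAYEE", legit_tan)

    # A keylogger saw the password and the six digits typed; try them on
    # a different transfer, then try replaying the original one.
    captured = (password, legit_tan)
    other = bank.transfer(captured[0], 45_000_000, "NEW-ACCOUNT-XYZ", captured[1])
    replay = bank.transfer(captured[0], 10_000, "NL-KNOWN-PAYEE", captured[1])
    return first, other, replay, bank.ledger


if __name__ == "__main__":
    print(demo())
```

The three outcomes are accepted, rejected, rejected: the static password still works, but money only moves for the transaction the TAN was generated for, and only once.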
Hacked root? Well, why do you need to hack sudo then?
If you run SELinux or the personality module you need to hack the account (unused otherwise) that controls the personality mode to get root to do anything other than what root has been allowed to. Or it can be locked down that root cannot do this. You'll now need to work out what user account can do what nefarious deed you need and hack that account.
These "disaster avoided" stories are numbingly boring. Wake me up when money actually gets transferred and there are dead dogs and crying executives in the streets. This is America, people, home of the kiss-kiss-bang-bang, for crying out loud. Please gauge your notion of "news" accordingly.
PS: Just curious: how would it be possible to transfer 450mil out of a bank and go undetected? How are these big things pulled off?
Mircosfot make great benefit to nation America!
you had me at #!
Since the state thinks that legislation can be used to solve all their problems there are just 2 things they need to outlaw: ignorance and stupidity. I'm sure it would be just as effective as creating new laws covering crimes that are already covered by other laws.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
twitter runs himself silly keeping up with kernel "patches", point released updates and other completely ineffective "products" sold to them by slashdot posters who'd like to keep him in the dark about real security.
apt-get update; apt-get upgrade
Done, no need to reboot. A managed GNU/Linux desktop is even easier. Free software is easy because it lacks restrictions. The end result for the user is a system that incorporates the best security practices with next to no effort. Effort for the developer is also reduced by code sharing, each is free to concentrate on the thing they enjoy while the rest takes care of itself.
Silly Microturd AC, no one believes your bullshit. Bill Gates can spend ALL of his money making Slashdot carry his message, but no one will believe it. The game is over because the lies are so transparent. Windoze can't win the security, features or ease of use race. Hardware makers have realized that and the M$ domination is ending. Soon it will be over and your favorite OS will sink to the market share it deserves. If you think Vista lacks improvements and features a normal person would expect from five years of development, just wait till you see what M$ comes up with when they lose their monopoly rent revenue. Non free is dead.
Friends don't help friends install M$ junk.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I'm not sure he really gives a fuck, to be honest. When you're a billionaire ex-CEO of one of the world's largest and most successful companies, whose time is increasingly devoted to running a charity foundation to distribute AIDS drugs and whatnot, I really doubt your top concern is astroturfing Slashdot. ... It's depressing in and of itself that someone can be as mouth-foamy as you are about some fscking software.
M$ spends about a billion dollars a month on marketing. I spend a few minutes a day.
Bill Gates' supposed charity is his bid to 0wn medicine and education. Big drug companies like his "IP" ideas and the crappy laws he got passed but they won't like what he does to them and medicine. Those same "IP" laws have doomed millions to die without otherwise cheap medicine. Everything he does comes with strings attached, such as pledging to use M$ software, respect their patents and other nonsense that has nothing to do with medicine or education. For every dollar spent, he typically "leverages" nine in public spending but demands complete control of the results. Worse, he's used foundation funds to purchase independent newspapers that have looked into his misdeeds.
Friends don't help friends install M$ junk.
Yes, AC, "shit" is how M$ is pronounced.
Friends don't help friends install M$ junk.
and what do we call teh insulting twitter? it's spelled "turd"!
Meanwhile new legislation bans keyloggers, and people involved in the manufacture, development or distribution of keyloggers will be sentenced to a minimum of 5 years in prison.
O this learning! What a thing it is - William Shakespeare