City Almost Loses 450K to Keylogger

SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."

And nobody is really immune

[dn15]

but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home.

You can say that again. But you can't assume you're completely safe even on non-Windows system. A quick search on Mac software sites shows at least one keylogger and surely more are available. I'm sure equivalents exist for Linux, too. This sounds paranoid, yes, but the truth is if *anyone* else has access to your computer, either remotely or physically, there's a chance that everything you type is being recorded.

RTFA

Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords

Antivirus/antispyware might not stop a physical keylogger, but that wasn't the problem here.

Re:Physical Keylogger

[SanityInAnarchy]

There's no mention of the method used to install the keylogger onto the treasurer's computer.

Yes there is.

Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords.

That is, unless they don't know what the word "spyware" means. Being reporters, they might just assume that spyware means what it sounds like -- any software used to spy on you, including something picking up keystrokes from a physical keylogger.

But then, it also seems like it would be difficult to make a physical keylogger that communicates reliably with the outside world:

Each time Treasurer Karen Avilla logged into her laptop computer in the morning, someone was looking--virtually--over her shoulder, watching every keystroke.

That sort of implies it's being done in realtime. Of course, they could always mean it was a physical keylogger, which the "hacker" then collected and dumped...

Then again, it's a laptop. If you have physical access to a laptop for long enough and with enough tools to install a physical keylogger, it's probably easier to carry the thing off and hope there's something valuable on the hard drive.

Social Engineering

[jasonwea]

... it drives home the importance of keeping good anti-spyware and anti-virus software updated ...

Anti-malware software can only do so much. The real solution is to educate users so they are not vulnerable to social engineering attacks such as "OMG SMILIES FOR YOUR EMAIL", "I need to verify your username and password" and various other ways users are conned into having their boxes rooted and/or their passwords exposed.

Of course locking down corporate workstations is a very good idea. No admin access and a splash of group policies here and there does wonders at keeping the users away from things they can shoot their feet with.

Re:Physical Keylogger

[sesshomaru]

Actually, a physical keylogger is a device that plugs in between the keyboard and the PC. Or else it could be build into a keyboard. Here's an example KeyGhost. Of course, since it's a dongle that doesn't transmit anything, you need regular physical access to the device to retrieve memory.

I think it's main use is to find out if your wife/husband or live in girlfriend/boyfriend is cheating on you, stuff like that. I owuldn't trust it for a sensitive operation like the one described in the article, too easy to discover with routine maintenance.

One that was built into an identical keyboard would be better in that case.