Slashdot Mirror

← Back to Stories (view on slashdot.org)

City Almost Loses 450K to Keylogger

Posted by CowboyNeal on from the never-too-safe dept.

SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."

8 of 158 comments (clear)

  1. Re:Physical Keylogger by creativeHavoc · · Score: 2, Interesting

    I STFA and I STFS but I found no trace of anyone refering to a "physical keylogger" ... only you.

    --
    insight through the mind
  2. Re:Fscking dumb by Original+Replica · · Score: 2, Interesting

    I would rather it drives home the importance of controlling any flow of money. Say someone gets ahold of my online banking password. They should only have the ablitlity to transfer money from checking to savings or perhaps pay my cable bill. They should not be able to transfer it to an account that isn't one of my accounts with the same bank. They shouldn't be able to set themselves up as a payee able to recieve electronic payments from my account. They should be able to transfer funds to a different bank. Sure it might be slightly less convienent for me to have to go to the bank in person with ID in order to add a new payee, or to make a transfer to a different bank, but it seems a small price to pay for that security. I should be more worried about a keylogger screwing up my e-mail than emptying my bank account. This shouldn't be that tough folks.

    --
    We are all just people.
  3. I've found keylogger cache files by spywhere · · Score: 4, Interesting

    Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
    A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:

    "Um, sir, do you bank at Bank of America?"
    "Yeah, why?"
    "Is your password 'Snoopy67'?"

    Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.

    1. Re:I've found keylogger cache files by frostband · · Score: 2, Interesting

      "Um, sir, do you bank at Bank of America?"
      "Yeah, why?"
      "Is your password 'Snoopy67'?"
      "No. It's the same as my luggage: 1, 2, 3, 4, 5."

  4. lol by pestilence669 · · Score: 2, Interesting

    "The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy."

    Yeah... more "rules" against this kind of behavior will fix it. It's not illegal enough... that's the reason it happens. Criminals care about consequences. Dumb ass.

  5. Re:Fscking dumb by narf · · Score: 2, Interesting

    That describes my bank (a credit union) pretty darn well!

  6. My god, the simplest things... by SanityInAnarchy · · Score: 3, Interesting

    As Los Angeles County sheriff's deputies and Secret Service investigators try to track down the crooks, Carson has fielded calls from officials worried about the security of municipal coffers. "They want to know how they can prevent this," Avilla said.

    I know it's not going to fix anything, but there are a few simple, simple steps:

    1. Linux. If you can't make that work, get a Mac, but really, do give Linux some serious consideration. Especially if you can standardize on things in the normal repositories, you basically kill any equivalent of the most common and easiest Windows attack vectors.
    2. Never let it out of your sight. If it's a desktop, it stays in a room that only you and trusted people have access to, like your office. When you're not there, lock the door. If it's a laptop, either keep it locked in a similar room, or carry it with you. If you MUST let it out of your sight, get one of those stupid-looking laptop locks and lock it to something solid. When you get back, check for tampering.
    3. Don't let anyone have unlimited access to it. If someone MUST use your computer, every time they touch it, it should be under some limited account, not yours. When they're done, nuke the account. And again, be in the room, paying enough attention that you'll notice if they try to open the case or unplug anything.
    4. Lock it down. Linux/Mac is part of the above, but even if you MUST use Windows, turn on the firewall, download some good, free antivirus and antispyware (and pay for some if you can't get it free, due to many of the "free" ones being free only for home use), and turn off AutoRun, even if you never plan to play music CDs. You could go farther, too -- on Mac/Windows, BitLocker/FileVault. On Linux, you could encrypt the entire disk except your boot partition, and you could put that on a removable flash thumbdrive. You could also use SELinux, which, on a distro that supports it, is complete overkill even for this -- every process has a set of rules defining what it can and cannot do.
    5. Use a secure browser, which basically means anything except IE. If you're on Vista, maybe IE 7, but I still prefer open source. And even then, disable crap you don't need, run Flash on a per-page click-to-play basis, and pay very close attention to the URLs you visit when accessing your bank.
    6. Use at least two-factor authentication. A thumbprint reader, a smartcard reader, or even a simple thumb-drive with a keyfile on it.
    7. Don't be stupid with passwords. Don't give them out for chocolate (has happened before). It is not enough to name it after your dog and add a year, your Fido1993 will be cracked in two minutes with a dictionary cracker, if you even bothered to capitalize the F. Make it hard enough that you have to write it down, and then make sure where you write it is sufficiently protected -- for example, on something in your pocket, or have the browser remember on that encrypted hard drive. (The encrypted drive, of course, will always have the same password, and that should be a hard one that you bite the bullet and memorize anyway. Or a very-obfuscated one that you can remember, for example, 2b||!2b could read "To be or not to be" (to a programmer), but beware that being predictable (such as pulling it out of my Slashdot comment) can make hard obfuscation easy.)

    This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.

    And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:

    The treasurer said she is now determined to try to write legi

    --
    Don't thank God, thank a doctor!
  7. YAY WINDOWS! by toby · · Score: 2, Interesting

    Mircosfot make great benefit to nation America!

    --
    you had me at #!