City Almost Loses 450K to Keylogger
SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."
Pwned.
Silence is golden... and duct tape is silver.
Ummmm... how exactly would having anti-virus or anti-spyware stop things, if it's a physical keylogger?
Do you know how these things work?
"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "
Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!
---- Booth was a patriot ----
450 Kilobytes? Doesn't sound so bad.
Well, you've heard of a "five finger discount", right? Maybe this guy had a birth defect.
...the future crusty old bastards are already drinking the Kool-Aid.
> but it drives home the importance of keeping good anti-spyware and anti-virus software updated
> on both corporate systems as well as systems being used from home.
No. It drives home the importance of controlling the flow of public money. If one person, be it the president of California or whatever you call him, can make significant money transfers that are not audited and open, there is something wrong with your system. Yes, you fscking can make the bank *call* you to approve any transfer above some amount. Yes, you can make public transfers open and visible.
So there is nothing to blame on the software, since it is obvious that Windows in the hands of non-technical people is insecure. The person making transfers should use a different laptop, perhaps? The one that the IT department takes care of, not the one he browses pron from?
It is just an example of how retarded and uneducated the people who have the power to spend public money are.
How we know is more important than what we know.
"You have six fingers on your right hand. Someone is looking for you."
It is easier to build strong children than to repair broken men. -Frederick Douglass
He should really stay away from Spaniards with scars on their faces, then.
The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.
Yeah, because laws sure do stop those criminals from, you know, breaking the law.
When are politicians going to wise up and realize that laws don't stop criminals from doing anything; they just offer a means of punishing them _if_ they get caught after the fact? Completely different methods are required to prevent these kinds of things -- like proper security procedures, in this case.
Fill in your four or five-letter word of wisdom here _ _ _ _ _.
I'm sure equivalents exist for Linux, too.
..>./ No you're not, ha, ha ./..,;,
They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.
Many are so discreet even an IT tech might not notice them.
I've heard there are even some for Windows that can be programmed to inject keypresses.
Hopefully I'm OK typing on my laptop's integrated keyboard here.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Antivirus/antispyware might not stop a physical keylogger, but that wasn't the problem here.
If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.
God I'm going to hell for writing that, and I'm a Linux user.
Just shows that keyboard technology will have to change to prevent this sort of problem. The devices are harder to produce for USB keyboards than PS/2 style as you need to understand the USB/HID protocol.
if it wasn't for you meddling kids.
It is no longer uncommon to be uncommon.
Just to echo a previous poster, the solution here is human. Even if you can create the transfer batch identically to the method used by the victim, the bank should sit on their hands until they call an authorized person and verify the amount of the transaction. If your payroll suddenly doubles, you might want to check into it. From the detail-sparse article it sounded like an unscheduled transfer anyway. It looks like they have no human interaction between bank and city. Freakin Kalamazoo was a nice touch though, hilarious.
The real problem would've been if they were smart enough to create a payroll entry for a non-existent employee and have it direct deposit somewhere. Hopefully this would be caught when a check stub for "John Smith" sat in a desk in the fake employee's department and anyone with a clue noticed they hadn't handed it out... and for that matter didn't know John Smith.
Regardless the $90K should've been a red flag if they were actually getting confirmation calls from the bank.
To work around the confirmation call you'd need a mole high enough in the hierarchy to confirm the call or someone at the bank. Said person better flee quickly because they've put their name all over it.
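The control this post (and the earlier "make the bank *call* you" reply) describes, as an added example that is not from the article or from any poster: a small approval gate that holds a transfer when it is above an absolute limit, well above the payee's usual amount, unscheduled and sizeable, or going to a payee with no history, and releases it only after an authorized person's callback has been recorded. The limits, payee names and amounts are constructed for illustration.

```python
"""Out-of-band approval gate for outgoing transfers (added example, constructed data)."""
from dataclasses import dataclass, field
from statistics import mean

# Constructed policy values; a real treasury would set these by policy.
ABSOLUTE_LIMIT = 50_000        # any single transfer above this needs a callback
UNSCHEDULED_LIMIT = 10_000     # unscheduled transfers above this need a callback
BASELINE_MULTIPLIER = 1.5      # more than 1.5x the payee's usual amount is unusual
MIN_HISTORY = 3                # past transfers needed before a baseline is trusted


@dataclass
class Transfer:
    payee: str
    amount: float
    scheduled: bool            # True for a known recurring run such as payroll


@dataclass
class ApprovalGate:
    history: dict = field(default_factory=dict)   # payee -> list of released amounts
    confirmed: set = field(default_factory=set)   # transfer ids confirmed by phone
    audit_log: list = field(default_factory=list)  # every decision, for later review

    def reasons_to_hold(self, t: Transfer) -> list:
        """Return every reason the transfer should wait for a callback (empty = fine)."""
        reasons = []
        if t.amount > ABSOLUTE_LIMIT:
            reasons.append(f"amount {t.amount:,.2f} exceeds limit {ABSOLUTE_LIMIT:,}")
        past = self.history.get(t.payee, [])
        if len(past) >= MIN_HISTORY:
            baseline = mean(past)
            if t.amount > BASELINE_MULTIPLIER * baseline:
                reasons.append(f"amount is {t.amount / baseline:.1f}x the usual {baseline:,.2f}")
        else:
            reasons.append("payee has no established history")
        if not t.scheduled and t.amount > UNSCHEDULED_LIMIT:
            reasons.append("large transfer outside a scheduled run")
        return reasons

    def decide(self, transfer_id: str, t: Transfer) -> str:
        """HOLD anything with a reason unless a callback for this id was recorded."""
        reasons = self.reasons_to_hold(t)
        if reasons and transfer_id not in self.confirmed:
            decision = "HOLD"
        else:
            decision = "RELEASE"
            self.history.setdefault(t.payee, []).append(t.amount)
        self.audit_log.append((transfer_id, decision, reasons))
        return decision

    def record_callback(self, transfer_id: str, confirmed_by: str) -> None:
        """Record that an authorized person confirmed this transfer out of band."""
        self.confirmed.add(transfer_id)
        self.audit_log.append((transfer_id, "CONFIRMED", [f"by {confirmed_by}"]))


def demo() -> dict:
    """Constructed scenario: normal payroll releases, doubled payroll and an unknown
    payee are held, and the held payroll releases only after the callback."""
    gate = ApprovalGate(history={"payroll": [42_000, 41_500, 42_300]})
    results = {}
    results["normal_payroll"] = gate.decide("t1", Transfer("payroll", 42_100, scheduled=True))
    results["doubled_payroll"] = gate.decide("t2", Transfer("payroll", 90_000, scheduled=True))
    results["new_payee"] = gate.decide("t3", Transfer("Unknown Vendor LLC", 8_000, scheduled=False))
    gate.record_callback("t2", "city treasurer")
    results["doubled_after_callback"] = gate.decide("t2", Transfer("payroll", 90_000, scheduled=True))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the design is that credentials alone never move money: a stolen login can submit the batch, but anything outside the payee's normal pattern stops until someone the attacker cannot keylog picks up the phone, and the audit log records who confirmed what.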
* sigh *
Because people who would try and steal some $450,000 are going to be stopped by legislation making it even more illegal.
Maybe something like two-factor authentication would be better? That way different numbers are needed every time. And better security on the laptop perhaps? Non-administrator privileges. Not allowing people to install software? All quite doable.
Sure, blame the criminals, but maybe the doors should be bolted too?
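What "different numbers every time" looks like in code, as an added example that is neither the poster's nor any vendor's: a time-based one-time password per RFC 6238 (HOTP from RFC 4226 keyed by a 30-second time step), with a verifier that accepts a small clock-drift window and refuses to accept the same counter twice. The secret below is the RFC 6238 test key; the user name and timestamps in the demo are constructed.

```python
"""TOTP generation and replay-safe verification (added example, RFC 6238 test key)."""
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step
DIGITS = 6       # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: accept a code from the current step or one step either
    side (clock drift), but never accept a counter at or below the last one used,
    so a code captured by a keylogger is worthless once it has been submitted."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = int(unix_time) // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                      # already used or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # burn this and all earlier counters
                return True
        return False


def demo() -> dict:
    """Constructed scenario: a fresh code is accepted, replaying it is refused,
    and the next time step's code is accepted again."""
    secret = b"12345678901234567890"          # RFC 6238 test secret (constructed user)
    v = TotpVerifier(secret)
    t0 = 1_111_111_109                        # timestamp from the RFC test vectors
    first = totp(secret, t0)
    return {
        "fresh": v.verify(first, t0),
        "replay_same_step": v.verify(first, t0 + 5),
        "replay_next_step": v.verify(first, t0 + STEP),
        "next_code": v.verify(totp(secret, t0 + STEP), t0 + STEP),
    }


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy you: a keylogged code expires within the window and cannot be replayed, but the shared secret still has to be provisioned and stored out of reach of the same malware, and it does nothing against a transfer the attacker submits in real time while the user is logged in, which is why the callback control elsewhere in the thread still matters.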
Yup, now that she has plenty of time on her hands since she has been FIRED!
I hate slashdot
Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:
"Um, sir, do you bank at Bank of America?"
"Yeah, why?"
"Is your password 'Snoopy67'?"
Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.
Saying that GNU/Linux and Mac have the same problems Windoze does is a serious insult. I'm tired of hearing people tell me how much my OS needs an antivirus and spyware checker.
It's bullshit anyway. The pros can get through anything. Starting off with an OS that 99% of script kiddies can't own is a much better option than dragging down your computer's performance with snake oil. An OS like Debian, without Flash and other useless and insecure junk, is more appropriate for an office than Windoze with its IE, Outlook and WMP burden. After that, AV can be done for mail servers and intrusion detection at the network level. Everything else is just so much busy work and a waste of money.
While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD, haven't you ever heard of "Defense in Depth"? Yes, AV can be done for mail servers, and hell, also on proxy servers. But how do you protect against the user in room 314 with a USB memory key that he likes to use? You need AV on individual systems (I like ClamAV for *nix, but that's my personal choice).
Intrusion detection at the network level: brilliant, and a useful tool, but not enough. How do you detect changes to important files on a local host? Your NIDS isn't going to help you; a host IDS might (Tripwire ring a bell?).
Not only that, but you still have to perform regular audits to ensure that the systems are working properly. You also have to review the logs.
It's all about Layers! there is no "Magic Bullet"
I will not give in to the terrorists. I will not become fearful.
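The host-side layer this post asks about, "how do you detect changes to important files on a local host", as an added example that is not Tripwire's code and not from any poster: take a SHA-256 and permission-bits baseline of a directory tree, take it again later, and report what was added, removed or modified. The demo tree, its file names and contents are constructed in a temporary directory; on a real host you would baseline /etc, /bin and the like and keep the baseline somewhere the host itself cannot rewrite.

```python
"""Minimal file-integrity baseline and comparison (added example, constructed demo tree)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its hash and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue                         # only regular files are tracked
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "mode": p.stat().st_mode & 0o7777}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two baselines; a mode change counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then tamper with it and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        before = build_baseline(root)
        # Tampering to detect: an extra uid-0 account line, a dropped-in file, a deleted file.
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "unexpected.conf").write_text("constructed\n")
        (root / "hosts").unlink()
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

This is the part of the job a NIDS cannot see: a file rewritten by a local process never crosses the wire. What it still does not cover is reviewing the report, which is the "regular audits" and "review the logs" point above.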
They get us in so many ways. There's got to be a way for us to get them."
Well, y'all can start by getting your heads out of your asses and implementing a decent security program, including limiting employees' access to their workstations.
Nobody is immune from either Flu or Ebola. And yet, I know which one I am going to be concerned about.
The simple fact is, that Windows IS easier to hit. And until the security tightens up, it will remain that way. *nix has decent security in it (due to a good initial design and years of work to get it right).
I prefer the "u" in honour as it seems to be missing these days.
That is far from what was intended in my (the grandparent) post. I think you read in between the lines and found something that wasn't supposed to be there. Despite what you may think, I was not implying that Linux and Mac systems "have the same problems" as Windows. That is an absurd statement. Perhaps I should have spelled it out and ended my first sentence with "if you run Windows" but I thought that goes without saying in a community like Slashdot.
Believe it or not, I actually agree with everything you said. In the original post I simply intended to say that any computer could fall victim to a keylogger, whatever the platform and whatever the status of your antivirus and antispyware protection. And you should absolutely use those things... if you run Windows. ;)
While I will agree with you that Windows is fundamentally less secure than GNU/Linux||BSD, haven't you ever heard of "Defense in Depth"?
Sure, and that's what's needed. The easiest way to start it to throw the Windoze out and end the monoculture. Defense in depth starts with a diverse OS install that makes the whole 0wnership game that much more difficult and less profitable.
Most of the Windoze problems are problems of obnoxious non-free software that gets in the way of real security. Complex licensing and install mechanisms, bloat and ancient codebases are all detrimental. M$ admins run themselves silly keeping up with "patches", AV updates and other completely ineffective "products" sold to them by people who'd like to keep them in the dark about real security. Even if they could get their heads out of that, applying reasonable tools in a M$ shop is next to impossible. Vista takes up 15 GB of disk space before you add anything useful to it, most of it designed to keep the user from "stealing" songs. How the hell do you audit that? We all know that the hype about improved performance and security is going to be worth just as much as the XP hype was - the non-free codebase remains as crusty as it ever was. Recovery in the non-free world, thanks to licensing and install methods, is a huge pain. In the free world, you can use A/V on detection to disinfect user files and simply wipe the binaries out, often remotely. People in the non-free world are screwed from start to finish. Even if they had the tools to identify all of the spyware and viruses, they don't have the manpower to fix the problem or the time to learn how.
Friends don't help friends install M$ junk.
Congress wants to pass a law that would make spy-ware legal.
(IIRC, it is HR 950 - the "CAN SPY ACT". There was a /. post about it a few weeks back, but too hard to use PDA to search while riding on a bus.)
Don't try to outweird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
This doesn't bode well. What they need are some secure computing practices. Legislation won't prevent this, especially when the person lives outside her jurisdiction which happens to be most of the world.
I online bank and in 3 years have never changed my password. I don't log in from internet cafes or anything. My bank says I am covered no matter what. Other than not changing my password I have good security. I use a Mac on an IP filter and wep network and ND magnet my old hard drives. As a general rule I don't give out my bank info to anyone from Nigeria, the only banking thing that I do that bothers me is I have a paypal account that connects to my bank account and that kinda gives me the creeps.
I hate slashdot
He said that Linux does not suffer the same nor as many issues as MS. You attack him and say that he lives in his parents' basement, telling him to see the real world? So what is in the real world? ALL of the MS systems that I see are running AV and there are still daily attacks against MS. OTH, I have not seen ANY of the *nix boxes cracked. I have seen security compromised when somebody obtained a login/password from a cracked Windows system, but that is not the same. All in all, he is more in the real world than you ACs are.
I prefer the "u" in honour as it seems to be missing these days.
Just 450K? Meh, post it when they steal at least a couple hundred megabytes.
Live the questions now.
Why the fuck do they think anti-malware software is the answer?
Three words: Hardware key logger.
Fools and their money are soon parted.
Question everything
It just goes to prove the old saying, no one will ever need more than 640k...
I like my coffee the way I like my women - roasted and ground up into little tiny pieces.
I use online banking too, without any problems. I've even logged on to their secure site from my PDA on an unencrypted network at a bus terminal to transfer some money so I could afford a bus ticket home. Technology to the rescue!
I've never changed my password either, and just like the other sibling post, the paypal account that's tied into my bank account also gives me the creeps, but it's still useful, and it's actually saved my ass on a botched ebay auction. (Paypal refunded me when the seller screwed up.)
A recent login to my bank's site yielded a prompt for more security information. I was prompted to select 5 questions, such as "What is your favorite chocolate bar?" and was told that they would occasionally ask me to answer them. My biggest complaint is they do not allow passwords longer than 8 characters. I guess it's either their encryption doesn't support it, or they have problems with people forgetting long passwords. Please, let me choose them if I want!
Unlike porn, which yada yada rimshot hey-ooh!
"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy."
Yeah... more "rules" against this kind of behavior will fix it. It's not illegal enough... that's the reason it happens. Criminals care about consequences. Dumb ass.
With physical access, you can put a hardware keylogger into the cable. Or into the keyboard. Or into the computer. The keyboard is probably safest, since who opens a keyboard? I do it once a year to clean it, but that is it.
Then there is current research on doing audio-keylogging (by recognizing the individual key-sounds), and that seems to work reasonably well. There is Tempest monitoring for the keyboard. This one is a bit more effort, not because the signal is weak, but it is not too suitable for conventional receivers. Works for the key-matrix and the cable. There are doubtless many other options.
The easiest thing at the moment is probably to build your own keylogger software and use it sparingly. That way its signature will not get into the typically used malware detectors.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Someone mail this to the treasurer! These tests will prevent key logging by the ole distract-em trick!
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
If I don't keep good updated security software on my home computer, somebody will steal six figure amounts from me?
I'd like to see them try. Blood, stone and all that.
You can mark me as mildly "data paranoid", but I still use on-line banking and on-line access to my 401K. I'm on cable modem - behind a router whose admin password I've changed - and either on a Mac or a Linux system, both also running SW firewalls. And rarely I've used my XP-Pro system to do such stuff - but I am in the final stages of moving all my stuff to Mac / Linux. And since I'm a security nut I have a very good security system on the PC and it's always up to date.
But I'm also a technology professional - so all this is normal / natural for me. For the rest of the 90% plus of people who don't know squat about the basics of how to be minimally secure - this case underscores the point that you can have computer security in place - but if you ignore it - don't update it - change the settings - etc., then you are a prime target - especially if you are a prime target like an account manager etc.
Its not the years, its the mileage
I find it funny that people who are wary of online banking (not necessarily the OP here) seem to have no problem handing their credit card to the waiter and letting them walk out of sight with it. Much less expertise needed to steal that one!
How about keeping vital systems off the interwebs? Jesus H. Christ.
Yes, I am a smart ass; it's better than the alternative.
I know it's not going to fix anything, but there are a few simple, simple steps:
This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.
And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:
Don't thank God, thank a doctor!
Anti-malware software can only do so much. The real solution is to educate users so they are not vulnerable to social engineering attacks such as "OMG SMILIES FOR YOUR EMAIL", "I need to verify your username and password" and various other ways users are conned into having their boxes rooted and/or their passwords exposed.
Of course locking down corporate workstations is a very good idea. No admin access and a splash of group policies here and there does wonders at keeping the users away from things they can shoot their feet with.
These "disaster avoided" stories are numbingly boring. Wake me up when money actually gets transferred and there are dead dogs and crying executives in the streets. This is America, people, home of the kiss-kiss-bang-bang, for crying out loud. Please gauge your notion of "news" accordingly.
PS: Just curious: how would it be possible to transfer 450mil out of a bank and go undetected? How are these big things pulled off?
Mircosfot make great benefit to nation America!
you had me at #!
First, how many small county offices are running Linux, let alone SE? These places get by on using the most common stuff they can find, to make it easy on the city worker.
These folks run MS and fail to apply security updates; do you really think they will run updates on a Linux box? A badly patched Linux box is much more dangerous than Windows boxen that are not patched. On a Linux box you can control much more of the box than on an MS box. It just happens that with more control over the platform there is more that can be done with it. Linux is a superior platform in that respect, and that makes it more dangerous.
This package Does Not Contain a Winner
Since the state thinks that legislation can be used to solve all their problems, there are just 2 things they need to outlaw: ignorance and stupidity. I'm sure it would be just as effective as creating new laws covering crimes that are already covered by other laws.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I think you mean Meddling kids.
Damn, second post and I figured out some formatting, but it looks like I need to force line breaks. Sorry for the block of text.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy
apt-get update; apt-get upgrade
Done, no need to reboot.
And when your apt-get upgrades include a new kernel, what do you do then?
Bill Gates can spend ALL of his money making Slashdot carry his message, but no one will believe it
I'm not sure he really gives a fuck, to be honest. When you're a billionaire ex-CEO of one of the world's largest and most successful companies, whose time is increasingly devoted to running a charity foundation to distribute AIDS drugs and whatnot, I really doubt your top concern is astroturfing Slashdot.
Non free is dead.
Yes, of course, because nobody runs Windows or Mac OS, or even the NVidia drivers under Linux. Must be dead.
Jesus, why is it I come away from your posts thinking I need to get my Prozac dosage upped? It's depressing in and of itself that someone can be as mouth-foamy as you are about some fscking software.
By summer it was all gone...now shesmovedon. --
I'm not sure he really gives a fuck, to be honest. When you're a billionaire ex-CEO of one of the world's largest and most successful companies, whose time is increasingly devoted to running a charity foundation to distribute AIDS drugs and whatnot, I really doubt your top concern is astroturfing Slashdot. ... It's depressing in and of itself that someone can be as mouth-foamy as you are about some fscking software.
M$ spends about a billion dollars a month on marketing. I spend a few minutes a day.
Bill Gates' supposed charity is his bid to 0wn medicine and education. Big drug companies like his "IP" ideas and the crappy laws he got passed, but they won't like what he does to them and medicine. Those same "IP" laws have doomed millions to die without otherwise cheap medicine. Everything he does comes with strings attached, such as pledging to use M$ software, respect their patents and other nonsense that has nothing to do with medicine or education. For every dollar spent, he typically "leverages" nine in public spending but demands complete control of the results. Worse, he's used foundation funds to purchase independent newspapers that have looked into his misdeeds.
Friends don't help friends install M$ junk.
Meanwhile a new legislation bans keyloggers and people involved in the manufacture, development, distribution of keyloggers will be sentenced to a minimum of 5 years in prison.
O this learning! What a thing it is - William Shakespeare