City Almost Loses 450K to Keylogger

SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."

Obligatory...

[dteichman2]

Pwned.

Physical Keylogger

[wdr1]

Ummmm... how exactly would having anti-virus or anti-spyware stop things, if it's a physical keylogger?

Do you know how these things work?

Re:Physical Keylogger

[creativeHavoc]

I STFA and I STFS but I found no trace of anyone refering to a "physical keylogger" ... only you.

Re:Physical Keylogger

[ajanp]

There's no mention of the method used to install the keylogger onto the treasurer's computer. They mention it was a laptop, but its a pretty far leap to assume that the hacker used a physical keylogger when the entire thing is just as likely, if not more so, to have been done remotely.

It's also probably worth mentioning that the keylogger was likely active for atleast a minimum of a day or two, likely much longer, considering it's mentioned that the keylogger tracked the treasurer's keystrokes until the hacker discovered the appropriate passwords AND the hacker stole the money over a couple days. With this longer exposure, especially if the keystrokes were being monitored remotely, there's a good chance that an anti-virus program with heuristics scanning running in the background (or atleast a decent software firewall) could have flagged the suspicious behavior and perhaps identified the keylogger program being used.

At the least, I think the poster is trying to convey that proper computer security could have helped to secure the computer and identify the problem earlier (the larger amount of 358,000 was stolen on the second day) or helped stop it outright.

Re:Physical Keylogger

[pionzypher]

As the other replies have stated, I don't remember them mentioning a physical keylogger. They do exist though. They sit in between the keyboards ps/2 plug and the systems ps/2 slot (USB varieties work the same). It looks like they just intercept and log the keystrokes, no software to detect on the host pc and no login needed.

Re:Physical Keylogger

[SanityInAnarchy]

There's no mention of the method used to install the keylogger onto the treasurer's computer.

Yes there is.

Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords.

That is, unless they don't know what the word "spyware" means. Being reporters, they might just assume that spyware means what it sounds like -- any software used to spy on you, including something picking up keystrokes from a physical keylogger.

But then, it also seems like it would be difficult to make a physical keylogger that communicates reliably with the outside world:

Each time Treasurer Karen Avilla logged into her laptop computer in the morning, someone was looking--virtually--over her shoulder, watching every keystroke.

That sort of implies it's being done in realtime. Of course, they could always mean it was a physical keylogger, which the "hacker" then collected and dumped...

Then again, it's a laptop. If you have physical access to a laptop for long enough and with enough tools to install a physical keylogger, it's probably easier to carry the thing off and hope there's something valuable on the hard drive.

Re:Physical Keylogger

[jimicus]

You know what I reckon?

Keylogger was probably installed through some kind of widespread trojan - be it email or compromised website. My favourite is website, because that requires slightly more sophisticated monitoring to do the job properly than an email system, particularly if you give people laptops and let them take the laptop home and connect to their employer through a VPN.

One of two things is possible from this point:

1. Hacker was specifically targeting the treasurer's department. Regardless of the methodology you can use, there's only so much you can do against a really determined hacker, and they'll probably never catch the perpetrator unless they made a really basic error.
2. Keylogger is/was very widespread, and phones home with details of what it's logged on a regular basis. Tie that up with a bit of judicious grepping back home, and you've got a very effective mechanism for finding all sorts of interesting information. The person/team behind this keylogger saw details coming in from a computer owned by a city in California and thought all their Christmases had come at once - access to a public purse which they didn't expect to be very well protected.

My money's on 2.

Re:Physical Keylogger

[sesshomaru]

Actually, a physical keylogger is a device that plugs in between the keyboard and the PC. Or else it could be build into a keyboard. Here's an example KeyGhost. Of course, since it's a dongle that doesn't transmit anything, you need regular physical access to the device to retrieve memory.

I think it's main use is to find out if your wife/husband or live in girlfriend/boyfriend is cheating on you, stuff like that. I owuldn't trust it for a sensitive operation like the one described in the article, too easy to discover with routine maintenance.

One that was built into an identical keyboard would be better in that case.

Re:Physical Keylogger

[gilgongo]

how exactly would having anti-virus or anti-spyware stop things

Well said! The notion that desktop computing in the Internet age would be problem-free if only everyone installed anti-malware software is completely bogus and doesn't even stand up to the slightest scrutiny. Everyone and is dog runs anti-malware (you can't buy a new PC without the stupid stuff literally flying out of the screen at you the minute you boot it up), and everyone and his dog is hideously infested with malware. Talk about brain-dead commentary!

Damned politicians

[nurb432]

"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!

Re:Damned politicians

[dreamchaser]

Because if they run out of redundant laws to pass they will be out of work.

Re:Damned politicians

[C0R1D4N]

That would be a good law/policy/ordinance, no?

Yes it is, which is exactly why it'll never happen

Re:Damned politicians

[asninn]

And also because she wants to get reelected, and for that, she needs to show the Joe Sixpacks who're infuriated now that OMGhackers stole their hard-earned tax dollars that she's doing something.

Think of it as political security theatre and/or CYA security - it doesn't actually do anything, but it mollifies the mob, and it allows her to point at the newly-passed laws and say "but I did something, you can't blame me!" when the same thing happens again later on.

Re:6 digit theft?

[treeves]

Well, you've heard of a "five finger discount", right? Maybe this guy had a birth defect.

Fscking dumb

[kosmosik]

> but it drives home the importance of keeping good anti-spyware and anti-virus software updated
> on both corporate systems as well as systems being used from home.

No. It drives the importance on controlling the flow of public money. If one person be it a president of California or what you call him, can make significant money transfers that are not audited and open that is something wrong with your system. Yes you fscking can make that bank *calls* you to approve any transfer above some ammount. Yes you can make that public transfers are open and visible.

So it is nothing to blame about the software since it is obvious that Windows in hands of non-technical people is insecure. The person making transfers should use different laptop perhaps? The one that IT department cares of not the one that he browses pron from?

It is just an example how retarded and uneucated people who have power to spend public money are.

Re:Fscking dumb

[Original+Replica]

I would rather it drives home the importance of controlling any flow of money. Say someone gets ahold of my online banking password. They should only have the ablitlity to transfer money from checking to savings or perhaps pay my cable bill. They should not be able to transfer it to an account that isn't one of my accounts with the same bank. They shouldn't be able to set themselves up as a payee able to recieve electronic payments from my account. They should be able to transfer funds to a different bank. Sure it might be slightly less convienent for me to have to go to the bank in person with ID in order to add a new payee, or to make a transfer to a different bank, but it seems a small price to pay for that security. I should be more worried about a keylogger screwing up my e-mail than emptying my bank account. This shouldn't be that tough folks.

Re:Fscking dumb

[_Sharp'r_]

In the nonprofit school that I'm on the board of, our policy is that anything over a certain amount must be approved and signed by multiple officers, up to all four main officers for really large amounts.

What kind of idiot sets up a financial system for a city (that deals with a lot more money that we ever will) in which one user can on their own authority transfer over a quarter of a million dollars to a random bank account? Whoever the controller for the city is should probably be fired at this point.

Even if you have an electronic system, it's WAY more secure to require multiple approvals. For a really large amount, why not pay someone a wage for the five minutes it takes to verify it with authorized individuals?

Think about it. If the guy who installed the keylogger can do this, what would stop the treasurer themselves from doing it at any time, since they apparently have the ability to transfer all the money they want to whomever they want? Or an IT person with even easier access to their computer?

Re:Fscking dumb

[narf]

That describes my bank (a credit union) pretty darn well!

Ob: Princess Bride.

[weeboo0104]

"You have six fingers on your right hand. Someone is looking for you."

Re:6 digit theft?

[Drooling+Iguana]

He should really stay away from Spaniards with scars on their faces, then.

Because laws sure do _prevent_ things...

[Darlantan]

The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

Yeah, because laws sure do stop those criminals from, you know, breaking the law.

When are politicians going to wise up and realize that laws don't stop criminals from doing anything, they just offer a means of punishing them _if_ they get caught after the fact? Completely different methods are required to prevent these kind of things -- like proper security procedures, in this case.

RTFA

Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords

Antivirus/antispyware might not stop a physical keylogger, but that wasn't the problem here.

Well, well...

[GFree]

If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.

God I'm going to hell for writing that, and I'm a Linux user.

I would have gotten away with it...

[Tatarize]

if it wasn't for you meddling kids.

Of course we need more legislation - that'll work.

[Boricle]

From the article:

The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

* sigh *

Because people who would try and steal some $450,000 are going to be stopped by legislation making it even more illegal.

Maybe something like two factor authentication would be better? That way different numbers are needed every time. And better security on the laptop perhaps? Non administrator priviliges. Not allowing people to install software? All quite doable.

Sure, blame the criminals, but maybe the doors should be bolted too?

I've found keylogger cache files

[spywhere]

Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:

"Um, sir, do you bank at Bank of America?"
"Yeah, why?"
"Is your password 'Snoopy67'?"

Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.

Re:I've found keylogger cache files

Key points in this post:

Before I 'retired'....

and

"Um, sir, do you bank at Bank of America?" ..

Re:I've found keylogger cache files

[frostband]

"Um, sir, do you bank at Bank of America?"
"Yeah, why?"
"Is your password 'Snoopy67'?"
"No. It's the same as my luggage: 1, 2, 3, 4, 5."

Thats it?

[denttford]

Just 450K? Meh, post it when they steal at least a couple hundred megabytes.

Re:Hardware Loggers

[Dragonslicer]

They also exist for PS/2 and USB too, so the OS doesn't have to even know about it.

Just use a wireless keyboard and you're completely immune to physical keyloggers.

lol

[pestilence669]

"The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy."

Yeah... more "rules" against this kind of behavior will fix it. It's not illegal enough... that's the reason it happens. Criminals care about consequences. Dumb ass.

Re:450K ?

[joe+155]

450K should be enough for anyone!

My god, the simplest things...

[SanityInAnarchy]

As Los Angeles County sheriff's deputies and Secret Service investigators try to track down the crooks, Carson has fielded calls from officials worried about the security of municipal coffers. "They want to know how they can prevent this," Avilla said.

I know it's not going to fix anything, but there are a few simple, simple steps:

1. Linux. If you can't make that work, get a Mac, but really, do give Linux some serious consideration. Especially if you can standardize on things in the normal repositories, you basically kill any equivalent of the most common and easiest Windows attack vectors.
2. Never let it out of your sight. If it's a desktop, it stays in a room that only you and trusted people have access to, like your office. When you're not there, lock the door. If it's a laptop, either keep it locked in a similar room, or carry it with you. If you MUST let it out of your sight, get one of those stupid-looking laptop locks and lock it to something solid. When you get back, check for tampering.
3. Don't let anyone have unlimited access to it. If someone MUST use your computer, every time they touch it, it should be under some limited account, not yours. When they're done, nuke the account. And again, be in the room, paying enough attention that you'll notice if they try to open the case or unplug anything.
4. Lock it down. Linux/Mac is part of the above, but even if you MUST use Windows, turn on the firewall, download some good, free antivirus and antispyware (and pay for some if you can't get it free, due to many of the "free" ones being free only for home use), and turn off AutoRun, even if you never plan to play music CDs. You could go farther, too -- on Mac/Windows, BitLocker/FileVault. On Linux, you could encrypt the entire disk except your boot partition, and you could put that on a removable flash thumbdrive. You could also use SELinux, which, on a distro that supports it, is complete overkill even for this -- every process has a set of rules defining what it can and cannot do.
5. Use a secure browser, which basically means anything except IE. If you're on Vista, maybe IE 7, but I still prefer open source. And even then, disable crap you don't need, run Flash on a per-page click-to-play basis, and pay very close attention to the URLs you visit when accessing your bank.
6. Use at least two-factor authentication. A thumbprint reader, a smartcard reader, or even a simple thumb-drive with a keyfile on it.
7. Don't be stupid with passwords. Don't give them out for chocolate (has happened before). It is not enough to name it after your dog and add a year, your Fido1993 will be cracked in two minutes with a dictionary cracker, if you even bothered to capitalize the F. Make it hard enough that you have to write it down, and then make sure where you write it is sufficiently protected -- for example, on something in your pocket, or have the browser remember on that encrypted hard drive. (The encrypted drive, of course, will always have the same password, and that should be a hard one that you bite the bullet and memorize anyway. Or a very-obfuscated one that you can remember, for example, 2b||!2b could read "To be or not to be" (to a programmer), but beware that being predictable (such as pulling it out of my Slashdot comment) can make hard obfuscation easy.)

This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.

And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:

The treasurer said she is now determined to try to write legi

Re:My god, the simplest things...

[unick]

You forgot: 8. Do not re-use passwords. Of the gazzilion profiles I needed to create on the web there are not 2 with the same password. Use a "system" that will help remember the password, e.g.: fixed password + website acronym + another fixed password. I.e. 'foohmbar' as a password for hotmail, 'foogmbar' for gmail, etc. Or any other system that suits you.

Social Engineering

[jasonwea]

... it drives home the importance of keeping good anti-spyware and anti-virus software updated ...

Anti-malware software can only do so much. The real solution is to educate users so they are not vulnerable to social engineering attacks such as "OMG SMILIES FOR YOUR EMAIL", "I need to verify your username and password" and various other ways users are conned into having their boxes rooted and/or their passwords exposed.

Of course locking down corporate workstations is a very good idea. No admin access and a splash of group policies here and there does wonders at keeping the users away from things they can shoot their feet with.

YAY WINDOWS!

[toby]

Mircosfot make great benefit to nation America!