Slashdot Mirror

← Back to Stories (view on slashdot.org)

City Almost Loses 450K to Keylogger

Posted by CowboyNeal on from the never-too-safe dept.

SierraPete writes "The city of Carson, California (a suburb of Los Angeles) was the target of a 6-digit theft of cash. The LA Times reports that information taken from a keylogger was used to attempt to steal $450K from the city's treasury. Quick work by the city froze most of the funds, but it drives home the importance of keeping good anti-spyware and anti-virus software updated on both corporate systems as well as systems being used from home."

15 of 158 comments (clear)

  1. Damned politicians by nurb432 · · Score: 5, Insightful

    "The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy. "

    Theft is already illegal, why do we need yet another law? Just enforce the ones we have now!

    --
    ---- Booth was a patriot ----
    1. Re:Damned politicians by dreamchaser · · Score: 4, Insightful

      Because if they run out of redundant laws to pass they will be out of work.

  2. Re:6 digit theft? by treeves · · Score: 4, Funny

    Well, you've heard of a "five finger discount", right? Maybe this guy had a birth defect.

    --
    ...the future crusty old bastards are already drinking the Kool-Aid.
  3. Fscking dumb by kosmosik · · Score: 5, Insightful

    > but it drives home the importance of keeping good anti-spyware and anti-virus software updated
    > on both corporate systems as well as systems being used from home.

    No. It drives the importance on controlling the flow of public money. If one person be it a president of California or what you call him, can make significant money transfers that are not audited and open that is something wrong with your system. Yes you fscking can make that bank *calls* you to approve any transfer above some ammount. Yes you can make that public transfers are open and visible.

    So it is nothing to blame about the software since it is obvious that Windows in hands of non-technical people is insecure. The person making transfers should use different laptop perhaps? The one that IT department cares of not the one that he browses pron from?

    It is just an example how retarded and uneucated people who have power to spend public money are.

  4. Ob: Princess Bride. by weeboo0104 · · Score: 5, Funny

    "You have six fingers on your right hand. Someone is looking for you."

    --
    It is easier to build strong children than to repair broken men. -Frederick Douglass
  5. Well, well... by GFree · · Score: 4, Insightful

    If only the treasury had been using Vista, at least someone would have been to blame for clicking "Accept". In this case no-one could admit ignorance by saying the keylogger just slipped through the net; SOMEONE would have had to click that damn button.

    God I'm going to hell for writing that, and I'm a Linux user.

  6. Re:Physical Keylogger by ajanp · · Score: 5, Insightful
    There's no mention of the method used to install the keylogger onto the treasurer's computer. They mention it was a laptop, but its a pretty far leap to assume that the hacker used a physical keylogger when the entire thing is just as likely, if not more so, to have been done remotely.

    It's also probably worth mentioning that the keylogger was likely active for atleast a minimum of a day or two, likely much longer, considering it's mentioned that the keylogger tracked the treasurer's keystrokes until the hacker discovered the appropriate passwords AND the hacker stole the money over a couple days. With this longer exposure, especially if the keystrokes were being monitored remotely, there's a good chance that an anti-virus program with heuristics scanning running in the background (or atleast a decent software firewall) could have flagged the suspicious behavior and perhaps identified the keylogger program being used.

    At the least, I think the poster is trying to convey that proper computer security could have helped to secure the computer and identify the problem earlier (the larger amount of 358,000 was stolen on the second day) or helped stop it outright.

    --
    File Deletion is Murder.
  7. I would have gotten away with it... by Tatarize · · Score: 3, Funny

    if it wasn't for you meddling kids.

    --

    It is no longer uncommon to be uncommon.
  8. Of course we need more legislation - that'll work. by Boricle · · Score: 3, Insightful
    From the article:

    The treasurer said she is now determined to try to write legislation that could prevent this kind of computer piracy.

    * sigh *

    Because people who would try and steal some $450,000 are going to be stopped by legislation making it even more illegal.

    Maybe something like two factor authentication would be better? That way different numbers are needed every time. And better security on the laptop perhaps? Non administrator priviliges. Not allowing people to install software? All quite doable.

    Sure, blame the criminals, but maybe the doors should be bolted too?

  9. I've found keylogger cache files by spywhere · · Score: 4, Interesting

    Before I 'retired' to fix home PCs, I was the alpha geek on a Help Desk.
    A guy called, infested with spyware... I started poking around, and found a text file. Before I continued, I called the Help Desk manager over, and put the client on speaker:

    "Um, sir, do you bank at Bank of America?"
    "Yeah, why?"
    "Is your password 'Snoopy67'?"

    Since then, I've found a few dozen files with clear-text keylogger yields... and thousands of log files filled with coded stuff that could be anything.

    1. Re:I've found keylogger cache files by Anonymous Coward · · Score: 3, Funny

      Key points in this post:

      Before I 'retired'....

      and

      "Um, sir, do you bank at Bank of America?" ..

  10. Thats it? by denttford · · Score: 3, Funny

    Just 450K? Meh, post it when they steal at least a couple hundred megabytes.

    --

    Leben Sie jetzt die Fragen.
  11. Re:Physical Keylogger by SanityInAnarchy · · Score: 3, Informative

    There's no mention of the method used to install the keylogger onto the treasurer's computer.

    Yes there is.

    Armed with a spyware program, the thieves tracked Avilla's moves on her laptop and obtained bank passwords.

    That is, unless they don't know what the word "spyware" means. Being reporters, they might just assume that spyware means what it sounds like -- any software used to spy on you, including something picking up keystrokes from a physical keylogger.


    But then, it also seems like it would be difficult to make a physical keylogger that communicates reliably with the outside world:

    Each time Treasurer Karen Avilla logged into her laptop computer in the morning, someone was looking--virtually--over her shoulder, watching every keystroke.

    That sort of implies it's being done in realtime. Of course, they could always mean it was a physical keylogger, which the "hacker" then collected and dumped...


    Then again, it's a laptop. If you have physical access to a laptop for long enough and with enough tools to install a physical keylogger, it's probably easier to carry the thing off and hope there's something valuable on the hard drive.

    --
    Don't thank God, thank a doctor!
  12. Re:450K ? by joe+155 · · Score: 4, Funny

    450K should be enough for anyone!

    --
    *''I can't believe it's not a hyperlink.''
  13. My god, the simplest things... by SanityInAnarchy · · Score: 3, Interesting

    As Los Angeles County sheriff's deputies and Secret Service investigators try to track down the crooks, Carson has fielded calls from officials worried about the security of municipal coffers. "They want to know how they can prevent this," Avilla said.

    I know it's not going to fix anything, but there are a few simple, simple steps:

    1. Linux. If you can't make that work, get a Mac, but really, do give Linux some serious consideration. Especially if you can standardize on things in the normal repositories, you basically kill any equivalent of the most common and easiest Windows attack vectors.
    2. Never let it out of your sight. If it's a desktop, it stays in a room that only you and trusted people have access to, like your office. When you're not there, lock the door. If it's a laptop, either keep it locked in a similar room, or carry it with you. If you MUST let it out of your sight, get one of those stupid-looking laptop locks and lock it to something solid. When you get back, check for tampering.
    3. Don't let anyone have unlimited access to it. If someone MUST use your computer, every time they touch it, it should be under some limited account, not yours. When they're done, nuke the account. And again, be in the room, paying enough attention that you'll notice if they try to open the case or unplug anything.
    4. Lock it down. Linux/Mac is part of the above, but even if you MUST use Windows, turn on the firewall, download some good, free antivirus and antispyware (and pay for some if you can't get it free, due to many of the "free" ones being free only for home use), and turn off AutoRun, even if you never plan to play music CDs. You could go farther, too -- on Mac/Windows, BitLocker/FileVault. On Linux, you could encrypt the entire disk except your boot partition, and you could put that on a removable flash thumbdrive. You could also use SELinux, which, on a distro that supports it, is complete overkill even for this -- every process has a set of rules defining what it can and cannot do.
    5. Use a secure browser, which basically means anything except IE. If you're on Vista, maybe IE 7, but I still prefer open source. And even then, disable crap you don't need, run Flash on a per-page click-to-play basis, and pay very close attention to the URLs you visit when accessing your bank.
    6. Use at least two-factor authentication. A thumbprint reader, a smartcard reader, or even a simple thumb-drive with a keyfile on it.
    7. Don't be stupid with passwords. Don't give them out for chocolate (has happened before). It is not enough to name it after your dog and add a year, your Fido1993 will be cracked in two minutes with a dictionary cracker, if you even bothered to capitalize the F. Make it hard enough that you have to write it down, and then make sure where you write it is sufficiently protected -- for example, on something in your pocket, or have the browser remember on that encrypted hard drive. (The encrypted drive, of course, will always have the same password, and that should be a hard one that you bite the bullet and memorize anyway. Or a very-obfuscated one that you can remember, for example, 2b||!2b could read "To be or not to be" (to a programmer), but beware that being predictable (such as pulling it out of my Slashdot comment) can make hard obfuscation easy.)

    This is common sense stuff. Some of it is a bit tinfoil-hat (SELinux, secure hardware), but really, most of the above can be done very cheaply, and in the long run, won't take any significant amount of time or brainpower to maintain.

    And though I've never been a cracker, it still pisses me off when, instead of responding by paying attention to common-sense security (as I've just described), they'll attempt to buy a magic bullet -- they'll buy ONE product, probably something standard like Windows Defender, and then get lazy again. Or sometimes they'll try litigation, or both:

    The treasurer said she is now determined to try to write legi

    --
    Don't thank God, thank a doctor!