PC Invader Costs a Kentucky County $415,000
plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky. "The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."
Don't forget to include this in your Windows TCO calculations.
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
They set up a system that required multiple credentials to transfer money, but one of those credentials could be used to reset the other? Give me a break! This was a system deliberately set up to look more secure than it actually was. The Controller was relying on that extra protection the bank was offering. It seems the county was scammed twice!
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
Identity Theft
Sometimes, life itself is sarcasm...
Convenient how governments and businesses continue to spend other people's money on insecure systems which allow even more money to vanish.
Microsoft Windows --because plausible deniability can come in mighty handy!
Caveat Utilitor
All that work, and they netted less than a half million?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Malware has been installing proxies and/or phoning home for years. (backdoors to direct-connect to/through your machine, instant messaging keystrokes).
from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
From the site:
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html?hpid=sec-tech
one reader wrote in:
"I guess we don't know how the attackers somehow got the Zeus Trojan on the county treasurer's PC (presumably the county doesn't want to say and the FBI told them not to discuss details of the case anyway), but I'm curious whether that PC had security software installed, whether it was up to date, which security software can deal with the Zbot (ZeuS bot) Trojan, etc.
---------
Well, i have an idea, and it's TFO (Totally Frackin' Obvious)... and might be how it happened. A poor old cleanup crew member may have been elicited to put a USB device on a bank manager machine that might not have been watched by a camera. Might have trained the cleaner to surveil the PCs, determine their visibility to cameras, then trained the dupe into deftly/swiftly attaching a USB attack device while feigning scraping something sticky from the floor, or emptying waste bins that were tough to get the bag from....
Just my eye-dea... and the FBI may not want THAT to get out lest other banks suffering poor camera placement succumb to the same thing...
Or, a native of the Ukraine/U-area working at the bank might have been subjected to manipulation of some sort, but trained to be deft and not come under suspicion. Just my inflation-deprived-$0.02-cents...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
They tried to steal $415,000 from a county with only 73,000 people? Didn't they think anyone would notice?
Next time they should try Los Angeles county (9.8 million people).
'course they would have gotten away with it if it weren't for those meddling kids!
The sun is the same in a relative way, but you are shorter of breath and one day closer to death
I could not help but think of the uploaded FSB lobsters from Accelerando when I read the horribly malformed missives the thieves sent to be edited.
I have a much more likely scenario. They simply spread their malware everywhere, and waited to see what sensitive systems they'd netted! They needed to dupe people into sending money overseas to them. I doubt they have any non-electronic influence in the states. The story indicates that the fake company name has been repeatedly tarnished... meaning it's very likely that they've done this before and will do this again. It probably got on by worm or trojan. Once there, it sat dormant while the hackers figured out which computers were of value to attack.
Yes, I am a pedantic Grammar Nazi, and I anticipate a great modding down of this comment, but my need to say this is worse than any addict's craving for his next fix. There are few things I hate more than redundant words. "Co-conspirator" is about as redundant as it gets. A conspiracy is a group of people. People conspire to do something like this, and you call those people conspirators. What happens in a hundred years when we forget that "co-conspirator" was being used this way? Do we start saying "co-co-conspirator"?
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
That would be kombucha.
But I've yet to meet the man that can outsmart Bullitt.
The sub-$10,000 transfers were a good way to help avoid attention... but imagine if the decimal place was off, and what should have been "fractions of a penny that get dropped off" and add up over many years becomes a couple hundred thousand or millions over the weekend!
I find it hilarious that basic TCP/IP networking stuff gets labeled as "interesting". Any idiot can initiate a connection to a host on the internet.
What's "interesting" is that the victim's machine was not firewalled to prevent this sort of thing from happening in the first place. Properly controlling outgoing traffic is of crucial importance, particularly when dealing with such sensitive information. A locked down network should be able to contain unknown connections from within, just as well as those from the great wide internet.
In my opinion, it's not the invader that cost Kentucky $415,000. The fault rests entirely on their network administrator(s).
-Billco, Fnarg.com
is this included in M$'s total cost of ownership?
Microsoft Cost a Kentucky County $415,000 :(
When will they learn.
This is my Unix. There are many like it, but this one is mine. My Unix is my best friend.
It is my life. I must master it as I master my life. My Unix, without me, is useless.
Without my Unix, I am useless. I must run my Unix true.
I must admin smarter than any hacker who is trying to own me. I must block them before they hack me. I will....
My Unix and myself know that what counts on this net is not the scripts we code, the size of our pipe, nor the data we send.
We know that it is the uptime that counts.
We will stay up...
My Unix is human, even as I, because it is my only life.
Thus, I will learn it as a brother.
I will report its bugs, share its strengths, upgrade parts, buy its accessories, open its ports and lobby for more bandwidth.
I will keep my Unix clean and ready, even as I am clean and ready.
We will become part of each other. We will...
Before Darl McBride I swear this creed. My Unix and myself are the defenders of the company I work for.
We are the masters of your script kids.
We are the saviors of your profit.
So be it, until victory is America's and there is no competition, but Profit.
Domestic spying is now "Benign Information Gathering"
Why? Because this is an example of what happens when they're not.
If I'm not mistaken, most keylogging programs can be kept out fairly easily with decent firewall rules and a good anti-spyware/anti-malware agent. The article does not report that this county's IT department (which I'll guess and say is non-existent or illusory) took preventative measures against these attacks.
Basically, they had it coming.
Everyone who is claiming that Linux should be used and it's those stupid MS users that cause this are missing the point and have never spent one second working in a corporate IT environment. The fact is that every single security measure that is put in place is met with overwhelming opposition by the user base as well as the executives. A spam filter is looked at as the unholy antichrist because it blocks .00001% of legitimate emails. I have worked corporate IT for years and have constantly had to fight for just the basics in security. IT is not given the authority to do its job. I am sure there is some IT guy that worked for the county that is now unemployed because he didn't stop it, even though he has been banging his head against the wall to get security measures put in place.
I for one am tired of hearing that the answer is Linux. Sh*& I can't even upgrade to Office 2007 without getting hundreds of phone calls from users that can't find the print button. You want me to switch them to Linux? That is just comical. Rather than constantly blaming the victim we need to get tough on the criminals. If someone is mugged you don't tell them that they should not have walked down the street. You go after the guys that mugged them. You don't tell the convenience store owner that he was robbed because he was open and should not let people enter the store. This stops when we get tough on the criminals and the governments that allow them to operate free from risk. How long do you think it would take these countries to stop this if we cut off all trade and aid to them? The fact is that cybercrime is not looked at as real crime. Until we start caring more about it and electing people who understand the risks it won't matter what system is in place, it will be exploited.
What happens if Autorun and file preview is disabled?
"I can't imagine a commercial bank NOT using a secure crypto system with an air gap."
Dood, remember, this is Kentucky we're talking about here. The same place where an anonymous caller's commands to disrobe and be spanked (and perform other various sexual acts) was enough for a young adult Kentucky female to obey (recall that McDonald's episode?).
Also, isn't that the same state that moron senator McConnell is from?
That malware is not interesting at all. I remember playing with SubSeven when I was in 7th grade (long long time ago) and it had ICQ notification and reverse bind options.
Man in the middle attacks still work, they can just let you use your token to authorize their transfer rather than the one you are seeing on your screen. The calculators which give a response to a challenge suffer from the same problem, unless they use the recipients bank account as part of the challenge (mine doesn't, for large amounts it uses the amount as a challenge but a trojan could still route it to a different account).
Ideally banks would just give out a USB device which shows the bank account and amount with a big green authorization button ... alas, they don't.
Idiots live everywhere (and keep in mind the plural of 'anecdote' isn't 'data'.) It might be that Kentucky has less money than other states, but I wouldn't say they're correspondingly "dumber" than other states.
Also, isn't that the same state that moron senator X is from?
That pretty much describes all 50 states.
John
When will online banks understand that the only 100% foolproof method is to mandate the presence of a hardware device on the user's side and to make the bank account number of the recipient you want to transfer the money to part of a cryptographic challenge?
That is 100% foolproof. You ain't wiring money to an account whose number hasn't been entered on the hardware device (say some www.vasco.com device). Full stop.
Some lowlife hacks my Windows (I'm not using it; my online bank's website works fine under Linux) and intercepts in real time my open connection to my bank's website? OK, it's bad; the lowlife can see how much I have in my account. But making a transfer? How's the lowlife going to generate the token validating another lowlife's bank account without the hardware device? Good luck with that, lowlife.
There are already several banks in Europe where it works like that... It only takes a few more lowlifes to succeed in stealing petty amounts like in TFA and banks shall start implementing this everywhere.
Then it's "GG low-lifes"
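The two comments above (the one on man-in-the-middle against challenge calculators that only bind the amount, and this one on binding the recipient account number into the challenge) describe the same design point. Here is an added example, not code from the original thread or from any bank or token vendor, that models both token designs with an HMAC-based one-time code and shows why only the recipient-bound challenge stops a recipient-swapping trojan. The token secret, account numbers, amount and code length are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed example: the per-token secret a bank would provision into the
# offline hardware device. Not a real key.
TOKEN_SECRET = b"example-token-secret-not-real"


def challenge_amount_only(tx):
    """Weaker design from the thread: the challenge binds only the amount."""
    return str(tx["amount_cents"]).encode()


def challenge_recipient_bound(tx):
    """Stronger design: the challenge binds recipient account and amount."""
    return f"{tx['recipient']}|{tx['amount_cents']}".encode()


def device_code(secret, challenge, digits=8):
    """What the offline token displays: a truncated HMAC over the challenge."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % (10 ** digits)


def bank_verify(secret, challenge_fn, submitted_tx, code):
    """The bank recomputes the code over the transaction it actually received,
    not over whatever the user thought they were authorising."""
    expected = device_code(secret, challenge_fn(submitted_tx))
    return hmac.compare_digest(str(expected), str(code))


def trojan_swaps_recipient(challenge_fn):
    """Return True if a recipient-swapping trojan's transfer is accepted."""
    # What the user keys into the token: the intended payee and amount.
    intended = {"recipient": "ACCT-000123", "amount_cents": 950000}
    code = device_code(TOKEN_SECRET, challenge_fn(intended))
    # What the infected browser actually submits: same amount, mule account.
    tampered = dict(intended, recipient="MULE-998877")
    return bank_verify(TOKEN_SECRET, challenge_fn, tampered, code)


def honest_transfer(challenge_fn):
    """Sanity check: an untampered transfer must still be accepted."""
    intended = {"recipient": "ACCT-000123", "amount_cents": 950000}
    code = device_code(TOKEN_SECRET, challenge_fn(intended))
    return bank_verify(TOKEN_SECRET, challenge_fn, intended, code)


if __name__ == "__main__":
    print("amount-only token, swapped recipient accepted:",
          trojan_swaps_recipient(challenge_amount_only))
    print("recipient-bound token, swapped recipient accepted:",
          trojan_swaps_recipient(challenge_recipient_bound))
```

The point the example makes is that the code is only as strong as what the user actually types into the offline device: if the recipient account is not part of the challenge, the bank's recomputation over the tampered transaction still matches and the fraud goes through.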
I live very close to Bullitt Co., KY and I have been in the IT world for about 15 years now. In my 15 years in this area I have witnessed MANY possible security holes in different areas such as medical, accounting, educational...etc. I often wonder, is the general area to blame? Do the people of Kentucky just feel so safe in their ranch homes and open fields that no crook would ever possibly compromise the integrity of semi-southern living? I hope this is a wake-up call to the businesses around here that it could and someday probably will happen to them.
"Everyone who is claiming that linux should be used and its those stupid MS users that cause this"
Where does it say that 'everyone' is claiming that? And it isn't the 'stupid MS users'; it's the click-and-get-infected OS known as Microsoft Windows that's the root cause of the malware infestation.
the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers
"Find out if the bank manager smokes .. Get a few of those USB thumb drives from trade shows"
- The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.
- The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.
- Once logged in, the criminals changed the judge's password, as well as the e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled.
- They then created several fictitious employees of the county (these were the 25 real-life, co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.
- The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled.
- The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.
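The sequence above (contact e-mail changed, then a login from an unrecognised device whose one-time passphrase is delivered to the newly set address, then a wire batch approved) is exactly the kind of chain a bank's fraud monitoring can correlate. As an added example that is not part of the original post or of any bank's real system, here is detection logic run over a constructed audit log; the event names, field names and timestamps are all invented to mirror the steps described, not the bank's actual log format.

```python
from datetime import datetime, timedelta

# Constructed audit log, modelled on the sequence of events described above.
# Event names and fields are assumptions for the example, not a real format.
SAMPLE_EVENTS = [
    "2009-06-22T08:02:10 user=judge event=login device=known src=treasurer-pc",
    "2009-06-22T08:03:41 user=judge event=password_change src=treasurer-pc",
    "2009-06-22T08:04:05 user=judge event=contact_email_change new=attacker@example.invalid src=treasurer-pc",
    "2009-06-22T08:06:12 user=treasurer event=batch_create count=25 src=treasurer-pc",
    "2009-06-22T09:15:30 user=judge event=login device=unknown src=out-of-state-host",
    "2009-06-22T09:15:31 user=judge event=otp_sent to=attacker@example.invalid",
    "2009-06-22T09:17:02 user=judge event=login device=unknown otp=ok src=out-of-state-host",
    "2009-06-22T09:18:45 user=judge event=batch_approve count=25",
    "2009-06-23T10:00:00 user=clerk event=login device=known src=clerk-pc",
    "2009-06-23T10:05:00 user=clerk event=batch_approve count=3",
]


def parse(line):
    """Split one 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_takeover_approvals(lines, window=timedelta(hours=24)):
    """Flag batch approvals preceded, within the window and for the same user,
    by a contact e-mail change, a login from an unknown device, and a one-time
    passphrase sent to the newly set address. Returns (user, time, count)."""
    by_user = {}
    for event in (parse(line) for line in lines):
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, events in by_user.items():
        for approval in events:
            if approval["event"] != "batch_approve":
                continue
            recent = [e for e in events
                      if approval["ts"] - window <= e["ts"] <= approval["ts"]]
            new_addresses = {e["new"] for e in recent
                             if e["event"] == "contact_email_change"}
            unknown_device_login = any(
                e["event"] == "login" and e.get("device") == "unknown"
                for e in recent)
            otp_to_new_address = any(
                e["event"] == "otp_sent" and e.get("to") in new_addresses
                for e in recent)
            if new_addresses and unknown_device_login and otp_to_new_address:
                alerts.append((user, approval["ts"].isoformat(),
                               int(approval.get("count", 0))))
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_approvals(SAMPLE_EVENTS):
        print("possible account takeover before wire approval:", alert)
```

The rule deliberately keys on the combination rather than any single step: a password change or a new device on its own is routine, but an out-of-band credential being redirected and then used from an unrecognised machine to release a payment batch is the pattern worth holding the batch for manual review.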
> Every year I've read about it, the order from first to last compromised has been Windows, Mac, and Linux.
Which year? And which pwn2own contest are you talking about?
In 2006, there was no pwn to own cansecwest contest. ;).
In 2007, it was mac first, but only macs were prizes
In 2008, it was mac first again (out of OSX, Ubuntu and Vista) on day 2 (nobody managed to pwn anything under the day one rules), and vista only on day 3 (due to adobe flash exploit).
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture?info=EXLINK
Day 1 rules = remote exploit - no user interaction
Day 2 rules = default client apps
Day 3 rules = popular 3rd party apps.
In 2009, it was safari on OSX first again, on day 1, followed by IE8 on Win7, followed by safari on OSX again, followed by firefox on Win7 (however multiple platforms were actually vulnerable to nils' attack[1]). All in day 1.
http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
http://blogs.zdnet.com/security/?p=2917
http://blogs.zdnet.com/security/?p=2934
[1] http://www.securityfocus.com/bid/34235
2009 rules (in each case the user goes to a link):
Day 1: Default install, no additional plugins.
Day 2: flash, java, .net, quicktime.
Day 3: popular apps such as acrobat reader.
And Charlie Miller, one of the pwners, says OSX is easier:
http://blogs.zdnet.com/security/?p=2941
"It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."
"For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac."
"What is needed .. is a means to EFFECTIVELY prevent the installation of unauthorized software and data"
:)
Run the software off a readonly USB device and you are safe from the desktop OS.
--
mod me up insightful please
... I didn't think they had the internets in Bullitt County!!!
Rather than constantly blaming the victim we need to get tough on the criminals. If someone is mugged you dont tell them that they should not have walked down the street. You go after the guys that mugged them.
I take it you leave your keys in your car, and you never lock your doors at night?
Give me a break.
When your boss won't let you implement real network security, and then your up-to-date Windows Vista Premium server gets cracked with a 0-day exploit, throw it back in his face. Or else, find a factory job somewhere and get some sleep at night. Let the boss take the heat and clean up the mess himself.
That is probably the most insightful comment I have seen on this site in years!
Throw more corporations on *nix boxes, or have more *nix boxes running on top of bank/stock/credit card company dBs, and you would see a huge amount of *nix exploits.
It's kinda like wondering why you can't find any mechanics who specialize on the Chevy Nova, no one drives em, so no one fixes em.......and they esplode
"This is the value of a summer spent and a winter earned"
I'm just so happy to have a story about hundreds of thousands of dollars stolen in which it *wasn't* completely inadequate security and general incompetence that enabled it.
The security precautions seem to have been sanely thought out, at least on the bank's side. The judge and the treasurer otoh might decide they want a secure system.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media