Slashdot Mirror

← Back to Stories (view on slashdot.org)

PC Invader Costs a Kentucky County $415,000

Posted by kdawson on from the don't-be-stupid-out-there dept.

plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky. "The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."

9 of 192 comments (clear)

  1. Windows TCO by harmonise · · Score: 5, Insightful

    Don't forget to include this in your Windows TCO calculations.

    --
    Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
    1. Re:Windows TCO by Evil+Shabazz · · Score: 5, Insightful

      Your conclusion is debatable, particularly resting on the tenuous footing of your supplied argument. However, that doesn't matter at all. You see, it doesn't really matter whether Unix or Windows is easier to compromise. What matters is that the easiest people to compromise use Windows.

      --
      Down with the career politician! SUPPORT TERM LIMITS
    2. Re:Windows TCO by erroneus · · Score: 5, Insightful

      I love the thought behind the comment, but I think we are arriving at a kind of plateau where it is not so much the OS as the users being stupid and uneducated while management policy is too lax when it comes to computer use.

      With text-based computer usage, that was rarely if ever a problem simply because the fun things to do were rather limited and certainly didn't involve a live connection to a public internet. But the more connected we became, the more fun things there were for people to do. Suddenly with Windows + Internet access, the door flew wide open with everything from BonziBuddy to Weatherbug to all sorts of other gadgets, games and gizmos. This escalation of extra-curricular activity has never been treated as a threat or as a problem by many and has continued unabated.

      What is needed, whether running Windows, Linux or MacOSX on the desktop, is a means to EFFECTIVELY prevent the installation of unauthorized software and data. That is a complicated trick for a variety of reasons not the least of which is the face that the file system doesn't care if a file is data or executable code no matter where it is located in the file system. (This is a problem that should be fixed in ALL OSes) There are effective tools to prevent a lot of such things, but all of them require what should have been done to begin with -- careful system software planning and implementation. There are limits to which the OS itself can be blamed and that's what I am really trying to get at.

      On one hand, there is the threat of running as the superuser on any OS which is unquestionably a problem. On the other, there is running as the user. Running programs as a user, from a user's writeable data space is often enough to give malicious software operators what they are looking for anyway. Many of them seek personal information, so if they can get code running on a remote user's system that will give them access to that user's data, that's enough of a threat. Getting "superuser access" merely gives them a way to infiltrate the system at a much lower level and make removal much more difficult. So merely patching or preventing superuser access from being taken, assumed or otherwise utilized is only a part of the problem and one that is increasingly realized as irrelevant to malware authors.

      In the end, the TCO of Windows, in this respect, is still lower if for no other reason than the likelihood that someone has a quick and easy way to reload the system clean is pretty high up there. There are fewer quick solutions to fixing or cleaning up a compromised system under Linux or MacOSX... with good reason -- they aren't your typical targets.

      But I believe we are close to reaching a plateau at which there is only so much that can be done to secure an OS without proper planning and implementation taking the lead concern as it should have always been.

  2. Bank hold some responsibility by gd2shoe · · Score: 5, Insightful

    They set up a system that required multiple credentials to transfer money, but one of those credentials could be used to reset the other? Give me a break! This was a system deliberately setup to look more secure than it actually was. The Controller was relying on that extra protection the bank was offering. It seems the county was scammed twice!

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    1. Re:Bank hold some responsibility by gd2shoe · · Score: 5, Insightful

      No, I am being fair.

      Direct connection or not, that login shouldn't have been able to reset the other one. There are several reasons why two people needed to approve transfers from that account. Being able to unilaterally reset the Judges credentials is a big fat security hole in its own right.

      Sometimes an attack must rely on more than one vulnerability. This is one of those. Thus, I didn't say that the bank is 100% responsible, only that they hold some responsibility.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    2. Re:Bank hold some responsibility by plover · · Score: 5, Interesting

      My wife has long had to transfer money between various commercial accounts at her jobs. As far back as I can remember, the banks issued her RSA tokens which were required to authorize the transfers.

      I can't imagine a commercial bank NOT using a secure crypto system with an air gap. If the county is concerned about two authorizations, so much the better: issue the judge his own token.

      Even that could be compromised by a hacker who owned the treasurer's computer, but it would have been almost impossible to run the scam 500 times in a few days like this guy did.

      --
      John
  3. Re:enh, the criminals we get these days... by CorporateSuit · · Score: 5, Funny

    No kidding, if they were real hackers, they would have gotten away with $1.337 Million.

    --
    I am the richest astronaut ever to win the superbowl.
  4. Re:your tax money at work by cgenman · · Score: 5, Insightful

    If you go with the normal route, and the normal route gets hacked, you won't be blamed.

    If you setup a server on a system that your boss hasn't heard of, and you get hacked, you're fired.

    The chances of the former are much greater in a lot of ways. But the risk to your job is basically zero. Whereas in the second way, you're fired because you decided to use that silly deamon thing instead of proper, professional, Enterprise-Ready (tm) Windows 7.

    --
    The ______ Agenda
  5. Linux is not the holly grail by shemp42 · · Score: 5, Insightful

    Everyone who is claiming that linux should be used and its those stupid MS users that cause this are missing the point and have never spent one second working in a corporate IT enviroment. The fact is that every single security measure that is put in place is met with overwhelming opposition by the user base as well as the executives. A spam filter is looked at as the unholy antichrist because it blocks .00001% of legitimate emails. I have worked corporated IT for years and have constantly had to fight for just the basic's in security. IT is not given the authority to do its job. I am sure there is some IT guy that worked for the county that is now unemployed because he didnt stop it, even though he has been banging his head againest the wall to get security measures put in place. I for one am tired of hearing that the answer is Linux. Sh*& I cant even upgrade to Office 2007 without getting hundreds of phone calls from users that cant find the print button. You want me to switch them to linux? That is just comical. Rather than constantly blaming the victim we need to get tough on the criminals. If somone is mugged you dont tell them that they should not have walked down the street. You go after the guys that mugged them. You dont tell the convienence store owner that he was robbed because he was open and should not let people enter the store. This stops when we get tough on the criminals and the governments that allow them operate free from risk. How long do you think it would take these countries to stop this if we cut off all trade and aid to them? The fact is that cybercrime is not looked at as real crime. Until we start caring more about it and electing people who understand the risks it wont matter what system is in place, it will be exploited.