Free Republic

Now, Every Keystroke Can Betray You
LA Times ^ | 9/18/05 | Joseph Menn

Posted on 09/18/2005 5:35:49 PM PDT by Crackingham

Bank customers know to shield their ATM passwords from prying eyes. But with the rise of online banking, computer users may not realize electronic snoops might be peeking over their shoulder every time they type. In a twist on online fraud, hackers and identity thieves are infecting computers with increasingly sophisticated programs that record bank passwords and other key financial data and send them to crooks over the Internet.

That's what happened to Tim Brown, who had account information swiped out of the PC at his Simi Valley store.

"It's scary they could see my keystrokes," said Brown, owner of Kingdom Sewing & Vacuum. "It freaks me out."

Brown learned of the scam only after security researchers stumbled onto a computer harvesting information from hundreds of PCs and felt compelled to alert some of the people who had the most data exposed. Realizing he was lucky to get the call last month, Brown changed his passwords and is hoping for the best.

"This even staggered us," said Alex Eckelberry, president of Sunbelt Software Inc., which found that the so-called keylogger program installed itself in a way most antivirus software could not block. "Online institutions now have to assume that the account holder may have been compromised."

SNIP

"We're seeing explosive growth in 'crimeware,' " said Peter Cassidy, the working group's secretary general. "It's really galloping."

Consumers are increasingly jittery: 42% say security concerns have caused them to change their electronic shopping habits, according to research firm Gartner Inc.

(Excerpt) Read more at latimes.com ...


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Extended News; News/Current Events; Technical
KEYWORDS: exploit; getamac; internetexploiter; lookoutexpress; lowqualitycrap; malware; microsoft; securityflaw; spyware; windows
To: Tarpon

OS X updates pretty often, and/or as needed. Apple's released two revisions since 10.4's release back in June, and they're working on the third right now.

Sadly, due to the requirements of some of my classes, I'm not typing this from the PowerBook I SHOULD have. (Damn you, Sun!)


21 posted on 09/18/2005 6:45:49 PM PDT by Terpfen (http://www.pattonhq.com/unknowntext.html)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Jorge

That's a good question. All the rest of this is just g(r)eek to me.


22 posted on 09/18/2005 6:50:29 PM PDT by metmom (Welfare was never meant to be a career choice.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: goldstategop
install Eric L. Howe's free Agnis blocklist M

I never heard of it. How long have you had it, and where do you get it?

23 posted on 09/18/2005 6:53:05 PM PDT by Dr. Scarpetta
[ Post Reply | Private Reply | To 9 | View Replies]

To: Terpfen
It does seem that most everybody's OS is getting strung out -- too many changes, coming way too fast. It's unsettling the speed with which RH ES is updating these days -- hardly a week goes by without a major update. That's why I went to Solaris 10 GA.

The incessant deluge of attacks of all kinds, probably because we have broadband, is very very high these days.

The wife runs Windows XP, that or nothing says her [-( But at least I have her running Linux for games, so there is still some hope.
24 posted on 09/18/2005 6:53:05 PM PDT by Tarpon
[ Post Reply | Private Reply | To 21 | View Replies]

To: Tarpon

OS X updates are at least fairly transparent, so they aren't a major inconvenience.

Honestly, I like constant updates, at least if they're easily-applied. Microsoft's "patch Tuesdays" annoy me, because it means I have to wait a full month for a fix, all for the benefit of some IT guys who can't just have their users wait until the IT department distributes the patches.

(Yeah, I'm annoyed.)


25 posted on 09/18/2005 6:58:21 PM PDT by Terpfen (http://www.pattonhq.com/unknowntext.html)
[ Post Reply | Private Reply | To 24 | View Replies]

To: beef
They could write incredibly secure code if they would simply

  1. Write program code in Ada (rather than C and its derivatives),
  2. Leave out all those unnecessary bells & whistles (Eudora and Internet Explorer do not need to have their tentacles in everything...that's how these damned things infect the systems in the first place), and
  3. Abandon Mickeysoft and use a more securable, open-source OS like OpenBSD, and
  4. Leave the kernel, OS executables and libraries on read-only media.

These simple steps alone would enhance security enough to eliminate 99% of the problems enumerated in this article.

26 posted on 09/18/2005 7:05:18 PM PDT by Prime Choice (E=mc^3. Don't drink and derive.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: TheHound

Nothing a few hundred billion couldn't solve. ;)


27 posted on 09/18/2005 7:06:46 PM PDT by new cruelty
[ Post Reply | Private Reply | To 2 | View Replies]

To: rbg81
"Hate to burst your bubble, but the reason Hackers target Windows and Explorer is because they are the dominant OS & browser. More bang for the buck for their effort don't ya know. If something else were on top, that would get targeted (and compromised) too. The more code, the more flaws to exploit."

Most Internet servers are open source UNIX systems. Open source UNIX OSs and packages are updated with security fixes much more quickly than is MS software--most often before crackers can get in. That's why UNIX systems are more secure.

Learn to use and secure a UNIX system, and you might learn a little more about security. Windows systems should not be directly accessing the Net without UNIX systems and good systems administrators between them and the Net, IMO.
28 posted on 09/18/2005 7:09:19 PM PDT by familyop ("Let us try" sounds better, don't you think? "Essayons" is so...Latin.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Crackingham

How can these people get cash out of your account? I can see getting the credit card info, but I don't think many banking sites permit online wire transfers without prior written authorization.


29 posted on 09/18/2005 7:22:04 PM PDT by montag813
[ Post Reply | Private Reply | To 1 | View Replies]

To: rbg81

Heere we go again.


30 posted on 09/18/2005 7:27:51 PM PDT by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Prime Choice
"They could write incredibly secure code if they would simply

1. Write program code in Ada (rather than C and its derivatives),
2. Leave out all those unnecessary bells & whistles (Eudora and Internet Explorer do not need to have their tentacles in everything...that's how these damned things infect the systems in the first place), and
3. Abandon Mickeysoft and use a more securable, open-source OS like OpenBSD, and
4. Leave the kernel, OS executables and libraries on read-only media.

These simple steps alone would enhance security enough to eliminate 99% of the problems enumerated in this article."


I agree with you, mostly. I don't know that much about Ada except that it's object oriented. I'm surprised that these guys don't have some kind of class or wrapper around their buffers to ensure that you can't overrun them. I consider things like documents to be static, but MS and that crowd just love to build macro languages into everything. They will do everything they can to automatically run code and then when you get infected with something they tell you it's all your fault for not going in and drilling down through every menu there is looking for the one obscure box you uncheck to shut it off. Then the automatic updater comes in to load up the latest batch of untested garbage and in the process turns it back on. I think, though, that any of these OS's can be made secure, it's just a matter of them spending time doing that instead of adding more features that nobody uses. Read-only media is good, too. I'd like to see them keep an indelible provenance for every process, detailing how it got spawned right back to the bootloader.

I am personally more worried about a digital 9/11. If I was OBL, I would do everything I could to get a bunch of my boys working at MS in the group that runs the Windows Update service.
31 posted on 09/18/2005 7:40:45 PM PDT by beef (Who Killed Kennewick Man?)
[ Post Reply | Private Reply | To 26 | View Replies]

To: TheHound; Yehuda

I had a talk with someone today...

We spoke of how Bush Knew 9/11 was coming

And, how the Mossad knew 9/11 was coming...

All I could ask was...

Bush is Jewish??

Who'd a thunk it!


32 posted on 09/18/2005 7:51:55 PM PDT by RaceBannon ((Prov 28:1 KJV) The wicked flee when no man pursueth: but the righteous are bold as a lion.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: rbg81
Hate to burst your bubble, but the reason Hackers target Windows and Explorer is because they are the dominant OS & browser

No bubble burst. You use what you want to use, and risk getting viruses and worse. I (and others) will use MacOS, and have the virus-free competitive advantage over you.

33 posted on 09/18/2005 7:56:46 PM PDT by Theo
[ Post Reply | Private Reply | To 13 | View Replies]

To: beef
I am personally more worried about a digital 9/11. If I was OBL, I would do everything I could to get a bunch of my boys working at MS in the group that runs the Windows Update service.

Information warfare is better suited to espionage than terrorism. In the final analysis, network and utility outages don't evoke a sense of terror; they evoke a sense of annoyance. See also The Myth of Cyber-Terrorism.

34 posted on 09/18/2005 9:26:20 PM PDT by Prime Choice (E=mc^3. Don't drink and derive.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: rbg81
Hate to burst your bubble, but the reason Hackers target Windows and Explorer is because they are the dominant OS & browser.

Untrue. They are most-exploited because they are the most insecure. Any third-rate hack with Visual Basic can (and often has) written trojans and worms that can easily nail Outlook, Outlook Express and a host of other MS malware. That doesn't speak to product popularity; that speaks exclusively to product insecurity.

35 posted on 09/18/2005 9:31:31 PM PDT by Prime Choice (E=mc^3. Don't drink and derive.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Crackingham
The keylogger software captures the letters, numbers, etc. that you type. Eventually the keylogger transmits the captured info to the bad guy.

Seems to me this is where a "two-way" firewall like Zone Alarm comes in. ZA will pop up a screen asking if you want the program to have access to the Internet. If you say no, the bad guy never gets the info.

Do I understand this correctly? Are there keyloggers that can get around ZA?

36 posted on 09/18/2005 9:38:03 PM PDT by upchuck (A fireman running up the stairs at the WTC as the towers began to collapse: HERO defined ~ Ben Stein)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Crackingham
Last week, UC Berkeley researchers reported that a $10 microphone near a keyboard could, with sophisticated analysis of the sounds made by different keys, reveal most of what was being typed — enough that the researchers could guess 90% of five-character passwords within 20 tries.

We're all doomed.....

37 posted on 09/18/2005 9:39:54 PM PDT by Leroy S. Mort
[ Post Reply | Private Reply | To 1 | View Replies]

To: Crackingham; All

Can anyone tell me why my Dell laptop keeps getting the mouse cursor hi-jacked to the corner of the screen? At least 3 or 4 times/minute, the cursor jumps to a corner and I have to struggle to get the blasted thing back under control. It does it while I'm surfing the web, while I'm typing in Word & Frontpage & Notepad, while I'm typing here, and probably even when I take a bathroom break, for all I know.

I've done everything I know to do and can't get rid of it. I've tried Ad-aware, Spybot Search & Destroy, AVG antivirus, stopping all the unnecessary start-up garbage that Dell adds & runs in the background, checking for Comet Cursor crapware, etc, etc.

It's so irritating because this same computer has done this before and I managed to stop it, but it's been so long ago I can't remember what I did.

I'm going to bed now, but maybe someone will come along and take pity on me and offer a suggestion. It's getting so bad, I halfway expect my coffee cup to start moving every time I go to pick it up!


38 posted on 09/18/2005 10:02:40 PM PDT by Nita Nupress
[ Post Reply | Private Reply | To 1 | View Replies]

To: Jorge
I also would looooove to have an answer to this one:

Does this mean if you don't type your password it can't see it? How about if you copy and paste?

39 posted on 09/18/2005 10:04:36 PM PDT by Nita Nupress
[ Post Reply | Private Reply | To 8 | View Replies]

To: Jorge

They will still be able to get it. They are looking at the blank that is filled in, not the actual keystrokes; if they did that, there would be extra info for them to search through.

Just because the screen shows "******" to the user the programs still see the PW.

The only way to be sure of security is to not use the online banking.


40 posted on 09/18/2005 10:16:47 PM PDT by ChefKeith ( If Diplomacy worked, then we would be sitting here talking...)
[ Post Reply | Private Reply | To 8 | View Replies]

