From: InfoSec News (alertsinfosecnews.org)
Date: Fri Jun 01 2007 - 02:39:32 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.latimes.com/news/local/la-me-hackers1jun01,0,2083352.story?coll=la-home-local

By Hector Becerra
Times Staff Writer
June 1, 2007

If Carson Treasurer Karen Avilla had had a nagging feeling she was being
watched whenever she got on her laptop computer, she would have been
right.

Cyber-thieves were able to shift nearly $450,000 from the city's general
fund last week by using a program that was able to mimic the computer
strokes made by Carson's financial officer. Each time Avilla logged on
to her city-provided laptop in the morning, someone was — virtually —
looking over her shoulder, recording every single keystroke.

Armed with the spyware program, the hackers obtained bank passwords.
They wired $90,000 to a "Diego Smith" in North Carolina. One day later,
on May 24, the thieves got bolder and wired $358,000 from the city's
bank account to a bank in Kalamazoo, Mich.

Avilla and her deputy discovered the theft just in time to have all but
$45,000 of the funds frozen. But the experience left city leaders
rattled.

"As I sat there with the detectives and the forensic folks from the
bank, I thought, 'I don't even want to touch a computer,' " Avilla said
Thursday. "I felt violated. It made me think, 'Who's out there?' "

The crime raised concerns about the security of municipal coffers,
especially when wireless networks are used. Although such city hacking
cases have been isolated, some experts said many municipalities lack the
large information technology staffs and large budgets for computer
security.

"If you go after a local municipality, they're more likely to have fewer
people dedicated to computer security," said Eric Schultze, chief
security architect for Shavlik Technologies in Minnesota and a widely
cited expert in anti-hacking circles.

Avilla said she still doesn't know how her computer was targeted. She
said she doubts it had the latest security software patch protections —
something sheriff's detectives and bank investigators told her is
essential in safeguarding her computer.

She said that as soon as word got out, Carson fielded calls from
officials in other cities, asking how they could protect themselves.

South Gate City Manager Gary Milliman said he has seen all sorts of
fraud perpetrated against cities in 32 years, but nothing like this. "I
think it's a concern," Milliman said. "It's something we're going to
check into to make sure there isn't a vulnerability in our system."

Earlier this year, the finance director of the Northern California city
of Willows discovered that a hacker had taken $4,000 from a city fund.
Avilla said cities may not always notice smaller thefts.

"One thousand dollars. You think a bank is going to bat an eye?" Avilla
said. "It's not an inexpensive enterprise to have a full team that goes
around checking every laptop ever used. I think we can use more IT
folks, but when a lot of these departments were created, a few people
had computers. Now everyone does. On top of that, almost everyone has a
laptop."

Experts said that without up-to-date security software, such a computer
could be especially vulnerable if people who use it visit websites that
contain spyware.

But hackers also send mass e-mails which, if opened on vulnerable
computers, can allow installation of "keystroke loggers."

"It automatically sends all keystrokes logged to a hacker, via e-mail or
another form of communication," Schultze said. "So a hacker sitting
halfway around the world can log into your bank account, enter your user
name and do what they want to do."

Kevin Overcash, vice president of product management for Breach Security
in Carlsbad, Calif., said that when organizations started installing a
lot of wireless networks, hackers devised ways to breach them through
what is called "drive-by hacking."

In trying to provide a service to their residents — by allowing them to
check their water bills via the Web, for example — municipalities
sometimes make themselves vulnerable, he said.

"That kind of access opens you up to hackers. It opens the door for
people to have access to data if you do not have good security,"
Overcash said.

Avilla said she noticed a problem when she found she was unable to log
on to the city's bank account. She thought she must have been typing the
password incorrectly.

On May 22, the bank gave her a new password. But unbeknownst to her, the
cyber thieves got that password as soon as she tapped it into her
computer.

On May 24, Avilla and her deputy checked bank balances and discovered
the previous day's $90,000 wire transfer to someone in Wilson, N.C.
Avilla checked with the bank and discovered the $358,000 transfer that
day through National City Bank in Kalamazoo.

"I thought, 'We got a problem,' " Avilla said.

She called the bank and filed a police report, leading to the freezing
of the city's funds. No one has been arrested, authorities said.

L.A. County Sheriff's Capt. Todd Rogers said the department's high-tech
crimes unit is on the case. The Secret Service is also helping in the
investigation, he said.

Avilla said the experience has made her angry and determined to seek
legislation that would address the problem. "There's got to be more than
one way to fight this," she said. "They get us in so many ways. There's
got to be a way for us to get them."

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]