PC Invader Costs Ky. County $415,000

Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.


Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county's bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said.

"Our bank told us they would know by Thursday how many of those transactions would be able to be reversed," Sholar said. "They told us they thought we would get some of the money back, they just weren't sure how much."

Sholar said the unauthorized transfers appear to have been driven by "some kind of computer virus." Security Fix has been communicating with a cyber crime investigator who is familiar with the case. What follows is a description of the malicious software used, a blow-by-blow account of how the attackers worked the heist, as well as interviews with a couple of women hired to receive the stolen funds and forward the money on to fraudsters in Ukraine. This case also serves as an example of how e-mail scams can be used to dupe unknowing victims into serving as accomplices in the criminals' plan.

According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.

Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.

This might be enough to fool retail banks that serve regular online banking users, but Bullitt County's bank, like many other commercial banks, uses even more rigorous authentication schemes. For instance, some technologies adopted by commercial bank Web sites use special Javascript programming techniques to look at various aspects of the customer's system -- including screen size, browser version, operating system, and myriad other variables -- to create a unique "fingerprint" of each customer's computer. In such cases, even if criminals have hijacked a victim's Internet connection, a bank using this approach should still be able to detect that the customer is connecting from a different computer, because the fingerprints won't match.

Also, the process of creating and approving outgoing wire transfers from the county's account could not be completed without two different authorized users signing off on the transaction. In the case of Bullitt County, that checks-and-balances system was designed to be carried out by the county treasurer and a local judge.

Finally, if for whatever reason the bank's system noticed that either account was being used from a PC with an unknown fingerprint, that login attempt would fail, and that user would be prompted to check their e-mail account for a special, one-time passphrase that would need to be re-entered along with the username and password, in order to gain access to the account.

According to the investigator, the attack against Bullitt County's bank account went down like this:

- The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.

- The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.

- Once logged in, the criminals changed the judge's password, as well as the e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled.

- They then created several fictitious employees of the county (these were the 25 real-life co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.

- The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled.

- The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.

When asked to comment on this version of events, County Attorney Sholar said he was limited in what he could say, because the FBI had asked him not to discuss details of the case. But he did say that "We know there were initiations and approvals for wire transfers that were both generated and sent to the bank by computers that were physically located outside of the state of Kentucky."
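To make the control gap concrete, here is an added Python model (not the bank's or the article's own code) of the layers described above -- device fingerprint, e-mailed one-time passphrase, two-person sign-off -- replayed against the investigator's step sequence. The user names, devices, addresses and the 72-hour cooldown are constructed assumptions; the hardened variant shows one mitigation: a just-changed notification address is not used for passphrase delivery until the cooldown has passed.

```python
from dataclasses import dataclass

# Assumption for the hardened variant: hours during which a newly changed
# e-mail address is NOT yet used for passphrase delivery (the old one is).
COOLDOWN_HOURS = 72


@dataclass
class User:
    name: str
    password: str
    email: str
    known_devices: set          # browser "fingerprints" the bank has seen before
    home_state: str = "KY"
    prev_email: str = ""
    email_changed_at: int = -10**9   # hour index of the last address change


@dataclass
class Session:
    user: User
    device: str
    state: str


class Bank:
    """Toy model of the layered controls the article describes; hardened=True
    adds one rule: a just-changed e-mail address is not trusted for passphrase
    delivery until COOLDOWN_HOURS have passed."""

    def __init__(self, users, hardened=False):
        self.users = {u.name: u for u in users}
        self.hardened = hardened
        self.outbox = {}       # address -> last passphrase sent (stands in for e-mail)
        self.pending_otp = {}  # user name -> passphrase the bank expects back
        self.batches = {}      # batch id -> {"creator", "approver", "payees"}
        self.now = 0           # hour index, advanced by the caller

    def otp_address(self, u):
        if self.hardened and self.now - u.email_changed_at < COOLDOWN_HOURS:
            return u.prev_email
        return u.email

    def login(self, name, password, device, state, otp=None):
        """Returns a Session, or None while the passphrase step is outstanding."""
        u = self.users[name]
        if password != u.password:
            raise PermissionError("bad password")
        if device in u.known_devices and state == u.home_state:
            return Session(u, device, state)  # recognised fingerprint: no challenge
        if otp is None:
            code = f"otp-{name}-{self.now}"
            self.pending_otp[name] = code
            self.outbox[self.otp_address(u)] = code
            return None
        if otp != self.pending_otp.get(name):
            raise PermissionError("bad passphrase")
        return Session(u, device, state)

    def change_contact(self, session, target, new_email, new_password):
        # As in the article: one authorised session could edit another user's details.
        t = self.users[target]
        t.prev_email, t.email, t.email_changed_at = t.email, new_email, self.now
        t.password = new_password

    def create_batch(self, session, batch_id, payees):
        self.batches[batch_id] = {"creator": session.user.name, "approver": None, "payees": payees}

    def approve_batch(self, session, batch_id):
        b = self.batches[batch_id]
        if b["creator"] == session.user.name:
            raise PermissionError("two different users must sign off")
        b["approver"] = session.user.name
        return True


def run_sequence(hardened):
    """Replays the investigator's account; returns True if the wires end up approved."""
    treasurer = User("treasurer", "pw-t", "treasurer@county.example", {"treasurer-pc"})
    judge = User("judge", "pw-j", "judge@county.example", {"judge-pc"})
    bank = Bank([treasurer, judge], hardened)
    attacker_mail = "attacker@mule-ops.invalid"   # constructed: address the attackers control

    # Steps 1-2: stolen treasurer credentials, used over the treasurer's own PC
    # and connection, so fingerprint and location both match.
    s = bank.login("treasurer", "pw-t", "treasurer-pc", "KY")
    # Step 3: judge's password and notification address now point at the attackers.
    bank.change_contact(s, "judge", attacker_mail, "pw-new")
    # Step 4: fictitious payees and one batch awaiting a second signature.
    bank.create_batch(s, "batch-1", [f"mule{i:02d}" for i in range(25)])
    # Step 5: judge's new credentials from an unknown, out-of-state PC fail the
    # fingerprint check, so the bank e-mails a passphrase (login returns None).
    bank.now += 1
    bank.login("judge", "pw-new", "attacker-pc", "FL")
    code = bank.outbox.get(attacker_mail)   # attackers can only read their own mailbox
    if code is None:
        return False                         # passphrase went to the judge's old address
    # Step 6: second login with the passphrase, then approval of the batch.
    s2 = bank.login("judge", "pw-new", "attacker-pc", "FL", otp=code)
    return bank.approve_batch(s2, "batch-1")
```

Run `run_sequence(False)` to see the weak policy let the batch through, and `run_sequence(True)` to see the cooldown route the passphrase to the judge's original address instead.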

The Role of the Money Mules - Scammed Into Serving

With the help of the cyber crime investigator, I was able to reach two of the 25 so-called "money mules" who were hired to act as intermediaries in this scam. Both were females under the age of 35 who initially were contacted after placing their resumes on Careerbuilder.com. Each received e-mails from a company calling itself Fairlove Delivery Service. Both women agreed to speak with Security Fix on the condition of anonymity.

Both were hired by Fairlove to edit documents for grammar and flow, and promised pay of $8 for each kilobyte of data they processed (see the initial Careerbuilder scam e-mail here). The documents they were hired to edit often were full of grammatical errors and faulty or missing punctuation. Both money mules said it appeared that whoever wrote the letters was not a native English speaker.

It's not clear whether the cyber scammers first enlisted the mules as text editors in order to test their trustworthiness, or because they really needed help making their scam letters look more believable. What is clear from looking at copies of the letters they were asked to edit is that they were editing missives that would be sent to recruit and scam other mules. Have a look at some of those yet-to-be-edited messages sent to our anonymous mules, viewable at this link here.

The first person I spoke with, a 34-year-old woman from Miami, had been editing texts e-mailed to her by Fairlove representatives for a couple of weeks. Shortly after she inquired about when she would be paid for her work, she received an e-mail asking if she'd be interested in a position as a "local agent" for the company. The Fairlove representative who contacted her via e-mail said something about how the company often had trouble getting money to its clients overseas as quickly as they needed it, and desperately needed help speeding up that process (at least they were honest on that claim). A description of the local agent job position, as sent to this woman, is available here.

Last Thursday, she received a deposit of more than $9,900, with instructions to wire all but about $500 (her 5 percent "commission") via Western Union to a bank account in Ukraine. The woman said she began to grow suspicious that "something wasn't right about the whole thing," and only wired $3,000 of the money. After being contacted by Security Fix about the scam, she learned from her bank that her account was frozen. Her bank assured her if she could come in and produce the e-mails showing she'd been caught up in a scam, they might be able to work something out.

The second woman I spoke with, a 27-year-old single mom, also from Florida, was not so lucky. She had more than $9,700 transferred into her checking account from Bullitt County's bank by the fraudsters on Monday. She pulled nearly all of that amount out of her bank almost immediately, wiring nearly $9,200 to the scammers in the Ukraine. Shortly after that, her bank reversed the initial $9,700 deposit at the request of Bullitt County's bank. Her bank now says she is on the hook for that amount: her checking account balance is now almost $9,000 in the red.

Here are a couple of observations and tips so you don't get scammed, however obvious they may be:

- Avoid responding to job offers sent via e-mail. If you use job search Web sites like Monster.com and CareerBuilder.com, at least be aware that criminal gangs also use these sites to recruit the desperate, the unwary, and the greedy.

- If you get in bed with a company that you haven't even researched on Google, expect to regret that decision: A search on Fairlove Delivery Service returns little but page after page of complaints from other job searchers scammed by these criminals.

- Avoid clicking on links in e-mails that you are not expecting, and be particularly wary of any e-mail that warns of dire consequences unless you act or respond immediately. The malware used to infect Bullitt County's computers was part of a huge Zeus/Zbot spam campaign that has been ongoing for the past several weeks now, variously disguised as alerts about greeting cards, package tracking numbers, and security updates from Microsoft.

- The last time I wrote about money mule scams, some readers wrote in to say, in effect: "The mules were stupid: They should have just taken ALL of the money." These readers miss the fundamental point about these scams that the bad guys understand all too well: it's all about the timing. The bank will always recall the deposit. It's just a matter of when.

- Be extremely wary of -- nay, run away from -- any transaction in which the other party asks you to convert a revocable transaction into an irrevocable one. Hard cash sent via Western Union, Moneygram and other wire transfer services is an example of an irrevocable transaction: Once it's done, there's no undoing it. On the other hand, checks can be canceled, and deposits can be reversed.

By Brian Krebs  |  July 2, 2009; 5:14 PM ET
Categories: Fraud, Safety Tips, Web Fraud 2.0 | Tags: $415000, bullitt county kentucky, zeus

Comments

If you are online, you will be hacked. I guess Bullitt County knows that now. The real story to understand here is:
1. That US IT remains a good decade behind hackers in the UKR & RU still using DOS level computers as technology tools.
2. MSFT OS is inherently insecure.
3. Smaller is better, not bigger.
4. Even outsiders loath US state governments.

Posted by: Ospatt | July 2, 2009 6:35 PM

I guess we don't know how the attackers somehow got the Zeus Trojan on the county treasurer's PC (presumably the county doesn't want to say and the FBI told them not to discuss details of the case anyway), but I'm curious whether that PC had security software installed, whether it was up to date, which security software can deal with the Zbot (ZeuS bot) Trojan, etc.

Posted by: yrral | July 2, 2009 7:31 PM

Another excellent article Brian. Thanks for the info. One of my thoughts after reading this is that one of the best ways to protect oneself (to a very great extent- although no method could be considered 100% foolproof) is to NEVER do online banking on a Microsoft Windows computer. Given that it is generally quite easy to set up a Windows computer to dual boot to linux (using Ubuntu for example, which automates the dual boot and linux install process), this seems like a relatively easy fix that would prevent ALMOST all such scam/attacks (at least at the present time and the foreseeable near term future). I, and I presume many others, would be grateful if you commented in detail on this approach (and any other which you consider effective) to preventing such problems. Certainly sounds like this approach would have prevented this case given that this scam was dependent on placing rogue software on a Windows computer, and it would not work on any other type of computer (and that typically this type of rogue software is ONLY written to run on Windows computers and ALMOST NEVER to run on linux computers). I am looking for a highly detailed critique of the pros and cons of this approach (as well as its statistical efficaciousness), not for an opening to revisit the very excessively well worn debate about whether Microsoft is or is not (and when and/or where) a positive or negative actor/influence in the software industry.

Posted by: dfolk1 | July 2, 2009 9:49 PM

The article neglected to mention (maybe it went without saying)- the 'Zeus' keystroke-logging Trojan-horse is a WINDOWS virus. The Bullitt County Treasurer's decision to use a Windows machine was the essential mistake that got the whole ball rolling. Sick of viruses? Try Linux, a better operating system that is actually FREE. Check it out at http://www.ubuntu.com/ .

Posted by: hairguy01 | July 2, 2009 10:26 PM

@hairguy -- have you read the article? 5th paragraph of the story -- the one that talks about zeus -- clearly states this is a windows virus.

According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.

Posted by: BTKrebs | July 2, 2009 10:49 PM

More terrific reporting from Brian.

Posted by: Dawny_Chambers | July 3, 2009 4:56 AM

Great article!

Another point - all users should be reminded not to leave their computers running overnight. Many users depend on their screen saver to protect their systems while gone for the night - even leaving their favorite programs running. This allows attackers "alone time" on the system.

I would like to see MS add a feature that allows the user to see which programs are utilizing the Internet connection - and how much traffic - similar to the way "Task Manager" shows CPU usage. I often notice Task Manager network traffic and wonder which program is using...

Posted by: Sadler | July 3, 2009 7:32 AM

@Sadler

SysInternals (now a part of Microsoft) has a utility, TcpView, downloadable for free that does show, to some extent, what processes/programs have TCP connections.
You can use the utility to close the connection if you don't think the process is legitimate.

Posted by: TwoCentsWrth | July 3, 2009 10:28 AM

Thx 2cents.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

A good start - now need the % of bandwidth used added...

Posted by: Sadler | July 3, 2009 11:03 AM

The future of "secure" computing will be the read-only operating system. Linux boot CDs are one example of how this can be done, but flash memory would be a whole lot quicker.
Computers will have an incorruptible core operating system, like a BIOS but much larger. Applications and personal settings will be loaded from USB flash drives or other removable media; the applications will also be read-only. Files created by users will be stored online, or on the media holding their personal settings.

Microsoft needs to get on the stick and build this, or they will never catch up. Windows PE, which already operates on the Vista/Win7 core, would be a great starting point.

Posted by: williehorton | July 3, 2009 12:11 PM

Krebs is the only part of the Washington Post that never disappoints me!

Awesome work Brian!

I am now more motivated to set up that dual-boot system (as "dfolk1" discusses).

Posted by: sw11231 | July 3, 2009 1:13 PM

On June 11, 2009, I got spam with this information:
------------------------------
Work at home Money Manager Assistant
(part-time vacancy; 2000 usd / month):

We value your response back regarding the open vacancy Insurance Company is offering. We're currently seeking motivated and responsible individuals to attend the post of a 'Work at home Money Transfer Assitant'. This remote position itself covers a broad range of directions an individual would have to perform. It's a part time position, which let's you perform your duties directly from your home location. In the nearest future, we're planning to achieve the expansion of our company throughout the United States of America and United Kingdom, providing local offices and departments in the vast areas, where logistic and insurance services are definitely in demand. Until then, we're trying to fill in our personnel with new individuals, which will increase the efficiency of the services we're catering. If you wish to apply or have any questions regarding the position, feel free to contact me back either via e-mail. Hope to hear from you soon.

In order to reduce the corporate overhead, we've implemented the thrift solution of disseminating bases of control over certain regions of the United States of America. It provides a great opportunity for beginners to participate in the standard operations of the future subsidiary departments. Besides the expansion project, the upcoming regional accountants are expected to learn a great deal about different realms of the insurance market mainly through digesting the experience gained from the large scale practical assignments.

1) This is part time work at home position and can easily combine this vacancy with any other work.

2) The fixed salary is 2000 USD a month + 5% instantly from each payment processed by you.

3) You will receive payments (Direct Bank Deposits and wire transfers) from client within United States and send it by instant payment sistem such as Western Union. You will receive 5% of processed amount.
------------------------------
To tell the truth, I almost swallowed the bait. But they didn't accept me, because my location was not the USA. Remember:
You cannot get something for nothing.

Posted by: nikolasblack | July 3, 2009 4:54 PM

Typical and rather amusing how these articles elicit responses in solely placing blame on the operating system and/or its vendor/creator, and that the solution is to simply switch the operating system.

This is just disingenuous and completely fails to address the role of the operator behind the keyboard!

Posted by: xAdmin | July 3, 2009 7:58 PM

The real story is how US banks are a decade behind the times when it comes to security.

European banks routinely use two-factor authentication using hardware tokens, which would have defeated this and any other keylogging attack. Instead, here in America, banks have made the conscious decision to go with weak security measures, presumably because the cost of implementing strong measures outweighs their current losses.

Meanwhile, bank customers, like Bullitt County, pay the price for the banks' negligence.

Posted by: DupontJay | July 3, 2009 11:45 PM

At the end of the day, the big question is how did the Zeus trojan get onto the county PC.

A typical user in a work environment is only given a limited user account. You need administrator rights to install nearly all of these threats. In addition to regular patching, the sysadmin's next most important security task is to limit who can run as an administrator for daily use (answer: no one, unless you are installing or configuring software that you need for work).

And there's usually a big-name corporate anti-virus utility running in the background. Zeus is likely well-known enough that the usual Mcafee or Symantec AV should have detected it.

Finally, in a work environment, there's usually a filter,e.g. various products from Websense, to keep out known sites that are booby trapped with Zeus and other malicious software.

Did this county have no security in place at all?
Were they still running Internet Explorer 5.5 on Windows 98 SE?

Or as I suspect, the county treasurer and judge, by virtue of their high positions, were granted administrator rights to install all sorts of non-standard software. And like all curious humans, these two folks eventually clicked on something they should not have.

Posted by: taskforceken | July 4, 2009 2:20 AM

Ignore hairguy, people like that don't bother to read the story, they just want to spread their cult.

Any OS that has huge amounts of businesses and network users will get hacked. It's not as much about insecurity as it is about the available booty from going after it. The minute everyone goes over to a non-MS OS, it'll suddenly become riddled with holes. But that won't happen.

Posted by: myfakeid | July 4, 2009 4:17 AM

Let's all switch to Linux.
That way... they'll start writing viruses for Linux.

Posted by: buckdharma | July 4, 2009 5:48 AM

Even if you set up a limited user account and run as that user, can't the hackers simply get in your machine and hack the administrator account and then use it?

Posted by: Tojo1 | July 4, 2009 9:54 AM

You can't buy enough "peace of mind." This is another reason to have another piece of authentication device in place, such as an encryption keyfob or card that recycles a new passcode number every two minutes.

The issue I see here is desperate people, living in desperate times, looking to make a fast buck, and someone out in Russia or wherever is using this weakness as leverage to take advantage of the banking systems that are in place.

I don't think that the people responding to the advertisements are genuinely bad people, just plain, "stuck on stupid" when it comes to information security and the use of computer systems.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | July 4, 2009 11:59 AM

@DupontJay,

It's not clear that two-factor authentication (2FA) would even have protected against this. If the hackers had a remote connection into the user's computer, they could have piggybacked on the user's legitimate connection (authenticated with a keyfob) to do their nefarious deeds. The user authenticates themselves, and they slip in the open door right after them.

------------------------------

@All the windows-haters:
It's true that Windows has lots of holes, but hackers can write viruses for Linux just as easily. If a super-user runs an attacker's program, that computer is compromised, no matter what OS is running. The problem (and security vulnerability) is the idiot behind the keyboard.

Posted by: jonsolo11 | July 4, 2009 3:01 PM

Two questions come to mind:

1) How did the bad guys get the judge's bank account credential?
2) How could the bad guys change the judge's email address without triggering an email sent to the judge's old email address letting the judge know his email on file with the bank has been changed to the new one at 'xxxxxxxx@xxxx.xxx" which should have raised suspicion?

Posted by: ietf2000 | July 4, 2009 3:36 PM

A couple of comments:

First, thanks for an important, thorough, and rather scary article.

Second, here's a question that may not fall under your jurisdiction, but is nonetheless related and important. In the "good old days" one would open a checking account at a bank, deposit money, write a check, sign the check with a pen, give the check to a third party, and lo, the check would ultimately be debited from one's account, and credited to the third party. The paper check, signature and all, would physically be transferred from the third party's bank to the user's bank, and the cancelled check, bearing the user's written signature, returned to the user/check writer.

No more.

Even if one actually writes a paper check, the paper is typically discarded and the debit performed entirely electronically. There is, as far as I can tell, no verification of the signature even possible. Cancelled checks are not returned to the check writer. Sometimes images of the check are available to the user, but often one only sees a cryptic one line debit entry on a bank statement, containing very little useful information.

How hard, I wonder and fear, is it for these electronic transactions to be fraudulently abused, without any action on the part of the account holder?

Posted by: alexofindy | July 4, 2009 5:25 PM

1)Can anyone else verify @Jay Dupont's assertion that this particular scam couldn't have been run against European banks?

2) Hello!!! Seven days fr/ the beginning of the scam until someone @ the bank and/or County noticed $10,000 increments going out the door, unauthorized??? Someone(s) was asleep @ the switch!!

Posted by: featheredge99 | July 5, 2009 2:18 AM

This is not an OS issue, or a dumb user issue. This is an IT issue. Whoever admins the Bullitt County computers and networks dropped the ball on this one. If best practices had been followed regarding pc and network security then this probably wouldn't have happened. I doubt that the IP tunnel was using port 80, so that would imply improper configuration of ACLs on the gateway router.

Was no-one at Bullitt County IT monitoring network traffic logs? Does the county, or a bank in Kentucky, need to provide access to IP domains in the Ukraine? Considering how much malware is coming out of Ukraine, I would be tempted to block the whole country's domains at the firewall. Not to mention a few other countries that look the other way regarding Internet based criminal activities.

Linux is not immune to hacks and server hacks are the most worrisome. A quick web search shows several instances. Fedora and Red Hat servers were compromised on Aug. 22, 2008. SquirrelMail's server was hacked on June 16, 2009. Check out the advisories on LinuxSecurity dot com or the National Vulnerability Database at web.nvd.nist.gov. Take a look at Cyber Security Bulletin SB09-180 at US-CERT. How about CVE-2009-1886 for Samba? There are also some serious php issues.

No OS or network is completely secure. When there's a financial incentive, people will find a way. In the end, it's usually the consumer that ends up assuming all the liability and foots the bill.

Posted by: Hoku1 | July 5, 2009 4:10 PM

WOW BRIAN

This was quite a write up with a number of very interesting comments for sure.

Once again, for whatever it is worth, letters like the one copied verbatim offering 'on line' employment SHOULD BE FORWARDED to
------------------
washington.field@ic.fbi.gov
-------------------

Unlike the original IC referrals of some years ago, one is not automatically transferred to a lengthy fill in form.

NOTHING more is involved than the actual forwarding itself.

Posted by: brucerealtor@gmail.com | July 5, 2009 10:21 PM

Nice Article.

I think a lot of folks started slamming the OS as the culprit to this problem. I don't disagree but small county governments... well are small and going to implement Windows one way or another. When I read this the real flaw or where a lot of this could have stopped was at the bank's end. I mean what kind of retard approach to security allowing them to change the password and email at the same time and all that junk about fingerprinting systems and making sure it's from the same geographic IP that's just lazy stupid security. I'm not saying it couldn't help but it is not a second or third factor of authentication.

No matter what OS you're running there's going to be hacks and if you've got a keylogger on there you're up a creek without a paddle. The only thing that might save your bacon is a 2nd factor such as a security token.

Paypal got one for 5 bucks... Their system isn't very well implemented but hey it's an attempt. (Has a 6 digit number that changes every 30 seconds)

Bank of America has a card you can buy for like 20 bucks.

I mean governments or anybody having nearly a half million dollars in an account is an idiot for not implementing multiple layers of authentication.

Posted by: dward__ | July 6, 2009 12:33 PM

I agree completely with the above commentary by dward__ ...

The plain fact is that the large amount of money being held, contrasted with the actual security measures in place, were woefully out of balance. It is like carrying a small amount of auto insurance on a very expensive automobile that is known to be of great interest to auto thieves ... there is so much more that could have been done to provide additional security.

Sorry, techies ... much as you wish it were, the reality is that it is NOT a matter of this OS versus that OS ... this fixit-patch versus that fixit-patch ... etc., etc.

IT ALL BOILED DOWN TO A LACK OF COMMON SENSE ... on the part of the people responsible for safeguarding the money ... as well, of course, as the "mules" so easily conned into helping steal it.

Posted by: db16 | July 6, 2009 1:13 PM

It is ignorant to suggest that online banking shouldn't be done on a Windows OS PC. Millions of people do online banking with Windows based machines - Windows based machines are even used within financial institutions and 3rd party payment processors. There are firewall and anti-virus services to prevent issues like this. Unless this was some zero-day exploit using a new variation of zbot that isn't detected by standard anti-virus applications, standard preventive measures should have sufficed. As others have pointed out, no OS is immune and proper administration of the network and PCs by trained IT personnel should have been sufficient to prevent this (assuming that these are not notebook PCs that were infected while on foreign networks). It would be interesting to know if the computers were notebook PCs that were used out of the office, what version of the OS, what anti-virus, etc. My experience with municipalities is antiquated technology managed by poorly trained personnel and significantly underfunded IT budgets, which is a recipe for disaster.

I was curious as to what level of social engineering took place here, since the two key people needed to authorize the transfers had infected machines from the same hackers. Seems like that was more than just dumb luck for the hackers.

Posted by: trash3 | July 6, 2009 5:37 PM

I'm going to make a guess here but it seems too much had to fall in place. I think that there were SOPs on the server that described the procedure for bank transfers. The crooks used a directory to locate the target individuals. They could then send e-mails from person to person saying check this link out or plant the software on the server.

Posted by: Beacon2 | July 6, 2009 7:32 PM

"Typical and rather amusing how these articles elicit responses in solely placing blame on the operating system and/or its vendor/creator, and that the solution is to simply switch the operating system."

If one bothered to actually read closely, the attack vector is Windows. This break-in would not have been possible without the security holes in Windows that the thieves took advantage of.

Learn more about OS security. In particular, check out the SELinux security system built into Linux, which closes off the possibility of hacks like this.

Posted by: frantaylor | July 7, 2009 7:58 PM

An argument is made that Windows is the primary target due to its market share. Let's destroy this argument:

On the server, Linux market share is 50%. As the servers get bigger and bigger, Linux is more and more prevalent. At the very high end, it's almost all Linux.

These machines hold sensitive information for hundreds of thousands, or even millions of users. It's all up for grabs if the system is compromised. The temptation is ENORMOUS: you can break into one Windows machine and steal one person's data, or you can break into one Linux server and steal 100,000 users.

So why do hackers bother with the nickel-and-dime stuff when they could be really making the big score? There is only one answer. It's because the hackers can get into the Windows systems, and they can't get into the Linux ones.

Posted by: frantaylor | July 7, 2009 8:22 PM

I can't believe the people making the decisions to go with Microsoft can't be held criminally liable. Microsoft's software is well-known badware. It restricts the rights of users, forwards information about its users to Microsoft (spyware), and is negligent in providing security updates and remotely acceptable default security settings. Not to mention Microsoft has a monopoly that should be frowned upon by government and has repeatedly been determined illegal by multiple governments. While a monopoly is not illegal in and of itself, Microsoft's actions are.

Posted by: jood1 | July 8, 2009 2:28 AM

Ohh, and I almost forgot. I'd second the county switching to Ubuntu or another GNU/Linux distribution. GNU/Linux works, and even if it costs them money to switch, it is a solid short- to medium-term investment that pays off relatively quickly. Most of the people I know using it seemed to switch without any issues, at least not in comparison to those I know who've moved to Vista.

Posted by: jood1 | July 8, 2009 2:30 AM

The IT security was one problem.
The Bank security is another problem.
The people behind the screens were the one big problem.

But you know what could have made this so much easier to deal with?

Make the bank accounts revocable transfers only, and only to be transferred to other banks. That way any transfer could be revoked at any time necessary, and quickly. And this would not have been as big a problem as it was.

Posted by: ryansa09 | July 8, 2009 2:06 PM

Oh yeah, another thing: the OS is not the thing here. It is mainly the people in charge. Even a Linux system could be compromised if an IT-inept person was to install some malware as the system administrator. Ubuntu makes the one user basically a system admin right off the bat. So this distro is just as bad as Windows when put to social engineering cracking attempts.

Posted by: ryansa09 | July 8, 2009 2:10 PM
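The point above about Ubuntu's first account being an administrator is really a least-privilege question: which accounts on a box can become root at all. As an added example (not from the article or any commenter), here is a small POSIX shell audit that parses constructed /etc/group and /etc/sudoers excerpts and lists every account that can obtain root through sudo, plus any entry that grants it without a password. The sample contents are invented for the example; on a real host you would feed it the actual files.

```sh
#!/bin/sh
# Constructed sample of /etc/group content (not taken from any real host).
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
admin:x:115:carol
users:x:100:dave'

# Constructed sample of /etc/sudoers content (not taken from any real host).
SAMPLE_SUDOERS='# constructed sudoers excerpt
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
erin    ALL=(ALL) NOPASSWD: ALL'

# strip_sudoers CONTENT: drop comment and blank lines, print the first field
# of each remaining rule, which is either a user name or a %group name.
strip_sudoers() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# list_admin_users GROUP_CONTENT SUDOERS_CONTENT
# Prints, one per line and de-duplicated, every account that can reach root:
# users named directly in sudoers plus the members of every %group it grants.
list_admin_users() {
  group_content=$1
  sudoers_content=$2
  strip_sudoers "$sudoers_content" | while read -r principal; do
    case $principal in
      %*)
        g=${principal#%}
        # Field 4 of /etc/group is the comma-separated member list.
        printf '%s\n' "$group_content" |
          awk -F: -v g="$g" '$1==g && $4!="" { n=split($4,m,","); for (i=1;i<=n;i++) print m[i] }'
        ;;
      *) printf '%s\n' "$principal" ;;
    esac
  done | sort -u
}

# list_nopasswd_entries SUDOERS_CONTENT: principals granted root with no
# password prompt, which is the setting a defender most wants to know about.
list_nopasswd_entries() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD' | awk '{print $1}' | sort -u
}

# Stand-alone run over the constructed samples.
echo "Accounts able to obtain root via sudo:"
list_admin_users "$SAMPLE_GROUP" "$SAMPLE_SUDOERS"
echo "Entries granting root without a password:"
list_nopasswd_entries "$SAMPLE_SUDOERS"
```

On a live system you would replace the constructed strings with `$(cat /etc/group)` and `$(cat /etc/sudoers /etc/sudoers.d/*)`; the output is the list to compare against who actually needs administrative rights, which is the control the commenter is pointing at.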

You Linux cultists need to chill out. First, clearly the individual PCs were not properly secured. Not a fault of the OS itself but of those managing it. Second, and more alarming, there is something horribly wrong with their entire network security. The article stated that the hackers not only had complete control of the individual PCs but also had admin rights and direct control of the email system (changing the Judge's SMTP address and creating 25 new addresses). Possibly the user directory too, depending on what email system they use (Exchange and AD, for example). There has to be more to this story than what is being told.

Posted by: cfricke | July 9, 2009 1:31 PM


© 2009 The Washington Post Company