[ISN] Computer hackers steal Carson funds

From: InfoSec News (alerts@private)
Date: Fri Jun 01 2007 - 00:39:32 PDT


http://www.latimes.com/news/local/la-me-hackers1jun01,0,2083352.story?coll=la-home-local

By Hector Becerra
Times Staff Writer
June 1, 2007

If Carson Treasurer Karen Avilla had had a nagging feeling she was being 
watched whenever she got on her laptop computer, she would have been 
right.

Cyber-thieves were able to shift nearly $450,000 from the city's general 
fund last week by using a program that was able to mimic the computer 
strokes made by Carson's financial officer. Each time Avilla logged on 
to her city-provided laptop in the morning, someone was — virtually — 
looking over her shoulder, recording every single keystroke.

Armed with the spyware program, the hackers obtained bank passwords. 
They wired $90,000 to a "Diego Smith" in North Carolina. One day later, 
on May 24, the thieves got bolder and wired $358,000 from the city's 
bank account to a bank in Kalamazoo, Mich.

Avilla and her deputy discovered the theft just in time to have all but 
$45,000 of the funds frozen. But the experience left city leaders 
rattled.

"As I sat there with the detectives and the forensic folks from the 
bank, I thought, 'I don't even want to touch a computer,' " Avilla said 
Thursday. "I felt violated. It made me think, 'Who's out there?' "

The crime raised concerns about the security of municipal coffers, 
especially when wireless networks are used. Although such city hacking 
cases have been isolated, some experts said many municipalities lack the 
large information technology staffs and large budgets for computer 
security.

"If you go after a local municipality, they're more likely to have fewer 
people dedicated to computer security," said Eric Schultze, chief 
security architect for Shavlik Technologies in Minnesota and a widely 
cited expert in anti-hacking circles.

Avilla said she still doesn't know how her computer was targeted. She 
said she doubts it had the latest security software patch protections — 
something sheriff's detectives and bank investigators told her is 
essential in safeguarding her computer.

She said that as soon as word got out, Carson fielded calls from 
officials in other cities, asking how they could protect themselves.

South Gate City Manager Gary Milliman said he has seen all sorts of 
fraud perpetrated against cities in 32 years, but nothing like this. "I 
think it's a concern," Milliman said. "It's something we're going to 
check into to make sure there isn't a vulnerability in our system."

Earlier this year, the finance director of the Northern California city 
of Willows discovered that a hacker had taken $4,000 from a city fund. 
Avilla said cities may not always notice smaller thefts.

"One thousand dollars. You think a bank is going to bat an eye?" Avilla 
said. "It's not an inexpensive enterprise to have a full team that goes 
around checking every laptop ever used. I think we can use more IT 
folks, but when a lot of these departments were created, a few people 
had computers. Now everyone does. On top of that, almost everyone has a 
laptop."

Experts said that without up-to-date security software, such a computer 
could be especially vulnerable if people who use it visit websites that 
contain spyware.

But hackers also send mass e-mails which, if opened on vulnerable 
computers, can allow installation of "keystroke loggers."

"It automatically sends all keystrokes logged to a hacker, via e-mail or 
another form of communication," Schultze said. "So a hacker sitting 
halfway around the world can log into your bank account, enter your user 
name and do what they want to do."

Kevin Overcash, vice president of product management for Breach Security 
in Carlsbad, Calif., said that when organizations started installing a 
lot of wireless networks, hackers devised ways to breach them through 
what is called "drive-by hacking."

In trying to provide a service to their residents — by allowing them to 
check their water bills via the Web, for example — municipalities 
sometimes make themselves vulnerable, he said.

"That kind of access opens you up to hackers. It opens the door for 
people to have access to data if you do not have good security," 
Overcash said.

Avilla said she noticed a problem when she found she was unable to log 
on to the city's bank account. She thought she must have been typing the 
password incorrectly.

On May 22, the bank gave her a new password. But unbeknownst to her, the 
cyber thieves got that password as soon as she tapped it into her 
computer.

On May 24, Avilla and her deputy checked bank balances and discovered 
the previous day's $90,000 wire transfer to someone in Wilson, N.C. 
Avilla checked with the bank and discovered the $358,000 transfer that 
day through National City Bank in Kalamazoo.

"I thought, 'We got a problem,' " Avilla said.

She called the bank and filed a police report, leading to the freezing 
of the city's funds. No one has been arrested, authorities said.

L.A. County Sheriff's Capt. Todd Rogers said the department's high-tech 
crimes unit is on the case. The Secret Service is also helping in the 
investigation, he said.

Avilla said the experience has made her angry and determined to seek 
legislation that would address the problem. "There's got to be more than 
one way to fight this," she said. "They get us in so many ways. There's 
got to be a way for us to get them."



_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Fri Jun 01 2007 - 00:59:11 PDT