Hardware keyloggers have been discovered in public libraries in Greater Manchester. Two USB devices, attached to keyboard sockets on the back of computers in Wilmslow and Handforth libraries, would have enabled baddies to record every keystroke made on compromised PCs. It's unclear who placed the snooping devices on the machines …
It's unclear who placed the snooping devices
Here's an idea, and I doubt I'll be the only one to point this out, but wait and see who comes to collect them.
But the odds of success have probably gone out the window since the news articles.. :-)
The police presumably don't have the wit / manpower (delete as appropriate, or not!).
One has to question..
The use of bank account details of someone unable to afford a home computer and internet connection..
Why would such a person have online banking?
They probably have to walk past the bank to get to the library.
"Why would such a person have online banking?"
Just listen to yourself being superior !
Out on business, holiday ( unlikely in Handforth I admit )
Why do people use internet cafes ?
The question really is why would anyone use public computers for sensitive matters
Scum will be scum!
If it means just a few more quid in their pockets, sadly some scum have no problems with ripping off even those with sweet FA to their name.
When Pipex (Tiscali) "Upgraded" my internet connection two years ago, and i was internetless for over a month, i used the library internet quite a bit. Not a huge stretch for me as i do use the library quite a bit anyway.
@ Just Thinking
In Handforth you would only walk past your bank on the way to the library if it was RBS as thats the only bank we have here, And then only if you lived in the northern half of the village!
Wilmslow is similar in that a great deal of the town you would have to walk past the library to get to the banks (coming from the south this time)
Not in Greater Manc
For the record, neither Wilmslow nor Handforth are actually in Greater Manchester - despite being essentially up-market suburbs, they're both in Cheshire (and always have been).
That's a relief
I found the terms "up-market" and "Manchester" in the same sentence rather difficult to reconcile.
I've not seen the figures recently but as far as I remember the crescent in north Cheshire that includes Knutsford Wilmslow, Alderley Edge, Prestbury, Poynton and others had the greatest disposable income in the country outside of certain parts of London
Apparently that is so, but...
...a curse on all Wayne Rooney's houses would surely bring that to an end though?
Public computer use Vs unprotected sex
There is very little difference.*
* although I know which one is more enjoyable!
Dunno why you were. Here's an upvote for you, good one :P
Handforth and Wilmslow are in North East Cheshire not Manchester, and it surprises me that they even found the devices with the slowness of the usually old and decrepit nature of the workers usually manning these facilities.
..terrarizt scares in that area, maybe ??
So, the library staff are either...
"A third detected device was discovered but disappeared before it was turned over to local police"
So, the library staff are either...
1. Stupid and just left it plugged in for the crook to come collect before they could give it to the police.
2. Monumentally disorganised and lost the device before they could hand it over.
3. Engaged in online fraud/identity theft themselves.
Library staff probably not thieves or idots.
Or the IT staff only came out to look at the machine when one of them stopped working properly. Finding the device was probably told of other machines having had similar devices on before, hence the missing key logger.
It is unlikely that the library staff would subject themselves to the typical abuse IT staff hand out by removing any devices.
What moron would use a public PC to log into anything private ?
Wow there really is a sucker born every minute.
not everyone works in IT Security
Re who would use a public pc etc, I bet if you took a sample of library users >50% would trust the PCs in their library to be secure. So that is a fairly large user base.
then you'll have school children / students who might think that logging onto facebook is not the same as using a pc for something private, regadless of the fact they use the same password for everything
Then you have people who have no internet at home who want to check their email.
so my answer is, unfortunately, quite a lot.
I don't think it unreasonable to differentiate between doing online banking in a dodgy cyber cafe / unsecured wireless and doing it somewhere where you are constantly being educated and encouraged to get online by the government.
What would YOU do if you had no PC at home, would you just dissapear offline and never check your email again?
What moron doesn't know how to fix their own boiler?
What moron doesn't know how to service their own car?
What moron can't perform open heart surgery?
What moron <insert something you have personal knowledge of because you work in the industry which obviously means anyone who doesn't have the exact same interests and knowledge is a moron>
Tedious. Get over yourself.
re: What would YOU do if you had no PC at home
Well obviously I'd get a PC and an Internet connection.
you go to the public toilet to do something private right?
You support my case
Lots of strange things go on in public toilets, holes drilled through walls etc.
You only use a public toilet is you are really desperate, even then you hover the seat.
"You only use a public toilet is you are really desperate,"
A third detected device was discovered...
"... but disappeared before it was turned over to local police"
Keyloggers from the 4th dimension? A case for the X-files?
Why online banking?
More use to go for paypal, ebay or amazon credentials...
WHATWG showed they don't have a clue with this living standard HTML tripe.
"keyboards are plugged into the more visible front ports"
I'm not sure how that would help.
If the keyboards are now to be plugged into the front ports, then keyloggers can be plugged into the rear ports ... where they are even *less* likely to be noticed than a keylogger plugged into the front.
OK, so the staff are perhaps more likely to notice somebody delving round the back, but that presumes its a member of the public that's planting the keyloggers but it could equally well be a member of staff who is planting them.
Err, I think you are missing the point. The idea is that the keyboard signals have to go THROUGH the device to get hardware logged. Not much good just stuffing it into an empty socket.
The keyloggers are attached in line with the keyboard, i.e. between the keyboard & the box. Using the usb ports on the front of the machine makes the keylogger instantly visible.
Hardware Keyloggers work by reading the signals as they go between the keyboard and the computer. They dont need drivers because there transparent as far as the computer is concerned. (They simply pass the signal through)
If you plug the key logger into a socket which *doesnt* have the keyboard plugged in. its not passing the signals through, therefore cant record them.
Software keyloggers require you to install software, indeed probably Low level drivers. They dont need things plugged in, although its possible they may have so you can install the software from it or as a target for the logging.
It sounds as if these computers were locked down enough that you couldnt install a software keylogger, so they had to use a hardware one, Which TBH, it substantially better security than i have experienced in general from government, local or otherwise, so Qudos there.
Wasn't that a really archaic DOS-based careers advice program that I came across in high school in the 90s?
Anyone else remember that?!
Why not just lock the base unit inside a cupboard - as is quite a common practice ?
Come to West Lothian
Hackers should go to any library in West Lothian.
Not only is the AV software on them over a year out of date. But if you stand outside and use a wireless laptop, you get free access to the Internet (and the public pcs) without any security checks.
Who needs a physical device... :)
How about I coin an appropriate maxim?
Your system is keylogged until proven* otherwise.
*Obviously the degree this is taken to will vary from individual to individual, also on their level of know-how. I simply will not do internet banking on a machine on my family windows box. Nor any windows box for that matter.
Not to mention another maxim, "The lock you buy for your gate can only ever be as good as your gate." - big thing in local news here at any rate, apparently Lush got hacked and credit card details have been compromised. Sure, things may not screw up at your end, but once past... up further up the pipe... God knows.
Which is again what this article actually illustrates. I seen those before. They are pretty much undetectable if you don't inspect your kit. visually.
Nothing like a healthy dose of paranoia now and then, folks! Drink up. It's not too bitter and it'll be good for you.
Prove your system doesn't have a keylogger.
When you're done with that. prove Nessie doesn't exist.
Proving Nessie doesn't exist
10x 200 megaton bombs should do the trick...
Still not certain how that's going to take care of keyboard logging, though.
Don't be obtuse.
The point of what I said was to be as certain as you can that your system is not compromised. Read it again.
This sort of situation is unlikely to be a problem in the future - there won't be the libraries.
However, if 'BigSociety' is to work then places like libraries (if there are any left) will need unpaid support workers like 'I.T. experts'.
The great unwashed will also need to go to the 'libraries' (local community support venues) to be able to do everything online as there will be no council or governement workers left.
Solution - get USB keyboard similar to library ones and swap them over - install small devices and pick up all the info you need via proximity transfer as you sit there wit your phone next to the keyboard.
Hardware key loggers? thing of the past.
hardware keyloggers come with integarted wireless now
No need for hardware keyloggers to be collected anymore to extract data since they can be purchased with integrated wireless transmitters.. so risk only exists for the fraudster on the initial connection of the keylogger. Of course, these keyloggers are more pricey but the cost/benefit is irrelevant if you get access to a few dozen credit card numbers or bank login details.
A number of banks (RBS, Halifax) will only let "such a person" open very restricted bank accounts. Restrictions include...
*) No credit facilities.
*) No credit cards
*) This is the relevant one - No Branch Counter Service, all transactions must be done online.
I don't really understand the reason for the last restriction, but yeah, they can't go into the branch, except to use the "drop-box" to deposit money, or the ATM to withdraw money. All other transactions have to be done online (or via an automated telephone system).
Also these are the people who are most vulnerable to asshats stealing their funds with stunts like this, as they have little or no safety net.
re: the reason for the last restriction
The cynical might suggest it's a personal hygiene issue, but it's really just a matter of keeping costs down and not impinging on the service provided for paying customers. I think it's great that people now have what amounts to the right to hold a bank account, even if it was only introduced as a cost cutting measure by the DWP or whatever they're called this week.
My dear Allan, not that I want to start a relationship or anything but you've got be careful as many seem to take things too literally in here.
>Also these are the people who are most vulnerable
Don't you understand, we are for more tech savvy, probably more financially secure and definitely more full of ourselves than these sort of people so we don't give a toss. We just sneer and look down at them and make enlightened comments as to their sorry state.
Please, get with the program
Interesting question for the tax payers of GMC, if accounts are broken into as a result of secuirty breaches at these libraries, who is picking up the liability bill?
The hacker who is never traced,
or the council?
Question is, did the council take "reasonable" measures to ensure the security of the machines, and/or post warnings that these are public machines, and hence would advise against use for personal or financial transactions?
They'll be bloody USB to PS/2 adapters that some paranoid dick spotted.
is the only thing I would use for sensitive data on a Public PC. And that's a very rare occasion.
I would be more worried when they have a mouse logger :)
Even then I don't know..
I'll have to look this up but I'm not convinced a virtual keyboard is completely safe...
I have however, seen some online games where you have an option of using a virtual keyboard built into the game client itself, to log in, where the layout of the keyboard is completely randomly regenerated for _every_ keystroke, just presumably to foil mouse loggers, so these guys must have presumably been worried enough.
Why were the USB ports even accessible?
Surely a locked cage of some sort with one hole for wires (and some air vents!) should be all that's visible to the public? Even a non-techy librarian can understand that type of security.
- Facebook offshores HUGE WAD OF CASH to Caymans - via Ireland
- Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt
- Justin Bieber BEGGED for a $200k RIM JOB – and got REJECTED
- Review Bigger on the inside: WD’s Tardis-like Black² Dual Drive laptop disk
- Inside Steve Ballmer’s fondleslab rear-guard action