idtft: Beware!: Kinko's spy case highlights risks of public Internet Terminals
Wednesday, July 23, 2003
Kinko's spy case highlights risks of public Internet Terminals
By Anick Jesdanun / AP Internet Writer
NEW YORK -- For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.
Jiang had secretly installed, in at least 14 Kinko's stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using them to access and even open bank accounts online.
The case, which led to a guilty plea earlier this month after Jiang was caught, highlights the risks and dangers of using public Internet terminals at cybercafes, libraries, airports and other establishments.
"Use common sense when using any public terminal," warned Neel Mehta, research engineer at Internet Security Systems Inc. "For most day-to-day stuff like surfing the Web, you're probably all right, but for anything sensitive you should think twice."
Jiang was caught when, according to court records, he used one of the stolen passwords to access a computer with GoToMyPC software, which lets individuals remotely access their own computers from elsewhere.
The GoToMyPC subscriber was home at the time and suddenly saw the cursor on his computer move around the screen and files open as if by themselves. He then saw an account being opened in his name at an online payment transfer service.
Jiang, who is awaiting sentencing, admitted installing Invisible KeyLogger Stealth software at Kinko's as early as Feb. 14, 2001.
The software is one of several keystroke loggers available for businesses and parents to monitor their employees and children. The government even installed one such program to capture a password that the son of jailed mob boss Nicodemo "Little Nicky" Scarfo used to access files on his computer.
Earlier this year, a former Boston College student pleaded guilty to using similar software on more than 100 computers around campus to collect passwords and other data to create a campus ID card for making purchases and entering buildings illegally, authorities say.
Mehta said that while millions of individuals use public terminals without trouble, they should be cautious.
"When you sit down at an Internet cafe, ask the owner or operator about the security measures in place," he said. "If they don't know or don't have anything in place, you could consider going somewhere else."
Encrypting e-mail and Web sessions does nothing to combat keystroke loggers, which capture data before the scrambling occurs. But encryption can guard against network sniffers -- software that can monitor e-mail messages, passwords and other traffic while it is in transit.
Data cookies also contribute to the risk of identity theft. Cookies are files that help Web sites remember who you are so you won't have to keep logging on to a site. But unless you remember to log out, these files could let the next person using the public terminal surf the Web as you.
Furthermore, browsers typically record recent Web sites visited so users won't have to retype addresses. But such addresses often have usernames and other sensitive information embedded.
Secure public terminals should by default have provisions for automatically flushing cookies and Web addresses when a customer leaves, Internet security experts say.
Kinko's spokeswoman Maggie Thill said the company takes security seriously and believes it has succeeded in making a similar attack extremely difficult in the future. She would not provide details, saying that to do so could make systems less secure.
Nonetheless, Thill said customers have a responsibility to protect their information as they would a credit card slip. She said the company is trying to educate them through signs and other warnings.
At one Kinko's that authorities said Jiang targeted, a sign attached to individual $18-per-hour stations warns: BE SAFE. PROTECT YOUR PERSONAL INFORMATION.
Richard M. Smith, a security consultant in Cambridge, Mass., said customers could also use certain techniques to foil keystroke loggers. When typing in sensitive information, for instance, he suggests cutting and pasting individual characters from elsewhere to form the password.
No keys depressed, no characters logged.
-- -- --
On the Net:
http://www.cybercrime.gov/jiangPlea.htm
Press Release
For Immediate Release
July 11, 2003 U.S. Department of Justice
United States Attorney
Southern District of New York
Marvin Smilon
Herbert Hadad
Michael Kulstad
Public Information Office
(212) 637-2600
(718) 422-1870
Joseph DeMarco
(212) 637-2203
--------------------------------------------------------------------------------
Queens Man Pleads Guilty to Federal Charges of Computer Damage, Access Device Fraud and Software Piracy
JAMES B. COMEY, the United States Attorney for the Southern District of New York, announced that JUJU JIANG, 24, of Flushing, New York, pled guilty in federal Court in Manhattan yesterday to a five-count Information relating to computer fraud and software piracy.
In pleading guilty to computer damage, JIANG admitted that, between February 14, 2001, and December 20, 2002, without the permission of Kinko's Inc. (Kinko's), he installed special keylogging software on computer terminals located at Kinko's stores throughout Manhattan to surreptitiously record keystroking activity on those computers, and collect computer usernames and passwords of Kinko's customers.
JIANG also admitted that he then used the confidential information he obtained to access, or attempt to access, bank accounts belonging to other persons, and fraudulently open on-line bank accounts.
JIANG also pled guilty to similar fraudulent conduct that he continued to commit while on bail after his arrest on December 20, 2002.
At his plea yesterday before United States Magistrate Judge THEODORE H. KATZ, JIANG admitted that his installation of the keylogging software could damage the Kinko's computers on which it was installed.
JIANG faces a maximum sentence of 5 years in prison and a $250,000 fine on each of these two counts.
In addition to the computer damage charges set forth in Counts One and Two of the Information, JIANG also pled guilty to computer access-device fraud, as charged in Count Three of the Information. JIANG admitted that, between February 14, 2001, and December 20, 2002, he fraudulently possessed more than 15 computer usernames and passwords belonging to other persons, also to access their bank and financial services accounts, open on-line bank accounts in their names, and transfer the funds to the unauthorized accounts.
Count Three carries a maximum sentence of 5 years in prison and a $250,000 fine.
Finally, JIANG also pled guilty to two counts of software piracy for his on-line sale in 2000 of copies of Microsoft Office 2000 Professional Edition, in violation of Microsoft's copyrights in its software.
Counts Four and Five of the Information each carry a maximum term of imprisonment of one year in prison and a $100,000 fine.
Mr. COMEY praised the investigative efforts of the United States Secret Service's Electronic Crimes Task Force and thanked Kinko's for its assistance and support throughout the investigation.
Assistant United States Attorney JOSEPH V. De MARCO is in charge of the prosecution.
03-173
Last updated July 17, 2003
Posted on Wednesday, 23 July 2003 @ 11:52:23 EDT by phoenix22