
Myths and Magic: Stealth Attacks on the Internet

Some things you do on the Internet are clear and obvious: you see text and graphics, you watch movies and you listen to music. Sometimes to excess. Some of the things we all do on the Internet seem almost magical. (Didn’t someone say that any sufficiently advanced technology is indistinguishable from magic?)

There is another class of things that can happen on the Internet – things that happen to us. We are always reading about the latest threat or attack on our personal or corporate privacy. This column is guilty of the same thing. This month, I want to talk about things I call Stealth Attacks. Those are things that (purportedly) happen to you behind your back. Last month, I wrote about cookies and the unauthorized data collection they facilitate. Those are real attacks. In this column I want to set the record straight about some of the highly publicized attacks on the net, some of which are magical in their power and some of which are merely myths that don’t really happen.

Myth: Reading Your Hard Drive

There is a site that had a peculiar link. The description invites the net surfer to click on that link in order to see the power of the Internet to steal data. Clicking on the link would bring you to a page that waxes prolific about how the web site can read your private data off your own hard disk.

The site offers to demonstrate this to you, explaining that they wouldn’t really look at your data, but they would display it on your screen just to prove to you that they could have looked at it. Click on the magic button and you see your own AUTOEXEC.BAT and CONFIG.SYS files displayed in your browser window. Wow! This is proof that they gained access to your files and then sent them back to you through your browser window.

Not exactly. What they really did was put a link to your local hard disk, using a file they were fairly certain would be there. Try this test. Open your browser (you need not even connect to the Internet), and in the address field type any one of these addresses: c:/setuplog.txt, c:/bootlog.txt, c:/autoexec.bat, or c:/config.sys. Like magic, the files appear in your browser window using your default font type and size.

A site says it will show you the details of your Windows 95 setup, then displays your setuplog.txt file. For many users, this is enough to scare them. This is the start of rumor and myth. By linking to your own hard disk, the site had your browser go to your hard disk and display the file locally for you to see. There was no transmission of the file anywhere else – the site never did and never could see your data.

Magic: Running a Program on Your Computer

A real exploit was discovered a few months ago. If you are using Windows 95 and you install programs using the customary, default parameters, then you have on your system a variety of shortcuts. These shortcuts are icons put in convenient places to enable you to quickly run programs. The shortcut is not the program, but merely a pointer to the program. It is called a shortcut because you click on the pointer and the program runs. If you use default installation parameters and configurations, then your shortcuts are placed in well-known locations. For example, the Quicken shortcut may be in your Start Menu in a folder called Quicken, and so on.

The exploit uses this knowledge to link to your shortcut, which, in turn, executes the program on your hard disk. With some programs, this is merely a nuisance. With others, however, there is the danger that the site can use command line parameters and other techniques to make your program do something you do not want it to do.
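Both tricks described so far, the harmless local-file link and the shortcut link, leave the same trace in a page's markup: a link whose target is on your own disk rather than on the web. The checker below is an added example, not part of the original column; the attribute list, the shortcut extensions, and the sample page (including its Quicken path) are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed for this example: extensions that launch something instead of showing text.
SHORTCUT_EXTS = (".lnk", ".pif", ".url")
DRIVE_PATH = re.compile(r"^[a-zA-Z]:[\\/]")   # c:/autoexec.bat or C:\config.sys

def classify(target):
    """Return None for an ordinary web link, else 'local-file' or 'local-shortcut'."""
    t = unquote(target.strip())
    low = t.lower()
    if not (low.startswith("file:") or DRIVE_PATH.match(t)):
        return None
    path = low.split("?", 1)[0].split("#", 1)[0]
    return "local-shortcut" if path.endswith(SHORTCUT_EXTS) else "local-file"

class LinkScanner(HTMLParser):
    URL_ATTRS = {"href", "src", "action", "background"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                kind = classify(value)
                if kind:
                    line = self.getpos()[0]   # line where this tag starts
                    self.findings.append((line, tag, kind, value))

def scan(html):
    """Return (line, tag, kind, target) for every link that points at the local disk."""
    scanner = LinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one normal link, two local-file links, one shortcut link.
SAMPLE = """<html><body>
<a href="http://www.example.com/news.html">Today's news</a>
<a href="file:///c:/autoexec.bat">See what we can read!</a>
<iframe src="c:/setuplog.txt"></iframe>
<a href="file:///C:/WINDOWS/Start%20Menu/Programs/Quicken/Quicken.lnk">Click here</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, target in scan(SAMPLE):
        print(f"line {line}: <{tag}> {kind}: {target}")
```

A "local-file" finding is the myth (your browser shows you your own file and nothing leaves the machine); a "local-shortcut" finding is the one to treat as hostile.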

Myth: Catching a Virus by Reading Email Messages

With annoying regularity, I get messages from people warning me about a new virus contained in an email message. These good Samaritans warn me to delete certain mail without reading it to avoid the dire consequences of virus infections. There are many well-known examples of this hoax, including the Good Times email message that makes the rounds on AOL with regularity.

You cannot infect your system by reading an email message. Please note that I am referring to messages only, not to email attachments. Email messages are ASCII text (the letters and other characters of your keyboard) only. There is no way to execute an ASCII email message. This is like writing down $500 on a scrap of paper and trying to deposit it in your bank. You will likely be unsuccessful. (To my way of thinking, checks are not scraps of paper.)

However, if the email message contains an attachment such as a Word document, an Excel spreadsheet, or a program, then you are in danger of a virus infection. To counter that threat, run a good anti-virus program and keep the signature files updated monthly.

Magic: Transferring Money Away from You

This last example is the most serious of all, and it is real. In recent months, a group found a way to remotely enter financial transactions into a pending transaction list. The idea is a simple one. Users of Quicken online banking follow a security protocol. In this sequence of events, the offline user enters electronic transactions into a list of pending transactions. Once these transactions are placed, the user executes a command to go online, and enters the appropriate PIN. Like magic, the system goes online, executes the pending transactions, downloads status information, and goes offline.

The exploit places transactions into the pending file. The next time the user executes the command to go online, and enters the correct PIN, the bogus transaction is sent along with the real ones. Your best defense is to carefully monitor the pending transactions list before you go online – make certain you recognize all of the transactions.

Safety and Enjoyment

The online experience can be enriching and can provide convenience we did not even dream about 5 years ago. This column isn’t intended to scare you. My purpose is to inform you that there are real risks that affect everyday people like you and me. The "secret" to safe computing is knowledge and vigilance. If something doesn’t look right to you, avoid it. Take a little time to read columns such as this. And watch carefully when things are happening online.

Copyright © 2002-2007 Michael Miora