From: “Paul M. Cardon” <pmarc@fnbc.com>
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Message Hash: 4e5e0f8a087a262e375b9ef9d7ac23da359527237516edf0f481859152d13fdc
Message ID: <199601301239.GAA00246@abernathy.fnbc.com>
Reply To: <9601300015.AA15891@sulphur.osf.org>
UTC Datetime: 1996-01-30 13:08:44 UTC
Raw Date: Tue, 30 Jan 1996 21:08:44 +0800
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit

My mailer insists that Nathaniel Borenstein wrote:

> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich
> Salz@osf.org (255)
>
> > >There are many ways to spread it besides a virus. Zillions of
> > >'em. And
>
> > There are zillions (what, more than one thousand?) ways to get
> > someone to run a random piece of software that will capture their
> > keystrokes?
>
> Yes, zillions, although I'm not using that as a technical term.
>
> > I don't believe you. Name six.
>
> Sure thing, always glad to clarify my claims.
>
> 1. (my current favorite) post it to MSN. There, Microsoft has made
> getting infected with a Trojan Horse as easy as clicking on an icon
> embedded in a mail or news message. (You want to try convincing the
> average consumer that it isn't safe, if Microsoft makes it that
> easy?)
>
> 2. Get the sources to a public domain image viewer. Change them
> slightly. Claim that you've improved it by 13.7%. Post your
> improved (and infected) image viewer to the net.
>
> 3. Ditto for an audio viewer, a mail reader, a news reader,....
> (zillions right there alone)

I count numbers 1, 2 and 3 as one way (Trojan Horse).

> 4. Imitate the IBM Christmas exec. Break into someone's site and
> steal their mail aliases file. Now send mail to everyone on their
> alias list, pretending to be them, offering them a cute animation
> program they can install. The animation will happen, but it will
> also send mail to all THEIR aliases (like the Christmas exec) and
> (unlike that) install our malicious snooping software.

If you can break in that far, I can think of much more imaginative
things to do with the access.

> 5. Write a genuinely useful program (or a game) of your own, but
> embed your attack in it.

Again, 4 and 5 are the same as 1, 2 and 3. (I thought I smelled
horse biscuits.)

> (Caution: Being the real author will
> increase your traceability.)

Insultingly obvious.

> 6. Write a pornographic screen saver. Not only will zillions of
> people download it, but they will EXPECT the code to watch
> keystrokes.

YATH (Yet Another Trojan Horse)

> 7. [*maybe*] Spread it by Java applet. This is a maybe because the
> level of Java security seems to be browser-discretionary. Even a
> relatively conservative let-the-user-choose approach like
> Netscape's, however, can be defeated with a little social
> engineering, as in "this is a really cool Java applet to do XYZ,
> but you'll have to set Netscape's Java security level to minimum to
> run it....."

Yes. Trojan Horse. Whinny. Neigh.

> 8. Internet-based breakin/installations, e.g. to NT or anything
> else that runs incoming services.

Ahh, finally something other than a Trojan Horse attack, but it
only affects sites with poor security. In that case, this attack is
the least of their problems.

> 9. Traditional virus techniques.
>
> Oh, you only asked for 6, sorry..... Feel free to ignore a few.

Wow, a whole three different attacks and most of them much more
useful for things other than gathering credit card numbers.

It's sad to think that a lot of people may actually believe this
crap. Let's just hope that enough technical users provide rebuttals
in the other fora where this stuff appears.

---
Paul M. Cardon -- I speak for myself. 'nuff said.
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e