The Real Lessons of ILOVEYOU - page 2

Just Wait Until More Sophisticated Scripts Head Our Way

  • May 9, 2000
  • By Dennis E. Powell

Look. The threats to the security of your system are all over the place. Have you ever gotten e-mail that's HTML-formatted? Of course you have. Sometimes it is because someone with nothing to say thinks you won't notice if he says his nothing in multiple colors, with a picture and maybe a box around it (in much the same way that a lot of people employ the PGP encryption program so as to make sure that the nothing they have to say is secure). Sometimes it is a newsletter that you have requested (though I for one unsubscribe the minute the move is made to HTML). Sometimes it is spam. And if you look at the source code of the HTML in spam, you'll often as not discover that it contains a one pixel by one pixel transparent .gif image--something that never shows up on your screen. The point isn't to show you a very tiny picture. That .gif file is called from a distant server, and your mail program has to go there to pick it up. Whereupon the spammer knows that your e-mail address is valid. Good for the spammer: Lists of guaranteed valid e-mail addresses sell for a lot more than lists of random e-mail addresses. But chances are that you've already saved them the trouble, if you've allowed your e-mail program to send receipts when requested--sadly, the default on many e-mail applications. As soon as you pick up your mail, the spammer knows that your e-mail address is good. And if you think that spam is merely annoying junk mail, you are destined to one day learn otherwise, if you don't exercise the simple safeguards that block the spammer's confirming that you exist.
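To make the two confirmation channels described above concrete, here is an added example (not part of the original column) that audits a message for a read-receipt request header and for remotely hosted 1x1 images. The sample message, its addresses and the function names are constructed for illustration; the check relies on explicit width/height attributes, so a beacon that omits them would need a different heuristic.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): HTML mail that asks for a read
# receipt and embeds a remote 1x1 image next to ordinary images.
SAMPLE = """\
From: offers@bulk-sender.example
To: reader@example.org
Subject: Big savings
Disposition-Notification-To: offers@bulk-sender.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="http://img.bulk-sender.example/logo.gif" width="200" height="60">
<img src="http://track.bulk-sender.example/o.gif?id=reader%40example.org" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def is_tiny(value):
    return value.strip().lower().replace("px", "") in ("0", "1")  # "1", "1px", "0"

def audit(raw):
    """Return (kind, detail) findings for receipt requests and remote 1x1 images."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    receipt = msg["Disposition-Notification-To"]  # header that requests a read receipt
    if receipt:
        findings.append(("receipt-request", str(receipt)))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            remote = urlparse(img.get("src", "")).scheme in ("http", "https")
            if remote and is_tiny(img.get("width", "")) and is_tiny(img.get("height", "")):
                findings.append(("remote-1x1-image", img["src"]))
    return findings
```

Neither finding causes harm if the mail client does not load remote images and does not answer receipt requests automatically.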

Want a cookie? If you've configured your Web browser to inform you when a distant site wants to set a cookie on your machine, you'll be asked this a lot--often over and over and over until you finally give in and allow it. What could this cookie be doing that is so important? Well, you don't know and will never find out, because its contents are encrypted. All you know is that you are allowing someone you don't know to put something on your computer that will later tell that distant unknown someone something (they won't tell you what) about you. There has recently been a lawsuit brought in connection with a company that has matched up cookie information, e-mail addresses, and other data, and was marketing these data to others. This is the rough equivalent of someone selling copies of your telephone records--who you called, how long you talked--plus any business you transacted, the subject of the call. But chances are your browser is set to the default, which allows cookies to infect your machine and return their data without your ever even knowing about it.

Do you know who is trying to get into your machine? I absolutely guarantee you that someone is. No, multiple someones. The machine on which I am writing this is connected to the Internet via a dial-up connection, meaning that my IP address changes every time I log in. I use a simple but apparently effective port monitoring program that keeps track of any time someone targets this machine for mischief. It tells me that I'm port scanned at least twice a week; once every couple of weeks, someone makes an attempt to break in. While I've taken a few reasonable steps to secure the machine, I'm not at all illusioned that no one can succeed; indeed, I would not bet much that no one has (though I would bet that such a person was disappointed, because I don't keep much on the machine that would be of any interest to anyone else). But people on permanent or semi-permanent IP locations, with a constant Internet presence on the Web via T-1 or even DSL or cable modem, are a much easier target, because they sit still for concerted attacks. And such an address is more likely to contain something useful, because it is more likely to be a business, whose computer might contain credit-card numbers, bank-account numbers and balances, or important business information.

Not long ago I visited a close friend, a Visual Basic programmer by trade, who keeps several machines on in his home office. He told me of the damnedest event that had taken place the day before. He was sitting at his desk, programming merrily along, when a modem on one of his other machines, a few feet away, dialed out. It then sent--something, he never found out what, but it was a sustained transfer for more than a few seconds--and then ended the connection. He was never able to determine what it was all about, but it wasn't anything that he had initiated. He wasn't very concerned, because there was nothing of value on that machine. But it's frightening.

So the primary lesson of the ILOVEYOU incident isn't so much that a crudely written Microsoft macro can cause so much trouble. It is instead that computers are vulnerable, some more than others, some operating systems more than others, and that the threats we do know are nothing compared to the ones we don't. The successful computer criminal is the one who hasn't been caught, and the best way for him to avoid capture is for his victims never to know about him and instead just wonder how some bit of information, pardon the pun, was found out.

It's a lesson that the media, mainstream and computer-related, have fallen short in delivering. And it is a lesson that we will all learn--the only question being how much it will cost us to learn it.

Dennis E. Powell's current book is Practical KDE, from Que.
