ScottLog

August 15, 2008

Keeping You Safe From Internet Sodomy

Filed under: Uncategorized — numist @ 5:28 pm

I have a lot of family who send me virus warnings and the like to see if they are valid. They spend enough time on the internet to get into trouble, but not enough to be really resistant to the kinds of psychological attacks that script kiddies use these days.

This is intended as a reference for them. A first place to look if you get a message that isn’t obviously a message from a friend.

The best scams will appear to come from a person you know. Maybe even a friend. This is usually because they got trojaned successfully themselves, and the payload gained access to their address book, friends list, or what have you and sent itself to all of them. If it comes from someone you know (especially someone you haven’t spoken with recently), that doesn’t make it safer.

The next test for “how suspicious should you be” is the quality of the language used in the message. If the spelling and grammar are different from messages you’ve received from that person in the past, be suspicious. If the message contains egregious crimes against the English language, you probably already have your answer.

Now that you’ve been slightly primed, an example. Do yourself a favour and do not click or browse to anything you see in this message:

hi Scott, wow.. you could be tht naughty i didnt knw :D

have a luk urself…
http://www.google.com.id.lsldoosh.0nv3v7.56982a17.cn/gallery.php?id=vvlrvczf5&auth=9984053&cyua=wh32fimg8h
(click open or run when prompted)

First, note how this person doesn’t know me. I’m naughty? That’s news to me too. Most of these types of message try to lure you in with the idea of free pornography, which this message cleverly alludes to — the person is reciprocating a link after finding out how naughty I am. Sometimes this backfires: I got this message from a guy I barely know on Facebook; I’ve got no intention of seeing his homemade porn, thanks.

BUT LOOK AT THE LANGUAGE! I would drive over and slap someone I knew who wrote me a message like this, assuming I would slow down enough to get out instead of running them over.

The message also tells you to “click open or run when prompted”. Now remember: you’re already suspicious, and if you clicked on the link you’ve already done enough to get hacked. Don’t change your browsing styles because some suspicious message told you to. NEVER CLICK RUN.

Lastly, the link is the final straw (it usually is), but you have to know the structure of a link to really know if it’s dangerous or not. It starts with http://www.google.com, so it has to be good, right? Wrong. That’s not how links work, and I’ll show you why.

Links have multiple parts, and the most important is the domain, which translates directly to the address of the Other Guy. This is the portion between the http:// and the next /. The whole thing, not part of it. Let’s remove everything but the domain for the message I just got:

http://www.google.com.id.lsldoosh.0nv3v7.56982a17.cn

Domains are like a family tree, but they read from right to left, with each part separated by a period. maps.google.com is a site under google, under com. The domain from the hacky link I was sent today was a site under google, under com, under id, under …, under 56982a17, under cn. That’s not the same google.com that you know… it’s an imposter! If you don’t recognize all of it, or it doesn’t make sense when read right to left, don’t click it.

Links are great, but sometimes they can be hidden from you. If you see a link in an email that says “http://happyfunplace.com”, it might not point where you think it does. Right-click on it, and copy the link. Paste it in a document (NOT YOUR BROWSER) and have a second look. It’s probably not what you thought it was. Does it look like snot? Trash it.
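As an added example (mine, not from the post), here is the whole-domain test from above written out in Python, together with the hidden-link comparison and a flag for non-ASCII (internationalized) hosts, the case the comments below raise. The function names (`registrable_domain`, `warnings_for` and friends) are hypothetical, and keeping the last two labels as the registrable domain is a simplification of what the public suffix list does; the sample link is the one quoted in the post.

```python
from urllib.parse import urlsplit

# Sample input: the link quoted in the post above (not constructed).
POST_LINK = "http://www.google.com.id.lsldoosh.0nv3v7.56982a17.cn/gallery.php?id=vvlrvczf5&auth=9984053&cyua=wh32fimg8h"

def host_of(url: str) -> str:
    """The part between 'http://' and the next '/', lower-cased, trailing dot dropped."""
    if "://" not in url:
        url = "http://" + url  # bare 'happyfunplace.com' pasted from an email
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host: str) -> str:
    """Read labels right to left and keep the last two: maps.google.com -> google.com.
    Simplification: a real check would consult the public suffix list (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])

def is_same_site(url: str, expected: str) -> bool:
    """True only when the WHOLE registrable domain matches, not a prefix of the host."""
    return registrable_domain(host_of(url)) == expected.lower()

def looks_internationalized(host: str) -> bool:
    """Flag a host that is not plain ASCII or already carries a punycode (xn--) label."""
    return not host.isascii() or any(l.startswith("xn--") for l in host.split("."))

def to_ascii_host(host: str) -> str:
    """What the resolver really looks up: non-ASCII labels become xn--... via IDNA."""
    return host.encode("idna").decode("ascii")

def hidden_link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one site but the href leads to another."""
    if " " in display_text or "." not in display_text:
        return False  # 'click here'-style text: nothing to compare against
    return registrable_domain(host_of(display_text)) != registrable_domain(host_of(href))

def warnings_for(url: str, expected: str, display_text: str = "") -> list:
    """Collect the post's red flags for one link as a list of plain-English reasons."""
    host, reasons = host_of(url), []
    if not is_same_site(url, expected):
        reasons.append(f"domain is {registrable_domain(host)!r}, not {expected!r}")
    if looks_internationalized(host):
        reasons.append(f"non-ASCII host, resolves as {to_ascii_host(host)!r}")
    if display_text and hidden_link_mismatch(display_text, url):
        reasons.append(f"link text {display_text!r} hides href host {host!r}")
    return reasons

if __name__ == "__main__":
    print(warnings_for(POST_LINK, "google.com"))  # one reason: domain is '56982a17.cn'
    print(warnings_for("http://maps.google.com/", "google.com"))  # []
```

The Cyrillic-looking case is written as `"\u0430pple.com"` in the test so the lookalike letter is visible in the source, which is exactly why a reader of the screen cannot tell it apart.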

Lastly: Unless you know exactly where it points (you recognize every single letter in the link), do not click a link in your email. If you get a message from your bank saying that you have to fix some issues with your account, call them (more effective if there is actually a problem) or (if you use online banking) log in the same way you usually do. Do not follow the link.

I know that’s quite a bit to absorb, but really, this is all you need to know to keep yourself from getting infected as you frolic around the wonderful internets. Go have a good time now, and never click “Run”.


4 Comments »

  1. If they’re not technologically savvy enough to avoid getting nailed by malware, they’re not going to understand jargon like “trojaned” and “payload”. Depending on how comprehensive you’re shooting for, you may want to provide a primer (or a link to a primer somewhere else) on ways their computers might come under attack.

    Comment by Dan — August 15, 2008 @ 6:20 pm | Reply

  2. The article only assumes that the reader recognizes that “trojaned” and “payload” are Bad Things. It seems like a pretty safe assumption. It serves to keep my pedant friends off my back about misleading people.

    Also, “payload” is not really a technical term any more than “sabot” is a technical term. Before computing, it referred to the explosives in a warhead, which makes it a great analogy.

    In any case, I’ve linked the words “trojaned” and “payload” to appropriate locations on Wikipedia so people can have the reference.

    Comment by numist — August 15, 2008 @ 6:43 pm | Reply

  3. […] Bottom line for anyone who has better things to worry about: It’s fine, leave the checkbox on, and if it ever warns you that you may be visiting a malicious website, stop and listen to it. You are probably not where you intend to be. Scott can explain. […]

    Pingback by Joe Auricchio » Blog Archive » Safari 3.2’s Anti-Phishing — November 29, 2008 @ 3:18 am | Reply

  4. Oh, it’s also interesting to note that with IDN enabled, even if you recognize every single letter of the domain, it may still not be pointing to where you think it is, because there’s nothing to guarantee that the ‘a’ you see on the screen is an ASCII ‘a’ and not something from a completely different Unicode codepoint which will get mapped to an entirely different domain.

    Isn’t phishing fun?

    Comment by D.J. Capelis — December 1, 2008 @ 2:48 pm | Reply



Blog at WordPress.com.
