The Script Kiddie Cookbook
Abstract: Computer Security for Everyday Users
Copyright 2005 by Matthew J. Basham


Page 2: Script Kiddie Cookbook

2

The Script Kiddie Cookbook: Computer Security for Everyday Users
Matthew J. Basham
Copyright ©2005
Published by: Lulu Press (http://www.lulu.com)

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher or the author, except for the inclusion of brief quotations in a review. Any reproductions for learning purposes should be reported to the author for accounting purposes ([email protected]).

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
This manuscript was supplied camera-ready by the author.


Table of Contents of the Script Kiddie Cookbook available at http://www.lulu.com

Chapter 1: Introduction ... 5
Unit I: Legal Stuff ... 10
Chapter 2: Legal system basics ... 11
Chapter 3: Cases of Interest ... 42
Chapter 4: Acceptable Use Policies ... 94
Unit 2: Hacking History and Foundational Stuff ... 105
Chapter 5: History and Psychology of Hacking ... 106
Chapter 6: Networking Frameworks ... 115
Chapter 7: Logic Problem Fundamentals/Cryptography Fundamentals ... 119
Chapter 8: The “Anatomy of a Hack” ... 132
Unit 3: Tools of the Trade ... 135
Chapter 9: Downloading stuff from the web ... 137
Chapter 10: DOS ... 147
Chapter 11: Password Protection ... 202
Chapter 12: Protocol Inspectors ... 215
Chapter 13: Port Scanners ... 235
Chapter 14: Having fun on the Internet…or not ... 252
Chapter 15: E-mail and SPAM ... 264
Chapter 16: H4xor 5p34k ... 286
Chapter 17: How to stop those frigging pop-up ads ... 289
Chapter 18: Knoppix STD: an introduction ... 296
Unit 4: Putting it all together ... 335
Chapter 19: Case Studies in Hacking ... 336
Chapter 20: Prologue ... 341
Cool email from “Phantom” ... 345


Chapter 9: Downloading stuff from the web

• Introduction
• What about when I need to download things for work?
• Geek Stuff: Virus basics
• Summary
• Exercises

One of the biggest problems with letting people use the web is the apparent isolation of each user. Just because you are relatively alone while you are using the Internet does not mean you are not being watched. Many times people forget their computer is part of a bigger mesh of computers. At any given point monitoring can be, and usually is, taking place. EVERYTHING in a school network passes through multiple monitoring devices. Are you using an instant messenger (AOL©, MSN©, Yahoo!©, ICQ©, et al.)? Everything can be recorded with monitoring devices. I know it all sounds Orwellian, but in today’s litigious society schools need to monitor everything very carefully. What most schools are not doing is following up on those huge logs and policing the activities of their users…at least not yet.


Several years ago there were a couple of websites that were being touted as being very funny. The first one is called the “frog in the blender” or the “fish bowl blender” in the same vein. In short, you could push a button that blended the fish or frog into a frothy little puree. Why? Some people thought it was a lot of fun. The other site was called the “Hamster Dance” website.

All that site contained was a mesmerizing little flock of hamsters doing a simple little dance to this catchy little tune that you could not get out of your head for days on end. This website, like the frog in the blender, also spawned bunches of other sites like the “cow dance,” “fish dance,” and others.1

You would not believe how many people have seen many of these sites. Why am I bringing them up here? I am bringing them up because the “frog in the blender” and “fish bowl blender” websites were made for purely malicious activities. The everyday user has no idea which site is innocent and which is not.

Depending upon which sites you may have visited, one iteration of the “frog in the blender” was set up by hackers to become a Trojan horse. In everyday terms, by merely pushing the button to make the frog or fish shake you had inadvertently turned your computer into a computer that the hacker could control at any time. Oh I know, your school has firewalls and other safety measures. But the problem is: SECURITY IS ONLY AS GOOD AS ITS WEAKEST LINK. By activating this blender you have created a hole, from the inside of the network to the outside of the network, for the hacker to use…they have basically bypassed all of your security. We call them Trojans in reference to the Trojan Horse in Greek history…“Beware Greeks bearing gifts.”

The other incarnation of these blenders (hackers are big-time copy-cats) starts the same way: you press the blend button. Only this time you have unknowingly downloaded a virus onto your computer. When you have this virus it will sit in hiding until May 28th and then become “active” and erase everything on your hard drive. How do you know it is there? You can search for these files: blender.exe or fish.exe.2 Even the cutest little sites can be dangerous to your files and the school network in general.

1 Frog picture retrieved May 16, 2003 from http://allaboutfrogs.org/gallery/mystuff/doodles4.html

A good overall rule is to never download anything, “execute” anything, or “play any games” with your work computer. If you want to download a game, or to visit a funny site, then do it at home. It is not worth losing your job over something like this…it may seem trivial to you, but when you visit one cute little site you usually cannot help but send it to your friends. And then they “activate” it and send it to their friends. Next thing you know an epidemic is at hand. Who looked at it first? We can find out from our logs and pinpoint them. Again, do this stuff at home because it does not belong at work.

What About When I Do Need to Download Things for Work?

There are times (just as I did with the frog picture) when you cannot avoid having to download things from the Internet onto your computer. The rule is simple: be knowledgeable enough to know where you can download things and where you cannot. In general, sites that exist solely for the purposes of uploading and downloading, like download.com or cnet.com, should not be used at work. If you must download, then I generally will “sort of” trust other educational or not-for-profit sites. Notice how the frog picture was downloaded from a not-for-profit site. I still used my virus checker for that little extra bit of protection too. Even then you can never really be certain, but at least you have done everything you possibly can.

What’s that? You don’t know how to use your virus scanner? Well then let’s just spend some time and show you how to do it with our frog picture. First open a browser window using Internet Explorer (or Netscape Navigator). Then put http://allaboutfrogs.org/gallery/mystuff/doodles4.html into your navigation/address bar and hit enter. You should see a window like in figure 1 on the next page. Next you will see that same frog that appeared on the last page. Now, in this step you may be tempted to just copy and paste the frog into your document. Sure it is the quickest and easiest thing to do but we really need to go the “extra” mile and scan it for viruses just in case. In figure 2 we can see what menu “pops up” when we use the right mouse button (a.k.a. “right-click”) on the picture. Then we can select the “Save Picture As” option and put the picture into a folder. I would suggest saving the picture in a folder in the “my pictures” folder so you can more easily find it when we start using the virus scanner. In addition, when you go to insert the file later most programs start at or very near the “my pictures” folder.

2 From http://vil.mcafee.com/dispVirus.asp?virus_k=10172


Figure 1—IE page for frog picture download.

Figure 2—Right click on the frog and select “Save Picture As.”


Figure 3—Saving the picture in a folder on my computer.

I saved the picture in a folder called “downloads” in the “my pictures” folder as shown in figure 3 above. Next we need to start the virus scanner. St. Petersburg College has chosen McAfee’s Virus Scanner as the tool of choice. To start the process use the “start” button on your taskbar (usually the lower left-hand side of the screen), find the “Network Associates” link, then “Virus Scan” (see figure 4).

Figure 4—Finding the McAfee console.


Figure 5—McAfee Virus Scan “On demand” console.

Once the pop-up “on-demand” window comes up, use the “browse” button to navigate to your folder with the frog picture in it. Usually you should be able to just select “my documents” then “my pictures” and you are there. I also added a “downloads” folder as shown in figure 6 below.

Figure 6—Navigate to the folder where you put the file.

Next look at figure 6 at the options on the lower left-hand side of this window. You can select “default files,” “all files,” or “user specified files.” Since I am only putting things in here that I download (and it is thus a very small number), I will switch it to “all files” as shown in figure 7 on the next page. Then you just need to click on the “scan now” button in the upper right-hand corner and McAfee will scan everything in that folder. When McAfee is finished you will see a window like in figure 8 on the next page.


Figure 7—Switching the scan to “all files.”

Figure 8—Results of scanning the folder where the frog picture was placed.

Ok. So you are out of the woods. There appears to be no problem with viruses, at this time, for the frog picture. In figure 9 I am showing you a screen shot of what happens when you have viruses of some sort on your computer. Should I be worried? Only if I did not know what I was doing. Being a computer guy I know those “infected” files are actually programs for testing network security and that they show up as “Trojans” because that is the very nature of the program.


Figure 9—Output from scanner showing “infected” files.

Furthermore, during the scan if you have an infected file the scanning will stop and ask you if you wish to delete the file. In most cases I would say “most definitely” to delete the file. Being an inquisitive computer guy I usually save the file off on a diskette first, then re-scan a couple of times to make certain the file is gone. I have a couple of diskette storage bins full of viruses that I use in classes where I teach students how to remove them. There are even sites that sell CD-ROMs with thousands of viruses on them.3 Usually teenagers are out there buying these things and bringing them in to school on floppy disks or CDs, and they will sometimes have viruses right on the same disk on which they turn in their assignments to you. To keep it simple I would always ask for paper copies of assignments.

As our classrooms move to being more technologically savvy we will have to be ever more vigilant about our use of virus scanners. At some schools, like the University of Florida, students come into the classroom, hook their laptop into an Ethernet jack in the seat, download their homework assignments and then upload their next assignments right onto their laptop. There has been considerable debate about implementing this style of classroom in community college settings. On one hand, having students purchase laptops would save considerable resources for other projects. Since budgets are being hacked and slashed at an alarming rate this would seem like a good idea. On the other hand, by putting the burden of purchasing computers on the students in a community college setting we may be inadvertently segregating our educational facilities into the people who can afford laptops and those who cannot. Those who cannot would not be able to attend. Alas, the debate will rage on for quite some time, I am sure.

3 See, for example, http://www.ameaglepubs.com/store/index.html

Viruses in a Nutshell

Computer viruses were started back in the mid-1960s as an attempt at creating artificial intelligence. The early writers wanted to create a computer program that could learn from its mistakes and become better. Biological viruses work in the same fashion: they replicate and usually become stronger with every iteration. We have yet to create a program capable of “thinking” for itself, but with every new generation of super-computer we are coming closer to the day this will happen. There are many good anti-virus packages out there like Norton, F-Prot, PC-Cillin, Dr. Solomon, and others, but I happen to like Norton for home use and McAfee on a corporate-style network. Basically all virus scanners work the same way: they use a “test” pattern4 to compare against files. There is a rumor that virus companies are responsible for creating and releasing many viruses onto the network. How else can they have “fixes” (also known as patches) for them within hours after the new strain of virus is first discovered?

While you may be shopping for virus protection packages you may encounter claims of “will detect 97%” of all viruses or “will detect 98% of all viruses.” If, like me, you are a mathematically minded person you will probably be tempted to buy several, hoping to raise that detection up to almost 100%. I urge you now to only use ONE anti-virus package. The test pattern in one virus checker will cause a “false positive” reading when another virus checker is running. In short, you will be chasing many “ghost” viruses that do not exist and may even end up causing damage to your system.

Summary

In this chapter you learned that downloading things from the Internet onto your work computer can inadvertently put viruses on your computer if not done properly. It can even cause you to lose your job in some circumstances. The bottom line is to only download things from the Internet for work-related purposes and to virus scan them thoroughly using the latest version of scanning software. You cannot avoid viruses but you can severely reduce the chances of being infected by one. Since most user policies are written to put the burden on the user you need to know this stuff (it’s a technical term).

Exercise 1

1. Go out to the web and find some pictures or icons to use in creating a PowerPoint presentation for your class.
2. Save the pictures to a folder on your hard drive.
3. Virus scan the folder and all of its contents.

Exercise 2

1. Ok, now let’s have you try to run a virus scan on a diskette. Your instructor should be giving you a diskette for you to use.
2. If your diskette has a virus on it then what procedures would you take to remove the virus?

Exercise 3

1. From time to time you should check on the version of virus scanner your computer is using. More importantly you should check that the latest virus update files have been applied. Remember, it’s your computer and your responsibility to check this…you will need to notify the help desk for any updates if needed.
2. What are your procedures for putting in a work order for your computer?

4 Commonly called the “EICAR” test pattern.


Chapter 14: Having fun on the Internet…or not

• Introduction
• History files
• Favorites
• Daemons
• Geek stuff: Cookies basics
• Summary

There are times when you might be out on the Internet looking for something for work and you might start to stray. Maybe it is a pop-up ad that gets your attention or maybe you accidentally went to the wrong site…in either case there are several things that happen on your computer and the network that “record” where you have been. In this chapter we will look at how this information is recorded on your computer and how it is removed. How it is recorded and removed on the network is out of your control so, again, the best thing to do is keep your surfing habits to work-related sites only (even if you are on a break).

History files

Just like Hansel and Gretel did in the Hans Christian Andersen story, when you go out on the Internet you leave a little trail behind you of every place you go. To the lay person: you can easily clear out your “trail” by clearing your history files. The history file was actually created to save you time when traveling over the Internet. Have you ever wanted to return to a website by starting to type it in, only to have your computer finish the address for you? This happens because the computer matched what you were typing to the addresses stored in your history file. By clearing out your history file you can already see plusses and minuses. A plus: no one can usually come behind you and see what sites you have visited. A minus: you will have to re-type every website again.

Let’s go see what dirty little sites I have been to on my computer. Since I have been using Internet Explorer (IE) lately, as most people seem to do, we’ll use IE. First let’s open up IE and then click on the little down arrow to “see” some of the past sites visited (see figure 15-1). So it’s a bit nice to see all of those sites sometimes, especially if you visit them often (for work, of course). But that is why we have a “favorites” folder to hold that information.

Let’s actually clear out your history file. At the toolbars in IE click on the “Tools” pull-down menu and select “Internet Options.” You should see a pop-up window similar to figure 15-2.


Figure 15-1—Looking at your history file.

Figure 15-2—The “Internet Options” pop-up window.

Next, look down near the lower right-hand corner in the “History” box. You will see a button named “Clear history.” Another pop-up window will ask you if you really want to clear your history files (which you do), so click “yes.” Next click on the “ok” button on the Internet Options window to make it close out. Now let’s look at our “history” again (see figure 15-3).


Figure 15-3—Cleared history file.

It does not take very long to do, but you also have to remember that the next time you visit a site you are generating more entries in your history file. How do you think you could set your computer to never keep anything in your history file, so that you will not have to keep clearing all those sites every now and then? You just pulled up that Internet Options window a second ago and cleared the history file (figure 15-2). If you look to the left of that “Clear history” button you will see an option for how long to keep those files in your history file. By default it is set to keep them for 20 days. If you set that to keep them for 0 days you will never see anything appear in there.

Favorites

You may be diligent in removing those history files, or have even set it to not contain any at all, but there are other ways to find information on your computer. One easy tell-tale place is within your “favorites” list. Here you may have “bookmarked” an Internet site for easy return. This one is really easy to see. In IE just click on the “favorites” pull-down menu (see figure 15-4). As we have said all through this manual, it is easy when you know how.


Figure 15-4—Looking at the “favorites” pull-down menu.

So another good tip is: if you do not want anyone to see where you have been on the computer, do not keep history and do not bookmark a site. Of course you still have to remember that if your computer is on a network at school, the websites you visited are also recorded at possibly several high-powered computers.

Daemons

Privacy tab in Internet Options settings (accept or deny cookies).

Geek Stuff: Cookies Lab

The Internet is a wonderful place. There are millions of different sites for you to visit and even more new ones being added every day. The websites you visit usually do not have any real way of keeping track of all of the specifics of each visitor to their site and what they did while they were there. This would require an enormous amount of resources for every single website. Instead, website programmers use something called a “cookie” to keep track of your access. Instead of putting it on their website, they keep it on your workstation. When you visit the site again the website accesses that cookie from your computer and can even use that information to “greet you by name” upon the second visit to their website.

The term “cookie,” as it relates to computer technology, is not that new. In fact the term “cookie” is a descendant of the UNIX operating system (written in 1969) function called “magic cookie.” Magic cookies, in UNIX, are used for transferring small “tokens” of information between two computers. In fact, Macintosh computers do not use the name “cookies” but stick with the UNIX name “MagicCookies.” It performs very much the same function as Windows-based cookies.

Like we said, a cookie is a text file full of information about you, the pages you visited, any usernames and passwords (usually encrypted), and information about anything you have downloaded from their site. As with everything else, we have rules that apply to cookies to which website programmers try to adhere:

1. Usually there is one cookie (or more) “set” per website that you visit.
2. Cookies are to be no more than 4 kilobytes in size.
3. No more than 20 cookies per website, server, or domain SHOULD be set on your workstation.
4. No more than 300 cookies should exist on your computer at any time. If this limit is exceeded then the newer cookies should be written over the oldest cookies.

Hmm…sounds like a good simple transparent virus-type code…change the cookies setting with programming so that no cookies are ever deleted and eventually the hard drive fills up, the workstation begins running slow and crashes. Best of all, it could take weeks or months before it happens and you will probably not be able to trace it back to where you got it from…pure evil.

So why do you think this may be important for us in a security class? Think outside the rules. How can this be perverted to someone else’s advantage? That’s right. They could upload all of the cookies instead of just their cookie. Now they can get a profile of you, your web habits, and, possibly, your shopping habits. We know those passwords are encrypted but those are easy to reverse engineer too. Someone could be out there using your username and password right now. Think about someone planting a Trojan daemon that periodically sends your cookies, IP address, username, etc. back to a central source. Talk about damage incorporated.

Luckily for us cookies can be viewed, edited, and even turned off on our computers. In this lab you will learn how to find cookies, view source code in cookies, use a protocol inspector to see hexadecimal code for cookies, and learn how to turn off the cookies feature in both Netscape Navigator and Internet Explorer.

Finding and Viewing Cookies on Your Computer

Let’s start off with one of the more popular browsers: Internet Explorer. To find the cookies in Windows 2000:

1. Open Windows Explorer.
2. Then navigate to “documents and settings”, then your user name (if it is attached to a network), and you should find a folder, easily enough, called “cookies.”
3. Open it up and you will see all of your current cookies.
4. In that folder you will find a file called “index.dat.” Even if you delete your cookies this file will still contain an entry about your cookies. Ahh…the smoking gun.

Let’s open one up! What? Don’t have any? Let’s make some! Open Internet Explorer and go to www.disney.com. You should see a cookie appear with the Disney name in there somewhere (in your cookie folder) along with several other cookies (we’ll get to those in a moment). Then open it up. You should see a line like this:


CPnull*disney.go.com/01726192353620305785659078873856214783567367

An interesting thing is to copy that line from WordPad (it will open in WordPad by default) and then copy it into Windows 2000…that one line of text breaks into several lines with line breaks (a.k.a. “carriage returns”):

CP
null
*
disney.go.com/
0
017261923536
20305785
6590788738
56214783
567367
*

Hmmm…looks like another opportunity for reverse engineering with a decompiler. (Before you try it on my data: I changed it…nice try.) Sometimes the cookies will even include usernames, passwords, machine ID numbers, IP addresses, the ISP from which the request originated, etc. In short, they are some mighty powerful little things. Let’s try this again for Netscape Navigator on a Windows 95/98/2000 machine:

1. Open up Windows Explorer.
2. Navigate to the “C:\” drive.
3. Then “Program Files.”
4. Then “Netscape.”
5. Then open the “users” folder.
6. If you do not have one for your id then open the “default” folder.
7. You should find a file called “cookie.txt.” Here all cookie information is kept in one file.

Ok…now how about Windows 95/98 (with IE):

1. Open up Windows Explorer.
2. Navigate to the “C:\” drive.
3. Then to the “windows” folder.
4. Then open the “cookies” folder.

What’s that? You see cookies from sites in there like doubleclick.com, hitbox.com, focallink.com, Globaltrack.com, ADSmart.com, and other websites even though you know you have never been there? That is one of the growing legal issues surrounding the use of cookies. It generally falls under the “privacy” category in law because most of this is taking place without your knowledge. Basically the information stored in your cookies is being “harvested” and sent to central database clearinghouses and then resold to direct marketing companies when you visit some websites. These things are “transparent” to you, as the user, whether you like it or not. Wait until we get to the lab on SPAM! Ever wonder how that junk mail shows up in your email box even though your company has a (seemingly) strict anti-spam policy? Yup…these transparent cookies are the culprits.

Viewing Source Code for Cookies

The syntax of a cookie is fairly simple. Most of them are written in http as a CGI script. Here is the syntax of cookies during transmission…you can see this when you capture packets with a protocol inspector. I am quoting the Netscape site on the syntax of cookies for your information (emphasis added):

Syntax of the Set-Cookie HTTP Response Header

This is the format a CGI script would use to add to the HTTP headers a new piece of data which is to be stored by the client for later retrieval.

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

NAME=VALUE

This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.

This is the only required attribute on the Set-Cookie header.

expires=DATE

The expires attribute specifies a date string that defines the valid life time of that cookie. Once the expiration date has been reached, the cookie will no longer be stored or given out.

The date string is formatted as:

Wdy, DD-Mon-YYYY HH:MM:SS GMT

This is based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the variations that the only legal time zone is GMT and the separators between the elements of the date must be dashes.

expires is an optional attribute. If not specified, the cookie will expire when the user's session ends.

Note: There is a bug in Netscape Navigator version 1.1 and earlier. Only cookies whose path attribute is set explicitly to "/" will be properly saved between sessions if they have an expires attribute.

domain=DOMAIN_NAME

When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".

Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that falls within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

The default value of domain is the host name of the server which generated the cookie response.

path=PATH

The path attribute is used to specify the subset of URLs in a domain for which the cookie is valid. If a cookie has already passed domain matching, then the pathname component of the URL is compared with the path attribute, and if there is a match, the cookie is considered valid and is sent along with the URL request. The path "/foo" would match "/foobar" and "/foo/bar.html". The path "/" is the most general path.

If the path is not specified, it is assumed to be the same path as the document being described by the header which contains the cookie.

secure

If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers.

If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.

Syntax of the Cookie HTTP Request Header

When requesting a URL from an HTTP server, the browser will match the URL against all cookies and if any of them match, a line containing the name/value pairs of all matching cookies will be included in the HTTP request. Here is the format of that line:

Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...

Source: http://wp.netscape.com/newsref/std/cookie_spec.html 14 June 2002

Remember: this is the code for transmission…not source code of cookies. Don’t get them confused. We’ll look at the transmission code in the next section. Before we move on to protocol inspectors let’s look at HTML source code a bit.
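As an added example (not code from the book, from Netscape, or from AOL), here is a small JavaScript cookie jar that applies the cookie_spec rules quoted above together with the four storage rules listed earlier in this lab: it parses Set-Cookie headers, rejects domain attributes the setting host may not claim, enforces the 4 KB, 20-per-domain and 300-total limits by overwriting the oldest cookie, and builds the Cookie request header using tail matching, path matching, the secure flag and expiry. The CookieJar, parseSetCookie and demo names and the acme.com sample headers are my own constructions.

```javascript
// Added example (not from the book, Netscape or AOL); names are my own, not browser APIs.
const MAX_COOKIE_CHARS = 4096;  // rule 2: a cookie is no more than 4 KB
const MAX_PER_DOMAIN = 20;      // rule 3: at most 20 cookies per domain
const MAX_TOTAL = 300;          // rule 4: at most 300 cookies, oldest overwritten
const SPECIAL_TLDS = ['com', 'edu', 'net', 'org', 'gov', 'mil', 'int'];
const MONTHS = 'jan feb mar apr may jun jul aug sep oct nov dec'.split(' ');

// Parse the spec's "Wdy, DD-Mon-YYYY HH:MM:SS GMT" date into UTC ms; null if malformed.
function parseExpires(s) {
  const m = /^\w{3}, (\d{2})-(\w{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT$/.exec(s.trim());
  const month = m ? MONTHS.indexOf(m[2].toLowerCase()) : -1;
  return month < 0 ? null : Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]);
}

// Normalise an explicit domain attribute to leading-dot form and apply the "enough
// periods" rule: two for the seven special TLDs, three otherwise. Null if rejected.
function normaliseDomain(domain) {
  const d = (domain.startsWith('.') ? domain : '.' + domain).toLowerCase();
  const labels = d.split('.');                // ".acme.com" -> ["", "acme", "com"]
  const needed = SPECIAL_TLDS.includes(labels[labels.length - 1]) ? 2 : 3;
  return labels.length - 1 >= needed ? d : null;
}

// Tail matching: ".acme.com" matches "acme.com" and "shipping.crate.acme.com".
function tailMatch(domain, host) {
  host = host.toLowerCase();
  return host === domain.slice(1) || host.endsWith(domain);
}

// Parse one Set-Cookie header sent by requestHost for requestPath. Returns null
// if it is too large, lacks NAME=VALUE, or claims a domain the host is not inside.
function parseSetCookie(header, requestHost, requestPath) {
  if (header.length > MAX_COOKIE_CHARS) return null;
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null;
  const cookie = {
    name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1),
    domain: '.' + requestHost.toLowerCase(),  // default: the host that set it
    path: requestPath.slice(0, requestPath.lastIndexOf('/') + 1) || '/',
    expires: null, secure: false,             // expires null = session cookie
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const val = rest.join('=');
    switch (key.toLowerCase()) {
      case 'expires': cookie.expires = parseExpires(val); break;  // malformed -> session
      case 'path': cookie.path = val || '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'domain': cookie.domain = normaliseDomain(val); break;
    }
  }
  // Only hosts within the domain may set a cookie for it.
  if (!cookie.domain || !tailMatch(cookie.domain, requestHost)) return null;
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }        // insertion order: oldest first

  // Store a cookie: replace one with the same name/domain/path, then evict the
  // oldest cookie if the per-domain or total limit would be exceeded.
  setCookie(header, requestHost, requestPath) {
    const c = parseSetCookie(header, requestHost, requestPath);
    if (!c) return false;
    this.cookies = this.cookies.filter(
      (o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    const sameDomain = this.cookies.filter((o) => o.domain === c.domain);
    if (sameDomain.length >= MAX_PER_DOMAIN) this.cookies.splice(this.cookies.indexOf(sameDomain[0]), 1);
    if (this.cookies.length >= MAX_TOTAL) this.cookies.shift();
    this.cookies.push(c);
    return true;
  }

  // Build the Cookie request header for a URL ("" if nothing matches): domain tail match,
  // path prefix match ("/foo" matches "/foobar"), secure only over https, not expired.
  cookieHeader(url, now = Date.now()) {
    const u = new URL(url);
    return this.cookies
      .filter((c) => tailMatch(c.domain, u.hostname) && u.pathname.startsWith(c.path)
        && (!c.secure || u.protocol === 'https:') && (c.expires === null || c.expires > now))
      .sort((a, b) => b.path.length - a.path.length)   // more specific paths first
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Walk-through with constructed headers; acme.com is the spec's own example name.
function demo() {
  const jar = new CookieJar();
  jar.setCookie('SESSION=abc123; path=/; domain=.acme.com', 'www.acme.com', '/index.html');
  jar.setCookie('CART=3; path=/shop; secure', 'shop.acme.com', '/shop/cart');
  jar.setCookie('EVIL=x; domain=.com', 'www.acme.com', '/');          // rejected: too few periods
  jar.setCookie('STOLEN=x; domain=.other.com', 'www.acme.com', '/');  // rejected: host not in domain
  return {
    plain: jar.cookieHeader('http://anvil.acme.com/shop/checkout'),   // "SESSION=abc123"
    secure: jar.cookieHeader('https://shop.acme.com/shop/checkout'),  // "CART=3; SESSION=abc123"
    stored: jar.cookies.length,                                       // 2
  };
}
```

The 300-cookie cap is what defeats the “fill the hard drive with cookies” idea the lab muses about: once the jar is full, every new cookie overwrites the oldest one, so storage never grows without bound.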

Ok. You can even compare it with the source programming code if you want. The easiest way is to view the source code of a website that places cookies on your computer. Then copy and paste the source code into a blank FrontPage document. Now you can “reverse engineer” HTML code live (without any legal repercussions). Be sure to copy the source code, then disconnect from the web before editing the code. Never try to “upload” your source code to anything connected to the Internet. Talk about being in deep kimchee. FrontPage even changes the colors of some of the words to show which ones are tags, attributes, comments, scripts, etc. Ok. So now let’s look at a sample script for placing cookies onto your computer. Here is one I found on the AOL website (emphasis added):


    <html><head>
    <SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript" SRC="http://www.aol.com/popups/script/postvisit_e.js"></SCRIPT>
    <script language = "javascript">
    this.name="parentWindow";
    function rdc(rUrl) {
        location.href='http://dynamic.aol.com/cgi/redir-complex?url=' + rUrl;
    }
    function popWin(url){
        var popWin= open(url,"windowName",'nostatus,resizable=no,width=360,height=240,top=250,left=250');
    }
    function doSubmit() {
        document.cookie = "cookietest=yes; path=/; domain=.aol.com";
        var testCookie = document.cookie;
        if (testCookie.indexOf("cookietest=yes") == -1) {
            alert('Please turn your cookies on.');
        } else {
            var sn = document.loginform.screenname.value;
            var isEmail = sn.indexOf('@');
            if (isEmail > -1) {
                makeSN= sn.substring(0,isEmail);
                document.loginform.screenname.value=makeSN;
            }
            document.forms.loginform.submit();
        }
    }

Source: http://www.aol.com 14 June 2002. I got that code by opening up the AOL web page and then looking at the source code (view > source). Then I copied it into Front Page, disconnected from the web, and pasted it into a new Front Page web (use the HTML tab). This is one easy way to determine if a website is placing cookies on your computer. The only problem is, though, once you open up the page the cookies are already downloaded to your computer (unless you disable them). From this example we can see AOL is placing cookies on our computer. Heck, they even have a test to see if we have cookies enabled, then they ask us to turn them on!

Want to learn more about the programming side of cookies? Here is a great link on how to do that! (If it doesn’t work or changes then start with www.cookiecentral.com): http://www.cookiecentral.com/content.phtml?area=2&id=7

Assignment #1:

1. What programming language is being used for the AOL code? Be as specific as possible.

2. Can you reverse engineer the code above to determine exactly what is being done line-by-line? Use Front Page to test your hypotheses.

3. Find 5 websites not mentioned within this lab and reverse engineer their code to determine the programming syntax for placing cookies.

Disabling Cookies on Your Computer

The best way to protect your privacy on the Internet is to not get on the Internet. But if you want to access the Internet then you should disable your cookies. If you are using a program that requires cookies like certain software sites (hotmail, quicktime, et al.), certain E-commerce sites (U.S. Plastic, cajonshoppe.com, et al.), and educational sites (space.edu, certain links at the University of Michigan, iteslj.org, et al.) then you can still disable them and install a program like the “anonymizer” (http://www.anonymizer.com). Before we start disabling our cookies let’s go out and delete our cookies/cookie entries. Once we are finished then double-check they are still enabled by going to Disney.com. If you received cookies, then great! Delete the entries/the cookies and follow these instructions to disable cookies from being received on your computer:

Disabling cookies in Internet Explorer:

1. Open the browser window.

2. Select Tools>Internet Options.

3. Select the “security” tab.

4. Click on the button near the bottom of the window called “custom level.”

5. Scroll down to the cookies section (about half way down).

6. Select the “disable” radio button.

It should look like this when you are finished:


Disabling the cookies in Netscape Navigator:

1. Open the browser.

2. Select edit>preferences.

3. Then click on the “advanced” button.

4. Click on the “disabled” radio button.

It should look like this:

Now let’s verify they are not working by going out to Disney.com again. Check your cookies file/folder and there should be no entries/new cookies there. Bingo! That’s what we wanted.

So What Have I Learned Here?

In this lab you learned about the basics of cookies on your computer. Using this information will not cover your tracks on the Internet, but it will, however, keep your cookie-based information from being retrieved when you visit websites. There are other things you will have to do to “erase” your tracks like using history files, proxy servers, recycling bins, etc. But those are other labs too. You received some good entry-level security tips here but should have also realized how important a role programming plays in computer security administration. Don’t worry, it will keep becoming more prominent as we move along.


Chapter 17: How to stop those frigging pop-up ads

Ok so in this chapter let me take some time to talk about something that can really tick some people off: pop-up ads. Just when people were learning about filtering and stopping access to some sites, someone smarter came up with a way to get their ads for enlarging your penis or maximizing your profits through in such a way that had people baffled for a while. The bottom line to any event is that it involves some aspect of programming. We saw it back in the chapter on passwords and how things are stored in the user.dat file; we saw it in the port scanning chapter; we saw it in the section on cookies. Geeze, does it ever end? Apparently not.

What a pop-up ad does is just what it sounds like: it pops up when you open an Internet window. The real annoyance is that it usually doesn’t open just one window; you usually get many windows opening, usually when you try to close your other windows. Some people used their knowledge of DOS to run a list of active network connections to identify “where” the IP addresses of these ads were coming from. No good, because the addresses were spoofed (fake). Still others tried to “up” the security levels of their Internet Explorer window and all this did was make it difficult to do anything on the Internet. By now, if you have gone through this book a bit at a time, you will have realized things on the Internet are not what they seem and there are usually workarounds for anything.

The “Ultimate” way to stop Pop-up ads

Obviously by not going on the Internet you will not have any pop-up ads, but that probably will not be so. What we need to do instead is first start off with how pop-up ads work…from a hacker’s perspective. Actually pop-up ads are not really pop-up ads; they are actually “mini” programs that are activated from settings in your registry. How the instructions get into your registry varies with where you were first “infected” by the “pop-up” program(s). The addresses that appear are fake and are actually randomly generated within your own computer, and that is why “filtering” the address (which is fake) does no good. Sure, they look real, they seem real, and if you click on any of their links they will take you to actual websites, but they are just programs running on your own computer designed to take you to a place where you can buy something.

Before I get into the actual registry settings let’s go over a few other things. First, if you have been “infected” by a pop-up ad you can go and “restore” your computer, which just cleans up your registry. Doing that without having created a restoration point can really suck. First of all it means you will go all the way back to having your computer restored to the day it was bought, meaning everything will have to be re-customized and re-installed. That can really suck, especially if you have software that was registered online with a company that is now legally shut down (like DVD Xcopy).


So, let’s show you how to make a system restore point. First, using your start button, pull up the help menu:

Then, you can see under the “Pick a task” section the third selection “undo changes to your computer with system restore.”


Then on the next screen you can give your “new” restoration point a name:

Then, later, you can select your restore point. I would recommend loading all of your stuff on your new computer, creating a restore point and then going and playing on the Internet. Basically what you are doing is creating a new copy of your registry that has all of your modifications on it. If you start running into pop-up ads then all you have to do is restore your registry and the pop-up ads will disappear. That is the easiest way to stop pop-up ads.

Let’s take a second and talk about the “alternatives.” Many people like to recommend using Adaware, Spybot, or some other program for removing pop-up ads. All those programs are nothing more than utilities that modify your registry. If you know a bit about computers then you know that any time you modify your registry you run the risk of things not working. I was playing around with them for this chapter and Adaware actually stopped the pop-up ads but also removed all of my drivers for my CD-ROM and DVD burners. So, I had to restore my registry again to get my drivers back. Once again, this seems to be the easiest way to fix the problem.

Ok, now let’s dig a bit into those registry settings to see exactly which ones are changed. Unless you know what you are doing you should never get into the registry, even to look. Murphy’s Law really applies to the registry: what can go wrong usually will.


If you have never gone into the registry, the easiest way is to use the start button on the taskbar, select Run, and enter “regedit.”

Then your registry will open up in its own little window:

What we have here in the left panel is sort of the “folder” that the “setting” is contained within (the right panel). On the right side you can add a value, its type, and set the data. Please keep in mind that each pop-up ad program is unique and may be in one or several places. What I am about to give you is an example of one style of pop-up ad that appears when someone uses Internet Explorer AND this pop-up ad program tailors the ads towards the URLs used in IE to increase the likelihood of a purchase, through communication with an off-site server. This program is called “Apropos/media” [5], which can be installed by a program called “wildmedia.” This one, unlike others, can be seen in the Add/Remove Programs window. It will be called something like “AM Server,” “SysAL,” or “CtxPls.” That should take care of removing it, but I want to give you the registry stuff. First, after opening the registry navigate to the following folder:

HKEY_CLASSES_ROOT\CLSID

Under there will be several folders that need to be deleted:

[5] From http://www.doxdesk.com/parasite/AproposMedia.html

{655FD3BC-C314-4F7A-9D2E-64D62A0FDD78}
{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}
{823A3E7-AB95-4C23-8313-0BE9842CC70E}
{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}
{B3BE5046-8197-48FB-B89F-7C767316D03C}

Then open this folder:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and delete these entries:

AutoUpdater
POP

Finally you have to delete some folders:

HKEY_CLASSES_ROOT\POP.Server[.1]
HKEY_CLASSES_ROOT\PopAd.Server[.1]
HKEY_LOCAL_MACHINE\Software\POP
HKEY_CURRENT_USER\Software\POP

There also are some variants of this particular pop-up ad generator, but you can go to the website to find out more instructions. These pop-up ads are nothing more than programs that are installed on your computer. It’s just up to you to make sure they are cleaned off properly. I prefer the system restore option for best results. One last point about the registry: I tried to make my registry read-only and it creates many problems. I thought if no one could write into my registry then it would be an easy way to stop pop-up ads for everyone. The only problem is the registry is a work-place for the operating system and it really needs to be accessible. Oh, and before you try it, I also tried changing the directory to a “hidden” directory and it didn’t work either.
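Rather than hunting through regedit by hand, the entries listed above can be checked against a registry export. The script below is an added example (not from the book or from the doxdesk page it cites): export the relevant hives from regedit (File > Export) and run the script over the .reg file offline. The indicator list is transcribed from this chapter, reading the letter O in the printed GUIDs as the digit 0 since GUIDs are hexadecimal; the sample export embedded in the script is constructed for the demonstration.

```python
"""Audit a Windows registry export (.reg) for the Apropos/Media entries the chapter lists.

Added example. The indicators are transcribed from the chapter; the letter "O" in the
printed GUIDs was read as the digit 0, since GUIDs are hexadecimal.
"""
import re
from typing import Dict, List, Tuple

SUSPECT_KEYS = {
    r"HKEY_CLASSES_ROOT\CLSID\{655FD3BC-C314-4F7A-9D2E-64D62A0FDD78}",
    r"HKEY_CLASSES_ROOT\CLSID\{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}",
    r"HKEY_CLASSES_ROOT\CLSID\{823A3E7-AB95-4C23-8313-0BE9842CC70E}",   # 7-char first group as printed
    r"HKEY_CLASSES_ROOT\CLSID\{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}",
    r"HKEY_CLASSES_ROOT\CLSID\{B3BE5046-8197-48FB-B89F-7C767316D03C}",
    r"HKEY_CLASSES_ROOT\POP.Server",
    r"HKEY_CLASSES_ROOT\POP.Server.1",
    r"HKEY_CLASSES_ROOT\PopAd.Server",
    r"HKEY_CLASSES_ROOT\PopAd.Server.1",
    r"HKEY_LOCAL_MACHINE\Software\POP",
    r"HKEY_CURRENT_USER\Software\POP",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUES = {"autoupdater", "pop"}

# A value line looks like  "Name"="data"  or  @="data"  (the @ is the key's default value).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg text format into {key path: {value name: raw data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[HKEY_...\Run]" opens a key section
            keys.setdefault(current, {})
            continue
        if current is None:
            continue                      # the "Windows Registry Editor" banner line
        m = VALUE_RE.match(line)
        if m:                             # hex continuation lines do not match and are skipped
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for every indicator present in the export."""
    findings: List[Tuple[str, str]] = []
    suspect = {k.lower() for k in SUSPECT_KEYS}
    for key, values in parse_reg_export(text).items():
        k = key.lower()                   # registry paths are case-insensitive
        if k in suspect or any(k.startswith(s + "\\") for s in suspect):
            findings.append(("suspect key", key))
        if k == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() in SUSPECT_RUN_VALUES:
                    findings.append(("suspect Run value", f"{name}={data}"))
    return findings


# Constructed export for demonstration: one suspect Run value, one suspect CLSID,
# one benign CLSID (the shell's shortcut handler), and the per-user POP key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AutoUpdater"="C:\\Program Files\\AutoUpdate\\AutoUpdate.exe"

[HKEY_CLASSES_ROOT\CLSID\{655FD3BC-C314-4F7A-9D2E-64D62A0FDD78}]
@="AM Server"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"

[HKEY_CURRENT_USER\Software\POP]
"Installed"=dword:00000001
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_REG):
        print(f"{kind}: {detail}")
```

An export is a safe way to inspect the registry: nothing is changed until you decide to act on a finding, and the file can be kept as a record of what was there before a restore.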


Mozilla

Let’s think this thing through a bit…hackers hate Microsoft. Microsoft is used on the majority of computers. Hackers write programs to take advantage of exploits in Microsoft. The answer is seemingly simple: ditch using Microsoft. Ok, so most people will not want to do that, so what you can do instead is ditch Microsoft Internet Explorer. Most pop-up ads are written to be used and enabled through Microsoft Internet Explorer. Instead we can download and use another browser. I would say use Netscape Navigator but that is too popular too. Same problems, different channel. Instead I like to use the Mozilla Firefox browser on the computer for my wife. It is very similar in appearance and usage to IE. Heck, she really doesn’t know the difference. Interestingly enough, when I picked up the paper this morning it contained an article about one of the primary developers of Mozilla. You’ve just got to try it. See? It even looks like IE but without any of the problems. Plus, it is open source so that is good too.

If you select tools>options you will see some of the options available to you in Mozilla:


Chapter 15: E-mail and SPAM

• Introduction
• E-mail etiquette
• Acceptable use of e-mail at work
• What to do with SPAM once you receive it
• What about using my home e-mail account on the school network?
• Geek stuff: SPAM basics
• Summary

I would bet you would be very hard pressed to find someone in a school who deals directly with students that does not use e-mail in some fashion. Oh sure, some of the facilities people may not, but we are still dealing with a very small number. Even so, proper use of e-mail has never really been taught. Just as you may have been instructed on how to answer the phone, how to transfer phone calls, or how to use voice mail, you need to learn how to use e-mail. The case I am trying to make is that most people have never been instructed on e-mail etiquette and proper use in the workplace. In this chapter we will be discussing e-mail etiquette, using e-mail at home and work, and finish with some geek stuff on e-mail (Spam).

E-mail etiquette

As a youngster you were taught many etiquette basics like closing your mouth when you chew, not to slurp your soup, and keeping your elbows off the table. Similarly we will now look at some e-mail etiquette. Your typical etiquette basics apply when you are writing e-mail. The one I find most people not following is TO NEVER USE ALL CAPITAL LETTERS WHEN WRITING E-MAILS BECAUSE IT SEEMS LIKE YOU ARE SHOUTING AT THE RECIPIENT. Ok, so there may be some times when you need to use capitalization, but that is ok when it is used sparingly. When writing an e-mail you should try to keep everything in a businesslike fashion. Try not to abbreviate or be too informal. Just remember that at some point someone may print out any e-mail you write for a file someplace. As always, when you are writing an e-mail to your boss or higher-up remember to keep your e-mails short, professional, and to the point.

Let’s look at a couple of examples:

Bad email

HEY! LET”S GO OUT AFTER WORK AND GET SOME BEERTH! THIS FRIGGIN CASE IS JUST CHAPPING MY BUTT BIG TIME. SNOOGINS


Good email (rewritten)

Your presence is requested for a case overview meeting after work tonight. Please R.S.V.P. Mr. Lovelace

When to use BCC

As a general rule you want to almost never use the BCC feature except in very select cases. By using it frequently you will build layers of mistrust between you and your fellow co-workers. For example, when my boss has told me to communicate something in private to a faculty member I will use BCC to my boss just to let them know the task was completed. Of the several thousand e-mails I have sent in the past two years I probably only used the BCC feature about 10 to 20 times.

HIPAA

In the health industry they have adopted some legislation regarding privacy of medical records, including proper use of e-mail. I think all educators, and not just the ones in the medical fields, should follow some of these policies. For example, one of the provisions in HIPAA (the Health Insurance Privacy Portability Act) tells us that we are not to send out e-mails to a bulk list. This is because any one of the recipients could then have a “target” mailing list ready to go. Therefore they have to send out e-mails one at a time. There are software companies making programs that will still let you send out e-mail in bulk while concealing the entire mailing list; we will probably see them really soon. Computer hackers commonly use network tools that allow them to capture e-mail packets as they travel across the Internet. With a massive carbon copy list (CC:) attached they can get a large amount of information in a short time. HIPAA helps make this more difficult. Once the hackers have this information they usually re-sell it to companies who, in turn, send you unsolicited e-mail or SPAM. We will look at SPAM in our geek stuff section later in this chapter.

Acceptable use of e-mail at work

It’s almost a common theme throughout this manual: keep “play time” stuff at home and work stuff at work. I know it is all too easy to get a chuckle out of some funny joke that someone has forwarded to you, but you need to break that chain. Tell people not to send those jokes to your work e-mail account. If they must send them, then have them send them to your home e-mail account. I know it sounds harmless but think of what we just talked about…hackers using software to gather e-mails to generate target mailing lists. Have you ever looked at the list of people those jokes have come from? Talk about an easy mailing list. When you forward an e-mail you have just added your name to a list of good e-mail addresses that can be used for unsolicited e-mail or SPAM. Let’s look at one now.


If, by chance, you do happen to get some advertisements or SPAM then you should NEVER click on the link “remove your name from the list.” Many times bulk mailers are used to send out these e-mails, and clicking to remove your name from the list only validates that a live address exists. This will only bring you more advertising and SPAM. In fact, some companies have written software to probe websites and gather e-mail addresses. Think about our website…we have a directory of all employees and their e-mail addresses. It wouldn’t take much to get all that information and start sending bunches of advertisements or SPAM.

What is SPAM?

Ok, so there exist many different pseudo-definitions of spam. Yet, in my opinion, no one really has the balls to come right out and define spam succinctly. They all seem to be worried about how their definition may interfere with their business or future business dealings. So, without further ado, let’s take a bit of time to look at spam. Networking geek types have thought about spam-like problems since before they even became problematic. In fact, RFC1234 discussed the problems of mass solicitations using electronic communications and how they may be able to prevent them from becoming problems. Later, as the Internet started to become more prevalent and commercialized, an attempt was made to “regulate” (if you will) electronic mail. First, the government thought about perhaps placing a tax on electronic transmissions, much like a stamp is required for a letter. The reason was simple: the government thought they were going to lose a bunch of money from people not sending letters anymore and, thus, the post office system would be shut down. However, quite the opposite occurred. In fact, the business of the post office grew from the number of people buying stuff on the Internet and shipping it through the post office.

The next big “push” was to create second level domain names (SLDs). The primary domain names were *.com (for commercial enterprises), *.net (for networking companies), *.org (for not-for-profits), *.gov (for governments), *.mil (for military), and *.edu (for schools). We quickly saw ourselves running out of room in the primary domain names and wanted to give the world more flexibility. Therefore, some second level domain names were put forward, like *.biz (for businesses), *.adv (for advertisers), *.porn (for adult-oriented pornography), *.rec (for recreational sites), *.mus (for museums), *.arts (for arts) and others. The logic was simple: to re-organize the naming system to make it easier to find things and more efficient for network administrators to manage. One such problem they hoped to solve was to give network administrators manageable tools for filtering, especially e-mails at the border of the network. For example, early “spam” could be controlled by placing a simple filter to stop all electronic communications with *.adv or *.porn. A couple of easy steps and the problem is solved, right? Wrong. You see, the advertisers and pornographers argued that they are businesses too and, thus, eligible for *.com status. Whammo, great idea…poor execution. Somebody needed the nuts to make a naming system that was mutually exclusive and exhaustive and I think it is too late to do it now.

With this background in mind, spam has become a major headache for users and network administrators with no logical conclusion in sight. Oh sure, we have seen states enact anti-spam laws and even the government coming out with a “canned-spam” act that will probably accomplish very little. Where I think the problem lies is with forming a concrete definition of spam and forming legislation and partnerships between industry, citizens, and the government. No one has defined spam or electronic communications; they just loosely talk about it and then build legislation and arguments on shaky foundations. In my opinion I think electronic communications should be separated into two categories:

(1) Non commercial electronic communications—this would include emails from person to person not of a commercial nature

(2) Commercial electronic communications—this would include emails with respect to a commercial enterprise, offering, or solicitation for business

(a) “Legitimate” commercial electronic communications—this would be the commercial enterprises who, following a set of standards, would make it easier for network administrators to control at the border by filtering. By following a set of standards they would be immune from prosecution for spamming. Including “ADV” or “PORN” in the subject line may be two such examples of standards.

(b) “Illegitimate” commercial electronic communications—this would be those enterprises, commercial or otherwise, that use falsified information in electronic communications in anticipation of receiving responses or business. This is what I believe is “spam” not the other categories.

I really think this is THE definition we have been needing. During the course of this chapter you will learn more about spam and what I mean by falsified information. I will talk more about this definition in the conclusion of this chapter.

What to do with SPAM once you get it

At home? Just delete it. At work? Just forward it to the network administrator of your company. They, in turn, can possibly filter it out on the border and send it on to the FTC if necessary. If you are at home, then the Federal Trade Commission also would like to have unsolicited advertisements (SPAM or otherwise) sent to them ([email protected]). There are also anti-SPAM websites. Try searching for some of these. There have been some legal discussions about how much spam is costing businesses. Some have been saying it is chewing up as much as 25% of someone’s workday deleting spam. I think they are way off base. I only delete about 10-15 spams every day and I am kind of “out there” in the public eye. I do get my share of virus-laden e-mails and trojans shipped over to me, but I just shoot them off to a CD. I know, you were expecting me to say I delete them, but I like to keep the little buggers and pull them apart to see how they work. Unless of course you are a prosecutor for the government working on DMCA cases…then I just delete them.

What about using my home e-mail account on the school network?

There exists a gray area in the legal realm about using a private e-mail account on a school (or business) network. This issue becomes even murkier when you toss in using the private account during your non-working hours like over lunch or on your designated “break” time. I would highly suggest, given the proclivities and innuendos in variations of the laws, that you do not use your private email account at any time while at work.

In some instances the courts have ruled in favor of the employer being able to read your email, since it travels over the employer-owned network. In other cases the courts have ruled in favor of the employee, for invasion of privacy reasons, when an instance occurs. Most of these rulings hinge upon the acceptable use policy, the training mechanisms, and the interpretations of the laws in place. Since you are in a training course about acceptable use of network resources I would say reasonable effort has been made towards letting you know not to use your private email account on the employer network. If you do use the private email account over the employer network then you are accepting the fact the employer has the right to monitor all transmissions on their network. Does this make you mad? Well there is one simple thing you can do to prevent it: Don’t use your private email account at work!

Geek Stuff: SPAM Lab

What is SPAM?

SPAM has many different definitions depending upon which source you are using. If you are using Hormel Foods as your source, then SPAM is a pork-related food product. If you are in the theatre then SPAM is the theme of a Broadway play. If you are a television aficionado then you know about SPAM from the Monty Python skit. As network administrators, however, SPAM can more accurately be defined, in my opinion, as the reception or transmission of an unwanted or unsolicited electronic message or messages that use falsified information that prevents filtering or replies. Usually the return address in a SPAM message is spoofed (faked) or undeliverable, which is what helped create the negative attitude towards SPAM. Like so many other computer-related innovations SPAM had good intentions that were perverted by malicious users. The exact origin of SPAM has been the subject of many debates over the years. Generally most will agree that SPAM, or a closely-related version of SPAM, really “hit the scene” on April 12, 1994 when two lawyers hired a programmer to write a program that would advertise their services on every news group on the Internet. Leave it to lawyers, huh? From this incident people quickly started calling unwanted e-mails or postings “SPAM.” The lawyers, in turn, were flooded with nasty phone calls, faxes, and e-mails denouncing their soiling of their particular news group. Oh, did I mention they went through disbarment proceedings too? Notice again how the “roots” of computer security involve programmers.

One of the reasons SPAM has gotten a bad rap is that SPAM is predominantly used in con-artist scams. The SPAMmers go to great lengths to make their SPAMs look legitimate, even using legitimate-sounding return e-mail addresses (which are actually spoofed (faked)). Oh sure, you have seen them: “Make money fast,” “Get rich quick,” “Lose 20 pounds in 20 days,” “Earn $3,000 a week by working at home,” and the ever-popular chain letter “send this to 10 people within 10 minutes or else blah, blah, blah.” SPAM really does not hurt the average user too much. It does, however, affect the ISPs. We can quickly delete two or three SPAM messages from our in-box. But think about an ISP like AOL with its millions of users. Multiply each user by 2 or 3 SPAMmed messages and you can see that the SPAM can quickly sap the resources of an ISP.

Let’s take a few minutes to look at the legal side of SPAM. “Is sending SPAM illegal?” This question is really churning up the discussion groups in legal circles because of the sheer number of topics to which SPAM is applicable: trespass to chattels (a legal term related to denial of service), privacy, freedom of speech, jurisdiction, censorship, and intellectual property. Most defense attorneys use comparisons to other forms of advertising when attempting to defend what their client did. They talk about television and broadcast advertising, acceptable use policy loopholes, or even use the phrases “target marketing” or “telemarketing.” For some lawyers it is not about right or wrong but about winning the case at all costs, and they will search for any loophole or angle that may give them that chance of winning. In general most advertisers agree that using SPAM is unethical and immoral. But some advertisers still use it. Cyberpromotions, Inc. seems to be keeping the lawyers busy to no end at Internet Service Providers like AOL, Compuserve, Prodigy, Earthlink and others. I counted over a couple dozen lawsuits by different ISPs against Cyberpromotions Inc. alone. Now, armed with a bit of background knowledge about SPAM, let’s start up some labs to more fully understand SPAM and what we can do about it as network administrators.

How can I get some SPAM to play with?

Unfortunately this is very easy to do. In fact, just about everyone with Internet access can just wait a couple of days and they will probably find you eventually. But we can be impatient folks, so let’s find out how to force SPAM to come to us and, in the process, we will learn what not to do when roaming around the Internet.

SPAMmers do have some definite playgrounds upon which they hunt for their prey. USEnet groups, message boards, and websites where people enter information about themselves (including credit card numbers) are the favorites. This brings us to:

SPAM Rule: Never use a real e-mail address or real names in USEnet groups, message boards or on websites.

If you will be chatting in these rooms then you should consider setting up a “dummy” account to use. This way the SPAM will come to that account, not to your real account. I am not saying you should lie on the Internet, but that there are things you can do to minimize your chances of being exploited on the Internet. Usually ISPs give you more than one account, or you can create one with the free e-mail services like Hotmail, Yahoo, or Netzero. In earlier labs I taught you to never believe anything until you see it…so let’s test out our rule by making a dummy account and seeing just how fast our in-box fills up with SPAM.


Assignment #1:

1. Open an IE or NN browser window.

2. (optional) Go out to a search engine and search for “free email accounts.” These sites change every day so you may have to be creative.

3. Navigate to www.hotmail.com and set up a “dummy account” for yourself. Make it something catchy if you would like. Now is a good time to think of a nifty little alias or nickname to use. Imagine being [email protected].

4. Now we probably could wait a few days and we would start seeing some SPAM come in…but let’s force it a bit.

a. The best way to start the SPAM rolling in is to buy something on-line, but we don’t want to have to go to that extreme. Let’s go out to a message board…

b. Ok…if you are over 18 you can go to a porn site and then you will receive more SPAM than you want in your account. Just remember that creating a dummy account doesn’t mean there aren’t cookies and settings on your computer that give your true identity away.

c. Or you can try going to a website and registering for some free stuff…let’s get something for free and useful while we are at it.

5. In a couple of days (if not sooner) the SPAM should start rolling in. Click on “remove me from the list.”

Examining the SPAM…what’s all that stuff?

Ok, so this is the part of the chapter where I am going to show off some of my collection of spam and interesting emails. The first thing to do with a message that appears to be SPAM is examine the headers. There are many different ways to do it. With AOL click on the “details” button under the “to” window:

Subj: Internet Millionaire Guarantees Your Success!
Date: Tue, 18 Jun 2002 1:51:52 PM Eastern Daylight Time
From: Shawn Casey<[email protected]>
To: *******@aol.COM
Sent from the Internet (Details)

Next you should see a window appear with all of the details. I copied and pasted the text into a Word document for reverse engineering from a slightly different email:

Return-Path: <[email protected]>
Received: from rly-xc03.mx.aol.com (rly-xc03.mail.aol.com [172.20.105.136]) by air-xc02.mail.aol.com (v86_r1.13) with ESMTP id MAILINXC24-0620122229; Thu, 20 Jun 2002 12:22:29 -0400
Received: from MAILER119.yourbigvote.com (mailer119.yourbigvote.com [216.162.101.119]) by rly-xc03.mx.aol.com (v86_r1.13) with ESMTP id MAILRELAYINXC310-0620122218; Thu, 20 Jun 2002 12:22:18 -0400
Received: by MAILER119.yourbigvote.com (PowerMTA(TM) v1.5); Thu, 20 Jun 2002 09:19:15 -0700 (envelope-from <[email protected]>)
Subject: You Can Buy This Life Insurance - As Low As $10 a Month!
From: Insurance For Less<[email protected]>
To: *********@aol.com
MIME-Version: 1.0
Content-Type: text/plain
Date: Thu, 20 Jun 2002 09:19:15 -0700
Message-ID: [email protected]

This message, while it may be SPAM, appears to be a legitimate ad. Many times when you go out to the web and sign up for things you neglect to de-select those little boxes “send me information” or “keep me informed…” According to the headers above, I would not hesitate to send an email back to this vendor to be removed from their email list. (The “never reply to be removed” rule later in this lab is for mail whose headers do not check out; here the relay chain, the sending host’s reverse-DNS name, and the timestamps all agree with each other.)

Why? Well…just like a detective…we have clues that tip us off about the message. One of the dead give-aways about an email that comes from “questionable” sources is the time zone listed in the headers. We are looking for the named zone to agree with its numeric offset from Greenwich Mean Time (GMT). For example, Eastern Standard Time (EST) is 5 hours behind GMT (denoted as -0500). During daylight savings time EST becomes EDT (-0400). Fake timestamps in SPAM are usually slightly off.

You may see something like EST (-0600) or EDT (-0500). Obviously this is wrong. Let’s look at a good one first (that is a good tip when trying to figure out whether something is bad…compare the probable bad one with a known good one…):

Return-Path: <[email protected]>
Received: from rly-xc03.mx.aol.com (rly-xc03.mail.aol.com [172.20.105.136]) by air-xc02.mail.aol.com (v86_r1.13) with ESMTP id MAILINXC24-0620122229; Thu, 20 Jun 2002 12:22:29 -0400

Notice that it gives only the numeric offset (-0400) and no zone abbreviation at all; that is normal, and when an abbreviation is present it follows the offset in parentheses, as in “-0400 (EDT)”. Here is the same line, changed by me to carry a bad time zone:

Return-Path: <[email protected]>
Received: from rly-xc03.mx.aol.com (rly-xc03.mail.aol.com [172.20.105.136]) by air-xc02.mail.aol.com (v86_r1.13) with ESMTP id MAILINXC24-0620122229; Thu, 20 Jun 2002 12:22:29 EST (-0600)

Each “Received:” line is added by one mail server as the message passes through it, and the newest one is on top. “from” names the machine that handed the message over: first the name that machine announced about itself, then, in parentheses, what the receiving server actually saw (its reverse-DNS name and IP address). “by” is the server that wrote the line, “with” is the protocol, “id” is that server’s queue number for the message, and the timestamp comes from the receiving server’s clock. In the example above the line was written by air-xc02.mail.aol.com, the AOL server that delivered to my AOL mailbox, when it took the message from the AOL relay rly-xc03; to find where the message entered AOL you read down to the lowest “Received:” line, which in the full headers earlier names mailer119.yourbigvote.com. The stuff about the time? That’s next.

Also be sure to check for corroboration with the SMTP time stamp. Older versions of sendmail (before 8.12) gave every message a queue id (the “id” field of the Received: line) whose first letter encodes the hour, in the receiving server’s local time, at which that server accepted the message: between midnight and 12:59 am the first letter is an “A,” and so on. If that letter does not agree with the timestamp on the same Received: line, it is a good bet the line has been spoofed (faked). Here is the full table:

Hour (am)    Letter    Hour (pm)    Letter
12-12:59     A         12-12:59     M
1-1:59       B         1-1:59       N
2-2:59       C         2-2:59       O
3-3:59       D         3-3:59       P
4-4:59       E         4-4:59       Q
5-5:59       F         5-5:59       R
6-6:59       G         6-6:59       S
7-7:59       H         7-7:59       T
8-8:59       I         8-8:59       U
9-9:59       J         9-9:59       V
10-10:59     K         10-10:59     W
11-11:59     L         11-11:59     X

This check applies only to that one program. Sendmail 8.12 and later uses a longer id that packs the whole date and time in with a different letter code (the j0AE9AT6012437 in the eBay headers later in this chapter is one), and other mail servers number messages their own way: in the examples in this chapter Postfix uses a hex number (0697D26494), the Netscape server uses GXWM7T00.0T4, and AOL’s relays put the date and time into the id in plain sight (MAILINXC24-0620122229 was accepted on 06/20 at 12:22:29). So match the check to the “by” server that wrote the line.

Another good tip-off that this is SPAM is the return address. Many times they are “spoofed” (faked). You may see just numbers or a name instead of an actual return address. If you are feeling particularly gutsy you can click on reply, then send, and see if it is sent or returned as undeliverable…but do that from the dummy account, because a reply that does get through confirms to the spammer that a live person is reading. You can also check the return address for validity. Make sure it looks like a good address. Fake ones tend to use bizarre combinations. Look at this one and you can see a really bizarre address. It does not come from [email protected] but has that addition of <MAILER-DAEMON28812. Good tip-off. We can also see the X-Set address is weird: edvkdppCvsmf1hgx@5536. Notice, too, that Postfix on aslan.spjc.edu could not find a reverse-DNS name for 212.68.208.66 (“unknown”), so the “port.net” in front of it is only what the sending machine claimed to be called. (Notice also that acfw2’s clock reads about 17 minutes behind aslan’s; clocks on your own relays disagree too, so treat timestamps as evidence, not proof.)

Return-Path: <[email protected]>
Received: from acfw2 ([192.168.255.4]) by voyager.spjc.edu (Netscape Messaging Server 4.15) with SMTP id GXWM7T00.0T4 for <[email protected]>; Tue, 18 Jun 2002 09:45:29 -0400
Received: from aslan.spjc.edu ([198.76.188.39]) by acfw2; Tue, 18 Jun 2002 09:27:29 -0400 (EDT)
Received: from port.net (unknown [212.68.208.66]) by aslan.spjc.edu (Postfix) with SMTP id 0697D26494 for <******@spjc.edu>; Tue, 18 Jun 2002 09:44:59 -0400 (EDT)
From: "Farmgirl31272" <[email protected]>
To: <[email protected]>
Subject: Real ZOO web site, welcome! ID<edvkdppCvsmf1hgx>
X-Priority: 3
X-Mailer: The Bat! (v1.53d)
Date: Tue, 18 Jun 2002 17:48:15 +0400
Mime-Version: 1.0
Content-Type: text/html; charset="ISO-8859-2"
Status: R
X-Status: N
X-Set: edvkdppCvsmf1hgx@5536
Message-Id: [email protected]

Addressing can even be taken to another step…in fact those malicious hackers even laugh about how “ignorant” we can be about addressing. Look for IP numbers that are not “useable” Internet addresses: private and reserved ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 127.x.x.x), any octet greater than 255, or a network or broadcast address. Two cautions: a private address is perfectly normal on a hop inside one organization (AOL’s rly-* relays and the acfw2 firewall above are examples; it is only suspicious as the claimed origin of the mail), and an address ending in .0 is a valid host address in any network larger than a /24, so an address like the 172.20.105.0 below is a reason to look closer, not proof by itself. Here is an example:

Return-Path: <[email protected]>
Received: from rly-xf03.mx.aol.com (rly-xf03.mail.aol.com [172.20.105.0]) by air-xf02.mail.aol.com (v86_r1.13) with ESMTP id MAILINXF23-0618135152; Tue, 18 Jun 2002 13:51:52 -0400
Received: from MAILER121.yourbigvote.com (mailer121.yourbigvote.com [216.162.101.121]) by rly-xf03.mx.aol.com (v86_r1.13) with ESMTP id MAILRELAYINXF34-0618135138; Tue, 18 Jun 2002 13:51:38 2000
Received: by MAILER121.yourbigvote.com (PowerMTA(TM) v1.5); Tue, 18 Jun 2002 11:53:44 -0700 (envelope-from <[email protected]>)
Subject: Internet Millionaire Guarantees Your Success!
From: Shawn Casey<[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: text/plain
Date: Tue, 18 Jun 2002 11:53:44 -0700
Message-ID: [email protected]

Sometimes addressing information is contained within parentheses. That part is written by the receiving server, not by the sender: it is the reverse-DNS name and IP address of the machine that actually connected, so it is more trustworthy than the name in front of it. Take that IP address and do a WHOIS lookup on it. If the owner of the address block matches the company the mail claims to come from, you are at least getting ads from someone who is not hiding where they are (better than scams). If the reverse-DNS is “unknown” or the WHOIS owner has nothing to do with the claimed sender, treat the mail accordingly.

Assignment #2:

1. What would you determine about this email based upon what you see here?

Subj: Check this out! 4763y
Date: Tue, 4 Jun 2002 8:43:50 PM Eastern Daylight Time
From: Eveirv
Bcc: Amaffew

Message text: Hello, It's me Kira, I finally got my pictures online, come check it out.<BR>You should see me i am so hot in these clothes.<BR>No Credit Card required. Come Try it.<BR>It's worth a try! Click <a href="http://kirasite.da.ru/">Here</a> To see me in action! <BR><BR> <BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>To be removed from all future mailings and be unsubscribed from our list, click <a href="http://unsubscribenow.da.ru">here</a>. <P> <P> <P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P> <P> <P><P><P><P><P><P>< P>9491h

2. Ok. I did not respond and got this one a bit later:


Subj: Hey 4827n
Date: Sat, 15 Jun 2002 8:52:13 PM Eastern Daylight Time
From: Ferinos
Bcc: Amaffew

Hello, This is Kira from the chat room.<BR>Guess what! I got my camera up finally.<BR>I want you to see it, all you need to do is <a href="http://adults.to/kirashot">download</a> this software.<BR>It's free, come try it.<a href= "http://adults.to/kirashot" >I get a little naughty at times :) tehe. /a><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P><P> <P><P><P><P><P><P><P><P><P><P><P>5793s
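Before going on, here is what the checks from the last few pages look like when you automate them. The following Python script is an added example for this edition, not code from the book; it parses Received: lines the way we just read them by hand and flags the give-aways discussed: a named zone that disagrees with its numeric offset, an octet over 255 or a private address, a HELO name the receiving server could not confirm by reverse DNS, and a hop whose clock claims a later time than the hop above it. The headers it runs on are constructed for the example, modelled on the spjc.edu message above with two invented hops added at the bottom (mailer.example.net and the “EST (-0600)” stamp); the recipient address user@spjc.edu is a placeholder.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Named zones and the numeric offset each one must carry.
ZONE_OFFSETS = {
    "GMT": "+0000", "UTC": "+0000",
    "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
}

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"   # name the sending machine announced (HELO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"        # what the receiver saw: reverse-DNS and [IP]
    r"\s+by\s+(?P<by>[^\s;]+)"             # server that wrote this line
    r".*;\s*(?P<date>.+?)\s*$"             # after the last ';' comes that server's timestamp
)
PAREN_RE = re.compile(r"^(?:(?P<rdns>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]$")
DATE_TAIL_RE = re.compile(r"(?P<offset>[+-]\d{4})(?:\s+\((?P<zone>[A-Za-z]{3,4})\))?\s*$")

# Constructed sample modelled on the spjc.edu headers above, newest line on top.
# The bottom hop is invented: a forged "EST" with the wrong offset and a bogus octet.
SAMPLE_HEADERS = """\
Received: from acfw2 ([192.168.255.4]) by voyager.spjc.edu (Netscape Messaging Server 4.15) with SMTP id GXWM7T00.0T4 for <user@spjc.edu>; Tue, 18 Jun 2002 09:45:29 -0400
Received: from aslan.spjc.edu ([198.76.188.39]) by acfw2; Tue, 18 Jun 2002 09:27:29 -0400 (EDT)
Received: from port.net (unknown [212.68.208.66]) by aslan.spjc.edu (Postfix) with SMTP id 0697D26494
    for <user@spjc.edu>; Tue, 18 Jun 2002 09:44:59 -0400 (EDT)
Received: from mailer.example.net (mailer.example.net [216.162.101.300]) by port.net; Tue, 18 Jun 2002 09:44:10 -0600 (EST)
"""


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """One dict per 'Received: from ...' line, in header order: hop 1 is nearest to you."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        hop = {"helo": m["helo"], "by": m["by"], "rdns": None, "ip": None,
               "offset": None, "zone": None, "when": None}
        p = PAREN_RE.match((m["paren"] or "").strip())
        if p:
            hop["rdns"], hop["ip"] = p["rdns"], p["ip"]
        t = DATE_TAIL_RE.search(m["date"])
        if t:
            hop["offset"] = t["offset"]
            hop["zone"] = t["zone"].upper() if t["zone"] else None
        try:
            hop["when"] = parsedate_to_datetime(m["date"])
        except (TypeError, ValueError):
            pass
        hops.append(hop)
    return hops


def analyze_received(raw, skew_minutes=10):
    """Return (hop, code, detail) findings. Codes: BAD_IP, PRIVATE_IP, NO_RDNS,
    ZONE_MISMATCH, CLOCK_SKEW. A private IP is normal inside your own network and
    honest relays' clocks disagree a little, so read these as leads, not verdicts."""
    findings = []
    hops = parse_received(raw)
    for n, hop in enumerate(hops, start=1):
        if hop["ip"]:
            try:
                addr = ipaddress.ip_address(hop["ip"])
            except ValueError:
                findings.append((n, "BAD_IP", f"{hop['ip']} is not a valid address"))
            else:
                if addr.is_private or addr.is_loopback or addr.is_reserved:
                    findings.append((n, "PRIVATE_IP", f"{addr} is not routable on the Internet"))
        if hop["rdns"] == "unknown":
            findings.append((n, "NO_RDNS", f"no reverse DNS for {hop['ip']}; "
                                           f"HELO name {hop['helo']!r} is unverified"))
        zone, offset = hop["zone"], hop["offset"]
        if zone in ZONE_OFFSETS and offset != ZONE_OFFSETS[zone]:
            findings.append((n, "ZONE_MISMATCH", f"{zone} must be {ZONE_OFFSETS[zone]}, got {offset}"))
        if n > 1 and hop["when"] and hops[n - 2]["when"]:
            if (hop["when"] - hops[n - 2]["when"]).total_seconds() > skew_minutes * 60:
                findings.append((n, "CLOCK_SKEW", "stamped later than the hop above it"))
    return findings


if __name__ == "__main__":
    for hop, code, detail in analyze_received(SAMPLE_HEADERS):
        print(f"hop {hop}: {code}: {detail}")
```

Run it and you get one line per problem. The CLOCK_SKEW on hop 3 is the real acfw2 firewall with its clock 17 minutes slow, not a forgery, which is why the output is a list of things to check (with WHOIS, for a start), not a verdict.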

This is not a SPAM e-mail:

SANS is proud to announce two new discount programs for our Teaching Kits and Awareness Training, available only to educational institutions.

The Intro to Information Security Teaching Kit helps an entry level person get up to speed and meet the training requirements for the GIAC Security Fundamentals certification (GISF) and CompTIA's Security+. Intro to Information Security is available for purchase as part of our new series of licensed course materials called GIAC Prep. A starter kit costs $999 (discounted from $3600) and includes six sets of books, practice exams, rights to use the GIAC Prep Course logo, and a set of instructor slides. You can purchase additional kits and practice tests for $250 per student (discounted from $550), making it easy to benefit from time proven training materials with our simple licensing program - pay per student/per course. For more information on the teaching kits for GIAC Prep's Intro to Information Security, please register at https://store.sans.org/store_item.php?item=106

SANS Security Awareness Training is a new on-line training program to inform your general user population about the risks that they face and the simple countermeasures that they can take, regardless of their technical skills and abilities. Real-life stories illustrate the do's and don'ts of basic security awareness, and quiz questions are integrated to reinforce key concepts. A special discount has been put together just for educational institutions of 500 or more students and faculty. This discount is being offered to provide an opportunity for students to learn SANS Security Awareness Training before entering the job market, and for the faculty who will be teaching our future leaders of the world. SANS is offering a special rate of $1 per user, a significant savings from the regular price of $10-$50 per user.

To purchase Awareness Training at the special discounted rate, please write to [email protected] with the number of users you are looking to train in this program. Please note that this discount is non-transferable and all of the users must be from an .edu address. Any abuse of this discount will be cause for termination of this special offer and non-refundable automatic termination of the accounts.

Brian Correia
Director, Business Development & Venue Planning


SANS Institute
www.sans.org / [email protected]
703-968-0103 (Phone/EST)
703-830-0520 (Fax)

Some more examples from my file O’ Spam (yeah, I collect them…I keep them with my viruses…tee-hee-hee):

Dear friend,

I am contacting you to front as a co-owner and beneficiary of funds (US$25,000,000.00) due for an executed contract here in South africa. I am currently a high ranking government official in the ruling cabinet of President Thabo Mbeki (South Africa).

This funds are a result of over-invoiced proceeds of a contract I helped a South African based company secure and is yet to be paid out by the Reserve Bank of South Africa.

This funds emanated as a result of an over-invoiced contract which Sentech (Pty)Ltd., a communications company executed with the Government of South Africa. I am afraid that the government of South Africa might start to investigate on contracts awarded from 2000 to date. If they discover this money yet unclaimed with my name linked to it, the government will confiscate the money and this will definitely affect my political career in Government.

I want your assistance to front as a co-owner of this company (SENTECH [PTY] LTD) to facilitate the release of the funds. I will introduce a very good attorney to assist us with the transfer process without any hitch but he will not be told my interest in the transaction as I play a very sensitive role in my government. As the contract was executed in my present government department, be rest assured that I will use my position to approve the immediate release of the entitlement. As soon as the funds is release to your name, you are expected to move it immediately into your personal bank account in your country. As soon as you have confirmed receipt of the funds into your account, I will arrange to meet with you.

If you agree to my proposal, please endeavour to send me an urgent reply to; [email protected] Due to my sensitive position in the South African Government, I would not want you to phone or fax me.

The lawyer I will recommend to assist us will be representing our interest at the Reserve Bank of South Africa and all necessary quarters. All future correspondence must be made either to the attorney or myself. I am reposing huge trust on you regardless of your being a total stranger. Upon your reply, we shall discuss your percentage for your assistance.

Because of my sensitive position as serving government official, I will only give you more details of myself when we proceed further and I am sure of your sincerity. Thank you. Dr. Ivy Matsepe-Casaburri MINISTER OF COMMUNICATIONS Honesty and transparency, they are my best work tools


----------------------------------------------------------------
Confidentiality Notice: The information in this e-mail is confidential and may also be the subject of legal privilege. It is intended solely for the addressee. If you are not the intended recipient, please notify me immediately. You are hereby placed on notice that any copying, publication or any other form of dissemination of this e-mail or its contents is prohibited.This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.
----------------------------------------------------------------

What a total crock! Sure, it looks legit, but one thing you can count on with a good chunk of SPAM is that it will contain spelling errors, grammar errors, etc. Since when does a high ranking government official not capitalize “africa” anyways? Let’s look at another…

Dear valued customer Help It has come to our attention that your eBay Billing Information records are out of date. That requires you to update the Billing Information If you could please take 5-10 minutes out of your online experience and update your billing records, you will not run into any future problems with eBay's online service. However, failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account records, your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems. Please click here to update your billing records. http://billing.ebay.com Thank you for your time! Marry Kimmel, eBay Billing Department team.

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreementif you have any questions.

Copyright 2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.


eBay and the eBay logo are trademarks of eBay Inc

Copyright © 1995-2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use

of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

eBay official time

Yeah…ok…it looks legitimate enough, except I don’t use E-Bay. There are some other hints here that this is a SPAM…let’s look in the headers (in Outlook double-click on the message, then View > Options):

Microsoft Mail Internet Headers Version 2.0
Received: from SPCollege.edu ([172.16.1.12]) by EXVS1.SPCollege.edu with Microsoft SMTPSVC(6.0.3790.0); Mon, 10 Jan 2005 09:09:12 -0500
Received: from aslan.spcollege.edu ([66.194.104.39]) by SPCollege.edu with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 09:09:12 -0500
Received: by aslan.spcollege.edu (Postfix, from userid 501) id 9713270187; Mon, 10 Jan 2005 09:08:01 -0500 (EST)
Received: from mailrelay.megawebservers.com (mailrelay1-2.megawebservers.com [216.251.35.241]) by aslan.spcollege.edu (Postfix) with ESMTP id DF0A770185 for <[email protected]>; Mon, 10 Jan 2005 09:08:00 -0500 (EST)
Received: from web152.megawebservers.com (web152.megawebservers.com [216.251.35.152]) by mailrelay.megawebservers.com (8.13.1/8.13.1) with ESMTP id j0AE9AT6012437 for <[email protected]>; Mon, 10 Jan 2005 09:09:10 -0500
Received: from web152.megawebservers.com (localhost [127.0.0.1]) by web152.megawebservers.com (8.12.10/8.12.6/SuSE Linux 0.6) with ESMTP id j0AE9AVE004618 for <[email protected]>; Mon, 10 Jan 2005 09:09:10 -0500
Received: (from Unknown UID 30500@localhost) by web152.megawebservers.com (8.12.10/8.12.6/Submit) id j0AE9Avf004617; Mon, 10 Jan 2005 09:09:10 -0500
Date: Mon, 10 Jan 2005 09:09:10 -0500
Message-Id: <[email protected]>
To: [email protected]
Subject: update your credit /debit card information on your eBay account
From: eBay <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on aslan.spcollege.edu
X-Spam-Level: ***
X-Spam-Status: No, hits=3.2 required=20.0 tests=AWL,CLICK_BELOW,HTML_70_80, HTML_MESSAGE,HTML_TAG_BALANCE_A,HTML_TAG_BALANCE_BODY, MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,SUBJ_YOUR_DEBT autolearn=no version=2.63
Return-Path: [email protected]
X-OriginalArrivalTime: 10 Jan 2005 14:09:12.0364 (UTC) FILETIME=[F5D3FEC0:01C4F71D]

Where the heck is the E-Bay dot com part? Sure, they may use megawebservers, but it would be highly unlikely E-Bay would not use the correct return path. Keep in mind, though, that From:, Reply-To: and Return-Path: are all typed in by the sender and prove nothing either way; what the sender cannot rewrite are the Received: lines our own servers added, and those show the message walking in from mailrelay.megawebservers.com [216.251.35.241], a web-hosting company’s relay, with a local process under an unnamed account (“Unknown UID 30500”) on a shared web server at the bottom of the chain. Notice also that our site’s SpamAssassin scored it 3.2 against a threshold of 20.0 (the program’s own default is 5.0), so content scoring alone was never going to catch this one; the headers did.

Let’s “test” our theory by sending an email to E-Bay and see what the return headers “say.” I navigated through their help system to find something that would send me an email response…to here: http://pages.ebay.com/help/newtoebay/customer-support.html Then I sent an email requesting instructions on how to use Ebay…they should send me the link with instructions or at least send me an email telling me they received the email and I would be getting an answer soon. Then we can check the headers to see if the return paths match. Oh sure, you probably won’t have to go through all of this, but it is fun all the same. If you don’t know who it is, what it is, or if it sounds too “good” to be true, then delete it. This is becoming a classic SPAM email, using a technique known as “Phishing.” The SPAMMERS/Hackers are fishing for your information to steal your stuff. Never use the personal stuff over the net…enough said?

Sure enough, in about 5 minutes I got a reply…here are the headers:

Microsoft Mail Internet Headers Version 2.0
Received: from SPCollege.edu ([172.16.1.12]) by EXVS1.SPCollege.edu with Microsoft SMTPSVC(6.0.3790.0); Thu, 13 Jan 2005 12:52:06 -0500
Received: from aslan.spcollege.edu ([66.194.104.39]) by SPCollege.edu with Microsoft SMTPSVC(6.0.3790.211); Thu, 13 Jan 2005 12:52:06 -0500
Received: by aslan.spcollege.edu (Postfix, from userid 501) id 4BDE77008E; Thu, 13 Jan 2005 12:50:51 -0500 (EST)
Received: from smf-klm-02.corp.ebay.com (outbound1.smf.ebay.com [66.135.215.134]) by aslan.spcollege.edu (Postfix) with ESMTP id A70DA7008D for <[email protected]>; Thu, 13 Jan 2005 12:50:50 -0500 (EST)
Received: from [10.112.115.41] (HELO rhv-kas-11.kana.corp.ebay.com) by smf-klm-02.corp.ebay.com (CommuniGate Pro SMTP 4.1.5) with SMTP id 49834794 for [email protected]; Thu, 13 Jan 2005 09:48:29 -0800
Precedence: bulk
Auto-Submitted: auto-replied


Date: Thu, 13 Jan 2005 09:48:30 -0800
To: <[email protected]>
Subject: Thank you for writing to eBay's Support Team (KMM26135441V38508L0KM)
From: eBay Customer Support <[email protected]>
Reply-To: eBay Customer Support <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: KANA Response 6.5.0.309
Message-ID: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on aslan.spcollege.edu
X-Spam-Level:
X-Spam-Status: No, hits=0.3 required=20.0 tests=AWL,SUBJ_HAS_UNIQ_ID autolearn=no version=2.63
Return-Path: [email protected]
X-OriginalArrivalTime: 13 Jan 2005 17:52:06.0271 (UTC) FILETIME=[988980F0:01C4F998]

Yup…we have mostly confirmed the first email was not a legitimate email: the real thing arrived at aslan.spcollege.edu from outbound1.smf.ebay.com [66.135.215.134], a host whose reverse-DNS name is inside ebay.com, while the “billing” message came in from a web-hosting company’s relay. Oh sure, maybe EBAY used a mass mailer to ask everyone for their information, but they know better after all the phishing scams that are out there…Here is another golden oldie to get you to a site and steal or coax stuff out of you:

Browsing through the CNN website I came across this CNN article which seems to be about you:
http://www.cnn.com:[email protected]/
Yours, Jennifer Hawkings

The trick is in the address. Everything between “http://” and the “@” is treated by the browser as a user name and password, not as the site; the site you actually land on is whatever comes after the “@”, and “www.cnn.com” is only there to fool your eye.
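An added example (mine, not the book’s code) of checking such a link before clicking it: Python’s standard URL parser splits off the user-name part exactly as the browser does, so the functions below report the host you would really be sent to and flag an address whose “user name” is dressed up to read like a site. The links are constructed stand-ins for the redacted one above; attacker.example is a placeholder, not a real site.

```python
from urllib.parse import urlsplit

# Constructed look-alikes of the "golden oldie" above; none points at a real site.
SAMPLE_LINKS = [
    "http://www.cnn.com:story4763@attacker.example/article.html",  # user:password@host
    "http://www.cnn.com@attacker.example/",                        # user@host, no password
    "http://www.cnn.com/2005/TECH/article.html",                   # an honest link
]


def real_host(url):
    """The host the browser will actually connect to: anything before '@' is userinfo, not the site."""
    return urlsplit(url).hostname or ""


def looks_disguised(url):
    """True when the user-name part is dressed up to read like a site name (contains a dot or starts with www)."""
    parts = urlsplit(url)
    user = parts.username or ""
    return "@" in parts.netloc and ("." in user or user.lower().startswith("www"))


def audit_links(urls):
    """(url, real host, disguised?) for each link, so a whole message can be checked at once."""
    return [(u, real_host(u), looks_disguised(u)) for u in urls]


if __name__ == "__main__":
    for url, host, disguised in audit_links(SAMPLE_LINKS):
        print(f"{'SUSPECT' if disguised else 'ok     '} {url} -> {host}")
```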


Here is an example of an email that was tagged by the spam filter on our mail server (SpamAssassin on aslan.spcollege.edu) as suspected SPAM. Certain words, phrases and header oddities are each assigned “points”, and once the total passes the pre-set threshold the message is flagged as possible SPAM:

Spam detection software, running on the system "aslan.spcollege.edu", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see [email protected] for details.

Content preview: DEAR FRIEND: DO YOU WANT SOME EXTRA CASH? This is an UPDATED and IMPROVED version of a highly successful marketing program that is making people WEALTHY. It can easily make you many thousands of $$$ in the next few months. I know you have seen claims like that before, but do not just dismiss the idea. Give it a chance, and take the time to carefully read this ENTIRE letter. After you have read it all, if you still think it is nonsense, throw it away and you will have lost nothing. But I think you will keep it once you realize its potential. If you would enjoy honestly making big money from home, act on this offer today! [...]

Content analysis details: (37.5 points, 20.0 required)

 pts rule name              description
---- ---------------------- -------------------------------------------
 1.1 EARN_MONEY             BODY: Message talks about earning money
 2.8 NO_INVESTMENT          BODY: No Investment
 2.2 MLM                    BODY: Multi Level Marketing mentioned
 2.8 ORDER_REPORT           BODY: Order a report from someone
 0.7 RISK_FREE              BODY: Risk free. Suuurreeee....
 2.8 INVALUABLE_MARKETING   BODY: Invaluable marketing information
 0.9 BANG_MONEY             BODY: Talks about money with an exclamation!
 1.9 AS_SEEN_ON             BODY: As seen on national TV!
 1.1 DEAR_FRIEND            BODY: Dear Friend? That's not very dear!
 0.2 REMOVE_IN_QUOTES       BODY: List removal information
 0.7 FOR_FREE               BODY: No such thing as a free lunch (1)
 2.5 EXTRA_CASH             BODY: Offers Extra Cash
 1.6 OPPORTUNITY            BODY: Gives information about an opportunity
 2.1 FINANCIAL              BODY: Financial Freedom
 2.8 INITIAL_INVEST         BODY: Requires Initial Investment
 2.3 ONE_TIME_MAILING       BODY: one time mailing doesn't mean it isn't spam
 2.8 COPY_ACCURATELY        BODY: Common pyramid scheme phrase (1)
 0.0 LINES_OF_YELLING       BODY: A WHOLE LINE OF YELLING DETECTED
 0.1 LINES_OF_YELLING_2     BODY: 2 WHOLE LINES OF YELLING DETECTED
 3.3 MSGID_FROM_MTA_SHORT   Message-Id was added by a relay
 2.8 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 0.0 CASHCASHCASH           Contains at least 3 dollar signs in a row

Heck, from a “hacker” perspective I now know what phrases to avoid to be detected as SPAM, but we want to be good, right? (The two non-BODY rules near the bottom are worth a second look: a Message-Id added by a relay and a Date: header hours ahead of the Received: time are the same header oddities we were hunting for by hand earlier.)


• Make a plan of attack for how you would research this email. • Is it or is it not SPAM? • Where does it come from? • How could you stop it from coming?
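To make the scoring concrete, here is an added example (mine, not the book’s and not SpamAssassin’s own code) that does in miniature what the report above shows: a handful of rules, each a pattern with a point value, are run over the message body, the points are summed, and the total is compared with a threshold; it then stamps the X-Spam-Status and X-Spam-Level headers we saw in the eBay headers earlier and shows how the Outlook rule later in this lab (“X-Spam-Level: ***”) matches them. The point values are the ones printed in the report; the patterns are my rough approximations of what those rules look for, not the real ones. The message text is the content preview quoted above.

```python
import re

# Rules modelled on the SpamAssassin 2.63 report above: (name, points, pattern).
# The points are the ones printed in that report; the patterns are my own rough
# approximations of what those rules look for, not SpamAssassin's real rules.
RULES = [
    ("DEAR_FRIEND",  1.1, re.compile(r"\bdear\s+friend\b", re.I)),
    ("EXTRA_CASH",   2.5, re.compile(r"\bextra\s+cash\b", re.I)),
    ("EARN_MONEY",   1.1, re.compile(r"\b(?:make|making|earn|earning)\b.{0,20}?\b(?:money|thousands)\b", re.I | re.S)),
    ("BANG_MONEY",   0.9, re.compile(r"\bmoney\b[^!]{0,40}!", re.I)),
    ("RISK_FREE",    0.7, re.compile(r"\brisk[\s-]*free\b", re.I)),
    ("FOR_FREE",     0.7, re.compile(r"\bfor\s+free\b", re.I)),
    ("CASHCASHCASH", 0.0, re.compile(r"\${3}")),   # listed but worth nothing, as in the report
]
DEFAULT_REQUIRED = 5.0   # SpamAssassin's shipped default threshold
SITE_REQUIRED = 20.0     # what aslan.spcollege.edu was set to in this chapter's headers

# The content preview quoted in the report above.
PREVIEW = (
    "DEAR FRIEND: DO YOU WANT SOME EXTRA CASH? This is an UPDATED and IMPROVED version "
    "of a highly successful marketing program that is making people WEALTHY. It can easily "
    "make you many thousands of $$$ in the next few months. I know you have seen claims like "
    "that before, but do not just dismiss the idea. Give it a chance, and take the time to "
    "carefully read this ENTIRE letter. After you have read it all, if you still think it is "
    "nonsense, throw it away and you will have lost nothing. But I think you will keep it once "
    "you realize its potential. If you would enjoy honestly making big money from home, act "
    "on this offer today!"
)


def score_message(body):
    """Run every rule over the body; return (total points, names of the rules that fired)."""
    hits = [name for name, _, pattern in RULES if pattern.search(body)]
    total = sum(points for name, points, _ in RULES if name in hits)
    return round(total, 1), hits


def tag_headers(body, required=DEFAULT_REQUIRED):
    """Build the X-Spam-* headers a SpamAssassin-style filter stamps on a message."""
    score, hits = score_message(body)
    verdict = "Yes" if score >= required else "No"
    return {
        "X-Spam-Status": f"{verdict}, hits={score} required={required} tests={','.join(hits)}",
        "X-Spam-Level": "*" * int(score),   # one star per whole point, as in the chapter's headers
    }


def outlook_rule_matches(headers, stars):
    """The Outlook rule from later in this lab ('with specific words in the message header',
    the words being 'X-Spam-Level: ' plus N asterisks). Outlook does a plain substring
    test, so N stars catch every message scored N points or more."""
    needle = "X-Spam-Level: " + "*" * stars
    header_block = "\n".join(f"{name}: {value}" for name, value in headers.items())
    return needle in header_block


if __name__ == "__main__":
    for required in (DEFAULT_REQUIRED, SITE_REQUIRED):
        stamped = tag_headers(PREVIEW, required)
        print(stamped["X-Spam-Status"])
        print("X-Spam-Level:", stamped["X-Spam-Level"],
              "| Outlook rule with *** fires:", outlook_rule_matches(stamped, 3))
```

The same text scores “Yes” at the 5.0 default and “No” at the site’s 20.0, which is the point the eBay headers made: a threshold that high lets nearly everything through. Note also that “X-Spam-Level: ***” is found inside “X-Spam-Level: *****”, so three stars in the Outlook rule means “three points or more”.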

Where does it come from? Hackers typically look for vulnerable e-mail servers by scanning for openings on port 25 (see the scanning lab for more instructions). Once they find one they must determine whether the server will relay mail for outsiders. The version banner is a hint (sendmail turned relaying off by default starting with 8.9, and older or carelessly configured servers may still allow it), but the only real test is to ask: if a RCPT TO for a domain the server does not host gets a 250 instead of “550 Relaying denied,” it is an open relay. Do your research.

Sendmail v8.x instructions:

1. Telnet to the SMTP port (25).
2. Type HELP to view the available commands.
3. Type HELO hacker.com and hit <return>. This is the name (hacker.com) that will appear just after “Received: from” in the email; the receiving server adds the real reverse-DNS name and IP address in parentheses after it, which is why that parenthesised part is the one to trust.
4. Now you have to give the address it is coming from…yeah, sure…go ahead and put a fake one in…the mail program doesn’t know any better (the angle brackets are part of the syntax): MAIL FROM:<fake@1.1.1.0>
5. Then you have to tell the program where to send the email to: RCPT TO:<[email protected]> This is the step that tells you whether the server relays: 250 means yes, 550 means no.
6. Then type DATA and add some text if you would like. Header lines come first (Subject: Crap), then a blank line, then the message: blah, blah, blah
7. End the message with a line containing only a period and hit <return>.
8. If the message “accepted for delivery” appears then it worked!

Remember, doing this over the net is a jailable offense…you probably don’t want to spend 10-20 years showering with convicts.
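The dialogue above, turned into a test you can run against your own server to make sure it is not an open relay. This is an added example for this edition, not the book’s code; it uses Python’s standard smtplib for the client side and includes a small stub SMTP server (constructed for the example, answering the way a sendmail 8.9 or later host does) so the whole exchange runs on your own machine with no network involved. The probe deliberately stops after RCPT TO: the 250-or-550 answer to that command is the whole result, and never sending DATA means no message is injected anywhere. The host names and addresses (probe.example, example.org, example.net, example.edu) are placeholders.

```python
import smtplib
import socketserver
import threading


class StubSMTPHandler(socketserver.StreamRequestHandler):
    """Throw-away SMTP server for practising the check offline (constructed for this
    example). It answers like a sendmail 8.9+ host: RCPT TO for a domain it does not
    host gets '550 Relaying denied' unless it was started with open_relay=True."""

    def handle(self):
        self.wfile.write(b"220 stub.example ESMTP stub ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = "250 stub.example Hello " + arg   # whatever name you claim is echoed back
            elif verb == "MAIL":
                reply = "250 2.1.0 Sender ok"             # MAIL FROM is never verified
            elif verb == "RCPT":
                domain = arg.rsplit("@", 1)[-1].strip("<> ").lower()
                if self.server.open_relay or domain in self.server.local_domains:
                    reply = "250 2.1.5 Recipient ok"
                else:
                    reply = "550 5.7.1 Relaying denied"
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:
                reply = "502 5.5.1 Command not implemented"
            self.wfile.write((reply + "\r\n").encode("ascii"))


def start_stub(local_domains, open_relay=False):
    """Start the stub on 127.0.0.1 on a free port; call .shutdown() and .server_close() when done."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTPHandler)
    server.daemon_threads = True
    server.local_domains = {d.lower() for d in local_domains}
    server.open_relay = open_relay
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def relay_probe(host, port, sender="probe@example.org", recipient="someone@example.net"):
    """Run HELO / MAIL FROM / RCPT TO against a server and report whether it accepted a
    recipient it does not host. Stops before DATA, so nothing is ever sent.
    Returns (relays, transcript); transcript is a list of (command, (code, text))."""
    transcript = []
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5) as smtp:
        transcript.append(("HELO probe.example", smtp.helo("probe.example")))
        transcript.append((f"MAIL FROM:<{sender}>", smtp.mail(sender)))
        code, text = smtp.rcpt(recipient)
        transcript.append((f"RCPT TO:<{recipient}>", (code, text)))
    return code == 250, transcript


if __name__ == "__main__":
    srv = start_stub(["example.edu"])          # a server that hosts example.edu only
    try:
        relays, transcript = relay_probe("127.0.0.1", srv.server_address[1])
        for cmd, (code, text) in transcript:
            print(f"C: {cmd}\nS: {code} {text.decode()}")
        print("open relay:", relays)
    finally:
        srv.shutdown()
        srv.server_close()
```

Point relay_probe at a real host and port 25 only for a server you administer; the transcript it prints is the same exchange you would type by hand in telnet.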

E-mail harvesting programs

There are a couple of ways those SPAMmers get your email address: pure guessing and e-mail harvesting. Harvesting programs, like Target 2001 (by Microsys Technologies… http://www.1-bulk-email.com/on-target-2001.html), work like a worm that crawls through the web (without permission) and “harvests” every e-mail address it finds on the web pages, message boards and newsgroup archives it can reach. The results are sent back to the originator. How easy is that? On that website you will see many programs for harvesting e-mail…chilling. Take a look sometime “behind the scenes of a webpage.” Try to figure out where all those advertisements link back to. A lot of them go through a couple of companies: doubleclick.com, an advertising network, and akamai.net, which is a content-delivery network paid by the websites themselves to serve their images and ad files faster. The one to worry about is the ad network: it sets its own cookie, sees that same cookie on every site that carries its ads, and so builds a database of where you go that people would love to get their hands on.

Using a SPAM filter

Now on your computer you can change some of your settings once you have received SPAM. Microsoft Outlook is a client-based email system: in its usual POP3 setup it transfers email from the email server (sometimes called a POP or POP3 server) to the workstation and then deletes the email from the email server. This is one of the most widely-used email clients in the world and thus the one hackers and exploit writers target most. Later we will discuss pop-up ads in the same vein. Being client based has some advantages and disadvantages.

Overall good rules for keeping away from SPAM

There are many good things you can do with emails you receive that you were not expecting. Never, ever, flame the SPAMmer: the From address is almost always forged, so your flame lands on an innocent third party or a bounce reflector. Be nice now. Use that “anonymous” hotmail account address in newsgroups. Use a SPAM filter if you can. Never send a reply to be “removed from a mailing list.” This only confirms they have reached a valid address and you will be inundated with even more SPAM. Try not to give out your email or web address if at all possible. Use that dummy account. Heck, once it fills up then no more can be received. Enough said…no more problem.

What to do with SPAM once you get it…

At home? Just delete it. At work? Just forward it to the network administrator of your company. That is you? Do the research you learned here in this lab and write an ACL for your router, tweak your firewall, or just delete it and do not worry about it right now. Besides, you have enough to worry about with all those cookies out there. If you are an administrator then you should have something about SPAM reception in your Acceptable Use Policy (AUP)…but that is another lab. The Federal Trade Commission also would like to have unsolicited advertisements (SPAM or otherwise) sent to them ([email protected]). There are also anti-SPAM websites. Try searching for some of these.

Using a SPAM filter in MS-Outlook (SPC Helpdesk Instructions)

These are basic instructions for setting up a SPAM filter in your Outlook email. These filters can be very effective, but you should also be aware that they may occasionally filter valid email; therefore, it is not recommended that you set the filter to send the email directly to your “Deleted Items” folder. Instead, you should send it to a separate folder, where you can scan the contents to make sure there are no valid emails mixed in with the SPAM, and from there you can delete the messages. The rule below keys on the X-Spam-Level header, which is only there if a SpamAssassin-style filter on your mail server (in our case aslan.spcollege.edu) has already scored the message, so check your own headers for it first. Depending on your version of Outlook, you may already have a “Junk E-mail” folder that can be used for this purpose. If you do not already have a “Junk E-mail” folder, you can right click on your Mailbox folder (Mailbox – User Name), and select “New Folder”. You can name this folder whatever you wish.

Creating your SPAM Filter:

From the Outlook Menu, select “Tools” then “Rules and Alerts”.
Click on “New Rule”.
Select “Start from a blank rule”.
With “Check Messages When They Arrive” highlighted, click “Next”.


Under Step 1, select the box next to “with specific words in the message header”.
Under Step 2, click on the link “specific words”, and in the box that opens up, type X-Spam-Level: * then click on “Add”, which will move the asterisk(s) to the search list, surrounded by quote marks. Click “OK”.


(NOTE: You can type from 1 to 5 asterisks in this box *****. Outlook matches the text as a substring, so “X-Spam-Level: ***” catches every message scored three points or higher. The more asterisks you type, the higher the chances of getting SPAM in your Inbox; the fewer you type, the higher the chances of moving valid email to your SPAM mailbox.)
Click “Next”.
Under Step 1, select the box next to “move it to the specified folder”.
Under Step 2, click on the link “specified”, and in the box that opens up, highlight (select) the folder that you have created for your SPAM Mail, and click “OK”.


Click “Next”.
Click “Next” again.
Make sure that there is a check mark in the box next to “Turn on this rule”, and click “Finish”.


Click “Apply” and click “OK”.

So What Did I Learn Here?

Boy…who knew there was so much to learn about SPAM? In this lab you learned about SPAM in general, how to read those headers, about e-mail harvesting, how to use a SPAM filter, and some things to do with SPAM once you get it. Go ahead and try some of the supplemental labs and check out some of these websites if you have some time.

Supplemental Lab or Challenge Activity:

1. Go out and research RFC 821 and 822. Good SPAM reading. Look at those numbers: it really has been around for a while, huh?


2. Go out and research the email package “Sendmail.” You should be able to get many tutorials and operating manuals on it. Hackers are only as good as their research.

So What Did I Learn Here? In the short term I feel you have learned a bit more about SPAM and should not be as afraid to deal with it. If nothing else you have learned more about my definition of SPAM:

(1) Non commercial electronic communications—this would include emails from person to person not of a commercial nature. This I would call “email.”

(2) Commercial electronic communications—this would include emails with respect to a commercial enterprise, offering, or solicitation for business

(a) “Legitimate” commercial electronic communications—this would be the commercial enterprises who, following a set of standards, would make it easier for network administrators to control at the border by filtering. By following a set of standards they would be immune from prosecution for spamming. Including “ADV” or “PORN” in the subject line may be two such examples of standards. This I would call “email advertisements”

(b) “Illegitimate” commercial electronic communications—this would be those enterprises, commercial or otherwise, that use falsified information in electronic communications in anticipation of receiving responses or business. This is what I would call “SPAM.”

Having those other categories will encourage much cooperation between the government, legal authorities, and commercial entities. You see, much discussion about “pink slip” deals has surrounded SPAM. On the one hand, ISPs loathe SPAM in public documents, yet on the backside they cut side deals with the SPAMMERs, sometimes called “pink slips” or “pink contracts,” to allow them use of their bandwidth for x amount of dollars. It actually makes very good business sense. I say “why not?” “God bless America.” By defining SPAM in this fashion we have also opened up a legitimate channel for advertisers that also makes it easy for network administrators to control. Plus, now we have a method for, more or less, taxing commercial solicitations (at least the legitimate ones) through sales taxes at the ISPs for the bandwidth. As it currently exists we all know we can “skirt” sales taxes over the Internet in most respects. For example, living in Michigan I can buy something over the Internet from a company in Florida. There are no sales taxes assessed in Florida because the purchase comes from an out-of-state buyer. I would argue that we need to change this loophole, because when I visit Disney in Orlando I still get charged sales tax on my tickets, food, and souvenirs. Why one but not the other? Ok, now I am sure to get people screaming at me: “why am I arguing for more taxes?” Trust me, I don’t like to pay more than I should; however, we are talking in the context of curbing SPAM by changing a few legislative rules and procedures. In addition, I do not buy things over the Internet because it allows tracking of my information. Should there be a “tax” or an “Internet stamp” on emails? I do not think so, because the Internet should be free. It will continue to be how business is done, and business can bear the burden of paying taxes so that citizens do not have to directly pay them.

Page 57: Script Kiddie Cookbook


Page 58: Script Kiddie Cookbook


Chapter 11 Password Protection

• Introduction
• Creating passwords
• Where to record your password
• Geek stuff: Password cracking basics
• Summary

Many people take password protection for granted, yet at the same time they are very protective of their car keys and of locking their house. There is no difference when discussing password protection. Imagine a time not so long ago when tests were stored as hard copies in a locked filing cabinet. If someone broke into the cabinet by picking the lock or some other method and stole a test, then the teacher would usually not be negligent. On the other hand, if a test file was left open or the test was left on a desk in a public area, then the teacher would surely have been reprimanded for poor security. By not protecting your passwords or creating them well enough you are leaving your tests out on the table. In this chapter we will examine general password creation guidelines, where to record your passwords, and a quick bit of computer geek stuff for passwords.

Creating Passwords

All kinds of books go into the mathematics of password creation and involve huge numbers and how long it will take to “crack” a password of “x” length. It is not my intention to do that here. Instead, from my experiences with computer security I wanted to share with you some of my insight. A couple of years back I was hired by a company in Ybor City as a consultant. The president had fired his network administrator earlier in the day for whatever reasons and he gave that person until the end of the day to clear out his desk and go home. BIG MISTAKE! Not only did the guy go home but he changed the passwords all over the network equipment and did not inform anyone that he did so. So the new network administrator comes in the next day and cannot access anything on the network. First of all this is a violation of many laws and secondly it is not very nice.

Fortunately this person was not very smart, because using some general psychology and knowing about passwords in general I was able to “crack” through all but one of the passwords within an hour. The only one I could not “guess” I used a password cracker on, and obtained the password in a couple more hours. As I said earlier there is always someone smarter and better, so it’s not even worth risking jail time over this. If you ever find yourself in a position like that network administrator, always give a copy of all of your passwords to your now former employer and document the receipt of them for your own protection.

So how did I figure out his passwords? Simple. Most people are very lazy with their passwords. They tend to use things that are familiar to them when creating them. They will use their names, middle names, spouses’ names, children’s names, their favorite Disney character, their pets’ names, the names associated with their favorite hobby, the name of their favorite color, nicknames, the names of their parents (especially mother’s maiden name), characters from their favorite movies, or something very prominent from a theme in their office. For example, this guy had a lot of Star Trek stuff hanging around so I guessed and hit two of them right off the bat: captainkirk and enterprise. People also use numbers like anniversaries, birthdays, graduation days, and other ones.

Page 59: Script Kiddie Cookbook

The best passwords use a combination of numbers, letters, and special characters. I would also recommend the use of a combination of upper and lower case letters when creating them. How long should they be? You will be told for your specific network. Most require between 6 and 8 characters minimum. Let’s take a second and look at some good and bad passwords in table 1.

Bad Passwords    Good Passwords
mike             Mi8cH*aEl
anna             AN^n@Na
goofy            B3++3r
rover            H4XorZ*
beth             3ll1T3*5Io34K
surfer           $r52Much
green            5+4Ow+
daddy            8o4w4Y
momma            1<3wL5t\/f
silentbob        +ooH4rD3

Table 1—Good and Bad Passwords

It’s not rocket science…it’s creating a password for you to use. Unfortunately many networks require you to change your password periodically (usually every 30 days). If that is not enough, then they usually require unique passwords every time. So at some point most people write them down somewhere, and that is what we will discuss in our next section.

Where to Record Your Passwords

Another dead giveaway when figuring out passwords is when people write them down. You would be surprised how many people put a sticky note on the monitor with their passwords in plain sight. What good is having passwords then? It doesn’t stop there…stop me if you do these…people put them under their keyboards, on the little pull-out drawer in their desk, on the side of a garbage can, on a bulletin board, or even in a notebook (they think they are being cute by putting it on the last page, but I know better). Many people write them down and keep them in a purse or wallet too, which is not bad, but they forget about the imprint that is made on the subsequent pages below that top sticky note. I got one of that guy’s passwords in just that manner. The last thing he did was write one down on a sticky note, but the imprint was still left on the pad on his desk.

Page 60: Script Kiddie Cookbook


The best thing I can suggest, if you are going to write them down, is to make sure no imprint is being made and to keep them in your purse or wallet. You would be surprised how many people are keeping them in a manila file folder called “passwords.” There is a newer technology that is starting to spread which allows you to write down your passwords in a secured manner. This file uses very strong coding to prevent people from being able to read the contents of the file. In this file you will keep track of all of your passwords and will only be required to remember the password to this file. Whenever a password is required the program is executed and each password within the file is tried until the “magic” one (the one needed) allows access to whatever you needed. It still has a lot of problems (like maximum log-in attempts) but the point is: someone is trying to make it easier for you. In our next section we will talk about how hackers can use software to “crack” passwords. It is my hope you will see how easy cracking passwords can be and, in turn, you will take greater care in creating your passwords.

Page 61: Script Kiddie Cookbook

Preface: Why do they do it?

Microsoft is the most popular operating system in the world. The “hackers” of the world for years have known that (1) Microsoft has refused to make their programs open source and (2) that they can profit by the security holes in Microsoft, since they refuse to comply with the terms set in the “Hacker Manifesto.” Thus, hackers are in this for the profit, through referral payments from visitors.

Part 1: Legal Stuff

Maine Public Utilities Commission v. Verizon [Docket no. 2002-543]
www.state.me.us/mpuc/orders/2002/2002-543oai.pdf
The gist: worms, viruses and other deeds are predictable and therefore preventable.

Cobell v. Norton, 240 F.3d 1081 (DC Cir. 2001); 274 F. Supp. 2d 111 (DDC 2003)
http://www.indiantrust.com/
The gist: Courts can step in to decide security procedures.

City of Clearwater v. Times Publishing Co., 27 Fla. L. Weekly D1544a (Fla. 2d DCA July 3, 2002)
The gist: not everything on your computer is for the public to see, but you must use due diligence and set up your computer appropriately.

See also “Courts make users liable for security glitches”: www.cio.com/archive/020104/tl_litigation.html

Part 2: Having fun on the Internet…or not?

Trojans are programs or files that are executed on your computer…usually without your knowledge. Trojans can be:
• Games
• Videos
• Audio Clips
• Photographs
• Advertisements

The key for you is to NOT use the Internet whenever possible…let discretion be your better guide. Save the fun surfing for at home.

How to use your virus scanner:

First of all, make sure your technician has your computer set up to download any patches or “updates” automatically. Also, I would have them set up your scanner to check files before downloading or copying from a disk or thumb drive.
1. Click on your Start button, then Programs, then on Network Associates and finally on Virus Scan on-demand.
2. To check your entire computer select “Start.” To check only a certain folder click on “Add” then “drive or folder”, then select the location of that folder, then “ok” and then select “start.”
3. Hopefully your check will be clean. Contact CSS if needed.

Instant Messengers

I don’t recommend using Instant Messengers (AOL, MSN, ICQ, Yahoo, etc) because most of them are built on the Internet Explorer engine, allowing the IM companies (or hackers) to have full access to your computer and its documents. In their user policy you may see this line: “You waive all rights to privacy…” (enough said)

Part 3: The four food groups of the Internet

Java-Applets-Cookies-Spam

Cookies can be disabled by:
1. Opening IE
2. Clicking on Tools, Internet Options, Privacy (tab), Advanced, Over-ride Automatic Cookie Handling, and then
3. Switching both parties to “prompt” for cookies

I don’t recommend this…you will go nuts with all of the prompts at the various websites. Pop-up ads and spyware are simply avoided by switching from IE to using Mozilla Firefox as a browser (it is free and easy to use). http://www.mozilla.org It works with Peoplesoft, Crystal Reports, MS Outlook and other programs. If your application is video-intensive you may encounter slight problems.

Page 62: Script Kiddie Cookbook

SPYWARE AND POPUPs

To “clean out” spyware and pop-up ads you can use system restore points (XP/ME); in 2000, call your CSS technician.

Creating a System Restore point:
1. Click on Start, Help, Pick a task, Create a restore point.
2. Then name it (I do this once a month).

To restore to an earlier point:
1. Click on Start, Help, Pick a task, Restore my computer to an earlier time.
2. And the computer will “fix” itself. Your documents will be saved, but your programs will be reset to the state they were in at the restore point. If you installed any new software since then, you will have to do it again.

Part 4: Email Stuff

1. Proper “netiquette” dictates that YOU SHOULD NOT TYPE WITH ALL CAPITAL LETTERS, TO AVOID THE APPEARANCE OF SCREAMING!
2. Try not to use a font that will be difficult to read, or to put in a lot of color or graphics.
3. Never be afraid to use the phone first, and email second. “Tone” can be greatly misconstrued in email. Also, in a Sunshine Law state, think of any email as having the possibility of winding up in the newspaper.
4. Use BCC very sparingly.
5. Be careful not to “reply to all”; use “reply.”
6. You can request receipts for emails if needed. They can be blind requests or regular requests.

MS Outlook Email Stuff

To request a regular receipt:
1. After typing the email, click on “options” (on the standard toolbar).
2. Click on “request a delivery receipt for this message.”
3. And then “close.” The recipient will then permit/deny a receipt being sent to the sender.

To request a blind receipt:
1. After typing the email, click on “options” (on the standard toolbar).
2. Click on “request a read receipt for this message.”
3. And then “close.” The recipient will send a “read” receipt (without their knowledge) to the sender.

Have replies sent to:
Sometimes you want to send out a bulk email for someone else but do not want replies sent to you:
1. After typing the email, click on “options” (on the standard toolbar).
2. Click on “have replies sent to”.
3. Select a recipient.
4. And then “close.”

“Delayed email”:
1. After typing the email, click on “options” (on the standard toolbar).
2. Click on “do not deliver before” and then select the date and time.
3. And then “close.”

Viewing Email Headers:
1. In MS Outlook, open the email.
2. Click on “View” and then
3. “Header and Footer.”
SPAM usually has time zones of -0400 and -0600 instead of -0500 EDT.

Quick check for SPAM: When viewing the headers, does the “return-path” match the sender? For example, is the email from E-Bay being sent to the return-path address of ebay.com?

Setting up a SPAM filter (Windows 2000):
1. Select “tools”
2. Select “rules wizard”
3. Select “new”
4. Select “check messages when they arrive”
5. Choose your “options”
6. Select the word or phrase
7. Select an action (like move it to a folder or delete it)
8. Add any exceptions
9. Give the rule a name
10. Click on finish.

Then you can add more rules if you like. I prefer not to do this because you never know when you might “miss” an important email.

Part 5: Passwords

It is very important that you select good passwords and do not write them down on post-it notes, put them under your keyboard or in notebooks. Choose one with a combination of letters, numbers, and symbols that will be easy to remember. Example: “Linda” becomes “1in0|400o1” (Linda 0001).

Part 6: Backing up your data

It is vital to have your technician set up your computer to back up your emails to another server or show you how to back them up to a CD at least once a month. Test them too!

727-341-3010 [email protected]

Page 63: Script Kiddie Cookbook
Page 64: Script Kiddie Cookbook

(c) 2005 Matthew J. Basham

Staying one step ahead of the hackers: Computer security tips for the everyday user

Matthew J. Basham, Ph.D. (a.b.d.)

Page 65: Script Kiddie Cookbook

copyright laws of the United States of America. All rights reserved. No part of this slide show or manual, or derivatives thereof, can be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without explicit written permission from the author, except for the brief

Page 66: Script Kiddie Cookbook

Some ground rules

♦ Please turn your cell phones, beepers, pagers, blackberries to not make any noise
♦ Feel free to go to the restroom whenever
♦ Food and drink are not allowed in the room
♦ Call me “Matt”

Page 67: Script Kiddie Cookbook

Today’s Agenda

1. Legal stuff for you to know…
2. Having fun on the Internet…or not!
3. The four food groups of the Internet
4. Email stuff
5. Passwords: You got ’em, I can get ’em!
6. Backing up your data
♦ Q&A

Page 68: Script Kiddie Cookbook

The World would be better off without Microsoft…or would it?

♦ Microsoft is the most popular (by default) operating system.
♦ As such, it is the target of frequent criticism and hackers.
♦ If you use Microsoft then you stand “in between” the hackers and Microsoft; as such, you may have “problems” with your computer from time to time.

Page 69: Script Kiddie Cookbook

“It won’t happen here…”

♦ “Hackers cripple SPC Internet Classes” St. Petersburg Times; St. Petersburg, Fla.; Feb. 11, 2004; ADRIENNE P. SAMUELS
♦ “Hackers pilfer eighth-grade science exam” St. Petersburg Times; St. Petersburg, Fla.; Dec 14, 2000; LINDA GIBSON
♦ “Boy, 14, charged with hacking” St. Petersburg Times; St. Petersburg, Fla.; Feb 19, 2000; Bill Varian (the boy hacked into a server in which grades were stored at Crystal River High School)

Page 70: Script Kiddie Cookbook

Legal Stuff for you to Know
Part 1

Page 71: Script Kiddie Cookbook

Legal Stuff for you to Know

♦ Maine Public Utilities v. Verizon
– “The gist:” Worms, viruses, and other deeds are predictable and therefore preventable
– You get ’em…it’s your own fault
♦ Cobell v. Norton
– “The gist:” Courts can step in to determine adequate security procedures

Page 72: Script Kiddie Cookbook

Legal Stuff for you to Know

♦ City of Clearwater v. Times Publishing Co.
– “The gist: not everything on your computer is for the public to see…”
♦ The “key phrase” for you to remember is:
– “Due diligence”

Page 73: Script Kiddie Cookbook

Having fun on the Internet…or not!
Part 2

Page 74: Script Kiddie Cookbook

Having fun on the Internet…or not?

♦ Hackers now use programs called “trojans” that are downloaded onto your computer, usually without your knowledge.
♦ This can be done simply by an “executable” program being run from your computer to the website and depositing “stuff” onto your computer.

Page 75: Script Kiddie Cookbook

Having fun on the Internet…or not?

♦ Trojan programs can be:
– Games
– Videos
– Audio clips
– Photographs
– Advertisements

Page 76: Script Kiddie Cookbook

Having fun on the Internet…or not?

♦ Why do hackers do this?

Page 77: Script Kiddie Cookbook

Having fun on the Internet…or not?

Page 78: Script Kiddie Cookbook

Having fun on the Internet…or not?

Page 79: Script Kiddie Cookbook

Having fun on the Internet…or not?

♦ The key phrase here is “avoidance.”
♦ Most of the time you do not need to be using the web…the less you use it the less likely you are to “cause problems.”
♦ Has anyone seen the commercial for the “pink slip” virus?

Page 80: Script Kiddie Cookbook

Having fun on the Internet…or not?

♦ Be sure to learn how to use your virus checker to “scan” documents for viruses

Page 81: Script Kiddie Cookbook

Having fun on the Internet…or not?

Page 82: Script Kiddie Cookbook

Having fun on the Internet…or not?

Page 83: Script Kiddie Cookbook

Having fun on the Internet…or not?

Page 84: Script Kiddie Cookbook

Having fun on the Internet…or not?

♦ Final note here about Instant Messengers (AOL, MSN, Yahoo, ICQ, etc)
♦ Using them might create a security breach for your computer and you…do you want to possibly cause having student data released on to the Internet?

Page 85: Script Kiddie Cookbook

The four food groups of the Internet
Part 3

Page 86: Script Kiddie Cookbook

The “Four Food groups of the Internet”

♦ We all know about food groups:

Nutrition   Internet
Meat        SPAM
Fruits      Applets
Breads      Cookies
Dairy       Java

♦ The key phrase for you is the four food groups can create “problems for you.”

Page 87: Script Kiddie Cookbook

How does IE work?

♦ When you are on the Internet files are “downloaded” to your computer and “uploaded” from your computer.
♦ Some of these files are called “cookies” and “applets.”
♦ There are security settings you can change to notify you every time these things happen but they would be a pain in the keister.

Page 88: Script Kiddie Cookbook

How does IE work?

Page 89: Script Kiddie Cookbook

Why not IE?

♦ “Spyware” and “Pop-up Ads” work on the same premise…
♦ You are using IE…and “they” know that IE MUST allow files to be uploaded and downloaded at will.
♦ Thus, it is very easy to “download” trojans onto your computer and make your life “interesting” when you use your computer.

Page 90: Script Kiddie Cookbook

What else is there?

♦ Mozilla’s Firefox program is very, very similar to IE, except that the “code” was written completely differently.
♦ Thus, any problems with hackers, trojans, spyware, and pop-up ads are “eliminated” by simply switching to Firefox.
♦ Mozilla Firefox is a free program.

Page 91: Script Kiddie Cookbook

Mozilla Firefox Browser

Page 92: Script Kiddie Cookbook

Some “issues” with Firefox

♦ There are some, not many, websites that encounter “problems” with Firefox.
♦ Usually it is those sites that require Flash players, or advanced graphics tools.
♦ Firefox works ok with Peoplesoft, Crystal Reports, and MS Outlook.

Page 93: Script Kiddie Cookbook

How can I get Firefox?

♦ Simple, just pick your favorite web searching engine…put in “mozilla firefox” and you should be pointed right to the website.
♦ Then, just download it and you are ready to go!
♦ P.S. I don’t get any money for suggesting Firefox

Page 94: Script Kiddie Cookbook

What if I have a bunch of Pop-ups?

♦ Pop up ads are nothing more than trojans that have been downloaded to your computer that have “altered” the main core of the Windows operating system known as “the registry.”
♦ To fix any problems you need to do a system restore (which is beyond this class but included in the on-line course).

Page 95: Script Kiddie Cookbook

Email stuff
Part 4

Page 96: Script Kiddie Cookbook

E-mail Stuff

♦ Netiquette:
– You should try to refrain from using all capital letters SO YOU DON’T SEEM TO BE SCREAMING AT ME.
– Also, try to use an “acceptable” font…nothing too big, nor too difficult to read
– Try not to use the “BCC” option too much…people will be afraid to open your emails

Page 97: Script Kiddie Cookbook

E-mail Stuff

♦ Be careful to choose “reply” and not “reply to all”
♦ You can request a “receipt” or physical acknowledgement by the recipient

Page 98: Script Kiddie Cookbook

Page 99: Script Kiddie Cookbook

SPAM

♦ What is SPAM?
♦ A “bunch” of what you receive is not SPAM, it was “farmed” or “mined” information and “target marketed.”
♦ Most advertisements are generated from these methods and from you asking “to be kept informed of special events, discounts, etc.”

Page 100: Script Kiddie Cookbook

Which ones are SPAM?

♦ Huntington Bank: Your account information needs to be updated.
♦ EBAY/PAYPAL: Your account has been suspended.
♦ St. Petersburg College: Your access may be discontinued.
♦ Internet Millionaire Guarantees your success!
♦ I am a Nigerian official trying to get money out of Africa.

Page 101: Script Kiddie Cookbook

How to tell if an email is SPAM.

♦ In MS Outlook View > Header and Footer
♦ We are in the Eastern Time Zone five hours behind GMT which is -0500 in computer speak.

Page 102: Script Kiddie Cookbook

How to tell if an email is SPAM.

♦ A quick check is to look for the return address.

Page 103: Script Kiddie Cookbook

SPAM filters

♦ They work by looking for “keywords”
♦ Each keyword is assigned a “point.” (Everything is mathematical in computers)
♦ Enlarger=1; sex=1; cheating housewife=1; pornography=1; huntingtonbank=20, etc.
♦ If too high a total is reached for an incoming email it is “flagged” as possible SPAM.
♦ You can set your own keywords too.

Page 104: Script Kiddie Cookbook

MS Outlook SPAM filter setup

Page 105: Script Kiddie Cookbook

MS Outlook SPAM filter setup

Page 106: Script Kiddie Cookbook

MS Outlook SPAM filter setup

Page 107: Script Kiddie Cookbook

MS Outlook SPAM filter setup

Page 108: Script Kiddie Cookbook

MS Outlook SPAM filter setup

Page 109: Script Kiddie Cookbook

Passwords: You got ’em, I can get ’em!
Part 5

Page 110: Script Kiddie Cookbook

Passwords: You got ’em, I can get ’em!

♦ People are lazy with their passwords...
– On a lamp
– post-it note
– desk top
– side of monitor
– pull-out drawer
– garbage can
– under a keyboard
– in a rolodex
– or in a notebook

Page 111: Script Kiddie Cookbook

Backing up your data
Part 6

Page 112: Script Kiddie Cookbook

Backing up Data

♦ Set up your computer so an archive copy of your emails is sent to another computer or server.
♦ If you do not know how, then submit a work order to your CSS through the help desk to accomplish this task.
♦ Periodically “spot check” and test the validity of the backup.

Page 113: Script Kiddie Cookbook

SPC Rules and Procedures

♦ You are responsible for everything on your computer and the college can look at anything at any time, private or not (6Hx23.6.900)
♦ You are responsible for the security of your data and your passwords (P6Hx23-1.8104)

Page 114: Script Kiddie Cookbook

Summary of “Key Phrases”

“Due Diligence”
“Avoids”
“Problems for you”

Page 115: Script Kiddie Cookbook

What is next?

♦ Normally there is a handout with step-by-step instructions on each subject discussed here, but funds prohibit reproducing it.
♦ You can go to http://www.lulu.com/learningbydoing and download it for free.

Page 116: Script Kiddie Cookbook

Question and Answer session

Feel free to contact me: 341-3010 [email protected]

Page 117: Script Kiddie Cookbook
