ch08.htm

Maximum Security (First Edition) 网络安全 英文版

a new user, that chapter (and in fact, the whole book) will serve you well. (Moreover,
users who are new to UNIX but have recently been charged with occasionally using
a UNIX system will find the book very informative.)</P>
<P>Oh yes. For those of you who are seriously considering wholesale e-mail bombings
as a recreational exercise, you had better do it from a cracked mail server. A <I>cracked
mail server</I> is one that the cracker currently has control of; it is a machine
running sendmail that is under the control of the cracker.</P>
<P>If not, you may spend some time behind bars. One individual bombed Monmouth University
in New Jersey so aggressively that the mail server temporarily died. This resulted
in a FBI investigation, and the young man was arrested. He is reportedly facing several
years in prison.</P>
<P>I hope that you refrain from this activity. Because e-mail bombing is so incredibly
simple, even crackers cast their eyes down in embarrassment and disappointment if
a comrade implements such an attack.
<H3><FONT COLOR="#000077"><B>List Linking</B></FONT></H3>
<P>List linking is becoming increasingly common. The technique yields the same basic
results as an e-mail bomb, but it is accomplished differently. List linking involves
enrolling the target in dozens (sometimes hundreds) of e-mail lists.</P>
<P>E-mail lists (referred to simply as <I>lists</I>) are distributed e-mail message
systems. They work as follows: On the server that provides the list service, an e-mail
address is established. This e-mail address is really a pointer to an executable
program. This program is a script or binary file that maintains a database (usually
flat file) of e-mail addresses (the members of the list). Whenever a mail message
is forwarded to this special e-mail address, the text of that message is forwarded
to all members on the list (all e-mail addresses held in the database). These are
commonly used to distribute discussions on various topics of interest to members.</P>
<P>E-mail lists generate a lot of mail. For example, the average list generates 30
or so messages per day. These messages are received by each member. Some lists digest
the messages into a single-file format. This works as follows: As each message comes
in, it is appended to a plain text file of all messages forwarded on that day. When
the day ends (this time is determined by the programmer), the entire file--with all
appended messages--is mailed to members. This way, members get a single file containing
all messages for the day.</P>
<P>Enrolling a target in multiple mailing lists is accomplished in one of two ways.
One is to do it manually. The harassing party goes to the WWW page of each list and
fills in the registration forms, specifying the target as the recipient or new member.
This works for most lists because programmers generally fail to provide an authentication
routine. (One wonders why. It is relatively simply to get the user's real address
and compare it to the one he or she provides. If the two do not match, the entire
registration process could be aborted.)</P>
<P>Manually entering such information is absurd, but many individuals do it. Another
and more efficient way is to register via fakemail. You see, most lists allow for
registration via e-mail. Typically, users send their first message to an e-mail address
such as this one:</P>
<PRE><FONT COLOR="#0066FF">list_registration@listmachine.com
</FONT></PRE>
<P>Any user who wants to register must send a message to this address, including
the word <TT>subscribe</TT> in either the subject line or body of the message. The
server receives this message, reads the provided e-mail address in the From field,
and enrolls the user. (This works on any platform because it involves nothing more
than sending a mail message purporting to be from this or that address.)</P>
<P>To sign up a target to lists en masse, the harassing party first generates a flat
file of all list- registration addresses. This is fed to a mail program. The mail
message--in all cases--is purportedly sent from the target's address. Thus, the registration
servers receive a message that appears to be from the target, requesting registration
to the list.</P>
<P>This technique relies on the <I>forging</I> of an e-mail message (or generating
fakemail). Although this is explained elsewhere, I should relate something about
it here. To forge mail, one sends raw commands to a sendmail server. This is typically
found on port 25 of the target machine. Forging techniques work as follows: You Telnet
to port 25 of a UNIX machine. There, you begin a mail session with the command <TT>HELO</TT>.
After you execute that command, the session is open. You then specify the FROM address,
providing the mail server with a bogus address (in this case, the target to be list-linked).
You also add your recipient and the message to be sent. For all purposes, mail list
archives believe that the message came from its purported author.</P>
<P>It takes about 30 seconds to register a target with 10, 100, or 500 lists. What
is the result? Ask the editorial offices of <I>Time</I> magazine.</P>
<P>On March 18, 1996, <I>Time</I> published an article titled &quot;I'VE BEEN SPAMMED!&quot;
The story concerned a list-linking incident involving the President of the United
States, two well-known hacking magazines, and a senior editor at <I>Time</I>. Apparently,
a member of <I>Time</I>'s staff was list-linked to approximately 1,800 lists. Reportedly,
the mail amounted to some 16MB. It was reported that House Leader Newt Gingrich had
also been linked to the lists. Gingrich, like nearly all members of Congress, had
an auto-answer script on his e-mail address. These trap e-mail addresses contained
in incoming messages and send automated responses. (Congressional members usually
send a somewhat generic response, such as &quot;I will get back to you as soon as
possible and appreciate your support.&quot;) Thus, Gingrich's auto-responder received
and replied to each and every message. This only increased the number of messages
he would receive, because for each time he responded to a mailing list message, his
response would be appended to the outgoing messages of the mailing list. In effect,
the Speaker of the House was e-mail bombing himself.</P>
<P>For inexperienced users, there is no quick cure for list linking. Usually, they
must send a message containing the string <TT>unsubscribe</TT> to each list. This
is easily done in a UNIX environment, using the method I described previously to
list-link a target wholesale. However, users on other platforms require a program
(or programs) that can do the following:</P>

<UL>
	<LI>Extract e-mail addresses from messages<BR>
	<BR>
	
	<LI>Mass mail
</UL>

<P>There are other ways to make a target the victim of an e-mail bomb, even without
using an e-mail bomb utility or list linking. One is particularly insidious. It is
generally seen only in instances where there is extreme enmity between two people
who publicly spar on the Net. It amounts to this: The attacker posts to the Internet,
faking his target's e-mail address. The posting is placed into a public forum in
which many individuals can see it (Usenet, for example). The posting is usually so
offensive in text (or graphics) that other users, legitimately and genuinely offended,
bomb the target. For example, Bob posts to the Net, purporting to be Bill. In &quot;Bill's&quot;
post, an extremely racist message appears. Other users, seeing this racist message,
bomb Bill.</P>
<P>Finally, there is the garden-variety case of harassment on the Internet. This
doesn't circumvent either security or software, but I could not omit mention of it.
Bizarre cases of Internet harassment have arisen in the past. Here are a few:</P>

<UL>
	<LI>A California doctoral candidate was expelled for sexually harassing another via
	e-mail.<BR>
	<BR>
	
	<LI>Another California man was held by federal authorities on $10,000 bail after
	being accused of being an &quot;international stalker.&quot;<BR>
	<BR>
	
	<LI>A young man in Michigan was tried in federal court for posting a rape-torture
	fantasy about a girl with whom he was acquainted. The case was ultimately dismissed
	on grounds of insufficient evidence and free speech issues.
</UL>

<P>These cases pop up with alarming frequency. Some have been racially motivated,
others have been simple harassment. Every user should be aware that anyone and everyone
is a potential target. If you use the Internet, even if you haven't published your
real name, you are a viable target, at least for threatening e-mail messages.
<H3><FONT COLOR="#000077"><B>Internet Relay Chat Utilities</B></FONT></H3>
<P>Many Internet enthusiasts are unfamiliar with Internet Relay Chat (IRC). IRC is
an arcane system of communication that resembles bulletin board systems (BBSs). IRC
is an environment in which many users can log on and <I>chat</I>. That is, messages
typed on the local machine are transmitted to all parties within the chat space.
These scroll down the screen as they appear, often very quickly.</P>
<P>This must be distinguished from chat rooms that are provided for users on systems
such as AOL. IRC is Internet-wide and is free to anyone with Internet access. It
is also an environment that remains the last frontier of the lawless Internet.</P>
<P>The system works as follows: Using an IRC client, the user connects to an IRC
server, usually a massive and powerful UNIX system in the void. Many universities
provide IRC servers.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The ultimate list of
	the world's IRC servers can be found at <A HREF="http://www.webmaster.com/webstrands/resources/irc/#List of Servers"><B>http://www.webmaster.com/webstrands/resources/irc/#List
	of Servers</B></A>. 
<HR>


</BLOCKQUOTE>

<P>Once attached to an IRC server, the individual specifies the channel to which
he or she wishes to connect. The names of IRC channels can be anything, although
the established IRC channels often parallel the names of Usenet groups. These names
refer to the particular interest of the users that frequent the channel. Thus, popular
channels are</P>

<UL>
	<LI><TT>sex</TT>
	<LI><TT>hack</TT>
</UL>

<P>There are thousands of established IRC channels. What's more, users can create
their own. In fact, there are utilities available for establishing a totally anonymous
IRC server (this is beyond the scope of this discussion). Such programs do not amount
to warfare, but <I>flash</I> <I>utilities</I> do. Flash utilities are designed to
do one of two things:</P>

<UL>
	<LI>Knock a target off the IRC channel<BR>
	<BR>
	
	<LI>Destroy the target's ability to continue using the channel
</UL>

<P>Flash utilities are typically small programs written in C, and are available on
the Internet at many cracking sites. They work by forwarding a series of special-character
escape sequences to the target . These character sequences <I>flash</I>, or incapacitate,
the terminal of the target. In plain talk, this causes all manner of strange characters
to appear on the screen, forcing the user to log off or start another session. Such
utilities are sometimes used to take over an IRC channel. The perpetrator enters
the channel and flashes all members who are deemed to be vulnerable. This temporarily
occupies the targets while they reset their terminals.</P>
<P>By far, the most popular flash utility is called <I>flash</I>. It is available
at hundreds of sites on the Internet. For those curious about how the code is written,
enter one or all of these search strings into any popular search engine:</P>
<PRE><FONT COLOR="#0066FF">flash.c
flash.c.gz
flash.gz
megaflash
</FONT></PRE>
<P>Another popular utility is called <I>nuke</I>. This utility is far more powerful
than any flash program. Rather than fiddle with someone's screen, it simply knocks
the user from the server altogether. Note that using nuke on a wholesale basis to
deny computer service to others undoubtedly amounts to unlawful activity. After some
consideration, I decided that nuke did not belong on the CD-ROM that accompanies
this book. However, for those determined to get it, it exists in the void. It can
be found by searching for the filename <TT>nuke.c</TT>.</P>
<P>There are few other methods by which one can easily reach an individual. The majority
of these require some actual expertise on the part of the attacker. In this class
are the following methods of attack:</P>

<UL>
	<LI>Virus infection and malicious code<BR>
	<BR>
	
	<LI>Cracking
</UL>

<P>Although these are extensively covered later in this book, I want to briefly treat
them here. They are legitimate concerns and each user should be aware of these actual
dangers on the Net.
<H3><FONT COLOR="#000077"><B>Virus Infections and Trojan Horses</B></FONT></H3>
<P>Virus attacks over the Internet are rare but not unheard of. The primary place
that such attacks occur is the Usenet news network. You will read about Usenet in
the next section. Here, I will simply say this: Postings to Usenet can be done relatively
anonymously. Much of the information posted in Usenet these days involves pornography,
files on cracking, or other potentially unlawful or underground material. This type
of material strongly attracts many users and as such, those with malicious intent
often choose to drop their virus in this network.</P>
<P>Commonly, viruses or malicious code masquerade as legitimate files or utilities
that have been zipped (compressed) and released for general distribution. It happens.
Examine this excerpt from a June 6, 1995 advisory from the Computer Incident Advisory
Capability Team at the U.S. Department of Energy:</P>


<BLOCKQUOTE>
	<P>A trojaned version of the popular, DOS file-compression utility PKZIP is circulating
	on the networks and on dial-up BBS systems. The trojaned files are <TT>PKZ300B.EXE</TT>