ch13.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,153 行 · 第 1/5 页

MC1    GUID=260218f482a111d0889e08002bb74f65.msn.com    TRUE    /    FALSE    937396800    MC1    ID=260218f482a111d0889e08002bb74f65comsecltd.com    FALSE    /    FALSE    1293753600    EGSOFT_ID    207.171.18.176-3577227984.29104071
.amazon.com    TRUE    /    FALSE    858672000    session-id-time    855894626.amazon.com    TRUE    /    FALSE    858672000    session-id  0738-6510633-772498
</FONT></PRE>
<P>This cookie file is a real one, pulled from an associate's hard disk drive. You
will see that under the <TT>GUID</TT>, the leading numbers are an IP address. (I
have added a space between the IP address and the remaining portion of the string
so that you can easily identify the IP. In practice, however, the string is unbroken.)
From this, you can see clearly that setting a cookie may involve recording IP addresses
from the target. Now, this does not mean that cookies are a major threat to your
privacy. Many JavaScript scripts (and Perl scripts) are designed to &quot;get&quot;
your IP. This type of code also can get your browser type, your operating system,
and so forth. Following is an example in JavaScript:</P>
<PRE><FONT COLOR="#0066FF"> &lt;script language=javascript&gt;
     function Get_Browser() {
     var appName = navigator.appName;
     var appVersion = navigator.appVersion;
     document.write(appName + &quot; &quot; + appVersion.substring (0,appVersion.indexOf(&quot; &quot;)));
     }
&lt;/script&gt;
</FONT></PRE>
<P>This JavaScript code will get the browser and its version. Scripts like this are
used at thousands of sites across the Internet. A very popular one is the &quot;Book
'em, Dan-O&quot; script. This script (written in the Perl programming language) will
get the time, the browser, the browser's version, and the user's IP.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The &quot;Book 'em, Dan-O&quot;
	script was written by an individual named Spider. It is currently available for download
	at Matt's Script Archive, at <A HREF="http://worldwidemart.com/scripts/dano.shtml"><TT>http://worldwidemart.com/scripts/dano.shtml</TT></A>.
	
<HR>
<BR>
	
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>One site that will get
	many of your environment variables, particularly if you use UNIX, is located at <A
	HREF="http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-env"><TT>http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-env</TT></A>.
	What is interesting is that it will catch both the PPP-based address (as in <TT>ppp32-vn074.provider.com</TT>)
	as well as your actual IP. 
<HR>


</BLOCKQUOTE>

<P>Also, nearly all Web server packages log access anyway. For example, NCSA HTTPD
provides an access log. In it, the IP address of the requesting party is logged.
The format of the file looks like this:</P>
<PRE><FONT COLOR="#0066FF">- - [12/Feb/1997:17:20:59 -0800] &quot;GET /~user/index.html i HTTP/1.0&quot; 200 449
</FONT></PRE>
<P>The major difference between these devices and the cookie implementation, however,
is that cookies are written to a file on your hard disk drive. Many users may not
be bothered by this, and in reality, there is nothing threatening about this practice.
For example, a cookie can only be read by the server that set it. However, I do not
accept cookies as a rule, no matter how persistent the server may be at attempting
to set one. (Some programmers provide for this process on every page, hoping that
eventually the user will tire of dealing with dialog boxes and simply allow the cookie
to be set.)</P>
<P>It is interesting to note that some clients have not been preconfigured to deny
cookies. In these instances, a cookie may be written to the drive without the user's
consent, which is really the default configuration, even for those browsers that
support screening of cookies. Early versions of both Netscape Navigator and Microsoft
Internet Explorer shipped with the Deny Cookies checkbox unchecked. Absentmindedness
on the part of the vendors? Perhaps. If you have a problem denying cookies, for whatever
reason, there is an action you can undertake to prevent these items from being written
to your drive. One is to make the file <TT>cookies.txt</TT> read-only. Thus, when
a foreign Web server attempts to write to the file, it will fail.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>It has been reported that this can
	be done in MacOS by first deleting and then re-creating the cookie file and subsequently
	placing it into the Preferences folder. 
<HR>


</BLOCKQUOTE>

<P>I recommend denying cookies, not so much because they are an invasion, but because
they leave a trail on your own hard disk drive. That is, if you visit a page that
you have been forbidden to access and it sets a cookie, the evidence will be in <TT>cookies.txt</TT>.
This breaks down to cache issues as well: even if your cookies file is clean, your
cache will betray you.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Although this is a well-known issue,
	new users may not be aware of it, so I will explain. To retrieve the sites you have
	most recently visited, type <TT>about:cache</TT> in the Open Location box in Netscape's
	Navigator. A new page will appear, showing Web pages you have recently visited. So,
	if you browse the Net at work when you are supposed to be performing your duties,
	you will want to kill that cache every few minutes or set its value to <TT>0</TT>.
	
<HR>


</BLOCKQUOTE>

<P>Currently, denying a cookie does not dramatically influence your ability to access
a page, although that may change in the future. At best, the cookie issue has assisted
in heightening public awareness that a remote Web server can cull your IP address
and, in certain instances, your location, your operating system, your browser, and
so forth.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>If you are uncomfortable with denying
	cookies from all sites, perhaps you should check out a program called Cookie Jar.
	Cookie Jar allows you to specify what servers you will accept cookies from. The program
	was written by Eric Murray, a member of the Sams technical editorial team. Cookie
	Jar is located at <A HREF="http://www.lne.com/ericm/cookie_jar/"><TT>http://www.lne.com/ericm/cookie_jar/</TT></A>.
	The main amenity of Cookie Jar is convenience. Many sites require that you accept
	a cookie to access certain services. Cookie Jar can perform filtering for you. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Public Postings</B></FONT></H3>
<P>We will now assume that no one knows who you are. They are about to find out,
however, because you are about to post a message to a Usenet newsgroup. From the
moment you post a message to Usenet, your name and e-mail address are fair game.</P>
<P>The Usenet news network is somewhat different from other forms of communication
on the Internet. For a start, it is almost entirely public, with a very few exceptions.
Moreover, many Usenet news newsgroups are archived--that is, the articles posted
to such groups are bundled and stored for later use. I have seen archived messages
ranging back to 1992, some of which are reachable by WAIS, FTP, Telnet, and other,
antiquated interfaces.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>Note that these are private archives
	and have nothing to do with search engines. The big search engines generally archive
	Usenet messages for a few weeks only. In contrast, private archives (maintained by
	non-commercial, special interest groups), especially those that have listservers
	in addition to newsgroups, may be maintained for a long, long time. 
<HR>


</BLOCKQUOTE>

<P>Because these messages are kept, your e-mail address (and identity, because your
identity can be traced with it) has a shelf life. Hucksters like list brokers routinely
tap such archives, searching for <I>leads</I>--collections of e-mail addresses of
persons who share a particular interest, such as all females over 40 years of age
who smoke a pipe, have an eye patch, and voted Republican in the last election. If
you think that this level of refinement is ludicrous, think again. Applying various
search spiders (and a number of personal robots), one can narrow the search to something
that specific.</P>
<P>The first step in developing such a list is to capture e-mail addresses. To do
this, any garden-variety search engine will do, although AltaVista <TT>(</TT><A HREF="http://altavista.digital.com"><TT>altavista.digital.com</TT></A><TT>)</TT>
and DejaNews <TT>(</TT><A HREF="http://www.dejanews.com"><TT>www.dejanews.com</TT></A><TT>)</TT>
have the most malleable designs. Even though these engines are well known to most
users, I am providing screen captures of their top-level pages, primarily for reference
purposes as I explain Usenet snooping.</P>
<P><A NAME="06"></A><A HREF="06.htm"><B>Figure 13.6.</B></A><B><BR>
</B><I>The top-level page of AltaVista.</I></P>
<P>AltaVista is one of the most powerful search engines available on the Internet
and is provided as a public service by Digital Equipment Corporation (DEC). It accepts
various types of queries that can be directed toward WWW pages (HTML) or Usenet postings.
(The Usenet postings are archived, actually. However, DEC reports that these are
kept only for a period of &quot;a few weeks.&quot;)</P>
<P>One key point about the AltaVista engine is that it was coded nicely. By enclosing
strings in quotation marks, you can force a case-sensitive, exact regex (regular
expression) match. As a result, you can isolate one page out of millions that contains
the exact string you're seeking. Similarly, you can isolate all Usenet postings made
by a particular author. By taking each of those postings and analyzing them, you
can identify that person's chief interests. (Perhaps the person is a militia member,
for example.)</P>
<P>The DejaNews search engine is a very specialized tool. It is solely a Usenet robot/spider.
The DejaNews archive reportedly goes back to March 1995, and the management indicates
that it is constantly trying to fill gaps and get older articles into the database.
It claims that it is working on providing all articles posted since 1979. Figure
13.7 shows the top page of DejaNews.</P>
<P><A NAME="07"></A><A HREF="07.htm"><B>Figure 13.7.</B></A><B><BR>
</B><I>The top-level page of DejaNews.</I></P>
<P>DejaNews has some more advanced functions for indexing, as well. For example,
you can automatically build a profile on the author of a Usenet article. (That is,
the engine will produce a list of newsgroups that the target has posted to recently.)</P>
<P>Defeating the archiving of your Usenet messages on both AltaVista and DejaNews
is relatively simple--for direct posting, at least. Either in the X headers of your
Usenet article or as the first line of your article, issue the following string:</P>
<PRE><FONT COLOR="#0066FF">x-no-archive: yes
</FONT></PRE>
<P>This will ensure that your direct postings made to Usenet will not be archived.
This does not, however, protect you from third-party postings that contain your e-mail
address. For example, if you belong to a mailing list and that list is archived somewhere
on the WWW (or even at FTP sites), your e-mail address is already compromised. If
your e-mail address appears in a thread of significant interest (and your reply was
sufficiently enlightening), it is guaranteed that the entire thread (which contains
your address) will be posted somewhere. And it will be somewhere other than Usenet;
perhaps a WWW page or a Gopher server.</P>
<P>Let us continue to suppose that you have no knowledge of how Usenet indexing works.
Let us further assume that although your real name does not appear on Usenet postings,
it does appear in the <TT>/etc/passwd</TT> file on the UNIX server that you use as
a gateway to the Internet. Now you are a viable target. Here are some steps that
will lead the snooping party not simply to your real name, but to the front door
of your home. The steps are as follows:

<DL>
	<DD><B>1. </B>The snooping party sees your post to Usenet. Your e-mail address is
	in plain view, but your name is not.<BR>
	<BR>
	<B>2. </B>The snooping party tries to finger your address, but as it happens, your
	provider prohibits finger requests from the void.<BR>
	<BR>
	<B>3. </B>The snooping party Telnets to port 25 of your server. There, he issues
	the <TT>expn</TT> command and obtains your real name.
</DL>

<P>Having gotten that information, the snooping party next needs to find the state
in which you currently reside. For this, he turns to the WHOIS service.
<H3><FONT COLOR="#000077"><B>The WHOIS Service</B></FONT></H3>
<P>The WHOIS service (centrally located at <TT>rs.internic.net</TT>) contains the
domain registration records of all Internet sites. This registration database contains
detailed information on each Internet site, including domain name server addresses,
technical contacts, the telephone number, and the address. Here is a WHOIS request
result on the provider Netcom, a popular Northern California Internet service provider:</P>
<PRE><FONT COLOR="#0066FF">NETCOM On-Line Communication Services, Inc (NETCOM-DOM)
   3031 Tisch Way, Lobby Level
   San Jose, California 95128