GOODIES TO GO! (tm)
October 1, 1999 -- Newsletter #48
Please visit http://www.htmlgoodies.com
Greetings, Weekend Silicon Warriors,
**You're right, you're right, I know it's Friday, but there's no mistake, this is the next issue of Goodies to Go! Look for #49 on its regular Monday, October 11, schedule!**
Did you hear...
>The earthquake in Taiwan disrupted Web traffic coming from and going to many Asian countries. It couldn't have come at a worse time as Singapore telephone companies have just signed a one billion dollar pact to lay a second underwater fiber line. I would think that is going to be put on hold for awhile.
>In a related story, Motorola Inc. took a big hit in the stock market due to the quake in Taiwan. Apparently the quake knocked out most of the country's biggest chip manufacturers.
>On an unrelated note, Friday the 24th was my eleventh wedding anniversary. I gave my wife the present of staying off of the computer for one whole day... except at work.
Now, on to today's topic...
You have no doubt heard of car-jacking. If not, it's a rather bold method of stealing someone's car. The basic premise is a no-brainer: You go up to a stopped, but running auto, stick a gun in the driver's face, and tell them to get out or you'll shoot. Most people will smartly get out, the thief gets in, and away goes the car. It's a rather nasty method.
Well, the practice has now come to the Web in something termed "cyberjacking," and it's simply infuriating.
The U.S. Federal Trade Commission (FTC) warned Internet users of the practice last Wednesday September 23, 1999, after leveling charges against Carlos Pereira (probably living in Portugal), Australian national Guiseppe Nirta, and the company WTFRC Ltd. for cyberjacking.
Allen Asher, deputy chairman of the Australian Competition and Consumer Commission, reported that federal police served search warrants to Nirta and WTFRC that Wednesday morning.
So, what is it?
Cyberjacking is a method of redirecting people from one Web site to another, in this case a pornography site. The U.S. government demonstrated the practice by visiting a site for the movie "Saving Private Ryan." Upon entering, the visitor was immediately redirected to a pornography site. Furthermore, once on that site, script was used to disable the back and forward buttons, and any attempt to close the browser window simply spawned new windows.
So, how is it done?
After getting an exact copy of the page, you alter the meta tags to include a meta refresh, set to zero seconds, that redirects the user somewhere else.
Now the rough part. You have to crack into the system and repost the pages you've altered. Now, when someone visits, they are sent to the site you set in the meta tags. Browsers that don't understand meta tags get the page as it would normally appear.
Heck, if I can think of ways to stop you from leaving the page, then you know the pros have really given the topic some time.
Once again, I get a page from a popular site, alter some of the links, crack it back in, and when someone clicks on the link, he or she is sent to the site of choice. My guess is the mousetrapping is done through a SPAN tag with an onClick=location.href handler, styled with blue text so that it appears to be a link. Maybe that's even thinking it too far through. You could just set the link to fire to a new URL. The problem with that is people could see the link's destination in the status bar, unless the cracker set up onMouseOver Event Handlers to hide it.
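The tricks described above (a zero-second meta refresh to another host, a SPAN dressed up as a link, an onMouseOver that rewrites the status bar, and windows spawned when the page is closed) are all visible in the page source, so a site owner can scan published HTML for them. The checker below is an added example, not code from the newsletter; the function name `findCyberjackingIndicators`, the `siteHost` parameter and the sample page (with the constructed hosts `www.example.com` and `redirect-target.example`) are my own assumptions.

```javascript
// Added example: static checker for the page-level cyberjacking tricks the
// newsletter describes. Run it over your own published HTML; `siteHost` is
// the host the page legitimately lives on (an assumption of this example).
const INDICATORS = [
  {
    id: "meta-refresh-redirect",
    // <meta http-equiv="refresh" content="0;url=http://other.host/">
    re: /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']\s*(\d+)\s*;\s*url\s*=\s*([^"'\s>]+)/gi,
    // only a near-instant refresh that leaves the site counts as a hit
    check: (m, host) => Number(m[1]) <= 1 && !sameHost(m[2], host),
  },
  { id: "fake-link-span",       // SPAN that navigates on click, styled as a link
    re: /<span[^>]*onclick\s*=\s*["'][^"']*location\.href[^"']*["']/gi, check: () => true },
  { id: "status-bar-override",  // onMouseOver rewriting window.status to hide the target
    re: /onmouseover\s*=\s*["'][^"']*window\.status\s*=/gi, check: () => true },
  { id: "window-spawn-on-close", // new windows opened when the page is unloaded
    re: /on(?:before)?unload\s*=\s*["'][^"']*window\.open/gi, check: () => true },
];

// true when `url` (absolute or relative) resolves to the site's own host
function sameHost(url, host) {
  try { return new URL(url, `http://${host}/`).hostname === host; } catch (e) { return false; }
}

function findCyberjackingIndicators(html, siteHost) {
  const findings = [];
  for (const ind of INDICATORS) {
    ind.re.lastIndex = 0;               // regexes are global; restart each scan
    let m;
    while ((m = ind.re.exec(html)) !== null) {
      if (ind.check(m, siteHost)) findings.push({ id: ind.id, snippet: m[0].slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample: a copy of a movie page altered the way the newsletter describes.
const SAMPLE = `<html><head><title>Saving Private Ryan</title>
<meta http-equiv="refresh" content="0;url=http://redirect-target.example/">
</head><body onunload="window.open('http://redirect-target.example/')">
<span style="color:blue" onclick="location.href='http://redirect-target.example/'"
      onmouseover="window.status='http://www.example.com/trailer'; return true;">Trailer</span>
<a href="/cast.html">Cast</a></body></html>`;

console.log(findCyberjackingIndicators(SAMPLE, "www.example.com"));
```

A refresh or link that stays on the site's own host is not reported, so the scanner can be pointed at every page of a site without flagging ordinary navigation.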
I guess the only upside of the scam is that it certainly cannot run forever, or even for a long time. I would assume that once cracked, it would only be a matter of time before e-mail flowed into the site giving them heck for setting up links to porn. That kind of e-mail would certainly raise a few eyebrows around here. The page would be taken down, the cracked hole would be closed, and the process stopped.
Besides, how many hits could you really get doing this? I would think the cracker would post the pages later in the evening so that it would be the longest length of time before it could be caught. But let's say it runs all night, nine hours. Is that really worth all the hassle of cracking and altering a page?
You know there's money in this, bad money, but money nonetheless. My guess is that the site that receives the hits pays a few cents per visitor, but is it profitable? I don't know how it could be. The time span just isn't that long. The people who are coming are not there of their own free will so the banner ad views cannot be counted as true impressions. I'm still trying to find the upside to doing this.
Plus, do porn sites really need visitors that badly?
No matter what your thinking is about the porn industry on the Net, you have to admit it is unbelievably profitable. The reason is content, obviously. Loads and loads of people will basically crawl through garbage dumps to get at this material. Does a porn site really need to do this kind of attack on unsuspecting people? Plus, wouldn't you think the site that received the hits is pretty much putting itself in the blast zone? It would be taken down faster than you could blink an eye... hopefully.
So, again I ask, why would you go through all this trouble where the law will come down hard when you can do it legally? There's a reason why gambling is fully legit in Las Vegas: Doing it by the rules is too profitable. Why would you take the risk of cheating?
Maybe it's not for profit. Maybe it's another form of "just wanted to see if I could do it." If so, then I still think it's goofy.
Either way, this is just the latest in the many pitfalls to be aware of on the Web. However, I don't think this one will be around long. It's just too much work for not a lot of return.
And that's that for another week. We're just about to top 40,000 subscribers. Cool.
Joe Burns, Ph.D.
And Remember: Ever drink Hawaiian Punch? If so, then you've seen the little characters. One always asks the other if he would like a nice Hawaiian Punch. He says "Sure" and the little guy with the straw hat punches him in an explosion of fruit. Did you know those characters have names? The little guy is named "Punchy" and the one who always gets hit is called "Oaf." Also, just in case you're wondering, the full names of the characters from the Rocky and Bullwinkle show are Rocket J. Squirrel, Bullwinkle J. Moose, Boris Badenov, and Natasha Fatale. Bullwinkle graduated from Watsamatter U.