[dns-operations] Drive-by Pharming Threat (fwd)

Sean Donelan sean at donelan.com
Fri Feb 16 09:53:10 UTC 2007


On Thu, 15 Feb 2007, Barry Greene (bgreene) wrote:
>> It's cool, it's "new" and it won't be a huge problem quite yet.
>
> It is not "new." It is just unpublished.

In the 1990's annoying people would put +++ATH in mail messages.  When
you read the mail message on your dialup connection, it would hang up
some brands of modems.  In the 1980's annoying people would include
terminal command codes in messages, which would do all sorts of nasty
things to VT52/ADM/other terms and great for embarrassing people in
public terminal rooms on campus.  Putting commands in the terminal's 
answerback buffer let you do all sorts of things. In the 1970's there were 
probably JCL codes you could put on punch cards which would do bad things 
to card readers.

Fast forward to UPnP, Postscript printers, mobile code, etc.  If you
are relying on perimeter security to protect you, anytime you let
external commands execute on devices inside the perimeter, you are
at risk.  The javascript/activex/etc could send commands to anything the 
user's computer can access, i.e. internal websites, printers, databases, 
control systems, etc.

The more general problem is why should mobile code be allowed to initiate 
or receive commands on a user's computer with arbitrary destinations.



