IP: Making something look hacked when it isn't: Risks Digest 21.16

[Dave Farber <farber () cis upenn edu>]

> Date: Sat, 16 Dec 2000 15:03:27 -0500
> From: "Richard J. Barbalace" <rjbarbal () MIT EDU>
> Subject: Making something look hacked when it isn't
>
> A brief e-mail has been getting forwarded around our campus which reads:
>   Check out breaking news at CNN:
>   http://www.cnn.com&story=>   http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm
>
> At first glance, this appears to be a genuine article on CNN, but a quick
> read reveals that a cute joke.  Most people who have seen the fake article
> have immediately assumed that www.cnn.com has been hacked in some manner.
>
> Those more familiar with HTTP specification, however, will notice that the
> URL is completely valid, and does not lead to or redirect from any cnn.com
> computers.  No machines have been hacked.  Instead, the e-mail just plays
> with your expectations of what a URL should look like.  The risk here is not
> a computer one at all, but a social risk that even (or perhaps especially)
> knowledgeable people will assume something has been hacked when it hasn't
> been.
>
> An even sneakier URL might be:
>   http://www.cnn.com&story=>   http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm
>
> For those of you still pondering why that URL works, read the HTTP
> spec and try the equivalent:
>      http://>   http://username@18.69.0.44/evarady/www/top_story.htm
>
> Richard J. Barbalace <rjbarbal () mit edu>
>
> ------------------------------
>
> Date: Mon, 18 Dec 2000 21:09:19 -0800 (PST)
> From: rpw3 () rigden engr sgi com (Rob Warnock)
> Subject: The risk of a seldom-used URL syntax
>
> Recently, a mailing list I'm on forwarded a report of a "hack" of the
> CNN.com site.  Upon looking closely, I found that the CNN site hadn't
> been hacked at all -- it was the *minds* of readers of this hoax "report"
> that were being hacked! Rather cute, actually, but it exposes what is
> perhaps a larger RISK, so please bear with me while I set up the story...
>
> An MIT student named Eric Varady took a parody news article from
> The Onion <URL:http://www.theonion.com/onion3637/bush_horrified.html>,
> edited the layout to resemble CNN's format, and copied it to his own site
> <URL:http://salticus-peckhamae.mit.edu/evarady/www/top_story.htm>.
> (Note that multiple threatened legal actions have since forced him
> to remove the original content, but an explanation page is still there.)
>
> He then passed around a "report of a hack of the CNN site" with a URL
> [which I *do* hope makes it through the mail-to-HTML scripts at Catless!] of
> <URL:http://www.cnn.com&story=><URL:http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm>.
>
> If you look very closely, you'll see that the actual host named by this URL
> is not "www.cnn.com", but "18.69.0.44" (a.k.a. salticus-peckhamae.mit.edu).
> That is, for IP-based/Internet URL "schemes" such as HTTP or FTP, the
> general format defined in RFC 1738 is:
>
>     <scheme>://[<user>[:<password>]@]<host>[:<port>]/<url-path>
>
> The "user" field is very rarely used, and even then is more often seen with
> FTP than HTTP. But since it contained an at-sign before the first slash,
> the hoax URL was really <URL:http://18.69.0.44/evarady/www/top_story.htm>
> with the (ignored) user field of "www.cnn.com&story=breaking_news". Cute, eh?
>
> More serious scams of this sort are possible, given the number of users
> who (1) have *no* idea what the formal syntax of a URL is, and (2) routinely
> access the Web through "portals" which often create complicated indirection
> URLs to aid with logging or tracking to support advertising revenue, e.g.:
> <URL:http://www.foo.bar.com/logger.cgi?http://www.other.place.com/some_article>
>
> The RISK is that users are being bombarded with these monstrosities so
> often that they've grown used to it, and that they'll fail to recognize
> when they're being sent someplace they might not really want to go!!
> (Perhaps when it's not a joke, such as being sent to a porn site while
> working at a company with a "no tolerance" policy.)
>
> ------------------------------



For archives see: http://www.interesting-people.org/