By Nick Tolk
Poor Rudolph and Hermey... If only they had Yukon Cornelius to help them
find their way... Oh well, maybe a visit from jolly old St. Gnick will
point them in the right direction.
1. What is the purpose of the first malicious wish text, and how does it
The first "wish" seems to be what is known as a "web bug". These are
very small image links (often 0x0 or 1x1) that are nearly invisible to
the average browser, but provide feedback to the person who placed them.
Recently, they have become very popular with spammers who place unique
web-bugs in their e-mail messages. That way, if the message gets viewed
and the image loaded, they can see that the web-bug was retrieved and
can assume that they've contacted an active e-mail address. Most likely,
the Bumble-Snow-Monster placed it on his wish list so that he would be
alerted as soon as an elf was authenticated and had loaded his wish list.
2. What is the purpose of the second malicious wish text, and how does
The second malicious "wish" is the really nasty bit. Because the elves
have the convenience of being able to authenticate only once and then
transparently use the administrative- and user-level applications, their
session-id is very likely being stored as a cookie so that the server
will recognize them and grant them appropriate privileges. The Bumble is
attempting to retrieve the cookies stored from the elf's computer so
that he can replicate them on his own machine and either hijack or
piggy-back on the administrative elf's session with all of the
3. How could Hermey and Rudolph thwart the first and second types of
attacks by altering the Web application? Alternatively, how could they
stop these attacks by changing the configuration of the analyst elves'
The right way to prevent this kind of abuse is almost certainly by
filtering the kind of input allowed by users into the application. By
strictly restricting the kiddies' input to only alpha-numeric
characters, virtually all risk from this kind of attack would be
eliminated. Some people may argue that the kids should be allowed to
insert hyperlinks and images to help clarify for the elves just exactly
which toys they want, but remember that we are working with experienced
toy professionals that need no such aids to accurately process any wish
that they may confront.
Alternatively, these attacks COULD be avoided by altering the elves'
browser settings, but this should only be done in conjunction with the
server side input filtering. There are several software packages that
are available to filter out web-bugs, but these often back-fire and may
disrupt the elves' net-surfing experience. For example, the page at
techrepublic.com.com on which this challenge was hosted contains more
than a dozen images that are sized 1x1 or smaller (b.gif and
spacer.gif). These appear to be in place only to ensure that everything
is laid out to look nice. If one REALLY wants to avoid loading very
small images in his or her browser, they can either install software
filtering, such as McAfee's Privacy Service, or they can disable
automatic image loading in their browser settings.
The first thing that may help control hazardous scripts is keeping your
browser-of-choice up to date by downloading the latest version. In
addition, the elves should certainly control automatic script running.
To do this, they would need to change their browser security settings to
either force a prompt before running scripts, or disabling script
running altogether. Under Internet Explorer, this security option is
found under Tools->Internet Options->Security->Custom
Level->Scripting->Active Scripting. The option there should be set to
either 'Prompt' or 'Disable' – certainly NOT the default, 'Enable'.
While there, it wouldn't hurt to verify and secure the settings for Java
an ActiveX stuff. Instructions for doing this under several other
applications can be found in Chapter 4 (Malicious Mobile Code) of the
indispensable internet-security manual, Malware: Fighting Malicious Code.
4. Beyond these browser-based attacks, Hermey was also concerned about
attackers submitting similar elements in children's wish lists submitted
via e-mail. What are two different methods for defeating such attacks by
altering an e-mail reader's configuration?
First and foremost – DON'T RUN OUTLOOK! Not any version. Not any
configuration. Not for any reason. Not ever. It is re-compromised weekly
and has kept that record running for a good long time now. It is one of
the most effective virus transfer utilities on the market. My first
question to any of my friends or relatives that have contracted a worm
or virus and want me to bail them out is always: "Are you using Outlook
Express?" About 90% of the time, I hear: "Yes, how did you know?" Don't
use it. Ever. 'Nuff said there.
Protecting your e-mail utility is a great idea. There are very few good
reasons to enable HTML content in mail applications. If an image is sent
in e-mail, it can be sent just as well in an attachment. In-line images
in e-mails are a spammer's best friend. Just by embedding a unique link
to a 0x0 image, a spammer can send out millions of messages and have a
relatively good idea of which ones got viewed. Automatically running
scripts under in e-mail is even more hazardous. Far worse than just
adding your name to spam-lists, an attacker that is allowed to run
scripts in your e-mail can do really nasty things like installing a
virus and then copying it to all of your friends and associates. Turning
off scripting content in e-mail should tackle both of these problems.
Using Eudora, scripting can be disabled under Tools->Options->Viewing
Mail->Allow Executables in HTML Content. Again, instructions for doing
this under other utilities can be found in Malware.
In addition to this, many ISP's offer on-line access to email to allow
you to screen, delete, or otherwise manage your mail using your internet
browser. This provides an easy way to delete spam without even
pre-viewing it to avoid scripts and web-bugs and applies the same
security measures configured into your browser to your e-mail. I don't
know which ISP Santa uses, but it may be worth looking into for the elves.
Well, hopefully Rudolph and Hermey were able to help Santa before any
nastiness took hold. And to all of you out there, naughty and nice, St.
Gnick says Merry Christmas to all, and to all a good night.