NOTE: If this alert pops up when you visit another page on my web site, it is because I am trying to warn you about a security risk in your browser, not because your browser is trying to warn you about a security risk at this site.
On September 18, 2001, one week after the September 11th destruction of the World Trade Center, computer terrorists released a worm called Nimda onto the net. This worm distributes itself via a number of different mechanisms at once: e-mail, open Windows file shares, attacks on vulnerable IIS web servers from infected client machines (including directory traversal holes and the backdoor left behind by the earlier Code Red II worm), and infection of HTML files (not merely executable programs). An infected machine appends a small piece of JavaScript to .htm, .html and .asp files on its hard disk and on file shares, and those files may later be uploaded to web servers which are not vulnerable to direct attack. The appended script opens a copy of the worm, dropped beside the page under the name readme.eml, in the visitor's browser. As a result, you are likely to unknowingly visit malicious pages on legitimate sites.
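As an added example (it is not part of the original page and not code from any Nimda clean-up tool), here is a Python scanner for the kind of HTML infection described above. It looks for the script block Nimda appended to .htm, .html and .asp files (a window.open() of readme.eml, as documented in CERT Advisory CA-2001-26) and for the dropped readme.eml file itself. The second, weaker pattern that flags any reference to a .eml file, and all of the sample pages, are constructed for this example rather than taken from a real infected server.

```python
import re
import tempfile
from pathlib import Path

# Script block Nimda appended to .htm/.html/.asp files on machines it
# compromised (signature per CERT Advisory CA-2001-26). The worm also dropped
# a copy of itself as readme.eml next to the page it modified.
NIMDA_SCRIPT_RE = re.compile(
    r'<script[^>]*>\s*window\.open\(\s*["\']readme\.eml["\']',
    re.IGNORECASE)

# Weaker indicator added for this example (not a published Nimda signature):
# any quoted reference to a .eml file inside a web page.
EML_REF_RE = re.compile(r'["\'][^"\']*\.eml["\']', re.IGNORECASE)

HTML_SUFFIXES = {".htm", ".html", ".asp"}


def scan_html(text: str) -> list[str]:
    """Return the names of the indicators found in one HTML document."""
    findings = []
    if NIMDA_SCRIPT_RE.search(text):
        findings.append("nimda-window-open-readme-eml")
    elif EML_REF_RE.search(text):
        findings.append("eml-reference")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory (a web root or a mounted file share) and report
    infected pages and dropped readme.eml files, keyed by relative path."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "readme.eml":
            results[rel] = ["readme-eml-dropper"]
        elif path.suffix.lower() in HTML_SUFFIXES:
            findings = scan_html(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                results[rel] = findings
    return results


# Constructed sample pages (not real captured data) to exercise the scanner.
CLEAN_PAGE = ("<html><body><h1>Hello</h1>"
              "<script>document.title='x'</script></body></html>")
INFECTED_PAGE = (
    "<html><body><p>Quarterly report</p></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000");</script></html>'
)


def demo() -> dict[str, list[str]]:
    """Build a throwaway web root with one clean page, one infected page and
    the dropped readme.eml, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "index.html").write_text(CLEAN_PAGE)
        (root / "docs" / "report.htm").write_text(INFECTED_PAGE)
        # Stand-in for the worm body: only the name matters to the scanner.
        (root / "docs" / "readme.eml").write_bytes(
            b"MIME-Version: 1.0\r\nContent-Type: multipart/alternative\r\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(f"{rel}: {', '.join(findings)}")
```

Run without arguments it scans the constructed sample tree; to check a real web root or a mounted share, call scan_tree(Path("/path/to/share")) and treat every readme-eml-dropper or nimda-window-open-readme-eml hit as an infected host, not just an infected file.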
This is not the first and certainly won't be the last Java/JavaScript vulnerability. Java and JavaScript allow webmasters to non-consensually and without notice run their computer software on your computer. This gives them WAY TOO MUCH POWER, including the power to invade your privacy and crash, corrupt, or damage your computer system through malice or incompetence. Supposedly, these programs run in a protected environment, but there are flaws in those environments. Webmasters use Java and JavaScript to do things which should have been done with plain HTML instead, or to produce stupid gimmicks you would be better off without. And in so doing, they make websites which are inaccessible to the handicapped.
Expect more computer terrorism.
Instructions for disabling Java and JavaScript can be found below. Once you disable them, this page will stop popping up.
Everything bad said about java and javascript on this page goes double for Microsoft proprietary ActiveX/VBS.
CERT Advisory CA-2000-02 describes a variety of security exploits and concludes that web users should disable scripting languages in their browsers. Read the 52 security advisories, vulnerability notes, etc. concerning JavaScript at CERT.
The compromise of your insignificant home machine might ultimately lead to serious consequences at a bank or military installation. As an example, your home machine can be used to compromise your office machine. Your office machine can compromise other machines in your office. Someone in your office accesses sites at another employer, university lab, etc., which is then compromised. Someone at that lab has access to a low security machine at a bank or military installation. The low security machine is used to attack a high security machine at the same organization, or the low security machine turns out to be more mission critical than originally thought.
Some of the examples which follow are a bit graphic. But if you haven't had the sense to disable java and javascript by now, maybe you need to have things spelled out in gory detail.
| Field | Value |
|---|---|
| Name | John Q. Public |
| Social Security Number | 123-445-6789 |
| Driver's License | VA 123-445-6789 |
| Home Address | 123 Main Street, Anytown, USA 12345 |
| Phone numbers | 987-6543 (unlisted), 876-5432 (cell phone), 800-765-4321 (pager) |
| Date of Birth | 1943.10.15 |
| Place of birth | Peterborough, New Hampshire |
| Spouse | Jane Q. Public |
| Children | Susie, age 7, attends Walker Elementary School [pictures]; Ted, age 5, attends Jackson pre-school [pictures] |
| Sex | Male. Bisexual, cross-dresser, likes humiliation. Subscribes to Penthouse. Purchases 14 tubes of KY Jelly annually at supermarket. Frequently visits sites like asianporn.com and spankme.com. Can't get it up without Viagra. |
| Annual Income | $43,250 |
| Monthly mortgage payment | $1270 |
| Doctor | John Q. Quack |
| Prescription Drugs | Viagra |
| TV Shows | Watches Friends, Will and Grace, and ER. |
| Bank | Death Valley Savings and Loan, checking account #1234-5678, account balance $1326.47 |
| Credit Cards | Visa 1234-5678-9012-3456, expires 01/02, available credit $4763; Mastercard 2345-6789-0123-4567, expires 04/02, available credit $2345 |
| Mother's Maiden Name | Spencer |
| Pets | Cat's name is Napoleon |
| Employer | Wilson Concrete |
| Cars | 95 Chevy Blazer, license plate ABC-123; 93 Ford Escort, license plate XYZ-789 |
| Digital Camera | Sony Mavica |

Purchase history:

| Vendor | Items | Amount |
|---|---|---|
| Adult DVD Empire | Debbie Does Dallas, Asian Sluts, Backdoor Love, Muscle Men | $47.23 |
| CVS Pharmacy | Viagra 50mg #10, erythromycin 100mg #20 | $176.20 |
| Food Lion Supermarket | KY Jelly, Tinactin, eggs, milk, Preparation H, Kellogg's Froot Loops, Trojan condoms | $12.34 |
| Dr. Peter, Urologist | Office visit | $67.40 |
| United Airlines | 4 tickets to Orlando, FL | $2315 |
| Disneyworld | 2 adult tickets, 2 children | $1473 |
| Tony Keller, Veterinarian | Office visit | $37 |
Maybe the cracker will use your information to order a new computer or stereo system charged to your credit card and shipped to your house while you are on vacation. They retrieve their free merchandise from your doorstep, and your credit card is denied, and your vacation ruined, when you try to pay for your dinner at Epcot Center. But it could have been much worse...
Scene outside Walker Elementary School: "Hi, are you Susie, John and Jane's daughter? I thought so, I recognized you from the snapshots your dad took using his Sony Mavica at Ted's birthday party. I am Chester T. Molester, I work with John at Wilson Concrete and he sent me to pick you up. Your dad took Napoleon in the Blazer to Dr. Keller's and your mom couldn't get the Escort to start, so your dad called me from their cell phone to come pick you up at school and give you a bath so you won't be late catching your plane to Disney World. Are you excited about seeing Mickey?" Now, Susie knows not to accept rides from strangers, but Mr. Molester must not really be a stranger because he knows all this information that someone wouldn't know unless they were a friend of her parents. He knows the names of Susie's mom, dad, brother and cat, where dad works, what brand of camera he uses, and what cars they drive. And Susie doesn't want to miss the plane to Disney World.
Or, maybe the DEA kicks down your door. You see, in some states people who purchase insulin syringes at their local pharmacy don't need a prescription, but they do need to sign their name and social security number in the control log. DEA agents got suspicious when someone signed your name and social security number at every pharmacy in a neighboring town, and the surveillance equipment on the DEA helicopter detected some light from the grow lamp you use because your windowsill isn't large enough to support your basil and parsley habits (people also use grow lamps to grow marijuana).
With Java/JavaScript disabled, you will find that some broken sites do not work. Instead of following their directions to re-enable Java(Script), send the incompetent webmaster a complaint and check out the web site's competitors.
With JavaScript disabled, you won't have to put up with those annoying popup advertisements, including the full screen ones you stumble across that take over your screen and won't let you use your computer until you click through to one of their porn sites, where the process repeats until you have to reboot your machine and lose the documents you were creating in other applications.
In Netscape or Mozilla, pull down the "Edit" menu and select "Preferences". Click on "Advanced" and deselect all options which mention "Java" or "JavaScript".
In Arachne, Lynx, Blynx, Brooks-Talk, w3m, Arena, or Amaya, no action is required. These browsers do not support mis-features such as JavaScript. Lynx is a text based browser. Blynx is a variant of Lynx used by the blind and dyslexic. Arachne is a graphical web browser which runs on old computers, network appliances, and kiosks.
Browsers for wireless handheld devices generally do not support java(script).
Users of Internet Explorer: under "View -> Options -> Security", uncheck "Active Scripting" or "Run ActiveX scripts". Better yet, remove this criminal monopoly backed, bug ridden, gaping security hole from your computer entirely.
Opera: under "Preferences -> Multimedia", uncheck "Enable Scripting Languages".
AOL: Members --> Preferences --> WWW --> Security: uncheck Javascript or Security --> Custom --> settings: check disable java.
iCab users: Edit --> Preferences --> InScript --> Identity Settings: uncheck "Activate InScript".
WebTV: does not support java. To disable javascript, you will need to return the product to the store where you purchased it and ask for a refund.
Disable services you are not using on all of your machines. Many systems come with HTTP, FTP, DNS, file sharing, and many other services enabled by default that you don't use on every machine.
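An added example, not from the original page: a Python helper that finds out what is actually listening on a Linux machine by parsing /proc/net/tcp and /proc/net/tcp6 (the kernel's socket tables), then reports every listener whose port is not on an allow-list you supply, so you can see which services to turn off. The /proc/net/tcp contents used as sample input and the allow-list of port 22 are constructed for this example; on a Linux host the same functions can read the live tables.

```python
import socket
import struct
from pathlib import Path

TCP_LISTEN = "0A"  # value of the "st" column for a LISTEN socket in /proc/net/tcp*


def _decode_addr(hexaddr: str) -> str:
    """Decode the hex address field of /proc/net/tcp (IPv4) or tcp6.
    The kernel writes each 32-bit word in host byte order, so on a
    little-endian machine an IPv4 address is byte-reversed and an IPv6
    address is four byte-reversed 32-bit words."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntoa(raw[::-1])
    words = struct.unpack("<4I", raw)
    return socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))


def parse_proc_net_tcp(text: str) -> list[tuple[str, int]]:
    """Return (address, port) for every socket in LISTEN state in text that
    has the /proc/net/tcp or /proc/net/tcp6 layout."""
    listeners = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        listeners.append((_decode_addr(addr_hex), int(port_hex, 16)))
    return listeners


def unexpected_listeners(listeners, allowed_ports):
    """Listeners whose port is not on the allow-list: candidates to disable."""
    return [entry for entry in listeners if entry[1] not in allowed_ports]


def live_listeners() -> list[tuple[str, int]]:
    """Read the real socket tables on a Linux host; empty list elsewhere."""
    found = []
    for name in ("/proc/net/tcp", "/proc/net/tcp6"):
        table = Path(name)
        if table.exists():
            found.extend(parse_proc_net_tcp(table.read_text()))
    return found


# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd on 127.0.0.1:22, a web server on *:80, SMB on *:445, plus one
# established connection that must not be reported.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C35A 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/tcp6 sample: a DNS server listening on [::1]:53.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""

ALLOWED_PORTS = {22}  # example policy: only ssh is supposed to be listening


if __name__ == "__main__":
    sample = parse_proc_net_tcp(SAMPLE_TCP) + parse_proc_net_tcp(SAMPLE_TCP6)
    for addr, port in unexpected_listeners(sample, ALLOWED_PORTS):
        print(f"sample: unexpected listener {addr}:{port}")
    for addr, port in unexpected_listeners(live_listeners(), ALLOWED_PORTS):
        print(f"this host: unexpected listener {addr}:{port}")
```

Every unexpected listener maps to a daemon to stop and disable at boot; a listener on 0.0.0.0 or :: is reachable from the network, while one bound to 127.0.0.1 or ::1 is only reachable locally, which is the least-privilege configuration for services you need but do not need to expose.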
Microsoft software is an unjustified security risk.
Don't send or accept attachments in proprietary formats. Never open executable attachments.
Visit my other Security Pages. This file is maintained by Mark Whitis (whitis@freelabs.com).
All email messages received must pass the turing test or they will be considered SPAM. If it could have been written by a machine, it was.
Under no circumstances are you to email me with questions regarding windoze, any other microsoft operating system or application, or any software which runs under any form of windoze.