[Winn Schwartau/On Security]
It's getting easier to dig up DIRT on
criminals
Network World, 7/6/98
Imagine being able to monitor and
intercept data from any PC in the world,
anytime you want. If you find such a
notion appealing, then DIRT's for you.
DIRT stands for Data Interception by
Remote Transmission. Frank Jones, DIRT's
inventor and president of Codex Data
Systems, is hoping that DIRT will become
a major law enforcement tool for
stopping the bad guys.
Cops are having a terribly hard time
dealing with cybercrime, and they all
put online child pornographers at the
top of the most wanted list. Suspected
terrorists, drug traffickers and money
launderers are also potential DIRT
targets, as are various criminal
organizations that use anonymity, remote
control and encryption to hide
themselves.
DIRT operates as surreptitiously as a
Trojan horse. It is transmitted secretly
to a target via e-mail in several ways,
including as a proprietary protocol,
self-extracting executable, dummy
segment fault, hidden zip file or macro.
["Transmitted .. including as a proprietary protocol?"
If it is proprietary, that means your computer does not have
it by default. Meaning it can not transmit to you this way.
"Transmitted .. inluding .. dummy segment fault." A segment fault
occurs during a program's execution. You do not transmit
segment faults.]
Once the DIRT-Bug is successfully
embedded in the target machine, two
things occur. First, all keystrokes made
at the target's keyboard are captured
secretly. When the machine is connected
online, it will stealthily transmit
captured keystrokes to a remotely
located DIRT-Control Central for
analysis. This is how encryption keys
are discovered and later used to develop
evidence in criminal cases.
Second, when the target PC is online, it
will invisibly behave like an anonymous
File Transfer Protocol (FTP) server,
giving the folks at DIRT-Control Center
100 percent access to all resources on a
targeted computer.
[FTP does not allow the control of all resources on a computer.
The FTP protocol does not technically allow this. Either it is not an FTP
server, or it does not give full control.]
Codex Data Systems' Web site notes that
the sale of DIRT technology is
"restricted to military, government and
law enforcement agencies" (www.the
codex.com/dirt.html). Nevertheless, DIRT
represents a questionably legal and
ethical means of information gathering.
Dave Banisar, staff counsel at the
Electronic Privacy Information Center in
Washington, D.C., notes that DIRT raises
disturbing questions about enforcement
and abuse: "The only way to control this
technology is after the fact, during the
trial when the police have to show how
they obtained evidence."
When I saw DIRT demonstrated last month,
I thought, "What if this gets out to the
entire Internet community ... what will
happen if we no longer trust our
e-mail?"
[Real programs that DO exist and have been publically
demonstrated (like Back Orifice and NetBus) are out there
already.]
All that someone with DIRT needs to know
is your e-mail address, period. All he
has to do is send you an e-mail with the
embedded DIRT Trojan horse, and he's
home free while you are a clueless
victim.
[This is complete fabrication. Anyone who thinks this
is true has something to sell, and no technical knowledge, plain and
simple. What if I am on a unix machine? Apple? Amiga? Does it work
on all of these platforms equally well? What if I choose to delete the
mail without even looking at the attachment. On any unix system, nothing
happens. No program is run, no stealth program launches. This statement
is absurd.]
Large organizations usually worry about
hackers breaking into and entering their
networks. Now they have reason to worry
that DIRT-Bugs could invade their
networks as well, whether launched by an
investigating law enforcement authority,
international competitors, spies or just
hackers.
There are a few steps you can take to
increase your systems' resistance to
DIRT:
* At your Internet nexus, institute a
policy that no executables are to
enter your organization without
examination.
* Disable macros at your browser as a
matter of policy.
[But it can enter through "segment faults" and
"proprietary protocols". This is of no help according to
the 'facts' above.]
* If possible, do not enable file and
printer sharing.
* Do not use NT File System unless
absolutely necessary.
* Make remote FTP useless by using
your own cryptographic protection
for critical files.
[But this claims to be able to 'sniff' out the passwords
to such crypto via the keylogger. This is of no help according
to the 'facts' above.]
* Use cryptographic controls that do
not require users to enter
encryption keys at their keyboards.
* Replace conventional password
access with token-based or one-time
passwords.
[This is not feasible for many password access controls.
Programs like PGP, certain password entries for products like
MS Word and Excel.. they can not be updated to allow for this
kind of control.]
* Remove all floppy disks from
networked environments.
Unfortunately, most firms with which I
deal do not enforce even the few minor
security policies they have developed.
This makes it almost impossible to keep
DIRT out. However, organizations that
use Network Address Translation and
proxies in their firewalls achieve some
degree of confidence that DIRT's remote
access capability will not function.
According to the folks at Codex Data
Systems, if you have a solitary PC
sitting on a dial-up or a cable modem,
there is nothing you can do - today -
except refrain from clicking on your
e-mail attachments. Of course, ignoring
[But wait. I never 'click' on my email attachments.
This leads me to believe only *windows* users are vulnerable.]
e-mail from strangers is always a good
idea. But if I were a cop or a bad guy
using DIRT, I would certainly go after
your home PC as well as the one at work.
It's a whole lot easier, and I am going
to learn just as much.
With the advent of more powerful Trojan
horses such as DIRT (which only occupies
20K bytes), the threat to our networked
systems gets clearer. As Codex Data
Systems' Jones says, "There are no more
secrets with DIRT."
[All of this in 20k? A program that does nothing
but tell you how long your Win computer has been running
(uptime.exe) is 22k. Yet this program can do key logging,
run an FTP server, and more, all in 20k? Doubt it.]