[Winn Schwartau/On Security]
It's getting easier to dig up DIRT on
criminals

Network World, 7/6/98

Imagine being able to monitor and
intercept data from any PC in the world,
anytime you want. If you find such a
notion appealing, then DIRT's for you.

DIRT stands for Data Interception by
Remote Transmission. Frank Jones, DIRT's
inventor and president of Codex Data
Systems, is hoping that DIRT will become
a major law enforcement tool for
stopping the bad guys.

Cops are having a terribly hard time
dealing with cybercrime, and they all
put online child pornographers at the
top of the most wanted list. Suspected
terrorists, drug traffickers and money
launderers are also potential DIRT
targets, as are various criminal
organizations that use anonymity, remote
control and encryption to hide
themselves.

DIRT operates as surreptitiously as a
Trojan horse. It is transmitted secretly
to a target via e-mail in several ways,
including as a proprietary protocol,
self-extracting executable, dummy
segment fault, hidden zip file or macro.

["Transmitted .. including as a proprietary protocol?"
 If it is proprietary, that means your computer does not have
 it by default. Meaning it can not transmit to you this way.
 "Transmitted .. including .. dummy segment fault." A segment fault
 occurs during a program's execution. You do not transmit
 segment faults.]

Once the DIRT-Bug is successfully
embedded in the target machine, two
things occur. First, all keystrokes made
at the target's keyboard are captured
secretly. When the machine is connected
online, it will stealthily transmit
captured keystrokes to a remotely
located DIRT-Control Central for
analysis. This is how encryption keys
are discovered and later used to develop
evidence in criminal cases.

Second, when the target PC is online, it
will invisibly behave like an anonymous
File Transfer Protocol (FTP) server,
giving the folks at DIRT-Control Center
100 percent access to all resources on a
targeted computer.

[FTP does not allow the control of all resources on a computer.
 The FTP protocol does not technically allow this. Either it is not an FTP
 server, or it does not give full control.]

Codex Data Systems' Web site notes that
the sale of DIRT technology is
"restricted to military, government and
law enforcement agencies"
(www.thecodex.com/dirt.html). Nevertheless, DIRT
represents a questionably legal and
ethical means of information gathering.

Dave Banisar, staff counsel at the
Electronic Privacy Information Center in
Washington, D.C., notes that DIRT raises
disturbing questions about enforcement
and abuse: "The only way to control this
technology is after the fact, during the
trial when the police have to show how
they obtained evidence."

When I saw DIRT demonstrated last month,
I thought, "What if this gets out to the
entire Internet community ... what will
happen if we no longer trust our
e-mail?"

[Real programs that DO exist and have been publicly
 demonstrated (like Back Orifice and NetBus) are out there
 already.]

All that someone with DIRT needs to know
is your e-mail address, period. All he
has to do is send you an e-mail with the
embedded DIRT Trojan horse, and he's
home free while you are a clueless
victim.

[This is complete fabrication. Anyone who thinks this
 is true has something to sell, and no technical knowledge, plain and
 simple. What if I am on a unix machine? Apple? Amiga? Does it work
 on all of these platforms equally well? What if I choose to delete the
 mail without even looking at the attachment. On any unix system, nothing
 happens. No program is run, no stealth program launches. This statement
 is absurd.]

Large organizations usually worry about
hackers breaking into and entering their
networks. Now they have reason to worry
that DIRT-Bugs could invade their
networks as well, whether launched by an
investigating law enforcement authority,
international competitors, spies or just
hackers.

There are a few steps you can take to
increase your systems' resistance to
DIRT:

   * At your Internet nexus, institute a
     policy that no executables are to
     enter your organization without
     examination.

   * Disable macros at your browser as a
     matter of policy.

[But it can enter through "segment faults" and
 "proprietary protocols". This is of no help according to
 the 'facts' above.]

   * If possible, do not enable file and
     printer sharing.

   * Do not use NT File System unless
     absolutely necessary.

   * Make remote FTP useless by using
     your own cryptographic protection
     for critical files.

[But this claims to be able to 'sniff' out the passwords
 to such crypto via the keylogger. This is of no help according
 to the 'facts' above.]

   * Use cryptographic controls that do
     not require users to enter
     encryption keys at their keyboards.

   * Replace conventional password
     access with token-based or one-time
     passwords.

[This is not feasible for many password access controls.
 Programs like PGP, certain password entries for products like
 MS Word and Excel... they cannot be updated to allow for this
 kind of control.]

   * Remove all floppy disks from
     networked environments.
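The first step in the list above, examining executables at the Internet nexus, is the one the column's own delivery vectors (self-extracting executable, hidden zip file) argue for. The following is an added example, not code from the column, the commentary or Codex Data Systems: a mail-gateway check that classifies attachments by their leading bytes rather than by file name, so a renamed executable or an executable inside a zip is still flagged. The sample message, the signature set and all names are constructed for this example.

```python
"""Added example: attachment examination by content, not by extension."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: these three signatures cover the vectors the column names;
# a real gateway would carry a much larger signature set.
MZ = b"MZ"                 # DOS/Windows executables, incl. self-extracting archives
PK = b"PK\x03\x04"         # zip archives ("hidden zip file")
OLE = b"\xd0\xcf\x11\xe0"  # legacy Office binary files, the macro carriers of the era

def classify(data: bytes) -> str:
    """Label a blob from its magic bytes; look inside zips for executables."""
    if data.startswith(MZ):
        return "executable"
    if data.startswith(OLE):
        return "office-document"
    if data.startswith(PK):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(zf.read(n)[:2] == MZ for n in zf.namelist()):
                    return "zip-with-executable"
        except zipfile.BadZipFile:
            return "corrupt-zip"
        return "zip"
    return "other"

def examine_message(raw: bytes) -> list:
    """Return (filename, label) for every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # get_payload(decode=True) always yields bytes, whatever the declared MIME type.
    return [(part.get_filename() or "<unnamed>",
             classify(part.get_payload(decode=True)))
            for part in msg.iter_attachments()]

def build_sample() -> bytes:
    """Constructed message: an .exe renamed to .txt plus a zip holding an .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "report"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="text", subtype="plain", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ\x90\x00fake")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="files.zip")
    return msg.as_bytes()
```

The renamed file is reported as an executable even though it is declared text/plain, which is the whole point of examining content rather than trusting the sender's labelling.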

Unfortunately, most firms with which I
deal do not enforce even the few minor
security policies they have developed.
This makes it almost impossible to keep
DIRT out. However, organizations that
use Network Address Translation and
proxies in their firewalls achieve some
degree of confidence that DIRT's remote
access capability will not function.

According to the folks at Codex Data
Systems, if you have a solitary PC
sitting on a dial-up or a cable modem,
there is nothing you can do - today -
except refrain from clicking on your
e-mail attachments. Of course, ignoring

[But wait. I never 'click' on my email attachments.
 This leads me to believe only *windows* users are vulnerable.]

e-mail from strangers is always a good
idea. But if I were a cop or a bad guy
using DIRT, I would certainly go after
your home PC as well as the one at work.
It's a whole lot easier, and I am going
to learn just as much.

With the advent of more powerful Trojan
horses such as DIRT (which only occupies
20K bytes), the threat to our networked
systems gets clearer. As Codex Data
Systems' Jones says, "There are no more
secrets with DIRT."

[All of this in 20k? A program that does nothing
 but tell you how long your Win computer has been running
 (uptime.exe) is 22k. Yet this program can do key logging,
 run an FTP server, and more, all in 20k? Doubt it.]