[Previous] [Next] [Index]
[Thread]
Re: Hacking a Personal Computer via E-mail
>I recently saw a German tv-show that claimed that it is possible to
>hack into someones personal computer via e-mail. Program (Computer Club)
>said that two Dutchman from Rotterdam made them aware of this fact. To
>prove their point they send them some password information they'd hacked of
>the PC of one of the presentors.
>
>Since I'm fairly new to this list, I don't know if this might be old news,
>if so please let me know. If not, I would like to know if there is someone
>out there, who could elaborate on this and tell me if this is indeed
>possible, and what countermesures one can take to prevent this.
>
Whether this is possible depends on the level of sophistication of the email
system being used by the target. If the email system is text-only, there is
little danger. Some email systems have the sophistication to recognise
executable attachments and to run them automatically. In that case, sending
someone mail can do anything that a program running on their system can do,
like reformatting their hard drive or looking for non system .txt files and
mailing them back to the attacker.
Executable attachments might not take an obvious form. Microsoft Word has a
macro facility that allows commands to be executed as part of loading a
document. If a mail system recognises Word documents and automatically launches
Word, bad things might happen. Similarly, Postscript is a rich programming
language and a full function postscript interpreter could add lines to your
autoexec.bat or .login file as a side effect of displaying the document on your
screen. Both of these are true whether the postscript interpreter or Word
system are invoked automatically by the mail system or whether the user
extracts the mail to a file and then runs them.
There is little a user can do to protect himself other than to limit himself to
extremely primitive tools or use sophisticated ones that were designed with
this threat in mind. As hackers discover the security flaws in various
applications, the application designers will fix them - for example postscript
interpreters should probably refuse to write files - at least not without an
explicit OK from the user. It's hard for a careful user to know how secure his
applications are.
It would also be good if operating systems had the sophistication to run
programs in a protected mode so they can't arbitrarily scramble system
information - just like time sharing systems in the '60s.
But for today, yes, this is a serious worry.
--Charlie Kaufman
(charlie_kaufman@iris.com)