A Job for Spiderman
Worms, trojans, viruses, spam, phishing and now broadband security. It’s all too much! Should we stop using the Internet? This has been a common question since my “phishing” article and the more recent concerns expressed in the popular press. In the same breath comes the plea for guidance on how to detect or at least recognize such events.
The first answer is a definite no! And there is no need to become paranoid about the Microsoft products, which are at times unfairly maligned.
Firstly, we are talking about malicious redirection to a site other than the desired destination. This can only occur if the intended site is chosen from a hypertext link, meaning the links we click on to navigate a site or the web. It cannot happen if you type the address into the address bar. This tactic works in any browser in addition to Internet Explorer, Outlook or Outlook Express. The problem starts with the Microsoft products, which handle legitimate code differently.
In 1994 the regulating body defined the various URL naming conventions to allow different protocols to operate. This became a mandatory prerequisite for all browsers.
We all understand that a URL is the whole string we have to type into the browser address bar to reach our chosen destination. As we all know, it consists of the www bit and what follows, but it can also carry a number of other letters and symbols. And this is where the problem starts.
If I typed http://www.cybercons.org%01%00@resortnews.com.au into my browser’s address bar I would not go to Cybercons at all but finish up at Resort News. The reason for this is that under the original standard, combinations such as %00, %01, @ and more were part of address schemes and provided the opportunity to enter shorthand commands into the browser address bar (quite beyond us mere mortals).
All browsers support this but with one vital difference. Only the Microsoft products above don’t show the fancy bits after dot org, whereas all other browsers such as Opera, Netscape, Mozilla etc. do. So when you are redirected from Internet Explorer you are not given any warning. The other browsers show you the full detail of your new destination, which should then stop you from proceeding. IE only shows the www.cybercons.org part. This means you are vulnerable to something called URL Spoofing and hence phishing.
Now the good news here is that Microsoft has had patches out since February to fix this. Once the patch is installed you would not be redirected. Instead you would end up with the default Explorer error screen, which says “This page cannot be displayed”. So if your Internet Explorer does that you are safe and need not worry further.
But the catch has deeper roots. I do not have to type the URL into my address bar. I can write that code into a web page or email, even disguise it, and, hey presto, click on it and you have been sent to some other destination. The other flaw not catered for by Microsoft is that the status bar, at the very bottom left hand side of your screen, and the address bar tend to show the same address when your mouse hovers over a link, whereas the other browsers show full URL details, which would be different if redirection is intended. This means that you are again deprived of another vital clue.
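The check a mail filter or link scanner could apply to such a link, as an added example that is not part of the original article: it splits the address the way the URL standard does and reports the host the browser will really contact. The function name inspectLink and all sample addresses other than the article's own are made up for illustration.

```javascript
// Added example (not from the original article). inspectLink is a hypothetical
// helper name; it needs no libraries and runs in a browser console or Node.
function inspectLink(href) {
  // scheme "://" authority; the authority ends at the first "/", "?", "#"
  // (or "\", which browsers treat like "/" in http and https addresses).
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#\\]*)/i.exec(href);
  if (!m) {
    return { ok: false, host: null, userinfo: null,
             warnings: ["not an absolute URL with a server part"] };
  }
  const authority = m[2];
  // Everything before the LAST "@" is userinfo (a login name), not the server.
  // The browser connects to what comes after it.
  const at = authority.lastIndexOf("@");
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  const host = hostport.replace(/:\d*$/, "").toLowerCase(); // drop any :port

  const warnings = [];
  if (userinfo !== null) {
    warnings.push("userinfo present, real host is " + host);
    // A login name shaped like a domain is there to be mistaken for one.
    if (/[a-z0-9-]+\.[a-z]{2,}/i.test(userinfo.split(":")[0])) {
      warnings.push("userinfo looks like a host name");
    }
    // %00 to %1F decode to control characters, as in the article's %01%00.
    if (/%[01][0-9a-f]/i.test(userinfo)) {
      warnings.push("encoded control character in userinfo");
    }
  }
  return { ok: warnings.length === 0, host, userinfo, warnings };
}

// The first address is the article's own; the others are constructed samples.
const samples = [
  "http://www.cybercons.org%01%00@resortnews.com.au",
  "https://www.example.com/login?next=/home",
  "http://user:secret@intranet.example:8080/reports",
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(s + "\n  host: " + r.host + "\n  " +
              (r.ok ? "no warnings" : r.warnings.join("; ")));
}
```

A link with any userinfo at all is worth flagging in email, since legitimate sites have no reason to put a login name in a link they send you.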
To test your system you can go to www.cybercons.org/spoof.htm and try it all yourself. I promise nothing terrible will happen to you except perhaps peace of mind.
A final reliable option is to write some JavaScript code into the address bar once you have arrived at a web site. I would not normally recommend this approach since it is possible to damage your system if you get it wrong, but it is an option recommended by Microsoft. We will put it into print here but the safest way is to go to my web page above and copy the code and then paste it into your address bar. That way you should not make a mistake. Full instructions are on that page.
I actually have a text file on my desktop containing this code so that I can quickly check out the true identity of a site if there are any doubts. All brought on by my own experience of being redirected. The code you enter after deleting the original URL from the address bar is as follows:
javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");
This will pop up an alert screen as in Fig1.
The last piece of advice is about the lock symbol displayed on the right hand bottom corner of the status bar when you are on a secure (encrypted) site. If the lock is closed and you also see https:// instead of http:// in the address bar you are on a secure site. Double click on the lock and a window pops up showing full details of the security certificate, which is how the lock symbol gets there in the first place. It should identify the owner, on the line “Issued to”, as the URL you wanted to visit.
Fig2. shows an example for the ANZ bank. Were it anything but the ANZ bank, authenticated by Verisign or similar appropriate organization, I would not proceed.
I can only repeat earlier advice in order of importance:
- Maintain your system by regularly going to Windows Update and downloading at least the critical updates.
- Make sure you are using the latest browsers, virus definitions and firewalls. This will also take care of broadband issues.
- Do not click on hypertext links in email.
- If in doubt use the above JavaScript technique to check the actual URL.
- On secure (encrypted) sites check the security certificate. If there is any doubt at all do not proceed to enter any personal details. Just quit.
- To shut down your browser quickly should you arrive at an undesirable destination hit the ALT + F4 keys.
- For a full discussion see Microsoft Knowledge Base Article – 833786
- Read all your emails these days in plain text and certainly not HTML.
- Finally, always type the destination URL into the address bar rather than click on links if you want to be certain of arrival at your chosen destination.
Once again self help, good housekeeping and sensible alertness will avoid disasters.