Copyright (c) 1998 by Timothy C. Barmann. This article is intended for personal viewing only and may not be re-distributed in any form. Please e-mail link requests.

August 30, 1998

Bogus programs can lure users into giving up passwords

By Timothy C. Barmann

Psssst. What's your password?

You'd probably tell a stranger who asked for the password to your Internet account to get lost.

But when our computer asks us the same question, we usually oblige.

Most of us just type in our password when asked, assuming a connection went dead or a wrong button was clicked.

Now it's time to think twice about such automatic reflexes. It's possible for hackers to trick you into handing over your password without you even realizing what you've done.

On Monday, a Canadian programmer demonstrated just such a ruse that could be used to steal passwords from users of Hotmail, Microsoft's free E-mail service (http://www.hotmail.com/).

[Photo caption] Fake or real? This is a bogus dial-up connection window that can trick you into giving away your password to a hacker. It looks nearly identical to the real one in Windows 95 or 98 that appears when you first log on to your Internet service provider. The one on top is the real one; the one on the bottom, which the programmer calls the Spartan Horse ruse, is found at http://www.thetopoftheworld.com/spartanhorse/.

The programmer, Tom Cervenka, who works for Specialty Installations Ltd. of Edmonton, Alberta, wrote a small computer program to draw attention to a security flaw he discovered in the Hotmail service.

Cervenka's program, when sent as part of a message to a Hotmail E-mail account, could surreptitiously take over all the controls on the Hotmail site for the recipient.

When the message is opened, the malicious program secretly starts running, and all appears normal. But clicking on any of the menu items on the site's Web page brings up a "time expired" message that asks the user to enter his or her user name and password. That information is then automatically E-mailed back to Cervenka. All of this could happen without the user detecting that anything was awry.

Of course, if someone has the password to your E-mail account, they can read and erase your E-mail, send mail as if they were you, and they can change your password, locking you out.

Cervenka said he notified Hotmail and Microsoft late last week but got only an automated E-mail response.

Then he went public with the security problem, posting on his company's Web site a description of the problem, along with the code and instructions on how to recreate it. That site is at http://www.because-we-can.com/.

"It was important that everyone know about it and pressure be put on Hotmail to fix the problem," Cervenka said. Hotmail jumped into action on Monday.

"We think it's a serious issue and we're taking all steps we can to remedy the situation," said Sean Fee, director of product marketing at Hotmail.

Fee said that Hotmail had partially plugged the security hole as of Monday evening. "Believe me, it's the top priority here at Hotmail," Fee said.

Cervenka said the cause of the problem was that Hotmail allowed its customers to receive messages containing embedded computer programs that run automatically as soon as the recipient opens the message. This particular ruse was written in JavaScript, a language commonly used on Web sites.

But other languages could be used to duplicate the problem, and other E-mail Web sites could also be vulnerable, Cervenka said.

In fact, just as Hotmail said it had fixed the problem on Thursday, Cervenka announced he had written another program, this one in Java, that could be used to steal passwords on Yahoo's free E-mail site.
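The root cause Cervenka describes is that a message's content reached the recipient's browser as live code. The usual remedy on the mail service's side is to sanitize the HTML of every incoming message before it is rendered, keeping only a short allowlist of harmless tags and attributes and discarding everything else, so that scripts, Java applets and "javascript:" links never reach the reader. The code below is an added illustration of that approach; it is not code from this column, from Hotmail or from Yahoo, and the tag and attribute allowlists it uses are assumptions chosen for the example.

```javascript
// Added example (not from the original column, Hotmail or Yahoo): an allowlist
// sanitizer for HTML e-mail bodies. Anything not explicitly permitted is removed
// before the message is rendered, so sender-supplied code never runs in the
// recipient's webmail session. The allowlists below are illustrative assumptions.

const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote",
]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };      // only <a href> keeps an attribute
const SAFE_URL = /^(https?|mailto):/i;                // rejects javascript:, data:, vbscript:
// Elements whose contents are dropped along with the tags themselves.
const DROP_WITH_CONTENT = new Set(["script", "style", "applet", "object", "embed", "iframe"]);

const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text between tags: neutralise any stray angle brackets so they cannot form tags.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute values are re-emitted inside double quotes, so quote them safely.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Keep only allowlisted attributes for this tag; for href, also allowlist the scheme.
function cleanAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let kept = "";
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
    const attr = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if (!allowed.has(attr)) continue;                 // drops onclick, onload, style, ...
    if (attr === "href") {
      // Remove whitespace and control characters before checking the scheme,
      // so "java<TAB>script:" is judged the same as "javascript:".
      const probe = value.replace(/[\s\u0000-\u001f]/g, "");
      if (!SAFE_URL.test(probe)) continue;            // scheme not on the allowlist
    }
    kept += ` ${attr}="${escapeAttr(value)}"`;
  }
  return kept;
}

// Returns the sanitized HTML for one message body.
function sanitizeHtml(html) {
  let out = "";
  let pos = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index));      // text before this tag
    pos = TAG_RE.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(name)) {
      // Skip everything up to the matching close tag, or to the end of input
      // if the sender left the element unclosed.
      const closeRe = new RegExp("<\\s*/\\s*" + name + "\\s*>", "ig");
      closeRe.lastIndex = pos;
      const c = closeRe.exec(html);
      pos = c ? closeRe.lastIndex : html.length;
      TAG_RE.lastIndex = pos;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown tag: dropped silently
    if (closing) { out += `</${name}>`; continue; }
    out += "<" + name + cleanAttributes(name, m[3]) + ">";
  }
  out += escapeText(html.slice(pos));                 // trailing text
  return out;
}

// Constructed sample message body, not a real captured e-mail.
const sample =
  '<p>Hi <b>there</b><script>steal()</script>' +
  '<a href="javascript:alert(1)" onclick="x()">click</a> ' +
  '<a href="http://example.com">ok</a> 1 < 2</p>';
console.log(sanitizeHtml(sample));
// prints: <p>Hi <b>there</b><a>click</a> <a href="http://example.com">ok</a> 1 &lt; 2</p>
```

The design choice is to allowlist rather than blocklist: the column notes that Cervenka's second program used Java rather than JavaScript, and a filter that only hunts for `<script>` would miss an applet or an event-handler attribute, whereas an allowlist drops every tag and attribute it has not been told to keep. Production mail services use a full HTML parser for this job; the tokenizer here is deliberately small so the allowlist logic is visible.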

Another trick to steal passwords also surfaced this month. The author calls it a "spartan horse," a play on the term trojan horse. It's less sophisticated than the Hotmail con, but it is sure to fool some Internet users.

When you go to a Web site that has the spartan horse computer program, a bogus error message appears on your screen:

"You have been disconnected from the computer you dialed. Please re-enter sign-on information to reconnect."

Once you click OK, another window appears that looks nearly identical to the Windows 95 and 98 dial-up window that's used to launch a connection to an Internet service provider.

Once you fill in the information, the program could E-mail it to someone else.

You can try it for yourself at http://www.thetopoftheworld.com/spartanhorse/.

The spartan horse takes advantage of the blurring line between the operating system and the Web browser. That blurring makes it hard to tell whether messages and windows appearing on your screen are from your own computer or from a computer program running on the Web.

The spartan horse program, written in JavaScript, was devised by Dannie J. Gregoire, the founder of an Internet access company that provides service in Ohio, Kentucky and Tennessee.

"As time goes on, it becomes increasingly difficult for the novice computer user to tell what is coming from their own computer and what is coming from a remote server," wrote Gregoire on his Web site. "As a result, it will become harder for the end user to recognize a spartan horse attack."

So how do you protect yourself against these deceptions? The only sure-fire solution is to turn off Java and JavaScript on your browser. (That's usually accomplished by finding the preferences or options menu.)

But doing so may keep you from enjoying features on perfectly legitimate Web sites.

Perhaps the best advice is simply to be cautious whenever you are asked for your password. If you are at all suspicious, don't offer up the keys to your electronic accounts.

Even your own computer can betray you if it's following the orders of a malicious hacker.

Timothy C. Barmann is a Journal-Bulletin staff writer. His column runs every other Sunday on the Computers and Technology page. Send him comments via e-mail at tim@cybertalk.com or U.S. mail, c/o the Journal-Bulletin, 75 Fountain St., Providence, R.I. 02902.