the following is excerpted from fred langa's emailed "lagalist". hope you enjoy...
"Don't Fall For This Hoax!
Frequent contributor Dennis Regele had a justifiable scare
last week: He was visiting a Russian web site and. well,
let's let him tell the story in his own words:
dear fred,
it's been a while since i wrote to you, i
know you're busy but i didn't know who to turn to
with this. the other night i was surfing some
russian newspapers on the web when i came upon a
listing for a radio station in st. petersburg. the
site had several frames an one said " we know who
you are " since i have my security set to medium, and
no info other than a secondary email address
listed in my browser(IE 5.0), i thought yea, sure
you do. well it went on to list my ip address,
domain and data about my browser. well that's not
to hard to get. BUT at the bottom is said, "We
also well know contents of your computer and we
can quietly up to him reach." [They mean: "We
know, and can quietly access, the contents of your
computer."] then there was a button above which said "
do not trust ? " [They mean: "You don't believe
us?"] i thought sure, pressed the button and the
contents of my hard drive appeared on the screen!
Well after the initial shock i thought how
did they get into my hd so i used the edit key in
the files menu and saved it. next i went off line
and used my anti-virus software to check for any
viruses, then went through my hard drive to find
and eliminate any files from that site (other than
the one i copied of the page itself.) again every
thing was clean.
My question is a) how do they do this, and
B) how can i protect against it.
if you can shed any light on this for me
i'd really appreciate it. i hope someone else can
be spared the hassle of this kind of ....
thanks in advance,
Dennis Regele
I visited the site ( freelines.ru )
and I could instantly see why Dennis was
disturbed. The "do not trust?" (i.e. "you don't believe
us?") button does indeed put the entire contents of your
hard drive right there in the browser window. It's
startling!
But it turns out just to be a clever and harmless prank, or
hoax. The button simply issues a local "file://c:/" command
to your browser, which then locally (and harmlessly)
displays your hard drive contents.
You can accomplish the same thing a lot less mysteriously
simply by typing
file://c:/
in the address bar of your browser. Try it!
That's all the button on that page does---it just locally
commands your browser to show you your own local drive
contents. Nothing is sent over the wire; the Russians never
see the results (the display of your hard drive contents) on
their end. In other words, it's a hoax: They're just pulling
our chains. 8-)
Cute hack, though!"
:)
mark |
