Monday, July 27, 2009

From: God To: Fed.Gov Subject: Shape Up

About the first thing a larval hacker learned, back in the day, was how to forge email. It's trivially easy, and frankly I'm not letting the cat out of the bag by showing you here. There's a point to all of this, but first I want to show you just how easy it is.

Disclaimer: You know this, but don't try this at home. Srlsy.

Telnet is the program Unix machines use to log in across the network. It's horribly insecure, but sadly ubiquitous. Basically, it takes a character (or line) that you type on your computer, wraps it up in network packets, and sends it across the network to the other computer, which handles it like it was typed directly on the keyboard there.

A cool thing about telnet is that you don't have to use the normal telnet port (TCP/23); you can use any old port that you want. If there isn't some program listening on the other computer, this won't do you any good. But if there is something - like email - listening on the other side, you can send data directly to the program. In this case, you can forge email.

Here's what it looks like:
First, I open a command prompt and start the telnet client by typing telnet. Below is the session:

Microsoft Telnet>o 25
220 ESMTP Sendmail Version 8.x.x; Mon, 28 Sept. 2008;
We do not allow to send fake or bulk emails...
250 Hello Nice to meet you..
250 Sender Ok
250 Recipient Ok
354 Enter mail, end with "." on a line by itself..
I am Bill Gates, the chairman of Microsoft. I would like to offer you a job for Microsoft Corporation. If you are interested to work with Microsoft, then reply me at my mail address.
Bill Gates
250 2.0.0 iF3NDLS240106 Message Accepted For Delivery.
My first one was a little different - I sent it from ""* but it's exactly the same. Fake.

So what does this have to do with anything? Well, it seems that the UK.Gov is spinning up criminal investigations based solely on an email they received:

Exclusive The government faces accusations of technical incompetence and waste after it went to the High Court to shut down the Fathers 4 Justice website, wrongly claiming campaigners had threatened to publish the home addresses of 237 judges.

Lawyers for Matt O'Connor, the controversial group's founder, are now preparing action against the Ministry of Justice to recover costs and damages from taxpayers. He alleges civil servants failed to perform basic checks on the origins of the threat before launching a legal attack.

The battle began in late June, when the Ministry of Justice received an email falsely purporting to come from O'Connor. It said Fathers 4 Justice would expose judges on its website as revenge for perceived unfairness in family court decisions.

The UK.Gov got an injunction forcing Fathers 4 Justice to take their web site down. Fathers 4 Justice complied, and appealed, asking for the email. Guess what they found:

"I'm not a techie but any fool could have looked at the Message-ID and seen it was a fake - a 10-year-old could have done it," O'Connor told The Register, adding that no attempt was made to verify the email by contacting him directly.

"Someone there is either extremely gullible or vindictive."
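O'Connor's point about the Message-ID can be turned into a quick triage check. The following is an added example, not code from the original post or from The Register: it compares the From domain with the Message-ID domain and with the host named in the topmost Received header. The sample message, every hostname and the function names are constructed for illustration, and a mismatch is a reason to verify with the sender, not proof of forgery.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and ID below is made up.
SAMPLE = """\
Received: from mail.example.net (dsl-203-0-113-7.example.net [203.0.113.7])
\tby mx.recipient.example with ESMTP id abc123; Mon, 22 Jun 2009 10:00:00 +0100
Message-ID: <20090622090000.1234@dsl-203-0-113-7.example.net>
From: "Campaign Founder" <founder@campaign.example>
To: office@recipient.example
Subject: constructed test message

body
"""

def domain_of(addr):
    """Return the lower-cased part after the last '@', or '' if there is none."""
    return addr.rsplit("@", 1)[1].strip("<> \t").lower() if "@" in addr else ""

def same_org(a, b):
    """Crude relatedness test: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def header_findings(raw):
    """List header inconsistencies that justify checking with the claimed sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    msgid_dom = domain_of(msg.get("Message-ID", ""))
    findings = []
    if not msgid_dom:
        findings.append("no usable Message-ID")
    elif not same_org(from_dom, msgid_dom):
        findings.append(f"Message-ID domain {msgid_dom} unrelated to From domain {from_dom}")
    # The topmost Received header is written by the recipient's own server,
    # so its "from" clause records the host that actually connected.
    received = msg.get_all("Received", [])
    if not received:
        findings.append("no Received headers")
    else:
        hop = " ".join(received[0].split())  # unfold continuation lines
        helo = hop.split()[1].lower() if hop.lower().startswith("from ") else ""
        if not same_org(from_dom, helo):
            findings.append(f"delivering host {helo} unrelated to From domain {from_dom}")
    return findings

if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print("CHECK:", finding)
```

Mail sent through a third-party provider can trip both checks legitimately, so the output is a prompt to contact the claimed sender directly, which is the step the quoted article says was skipped.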

Let's leave aside the question about whether the UK.Gov would have targeted say, a mother's group, or a minority rights group, as opposed to white males. What's clear is that there are a bunch of mouth breathers in the UK Ministry of Justice. Mouth breathers that can get court orders.

I know that the *.Gov exempts itself from Criminal Negligence statutes, but this seems to rise to that occasion.

Oh, and one last word to the wise: Don't do this at home. Srlsy.

* Heaven is a non-profit organization, so it has a .org domain.

