From Wired
BS Detector: NaughtyRobot Is Panic Fodder
by Mark Frauenfelder
9:00 am PST 31 Jan 97 - A minor panic is flowing through Usenet
this week, with people receiving email with their own addresses listed in
the "from" line and the words "EMERGENCY - security breached by
NaughtyRobot," in the "subject" line. The message claims it was sent by "an
Internet spider that crawls into your server through a tiny hole in the
World Wide Web," and collects personal information, such as credit card and
phone numbers.
People shouldn't panic, says Jonathan Wheat, lab manager at the
National Computer Security Association in Carlisle, Pennsylvania. "It's
probably just a simple ActiveX spider," that searches through public Web
documents, collecting email addresses, and then sending warning messages to
the addresses it collects, using a simple operation to forge the sender's
true identity.
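The forgery described above is simple to spot on the receiving side: the From: line names the recipient, the subject carries the hoax wording, and the Received: chain shows the message entering from a host that has nothing to do with the claimed sender's domain. The following check is an added example written for this page, not code from Wired, the NCSA or any ISP named in the article; the two sample messages, the example.net hosts and the documentation-range IP addresses in them are constructed.

```python
"""Flag mail whose From: line has been forged to the recipient's own address.

Added example; the sample messages and hosts below are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the hoax described in the article:
# From: equals To:, hoax subject, and an origin host outside the sender's domain.
SAMPLE_SPOOF = """\
Received: from relay.isp.example.net (relay.isp.example.net [192.0.2.10])
\tby mail.example.net with SMTP; Fri, 31 Jan 1997 08:12:00 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.isp.example.net with SMTP; Fri, 31 Jan 1997 08:11:30 -0500
From: alice@example.net
To: alice@example.net
Subject: EMERGENCY - security breached by NaughtyRobot

This has been a public service announcement...
"""

# Constructed ordinary message for comparison.
SAMPLE_LEGIT = """\
Received: from mail.example.net (mail.example.net [192.0.2.5])
\tby mail.example.net with SMTP; Fri, 31 Jan 1997 09:00:00 -0500
From: bob@example.net
To: alice@example.net
Subject: lunch?

Noon?
"""

_HOAX_SUBJECT = re.compile(r"security breached by naughtyrobot", re.I)
_RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.I)


def domain_of(addr):
    """Return the lower-cased domain part of an address, '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def origin_host(msg):
    """Host named in the oldest Received: header (the last one in the list),
    i.e. where the message first entered the mail system."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = _RECEIVED_FROM.match(received[-1].strip())
    return m.group(1).lower() if m else ""


def analyze(raw):
    """Collect the indicators that distinguish a self-addressed forgery."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    origin = origin_host(msg)
    sender_domain = domain_of(sender)
    return {
        "self_addressed": bool(sender) and sender in recipients,
        "hoax_subject": bool(_HOAX_SUBJECT.search(msg.get("Subject", ""))),
        "origin_host": origin,
        # A message really sent by alice@example.net should enter from a host
        # in example.net; a forged one typically enters from somewhere else.
        "origin_matches_sender_domain": bool(origin and sender_domain)
        and origin.endswith(sender_domain),
    }


def is_likely_forged(raw):
    """Self-addressed mail that either carries the hoax subject or did not
    originate inside the sender's own domain is treated as forged."""
    r = analyze(raw)
    return r["self_addressed"] and (
        r["hoax_subject"] or not r["origin_matches_sender_domain"]
    )


if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw), "forged" if is_likely_forged(raw) else "ok")
```

The origin-host test is a heuristic rather than proof: legitimate mail can enter from a host outside the sender's domain (a roaming user, a third-party relay), so the check is best used to raise a flag for review or to drop the specific hoax pattern, not as a general authentication mechanism.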
Shortly after Microsoft released ActiveX, explains Wheat, people
started writing spiders and releasing them on the Web. "They are cake to
play with if you know Visual Basic," he says. The spiders "go around and
roam through each link [of a Web site] and capture email addresses and
other public information." But it's doubtful that the NaughtyRobot collects
credit card numbers or other private information unless an "ISP was stupid
enough to make that kind of information available on the Web," says Wheat.
The NaughtyRobot message offers no proof that any personal information was
gleaned by the spider.
The NaughtyRobot message, which warns recipients that the spider has
"captured [their] Email and physical addresses, as well as [their] phone
and credit card numbers," instructs recipients to alert their sysop,
contact the police, disconnect their telephone, and "report [their] credit
cards as lost." The message closes with: "This has been a public service
announcement from the makers of NaughtyRobot - CarJacking its way onto the
Information SuperHighway."
The Alachua Freenet has posted a notice on its Web site informing
clients to regard the NaughtyRobot message as a hoax. "No credit card
information for any Alachua Freenet user has ever been recorded by AFN, so
there is no such information to obtain from or through Alachua Freenet's
system. You can't squeeze blood from a turnip," states the message.
Many of the messages sent by NaughtyRobot have had's
domain name within the header, resulting in a flood of complaints to the
ISP. "The prankster used our server as a reflector, very similar to Simson
Garfinkel's story yesterday in Packet," says owner
Christopher Alan. "We closed the loophole that was exploited to send this
stuff. The messages did not originate from our site, or one of our user
