Slashdot Mirror

← Back to Stories (view on slashdot.org)

Largest Hacking Scam in Canadian History

Posted by CmdrTaco on from the stole-all-the-maple-syrup dept.

vieux schnock writes "Police raided several homes across Quebec on Wednesday and arrested 16 people in their investigation, which they say uncovered the largest hacking scam in Canadian history. (...) The hackers collaborated online to attack and take control of as many as one million computers around the world that were not equipped with anti-virus software or firewalls."

2 of 211 comments (clear)

  1. Re:Really? by ultranova · · Score: 5, Interesting

    To make matters worse, some attacks may even occur if you are dealing with safe file types, like a PNG or even PDF.

    There are no safe file types. All files can be viewed as programs meant to run in a specialized virtual machine (the program which is used to open them). For example, a PNG file is a program which, when run, will compute an array of bytes (the image pixels). The same goes to PDF. In this view, since all files are programs, it is in principle possible that any of them could contain code which can result in unexpected behavior of the virtual machine executing them.

    Of course some file types are easier to compromize than others, either due to sheer complexity or ambiguity of the specification or because they are Turing complete. However, it is impossible to guarantee that every viewer for any file type is free of defects. Anyone still remember ANSI codes for DOS, which could be embedded to text to change color but also to set macros to keyboard keys when the file was viewed ? And of course SQL injection attacks are based on formatting a text string so it will cause unexpected results, not to mention causing a buffer overflow with an overlong string.

    I repeat: there are no safe file types. They all have a potential to contain malicious code, because there is no such thing as data which is not also a program. From a certain point of view, GIMP is simply a very specialized compiler...

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  2. Re:Really? by ultranova · · Score: 4, Interesting

    Is a text file containing a single line of text followed by a carriage return a program?

    It can be. For example:

    '; ROLLBACK; UPDATE users SET admin = true WHERE username = 'ultranova'; '

    If the virtual machine which handles the username field of Slashdot login form naively passed this string to the database layer without specifically quoting it, this text string would make my account an admin account; well, actually, since I haven't studied Slashdcode, it propably wouldn't, but the point still stands: even text is not an inherently safe data format in all circumstances.

    How about the standard input device? When I type at the console keyboard, is that a program feeding into a "virtual machine" created by the console driver?

    The virtual machine in this case would be whatever program receives the input. And yes, the text you type is indeed a program being executed by that machine; each time it receives a keypress from you, that keypress instructs it to do something, right ? Even if that something is merely to output the letter (altought a text editor would also store the input internally, of course). And that is what a program is: a list of instructions.

    If not, why is a disk device different from another device?

    It isn't.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.