Aerospace Corporation Vandenberg AFB, CA
The engineer raised his eyebrows when he saw a message in his e-mail inbox on February 20, 1997. It seemed to be an e-mail from him to himself. It was ominously entitled “security breached by NaughtyRobot.” It announced “This message was sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web.” It went on to warn it had “visited your host system to collect personal, private, and sensitive information. It has captured your Email and physical addresses, as well as your phone and credit card numbers.”

It was a hoax. This and other pranks prey on computer users’ realization that they are not experts and on their fear of what they do not understand. Especially in a security-conscious environment like a military base or a defense contractor, they also take advantage of people’s diligence.

The NaughtyRobot hoax surfaced in January 1997. It was detailed by Dave Beeler, who received his copy on February 6, 1997. His message and at least 1,000 others had been routed through a server in Germany. Others passed through Norway. The messages apparently were sent from a site in San Francisco, CA. Beeler could not tell if that was the original site or merely another stop along the route.

How were the NaughtyRobot victims picked? Many were webmasters, whose e-mail addresses are available on their WWW pages. Others left their e-mail addresses on guestbooks at websites, or in a public message in a USENET newsgroup.

The Vandenberg engineer who received the message immediately suspected something was not right. He did not keep personal information on his PC at work, and was certain it was not on his company’s network server. However, he has used e-mail, some USENET groups, and Listservers extensively in the past.

Several other Internet hoaxes plagued Vandenberg users recently. They included “Good Times,” which has been around since December 1994. That hoax warns that merely reading a message with Good Times as the subject would erase the reader’s hard drive.

A similar scare came when the JCS released a message in January 1997 warning about the Wazzu strain of the Microsoft Word Macro Virus. It is not possible to infect a computer just by reading a message, though reading an attachment like a Microsoft Word document infected with a virus like “WM.Wazzu” will. You can safely read an e-mail, but you should scan any attachment for viruses before executing or reading it.

Copycats spring out of the woodwork after every successful Internet hoax. We can expect similar tricks to appear on April Fool's Day.

How can you help stamp out the hoaxes? Charles Hymes, a senior human factors engineer for Hewlett-Packard, offers several suggestions. They include:

First, if you get a message “that seems like it should be shared with LOTS of people, ***DON’T SEND IT** unless you either KNOW the message is true, you can authenticate [the sender’s] identity. . .or you know the sender personally. . . .The more urgent it sounds, the more skeptical you should be.” If you must forward it to anyone, send it to your Computer Systems Security Officer (CSSO).

Second, try to check with the purported originator before sending it on. Pranks usually have forged headers and signatures. When you try to verify the validity of the message, you will discover the address is invalid.

The USAF has released a new instruction (AFI 33-129 Transmission of Information via the Internet). It specifically prohibits forwarding chain letters, etc. Most defense contractors have similar policies in place.
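The header check described above (a message that claims to come from the recipient himself but arrived through outside relays) can be done mechanically. The following is an added example, not part of the original article: the hosts, addresses and sample message are constructed, and the function names `hops` and `review` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mail claiming to be from the recipient to himself.
# Every host and address here is made up (example.* names, documentation IPs).
SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP; Thu, 20 Feb 1997 08:15:02 -0800
Received: from relay.example.de (relay.example.de [198.51.100.7])
\tby mail.example.com with SMTP; Thu, 20 Feb 1997 08:14:40 -0800
Received: from dialup.example.net (unknown [203.0.113.55])
\tby relay.example.de with SMTP; Thu, 20 Feb 1997 17:13:58 +0100
From: engineer@example.com
To: engineer@example.com
Subject: security breached by NaughtyRobot

This message was sent to you by NaughtyRobot...
"""

HOP = re.compile(r"from\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.S)

def hops(msg):
    """Return (sending_host, receiving_host) pairs, oldest hop first."""
    pairs = [HOP.search(v) for v in msg.get_all("Received", [])]
    # Each relay prepends its own Received line, so reverse to get route order.
    return [(m.group(1).lower(), m.group(2).lower()) for m in pairs if m][::-1]

def review(raw, own_domain):
    """Flag self-addressed mail that was handed to us by an outside host."""
    inside = lambda h: h == own_domain or h.endswith("." + own_domain)
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    route = hops(msg)
    # Only the line written by our own server is trustworthy: the newest hop
    # where one of our hosts accepted mail from a host that is not ours.
    # Everything older may itself be forged, so it shows a claimed route only.
    handoff = next((h for h in reversed(route)
                    if inside(h[1]) and not inside(h[0])), None)
    self_addressed = bool(sender) and sender == rcpt
    return {"self_addressed": self_addressed, "route": route,
            "external_handoff": handoff,
            "suspicious": self_addressed and handoff is not None}

if __name__ == "__main__":
    print(review(SAMPLE, "example.com"))
```

Hops older than the external handoff are only what the sending side claimed, which is why a route like this one shows relays without proving where the message originated.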
[Webmaster's note: This article was originally written in February 1997 for the VSAC News and NCMS Channel Islands Newsletter. The web links still worked as of this posting. Another excellent site on hoaxes is at http://urbanlegends.about.com.]
For information on our group or to make comments about this page,
please email sate@impulse.net.
All Rights Reserved. Copyright © 2000 by
Bill Uttenweiler.
Last Updated: April 3, 2000.