Unicode has a special character, U+202E (RIGHT-TO-LEFT OVERRIDE), that tells computers to display the text that follows it in right-to-left order; it exists to handle edge cases in Arabic, Hebrew, and other right-to-left scripts, whose letters the bidirectional layout algorithm already orders correctly on its own. However, this can also be (and is) used by malware creeps to disguise the names of the files they attach to their phishing emails. For example, a file that displays as "CORP_INVOICE_08.14.2011_Pr.phylexe.doc" is actually named "CORP_INVOICE_08.14.2011_Pr.phyl", then a U+202E, then "cod.exe": everything after the override is drawn reversed, so the stored "cod.exe" shows up as "exe.doc", while the operating system still sees a file whose extension is .exe (an executable file!).
This is apparently an old attack, but I've never seen it, and it's a really interesting example of the unintended consequences that arise when small, reasonable changes are introduced into complex systems like type-display technology.
Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:
“evil ”cod.exe is an executable file. For security reasons, Gmail does not allow you to send “this type of file.
Unfortunately, many mail applications don’t or can’t reliably scan the names and contents of files inside zip and other archives, and according to Commtouch and others, files renamed this way are indeed being spammed out inside zip archives.
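The two pieces of the trick above, building a disguised name and spotting one, in Python as an added example (not code from the original post, Commtouch, or Gmail). It constructs a sample zip archive in memory, so the sample member names and the `disguise`/`inspect`/`scan_zip` helper names are mine; the rendering step is a deliberate simplification of the Unicode bidi algorithm that is exact for plain ASCII runs like these.

```python
import io
import zipfile

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING ends an override run

# Bidi formatting characters: none of them belongs in a filename a human typed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                  # LRM, RLM
}

# Extensions Windows will run directly (assumed list for this example).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif", "msi", "ps1"}


def disguise(prefix, displayed_tail):
    """Attacker side: store prefix + RLO + reversed tail, so a bidi-aware
    renderer shows prefix + displayed_tail while the real extension is intact."""
    return prefix + RLO + displayed_tail[::-1]


def rendered(name):
    """Approximate what a GUI shows: from an RLO up to a matching PDF (or the end
    of the string) the characters are drawn right to left, i.e. reversed.
    Other bidi controls are invisible. Simplified bidi; exact for ASCII runs."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_bidi(name):
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name):
    """What the OS will act on: the suffix of the stored name, controls removed."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def inspect(name):
    """Compare what the user sees with what the OS will execute."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    ext = true_extension(name)
    return {
        "stored": name,
        "displayed": rendered(name),
        "true_extension": ext,
        "has_bidi_control": has_bidi,
        # Flag any bidi control at all, and any directly executable extension.
        "suspicious": has_bidi or ext in EXECUTABLE_EXTENSIONS,
    }


def scan_zip(data):
    """Return inspect() records for every archive member with a suspicious name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        records = (inspect(info.filename) for info in zf.infolist())
        return [r for r in records if r["suspicious"]]


def build_sample_zip():
    """Constructed sample: a benign text file plus an RLO-disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here")
        zf.writestr(disguise("CORP_INVOICE_08.14.2011_Pr.phyl", "exe.doc"), b"MZ...")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect(disguise("evil", "exe.doc")))
    for hit in scan_zip(build_sample_zip()):
        print("BLOCK:", repr(hit["stored"]), "shown as", hit["displayed"],
              "but is really a ." + hit["true_extension"])
```

On a mail gateway or file share the cheap check is the same as `inspect`: reject or quarantine any attachment or archive member whose name contains a bidi control character (U+202E is the bytes E2 80 AE in UTF-8), and judge the extension from the stored name, never from the rendered one.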
(via Command Line)