[ale] OT: Help me figure out what is happening?

Jeff Hubbs hbbs at attbi.com
Fri Feb 22 08:25:20 EST 2002


I did send a message back explaining about the security risk and asking 
if there were another way I could complete their form.  Interestingly, 
in the woman's original message, she talked about faxing back the end 
result, which struck me as odd because the whole point of the exercise 
would seem to me to be online submittal.  

I've already decided that if I get back a ration of sheitz from that 
e-mail - basically, anything other than "My goodness, Mr. Hubbs, you're 
right - we didn't realize this" - I'm going to politely withdraw my 
application.  Fighting with co-workers/managers about the most basic and 
obvious computer security issues is something I've had more of in my 
career than I should have as it is.  

- Jeff

James P. Kinney III wrote:

>Jeff,
>This looks like a golden opportunity to sell yourself as a security
>expert. I would be leery of wanting to affiliate myself with a company
>that so poorly understands system security.
>
>Your legwork is correct about what is going on. In a perfect world,
>Omniform MF (use your own reverse acronym :) presents a form to a
>computer newbie and extracts newbie applied text and sends it to a
>receiving location. It is based on html forms. It has an embedded
>java-based browser that supplies the screen and does the network
>lifting. As it is not a very common application, it has not been subject
>to much scrutiny. 
>
>I wouldn't trust on anything but a disposable, standalone box that is OK
>to fdisk afterwards.
>
>
>On Thu, 2002-02-21 at 23:05, Jeff Hubbs wrote:
>
>>I applied for a job yesterday and I got an e-mail back with what appears 
>>to be a Windows executable attached that I am expected to run in order 
>>to fill out and submit some kind of online form.
>>
>>I have enough computer security 'fu to know that this is a very, very, 
>>bad practice and that every applicant is placed at risk by this 
>>practice.  So, I tried to fire it up under Wine to see what would 
>>happen.  Wine churns for a while and I eventually get an error box 
>>titled "OmniForm Mailable Filler" that says "Failed to launch 
>>application."  I did just a bit of Google research on this app.  I want 
>>to e-mail these people back and tell them that due to security concerns 
>>I don't want to run this application; for those of us to whom the 
>>reasons aren't plainly obvious, it's mostly because I have no way to 
>>know if this binary has gotten virus-infected along the way and that 
>>even if I had a Windows machine with anti-virus software, it isn't going 
>>to be any more effective at detecting such a virus than any AV software 
>>the sender used on it (presuming they even bothered).  
>>
>>Anyway, my question to you is this:  I pulled this command line out of 
>>/proc - can you tell me what OmniForm Mailable Filler is attempting to 
>>do here?
>>
>>/usr/bin/winereal--E:\EXEbaeb.tmp"E:\OFMbaec.tmp""F:\tmp\wine_c\JobAPPComplete.exe"\
>>http://www.eomniform.com/OF5/nsplugins/OFMailX.cab 
>>http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar \
>>http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
>>
>>Note:   "F:\tmp\wine_c\JobAPPComplete.exe" is the Windows filespec as 
>>seen by Wine to refer to the app in question.
>>
>>Without drilling real deeply here, it looks to me that the app tries to 
>>call up other Web-downloaded code (.cab, .jar), which would seem to 
>>further amplify the security risk (add to the virus risk the idea that I 
>>have no idea what all this stuff wants to do in my system).  Looking 
>>through my Google findings suggests that OmniForm Mailable Filler makes 
>>use of browser plugins.  
>>
>>If I had to guess, I'd suppose that the downloaded code constitutes an 
>>SMTP UA, mailing my inputted data to some mail server somewhere (begs 
>>the question, how am I being authenticated?).  
>>
>>- Jeff
>>
>>
>>
>>
>>---
>>This message has been sent through the ALE general discussion list.
>>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
>>sent to listmaster at ale dot org.
>>
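The command line Jeff pulled from /proc reads as one run-together string because /proc/<pid>/cmdline separates arguments with NUL bytes, not spaces. As an added example that is not part of the thread, this script splits such a buffer into argv and flags which arguments are Windows paths and which are URLs the program would fetch further code from; the argument boundaries in the constructed sample are an assumption reconstructed from the quoted line.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of /proc/<pid>/cmdline for the Wine invocation quoted
# above, with NUL separators restored. The tmp names, exe path and URLs are
# as posted; where each argument begins and ends is an assumption.
SAMPLE_CMDLINE = (
    b"/usr/bin/wine\x00real\x00--\x00E:\\EXEbaeb.tmp\x00E:\\OFMbaec.tmp\x00"
    b"F:\\tmp\\wine_c\\JobAPPComplete.exe\x00"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailX.cab\x00"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar\x00"
    b"http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi\x00"
)

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)   # scheme://...
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")             # drive-letter path

def split_cmdline(raw: bytes) -> List[str]:
    """Split a NUL-separated /proc/<pid>/cmdline buffer into argv entries."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]

def classify_args(argv: List[str]) -> Dict[str, List[str]]:
    """Sort argv into remote code references, Windows paths and everything else."""
    out: Dict[str, List[str]] = {"urls": [], "win_paths": [], "other": []}
    for arg in argv:
        if URL_RE.match(arg):
            out["urls"].append(arg)
        elif WIN_PATH_RE.match(arg):
            out["win_paths"].append(arg)
        else:
            out["other"].append(arg)
    return out

def remote_hosts(argv: List[str]) -> List[str]:
    """Distinct hosts that any URL argument would pull code from."""
    return sorted({urlparse(a).hostname for a in argv if URL_RE.match(a)})

def read_proc_cmdline(pid: int) -> List[str]:
    """Read a live process's argv from /proc (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return split_cmdline(fh.read())

if __name__ == "__main__":
    argv = split_cmdline(SAMPLE_CMDLINE)
    for key, items in classify_args(argv).items():
        print(key, items)
    print("hosts:", remote_hosts(argv))
```

Point read_proc_cmdline at a running Wine process to get the same breakdown for a live binary before deciding whether to let it continue.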