April Fools Pranks Target Security Industry

Phony vulnerability advisories and other hoaxes floating around the Web Tuesday ruthlessly satirized the security industry and its denizens.

A number of security-related April Fools' Day hoaxes began floating around the Internet Tuesday, several of which ruthlessly satirized the security industry and its denizens.

From phony vulnerability advisories warning that the end of the world is upon us to a "product announcement" for a tool that automatically strikes back at hackers, the hoaxes have become far more elaborate than simple false virus warnings.

Perhaps the most clever—and certainly the most widely believed—of these is a bogus RFC published by security and networking expert Steve Bellovin, of AT&T Labs Research in Florham Park, N.J.

Titled "RFC 3514: The Security Flag in the IPv4 Header," the document proposes using the one unused bit in the IPv4 header (the high-order bit of the fragment-offset field, reserved and required to be zero by RFC 791) to declare whether a given packet is "evil" or "benign."

Evil packets, i.e., those sent with malicious intent, must have this bit set to 1; benign packets must have the bit set to 0. The idea, Bellovin writes, is to help intrusion detection systems, firewalls and other security technologies distinguish between malicious packets and those that are simply odd.
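To make the mechanics of the RFC concrete, here is an added example (not code from the article, from Bellovin or from the RFC itself) that builds a minimal IPv4 header, sets or clears the evil bit and recomputes the header checksum, and classifies packets the way the RFC suggests an IDS might. The addresses are from the documentation ranges and the identification value is a constructed sample; the one practical point it shows is that the reserved bit cannot simply be flipped in flight: because it is covered by the header checksum, a packet altered without a recomputed checksum is malformed rather than "evil."

```python
"""RFC 3514 "evil bit" worked example: build an IPv4 header, set or clear
the bit, and classify packets. Added illustration, not the RFC's or the
article's own code; addresses and identification values are constructed."""
import struct

# RFC 3514 places the evil bit in the only unused IPv4 header bit: the
# high-order bit of the 16-bit flags/fragment-offset word (the RFC 791
# "reserved" flag). In network byte order that is mask 0x8000 of bytes 6-7.
EVIL_BIT = 0x8000
FLAGS_OFFSET = 6      # byte offset of the flags/fragment-offset word
CHECKSUM_OFFSET = 10  # byte offset of the header checksum


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. With the checksum field zeroed this
    yields the checksum; over a header that already carries a correct
    checksum it yields 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, evil: bool = False,
                      proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5      # IPv4, header length 5 words
    total_len = 20 + payload_len
    ident = 0x1234              # constructed sample identification
    flags_frag = 0x4000         # DF set, fragment offset 0
    if evil:
        flags_frag |= EVIL_BIT
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)
    return hdr[:CHECKSUM_OFFSET] + struct.pack("!H", csum) + hdr[CHECKSUM_OFFSET + 2:]


def set_evil_bit(header: bytes, evil: bool) -> bytes:
    """Copy of the header with the evil bit set or cleared and the checksum
    recomputed, as an RFC 3514-compliant sending host would have to do."""
    hdr = bytearray(header)
    word = struct.unpack_from("!H", hdr, FLAGS_OFFSET)[0]
    word = (word | EVIL_BIT) if evil else (word & ~EVIL_BIT & 0xFFFF)
    struct.pack_into("!H", hdr, FLAGS_OFFSET, word)
    struct.pack_into("!H", hdr, CHECKSUM_OFFSET, 0)
    struct.pack_into("!H", hdr, CHECKSUM_OFFSET, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def classify(packet: bytes) -> str:
    """IDS logic in the spirit of the RFC: 'evil' if the bit is set, 'benign'
    if clear, 'malformed' if the header does not parse or fails its checksum."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:
        return "malformed"
    flags_frag = struct.unpack_from("!H", header, FLAGS_OFFSET)[0]
    return "evil" if flags_frag & EVIL_BIT else "benign"


if __name__ == "__main__":
    benign = build_ipv4_header("192.0.2.1", "198.51.100.7")
    for name, pkt in [("benign", benign),
                      ("evil", set_evil_bit(benign, True)),
                      ("bit flipped, stale checksum",
                       benign[:6] + bytes([benign[6] | 0x80]) + benign[7:])]:
        print(f"{name}: {classify(pkt)}")
```

Because the reserved flag must be zero in real traffic, a packet that arrives with it set is a genuine anomaly whether or not anyone honours RFC 3514; IDS rule languages that expose fragment flags (Snort's fragbits keyword, for instance) can match on exactly this bit.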

Many members of the security mailing lists on which the document was distributed appear to have fallen for the gag, mystifying Bellovin, who has jokingly referred to the evil bit in IP headers for years.

"What can I say? It's clearly an April 1 joke," he said. "I finally got around to writing it up. I've thought about doing it other years and then realized that the deadline had passed. I've gotten a lot of mail about it and people appreciate the joke."

The proposal is identical in layout and format to genuine RFCs, down to the details of how applications might set the evil bit and the list of technical references at the end.

Messages posted on some security mailing lists complain of having to write patches to make applications compliant with Bellovin's RFC.

"If the bit is set to 1, the packet has evil intent. Secure systems should try to defend themselves against such packets. Insecure systems may choose to crash, be penetrated, etc.," Bellovin writes in the RFC.

Adding to the aura of believability around the document is a follow-up message from Fyodor, the author of the popular port-scanning tool, Nmap. In his message to the Nmap mailing list, Fyodor floats several options for making his program compliant with RFC 3514.

"Perhaps an -evil option would be handy, or maybe a standard environmental variable should be used (SCRIPT_KIDDIE=1) so that all security programs run by the hacker set the flag appropriately?" he writes. He also suggests that perhaps he could include a hard-coded list of Unix usernames of known hackers.

An obviously fake, but still poignant, vulnerability advisory posted to BugTraq Tuesday warns that "a distributed denial-of-service condition is present in the election system in many polypartisan democratic countries. A group of determined but unskilled and not equipped low-income individuals, usually between 0.05% and 2% of the overall population of the country, can cause serious disruptions or even a complete downfall of the democratic system and its institutions."

The advisory purportedly comes from a company called S.E.L.L., which describes itself as "a number one provider of deep-insight security strategies for maximizing ROI with state-of-the-art TCO management customer-facing security philosophy. Founded in a garage in Latvia, we soon became the realization of the American Dream, growing to an extended family of 300. Then down to 15."

The fix for this vulnerability, according to the advisory, is for affected parliaments to either "establish a convenient dictatorship or a monarchy, or [become] the 51st state."

The bulletin also lampoons the discovery-to-disclosure timeline included in a typical vulnerability report. The vulnerability was discovered and tested by S.E.L.L. on Jan. 5, 1999; the company's customers were notified the next day; the vendors were notified March 30, 2003; and the report was released April 1.

Not to be outdone, a U.K.-based marketing and public relations firm created a security company and its product out of whole cloth. Multimedia P.R. and Marketing, with a helping hand from the folks at The Register, a U.K. IT news Web site, announced the availability of Payback 1.0, an application that supposedly is able "to instantly and dynamically trace the IP source address—no matter how well masked—of the network attack/infection and respond by launching either a Domain Name or mail server flood attack in the direction of the attacker."

The software is allegedly the first of a new breed of anti-hacker applications known as Intruder Retaliation Systems (IRS).

The Register ran a story on the product Tuesday and was in on the joke from the start, according to representatives of Multimedia. The company put out a press release late Tuesday revealing the prank.

"It was a very effective exercise in gauging how people feel about hackers and virus-writers, and the threats they pose to their everyday lives," said Barrie Desmond, Managing Director of Multimedia Public Relations & Marketing, architect of the trick in conjunction with client Mindshare Group, an IT security appliance distributor. "We've had hundreds of emails from people telling us they'd appreciated the joke, and hundreds more from people interested in finding bona fide ways of combating IT security threats."

Search for more stories by Dennis Fisher.