Re: ICQ >= 99* + CC Data

[Ken.Williams () EY COM (Ken Williams)]

> > "Could someone clarify what exactly means 'snag Credit Card data'?"

i apologize for the vague wording on that key point.

based on the, albeit brief, conversations i have had, my understanding is that the ICQ software attempted to extract CC 
data from [apparently known place(s) on] the HD and send it to mirabilis.  there are lots of variables and dependencies 
here, of course.

> > "does anybody actually know for sure that cc data is located somewhere on the hard disk, for whatever reason?"

which applications store, or facilitate the storage of, CC data on HDs?  how about Microsoft Passport or Microsoft 
Money, for starts.

your point about people noticing this traffic is a good one.  if said traffic is sent only one time, when the ICQ 
application is installed and run for the first time, how many people will fail to notice it though?  maybe the data is 
encrypted to avoid detection too.

i thought this whole thing sounded like FUD when i first heard about it, and i have yet to see any substantiation to 
these rumors - but stranger things have happened, so i have not completely dismissed it as the idle ramblings of 
paranoid ICQ users ... yet.  i have not bothered to spend any time investigating though - i don't use ICQ, we don't use 
it at work.

- kw

vanja () RELAYGROUP COM on 01/17/2000 12:46:47 AM

Please respond to vanja () relaygroup com@Internet
To:     VULN-DEV () SECURITYFOCUS COM@Internet
cc:     
Subject:        Re: ICQ >= 99* + CC Data

Ken Williams wrote:
> I agree that it sounds very unlikely, but one of the reports came from a
respected security software developer (who is now MIA, unavailable).
> Here is the only additional info I have:
>
> - All reports involved ICQ for Windows 95/98/NT4
> - Attempts to snag Credit Card data only noticed/picked up by firewall
and/or proxy when ICQ was initially started for the first time after ICQ
client installation

Could someone clarify what exactly means 'snag Credit Card data'?
Looking for a known file on a hard drive? Stealing cookies? Intercepting
traffic? Recording keystrokes? Or ... ?

It'd be interesting to know if there is a way that someone (not talking
about ICQ) is able to *locate* the credit card information on a hard
disk (yes, we can make many theories, but does anybody actually know for
sure that cc data is located somewhere on the hard disk, for whatever
reason?)

How could it send data to Mirabilis? Basically, if your firewall lets
ICQ traffic through - it will most likely be at port 4000. If cc data is
sent though port 4000, it shouldn't be too hard to distinguish between
'real' ICQ traffic, and "something else". If it's destined to some other
port (or even some other type of 'traffic') - I am pretty sure that many
people would notice that. Just take a look at what kinds of questions
(related to 'strange traffic') are posted on
Firewalls/FW-Wizards/Incidents lists. Someone would ask about traffic to
mirabilis.com, for sure... :)

Of course, there is always a possibility that some disgruntled employee
inserted a piece of code in order to get his/her "revenge" (for whatever
reason).

Or they have been 'r00t3d' ;)

--

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time

*******************************************************************************
Note:          The information contained in this message may be privileged and confidential and protected from 
disclosure.  If the reader of this message is not the intended recipient, or an employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited. If you have received this communication in error, please notify 
us immediately by replying to the message and deleting it from your computer.  Thank you.  Ernst & Young LLP
*******************************************************************************