Gaping Hole Found In Windows Internet Security
OTC  06-07-1998 22:29

TAMPA, FLORIDA, U.S.A., 1998 JUL 6 (Newsbytes) -- By Craig Menefee,
Newsbytes. A small start-up firm named ByteTight Computer Security  Corp.
has announced a gaping hole in Windows Internet security lets any  person
get into any other Internet-connected computer that has file  sharing
turned on. Programs ranging from games to file transfer  protocol (FTP)
servers to Windows 98 itself turn on file sharing  without even telling the
user, the firm says.

[This vulnerability has been known about and published for months
 before this article.]

   ByteTight's president, Michael Paris, told Newsbytes Monday morning  he
is taking the security problem public at this point because a very  popular
hacker site just posted a Windows program that automates the  intrusions,
making them simple enough for Grandma to pull off, if she's  feloniously
   To pull off the intrusion, a person needs the Internet protocol (IP)
address of any connected machine running Windows 95, 98 or NT, says  Paris.
A person opens the "run" box on their own machine and types in  two
backslash characters followed by the remote machine's IP address.  If file
sharing is turned on, a Windows Explorer window will open,  listing all
shared resources on the remote machine. If full access is  enabled, a
person can then open any file, make changes, add or delete  files, steal
information or do whatever else they want.

[If it is as simple as 'run' and a single command, what program was
 posted to the hacker web site that was such a threat?]

   A person then works on the other machine in your own copy of Windows
Explorer. Note this not the Internet Explorer -- it is the default  Windows
Explorer used on all Windows 95, 98 and NT machines to manage  files. They
can copy, delete, move or open files at will unless the  host machine's
file sharing is in "read only" mode, in which case they  can only look at
the shared drives and copy information they want to  steal.
   In Florida, accessing another's machine without permission in this
fashion is a Class 2 felony, Paris told Newsbytes. But the problem is
global, he stressed.
   Newsbytes tried the technique on another Newsbytes reporter's  computer,
with permission, and created a new file with "Ha ha - Kilroy  was here!" as
its contents.
   Newsbytes notes most machines connected to the Internet through an
Internet service provider (ISP) have dynamic IP addresses assigned by  the
ISP. Those numbers change from one session to the next. To find a  current
session's address, one opens the "run" box and enters the  command,
WINIPCFG -- Windows will return the current address in an IP  Configuration
dialog box. It consists of a series of numbers connected  by "dots,"
something like 234.567.890.24.
   The wildcat software, called WinHost Gold, has two main functions,  says
Paris. First, it can log onto the machine of anyone using an MIRC  Internet
relay chat room, where the intruder can then commit mischief.  Or it can
scan "C" blocks -- the "890" portion of the fictitious IP  address just
shown -- for live addresses, giving the intruder a place  to hack.
   Paris told Newsbytes, "In tests I've run here, if I take an IP  address
for, say, one of the major cable companies, I'll get a very,  very high
rate of connection to host machines. I don't understand why,  but a lot of
programs turn sharing on without asking permission. On  Windows 98, if you
disable file sharing and you then reboot, it turns  it back on again.
Without asking. I don't understand why they wrote it  that way."
   He says the percentage of vulnerable people on the Internet is
startlingly high, maybe as high as 80 percent, and they tend also to  have
their main "C" drives shared.

[Win95 OSR2 does NOT default to sharing your 'C' drive. Since it is the
 basis for most Win* installs and more widely used than Win98, does that  
 mean Mr. Paris is claiming that 80% of users have turned it on themselves?]

   "I don't understand why people do that," Paris told Newsbytes. "I  mean,
these are standalone machines. Maybe it's games. Most of the  popular
interactive games like Quake require file sharing. And other  programs turn
sharing on as well. The FTP programs (servers) do it  without telling you
and they do it without a password."
   He said the popular War FTP program is one such program.
   "Users need to be aware of this," declared Paris.
   His firm now markets a utility, HackerProof98, for $99 that not only
blocks such attempts but logs who tried to get on, their IP address,  user
name and machine name.

[So pay 99 bucks for this product that protects you from a SINGLE
 attack? One that can be trivially blocked by reviewing what is shared out to 
 the world?]

   Said Paris, "I contacted about 30 hackers and found two who knew  about
this, before. But now, with it up on (hacker site name), it will  be very
widespread. And the kids who use it will try to commit all  kinds of
   He added, "We started writing HackerProof originally just for us
in-house and realized it was a real problem for everybody on the  internet.
We figured we'd better make this commercial, protect the  world and maybe
make a few bucks. At the very least, people do need to  know about this."
   More information is available on the World Wide Web at .
   Reported by Newsbytes News Network: .