Gaping Hole Found In Windows Internet Security
OTC 06-07-1998 22:29

TAMPA, FLORIDA, U.S.A., 1998 JUL 6 (Newsbytes) -- By Craig Menefee, Newsbytes. A small start-up firm named ByteTight Computer Security Corp. has announced that a gaping hole in Windows Internet security lets any person get into any other Internet-connected computer that has file sharing turned on. Programs ranging from games to file transfer protocol (FTP) servers to Windows 98 itself turn on file sharing without even telling the user, the firm says.

[This vulnerability has been known about and published for months before this article.]

ByteTight's president, Michael Paris, told Newsbytes Monday morning he is taking the security problem public at this point because a very popular hacker site just posted a Windows program that automates the intrusions, making them simple enough for Grandma to pull off, if she's feloniously inclined.

To pull off the intrusion, a person needs the Internet protocol (IP) address of any connected machine running Windows 95, 98 or NT, says Paris. A person opens the "run" box on their own machine and types in two backslash characters followed by the remote machine's IP address. If file sharing is turned on, a Windows Explorer window will open, listing all shared resources on the remote machine. If full access is enabled, a person can then open any file, make changes, add or delete files, steal information or do whatever else they want.

[If it is as simple as 'run' and a single command, what program was posted to the hacker web site that was such a threat?]

A person then works on the other machine in their own copy of Windows Explorer. Note this is not the Internet Explorer -- it is the default Windows Explorer used on all Windows 95, 98 and NT machines to manage files. They can copy, delete, move or open files at will unless the host machine's file sharing is in "read only" mode, in which case they can only look at the shared drives and copy information they want to steal.

In Florida, accessing another's machine without permission in this fashion is a Class 2 felony, Paris told Newsbytes. But the problem is global, he stressed.

Newsbytes tried the technique on another Newsbytes reporter's computer, with permission, and created a new file with "Ha ha - Kilroy was here!" as its contents.

Newsbytes notes most machines connected to the Internet through an Internet service provider (ISP) have dynamic IP addresses assigned by the ISP. Those numbers change from one session to the next. To find a current session's address, one opens the "run" box and enters the command, WINIPCFG -- Windows will return the current address in an IP Configuration dialog box. It consists of a series of numbers connected by "dots," something like 234.567.890.24.

The wildcat software, called WinHost Gold, has two main functions, says Paris. First, it can log onto the machine of anyone using an MIRC Internet relay chat room, where the intruder can then commit mischief. Or it can scan "C" blocks -- the "890" portion of the fictitious IP address just shown -- for live addresses, giving the intruder a place to hack.

Paris told Newsbytes, "In tests I've run here, if I take an IP address for, say, one of the major cable companies, I'll get a very, very high rate of connection to host machines. I don't understand why, but a lot of programs turn sharing on without asking permission. On Windows 98, if you disable file sharing and you then reboot, it turns it back on again. Without asking. I don't understand why they wrote it that way."

He says the percentage of vulnerable people on the Internet is startlingly high, maybe as high as 80 percent, and they tend also to have their main "C" drives shared.

[Win95 OSR2 does NOT default to sharing your 'C' drive. Since it is the basis for most Win* installs and more widely used than Win98, does that mean Mr. Paris is claiming that 80% of users have turned it on themselves?]

"I don't understand why people do that," Paris told Newsbytes. "I mean, these are standalone machines. Maybe it's games. Most of the popular interactive games like Quake require file sharing. And other programs turn sharing on as well. The FTP programs (servers) do it without telling you and they do it without a password." He said the popular War FTP program is one such program.

"Users need to be aware of this," declared Paris. His firm now markets a utility, HackerProof98, for $99 that not only blocks such attempts but logs who tried to get on, their IP address, user name and machine name.

[So pay 99 bucks for this product that protects you from a SINGLE attack? One that can be trivially blocked by reviewing what is shared out to the world?]

Said Paris, "I contacted about 30 hackers and found two who knew about this, before. But now, with it up on (hacker site name), it will be very widespread. And the kids who use it will try to commit all kinds of mischief."

He added, "We started writing HackerProof originally just for us in-house and realized it was a real problem for everybody on the internet. We figured we'd better make this commercial, protect the world and maybe make a few bucks. At the very least, people do need to know about this."

More information is available on the World Wide Web at http://www.hackerproof98.com .

Reported by Newsbytes News Network: http://www.newsbytes.com .