SPECIAL REPORT
Is Your Hard Drive Wide Open?
The Single Most Important Security Breach Known Today
Originally posted July 31st, 2001. Front page article, August 26th, 2001.
If you're reading this then you probably
think that your data files on your computer are safe.
Think again!
Did you know that there are dozens of FREE programs on the internet that anyone can download that scan the internet to see the entire contents of someone's computer files? It's true. It's legal. You don't even need to use a program. Microsoft Windows has this browsing capability built in. It's as easy as opening up your browser! PC Magazine and several others have published articles on where to get the software and how to do it.
In fact, most internet providers KNOW about this and do hardly anything about it. They know there are hundreds if not thousands of their users vulnerable right now, and so do the hackers. It doesn't even take a hacker to access your computer files. Anyone can connect to your C Drive right now if your File Sharing is on. This is by far the easiest way to access someone's data today on the internet, yet it gets no airtime at all.
On Saturday July 28th, 2001 I
ran a scan using one of these programs to see if anything would
show up. I didn't expect much. In the past, I've run scans using
older scanner software and didn't find much. If I ran a scan
for a day I might find 1 or 2. I found literally hundreds and
hundreds of open computers with shared files ready for anyone
to look at. I was absolutely amazed to say the least! I've always
known that there are users out there right now with their sharing
option turned on but I had no idea I would find so many users
ignoring it.
If this is freaking you out you're not alone. I took it upon myself to contact a few of these users to alert them to the security threat. It's not against the law for me to do so. My intent is to notify the user of their vulnerability (see Federal code Title 18, Sections 1029 & 1030).
So far I've contacted over 30 people with no negative responses at all (almost none anyway...). Most of the people I contacted were very appreciative of my efforts to call them and let them know about their open shares on their computers. I found doctors, lawyers, accountants, a police officer, dentists, shipping companies, and a large import/export company in southern California. The rest were your average end users with no idea what is going on. What could I see? EVERYTHING! As if I was sitting right there in front of their PC. I had total access to everything they did.
How It's done...
There are free programs out there right now that can be downloaded in less than 1 minute if you know the right keywords, and that have the capability of scanning thousands of computers an hour. About 5 - 10 percent of all computers that I scanned returned the user's Computer Name, address and all shares available like CDRIVE, PRINTER etc. And yes, most had ALL their files available for anyone to access. In fact, this one particular program I found to accomplish this made it very easy to do. It didn't even require an installation process. All I did was click on Download from the site hosting this (by the way, it's a legitimate company), and there it was. One file. I double-clicked on the file to run the program and up popped the program (it's only 220k; you could put 7 copies of it on 1 floppy diskette). I then clicked on SCAN... and here came the computers... all of them with open C drives! The interface of this program opens a window that looks just like a folder on your desktop. I saw directories similar to this one below:
Here's a sample:

I could then browse the drives...
Here it is... on John Q. Smith's computer system...
Okay, pull your jaw up off the table...
You may think you're protected with that firewall software, but one of the users I contacted had McAfee Firewall and I still got on his system. Older versions of Zone Alarm had problems as well, but the guys at Zone Alarm, according to Jim Aspinwall, have a patch available for you freeloaders; but if I were you I'd ante up for the Pro version for much better protection.
Another way to see if you can see yourself on the net is to have a friend check to see if they can see your computer. You don't need this scanning software to accomplish this. All you do on your computer is go to this webpage: http://www.whatsmyipaddress.com. Write down the number you see there. It looks kind of like this: 192.168.1.13. Now call your friend and have them open My Computer (make sure they're on the internet first...). Now have them click on the My Computer address bar (seen below) and enter the IP address you got from the website like it's pictured below. You'll need to put 2 backslashes in front of the number, then press enter...
If you see anything in the following
folder, then the internet community can see it too. If you didn't
intend to share anything then turn off your File Sharing under
the Network Neighborhood or My Network Places if you have Windows
ME (see instructions).

If you turned off File Sharing, ask your friend to check again for you to see if it worked. You may have to reboot your computer for the changes to take effect.
Why are they sharing their files?
I feel that MOST don't know that
their File Sharing is turned on. Why would it be? If they just
have one computer on the DSL line then why turn on sharing? Did
the tech that installed the DSL line turn it on with hopes of
accessing their system after leaving? Back when providers of
DSL service started offering connections, they were so swamped
with calls for installations that many of these DSL providers
just started hiring as many technicians as they could. I know
because I had seen these trucks of various shapes, sizes and
colors that weren't your standard looking utility vans slapped
with a magnet sign on the doors identifying the company. Maybe
these DSL providers lowered their standard screening process
for hiring and a few unscrupulous technicians (just speculating
here kids) got through the cracks.
08.04.01 - Back when DSL was new, most installations consisted of a black box called an Alcatel 1000 and a network card by Kingston (KNE110tx), some cable and that's it. When I got DSL they gave me a permanent or static address, as they say. Setting up DSL was easy. You just plugged the DSL box into the power outlet, installed the network card, connected the DSL box to your network card, let Windows detect it, and followed the instructions in the setup booklet for setting up a network connection.
After a while, I think the DSL providers were running out of addresses for people so they adopted a new scheme called PPPoE, or Basic DSL as it was sold. Most people have this type of DSL now.
With PPPoE or Basic Installation you got a different DSL black box, a choice of a network card or USB network connection and some software on a CD called EnterNet 1.x. When you turned on your computer you were assigned an address from a range of numbers. This was kinda cool because when you logged on you got a different number each time. Would-be hackers and lurkers would have a harder time finding you because every time you logged in, you got a different address. This was a pretty cool mini-security feature.
Now, I don't know for sure yet because I'm currently running tests, but I am simulating installations following the instructions from the DSL provider to see if the software or something in the installation process TURNS ON FILE SHARING without your knowing about it, leaving you wide open to hackers...
There is also another security problem. A lot of people had Windows 3.1, then Windows 95, then Windows 98 and so on. Guess what... If you upgraded your computer like this without erasing the hard drive between each upgrade, and you had any kind of network access, whether a modem, DSL or whatever... the old networking protocols left over from Windows 3.1 or 95 may still be there and turned on!
nuf said...
Most of the users scanned are DSL users. I'd say about 75%. Some were modem users. Many of them are webmasters hosting small websites that run from their computer, many are just sharing public domain-like files, I even found people sharing hundreds of MP3 files, but most I think are completely unaware that their systems are vulnerable. Microsoft Windows has a program that comes with Windows 98 called Personal Web Server. PWS lets a budding webmaster practice hosting a website from their computer over the internet or within a company. This program, like many of Microsoft's products, has flaws and security issues.
Here's a known problem when running the PWS:
Q217763 - File Access Vulnerability in Personal Web Server
Windows 98 and Windows ME let users share their directories over the internet as well. Why anyone would do this is beyond me. To disable this feature requires a few clicks of the mouse. I found a link on cablemodemhelp.com's website that illustrates how to share directories and files in your office/home but not over the internet. If you think you're vulnerable go ahead and implement this. I highly recommend doing it.
My belief as to what really happened is that when the users of these computers ordered DSL and the technician came by to install the network card and software, they didn't check the user's computer for shared files. At the very least the tech should have informed the user to buy a firewall to complement the DSL/modem they installed with the DSL service. A big yellow piece of paper would've been nice with big bold letters on it saying to get a firewall. That would've been prudent, I think.
What can you do to protect yourself
If you think you're vulnerable
don't take any chances.
- To be 100% safe you can unplug your broadband connection equipment from your computer, or at least turn off your file sharing until you figure out what to do.
- Another option: turn off File Sharing over the Internet. Microsoft has a technical article (Q199346) for dialup users and broadband DSL/Cable users. This leaves your sharing turned on for the other computers in your house or small office and stops cold the internet lurkers from peering into your files.
If you take a computer back and forth from work to home, you'll need to talk to your System Administrator and they can set up a PROFILE for you on your laptop. Your systems guys should have already done this. You'd better double check with them to make sure.
- Configuring NetBIOS for Optimum Security: a how-to by MH (under construction). Set up your NetBIOS for maximum Internet security. Being on the Internet and using file and print sharing through NetBIOS can expose you to security risks.
- Test your system with Steve Gibson's Shields Up website (it's free). If the report comes back indicating you're okay then great.
- Download the free Zone Alarm,
buy a hardware DSL / Router / Firewall like a Linksys BEFSR11/BEFSR41
or comparable unit (you can then turn your file sharing back
on).
- Read the articles in the right column about protecting your computer. One is by my good friend Jim Aspinwall. Jim writes columns for CNET and is the author of several technical books. Another is by Steve Gibson, also an expert on internet security, who has authored many security related software programs and papers.
What am I doing about it?
I have contacted our local DSL provider. I haven't heard back yet... interesting. Maybe they knew about this for months/years and have neglected to take any action to safeguard their customers. At the very least they could have slipped that bright yellow paper into the material you received, indicating this vulnerability.
I have also contacted an attorney to see if there is anything that can be done to nudge the broadband providers in the right direction.
If you have any questions, you
can call (650) 548-1010 or email
me.
Check back here for updates...
UPDATES:
09.01.01 - Jackie Spiear
08.26.01 - Front Page News!!
That's right, my message
finally gets to the masses via the San Francisco Chronicle. August
26th, 2001. Front page continuing on to page A18. A great many
thanks to Elizabeth Fernandez and Carrie Kirby staff writers.
08.21.01 - 20/20 Calling...
Looks like they want
to do a segment about it. They called and asked me to fax this
webpage to them in New York... We'll see what happens...
08.04.01 - Bob O'Donnell Computer Show, KSFO AM
I was calling the show today while it aired to get on and talk about this at 415.808.5600, but I couldn't get through. So I sent a few emails about the issue to Bob. Bob read one of the emails on the air (THANK YOU Bob!!) directing users to this report on my site. Thank you again Bob.
08.04.01 - Onward...
I'm continuing my scans of my DSL provider today. Instead of contacting the user directly, I've decided to notify my DSL's security department of the open shares. This way I can still help more people at a faster pace. I think this is a better plan altogether.
08.04.01 - Under the radar...
Thinking my DSL provider is masking my IP so I can't do scans, I borrowed a friend's dialup account and disconnected my DSL line to test to see if I could see the hundreds of users that were open last week. I found a few on the address range that my friend's dialup account was on, but nowhere near as many as last week.
08.04.01 - Periscope down!
Started doing a scan today for computers again and it seems that nothing is coming back. Interesting... I haven't got one single hit! Nothing. Either (my DSL provider) is blocking my ability to scan or they have finally done something about it. Finally! Geez. I guess the pressure got to them with the reporters on the way and everything...
08.03.01 - The Big Gun
Had a great conversation with my good buddy Scott Garee (whom I've known since jr. high), a real network security professional at Convex computing located in Texas. I probed him with all kinds of questions about internet security issues. He too is very aware of all the open shares on individuals' PCs on the internet. His opinion on the matter: yeah, so what. If you're dumb enough to share your files then you deserve what you get.
He also said that @Home has a policy in place to trap scanners from looking at addresses on their network that works pretty well, but a lot of networks don't implement this security feature, Scott says, that's built into most routers today that corporate networks purchase. He goes on to say that all internet providers are aware of this and it's a major concern. Some like @Home implement the trapping of scanners, but networks with large pipes (lots of connections) have very small logs and it's a pain to catch every little 13 year old that starts his hacking career. There's also another issue and that's the responsibility issue. If a network like @Home implements the security feature to trap most scanners and then something new comes along or someone defeats that, then they might be liable. Scott said a smart lawyer could open up a big can of worms, saying that @Home could be dragged into court with a complaint saying they didn't do enough. On the other hand, other big networks who choose to do nothing could also be liable. But if you read any of the privacy agreements of these network providers you see that they are not liable for your accidental or intentional actions of sharing your files.
Also... I set up a Honeypot on my network here. A Honeypot is a PC set up to look like a regular computer user connected to the internet. When someone connects to the PC and starts downloading files the Honeypot will log their address and any files looked at. I will then turn over the log to the security dept. of my DSL provider.
08.02.01 - Here come the Feds...
While attempting to get my message out to any mass media entity that would listen, namely Channel 7's 'Seven on your Side', I was told via email that they don't want to handle it. Here's the email...
Thank you for writing 7 On Your Side. Unfortunately we are unable to assist you with your problem. However, many other resources are available, most free or available at a low cost.
There are many government agencies set up to deal with both consumer and non-consumer issues. If you need assistance determining which agency would be appropriate, contact the Federal Information Center. It can be reached by telephone at (800) 688-9889 or on the Internet at http://www.info.gov.
Alternately, there are many resources available through the California Department of Consumer Affairs. It can be reached at (800) 952 5210, or on the Internet at http://www.dca.ca.gov.
We hope this information is helpful. Thank you for watching and thank you for writing.
So I started calling... I got the Federal Information Center guys on the phone and told 'em in a nutshell what's happening. They then transferred me to the National Infrastructure Protection Center or NIPC. After I summarized the story for them I was put on hold while they got the Chief Director on the phone for me, and they told me that tomorrow morning I'll be getting a phone call about the proceedings. They were VERY interested. I gave them the website where the software can be downloaded and they checked it out with me as I was on the phone talking about it (very impressive).
08.01.01 - On The Radio
CNET radio here on 910AM in San Francisco allowed me to get on the air with Alex Bennett to inform the listeners about the file sharing over DSL. I didn't get to talk as long as I wanted to, due in part to a technical problem (they kept saying they couldn't hear me... damn). Anyway I got the word out <waving flag>.
08.01.01 - The Eagle Has Landed!
My DSL provider's privacy department called me today. After a 30 minute conversation explaining everything in detail to her, I was assured that this was to be a High Priority matter. Even more so than the so called Code Red virus scare that's going on now on all the news wires. She was very sympathetic and eager to jump on it, she led me to believe. She even downloaded one of these programs and ran it while I was on the phone with her, and she too found dozens of unsecured computers. She agreed with me that something must be done.
07.31.01
Called my DSL provider today. Was on hold for 45 minutes. Got
nowhere... They said they would call me back, took my number
etc...
Called an attorney who is a client of ours. He's very interested.
He too is contacting my DSL provider.
07.31.01
I received an email from one of the users I contacted today expressing his extreme unhappiness with me for looking at his computer system. He told us that he wanted us to stop scanning his computer (I only did it once). I tried to assure him that nothing was taken off (and it wasn't). He persisted in saying I broke the law and 'exploited' his data. Nothing of that sort happened. Many of the people I contacted were extremely thankful for the time and money we spent on this effort to notify them.
I'm not going to let this (1) complaint get us down. The other 99 people I contacted are now OFF the internet and their files are safe from prying eyes. I think my one complainant was disturbed by the fact that another computer person (he was a computer guy too) could get into his system. I know I would feel embarrassed myself if somebody did that to me. I wonder how many other people have already been in his system and looked at his files without him knowing about it. Oh well, I guess No Good Deed Goes Unpunished...
Let's look at our intent here for a moment; if you were walking down the street and found a wallet, would you not look inside to find the owner and then use that information to contact them to give it back? What if you were walking down the street and found someone's keys? Would you not do something to get them back to them? I would. But that's me I guess. I guess people today have a warped view on life or are so myopic that they only see what they see.
Anyways, I have stopped scanning for more computers. Not because of this complaint, but because I am too busy helping those 99 others help themselves get off the net.
Contacts:
- Mike Chukov, http://www.mikeshardware.com, Consultant / Computer Buddy, 650.548.1010
- Jim Aspinwall, http://www.raisin.com, Consultant / Author / CNET writer, jim@raisin.com, 408.371.6242
- Elizabeth Fernandez, http://www.SFgate.com, San Francisco Chronicle / staff writer, efernandez@sfchronicle.com
- Carrie Kirby, http://www.SFgate.com, San Francisco Chronicle / staff writer, ckirby@sfchronicle.com
- Steve Gibson, http://www.grc.com, Security Consultant, support@grc.com
- FBI Computer Crime Lab, 202.324.5520
- NIPC - National Infrastructure Protection Center, http://www.nipc.gov
- CERT - CERT/CC Vulnerability Notes Database, http://www.kb.cert.org/vuls/
Links
- Check Your System Now! Steve Gibson's test site to see if you're open!
- Turning off your File Sharing, by Mikeshardware.com
- Windows File Sharing 101, by MikesHardware.com
- Exploitation of Unprotected Windows Networking Shares over the Internet (CERT report)
- Turn Off Your File Sharing!! Great instructions from ACN
- Remove File Sharing, by Secure Design
- Hack Attack Targets Verizon, AT&T Wireless (June 30, 2001): Users' Social Security numbers and other personal data may have been exposed online.
- Privacy Matters: recent developments in privacy law and net surveillance.
- Fortress PC: snoops, hackers, and viruses abound online. We identify all the tools you need to defend yourself against these hazards.
- Hacker Nation: hackers tell us about themselves in their own words.
- The Complete Guide to Internet Privacy, by Jim Aspinwall
- Can anyone crawl into your computer while you're connected to the Internet? by Steve Gibson
- Internet Fraud Watch
- On Guard at Home: great article from PC Mag (June 12, 2001)
- FBI Security Study
- Attack The Hack
- Important Security Alert from Microsoft on Internet Explorer
- Network.vbs Virus: CERT advisory
- Network.vbs Worm Info, by Abe Singer
- BlackIce: home of one of the better personal firewalls.
- Cable Modems & xDSL Security: some good quick broadband security tips.
- Cable Modem Privacy and Security: this site is dedicated to cable modem users and has a lot of good information on privacy and security.
- ZoneLabs: learn about and download one of the best personal firewalls on the Internet.
- Broadband users beware of hackers, by Lawrence Magid (05/06/2001): If you have a broadband Internet connection such as a DSL or cable modem, the good news is that you probably enjoy full-time high-speed access to the Internet. The bad news is that someone else co...
- THE DESKTOP EVOLUTION: Windows ME adds PC care, online integration, digital media, by Henry Norr (09/14/2000): It's difficult to resist the temptation to poke fun at Microsoft's claim that Windows Millennium Edition, the new version that goes on sale today, is ``a simpler, more robust and more useful opera...
- Web Gives Lessons in Civic Duty, by Henry Norr (05/29/2000): Judging by the Internet ads on TV -- or, for that matter, the press releases that flood tech reporters' in boxes -- you could be forgiven for concluding that the Internet is all about e-commerce a...
- Remains of the data: Some firms that close auction off computers, neglect to delete confidential information, by Carrie Kirby (08/23/2001): Jamie Flournoy got more than he bargained for when he bought four laptops in an auction a few months ago -- left on the computers' hard drives were reams of private information, including e-mails, a...
- Microsoft withdraws claim about new product's protection against viruses, hackers, by D. Ian Hopper, AP Technology Writer (08/17/2001)
- Germ warfare: Battle against computer viruses escalates, by Carrie Kirby (05/28/2001): After hours of tinkering with Zmist, the most complex computer virus he's ever seen, researcher Peter Szor has figured out how it works...
- Microsoft's Virus Patch Draws Fire, by Henry Norr (06/12/2000): The Microsoft Outlook e-mail security update I mentioned last week finally...
- 10 Steps to Prevent Internet Sabotage, by Peter Sinton (03/15/2000)