Information Security News mailing list archives

Napster alternative: hack people's hard drives


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 18:11:24 -0600

http://www.theregister.co.uk/content/8/17188.html

By: Kevin Poulsen
Posted: 26/02/2001 at 21:27 GMT

With the future of music-swapping site Napster looking grim, on Friday
a tiny Nashville-based startup began touting an even more
controversial milieu for peer-to-peer file sharing: random,
unprotected hard drives on the Internet.

ShareSniffer's newly-launched software, itself called ShareSniffer,
allows people to hunt for exposed Windows file systems with the ease
of a Napster-user searching for a favorite track. "Right now... there
are tens of thousands of computers worldwide that have their files
deliberately shared with the Internet with no password required,"
reads the ShareSniffer Web site. The site goes on to encourage
Netizens to rummage through strangers' music files, digital movies,
Microsoft Word documents and spreadsheets.

The company motto: "Because it's there."

Microsoft Windows' NetBIOS support makes it easy to share hard drives
and printers over a network. But users who configure their home or
office network for file sharing often inadvertently make their files
accessible from the Internet as well. If such a user hasn't chosen a
file sharing password, then their disk drives are open to anyone who
knows their system's Internet (IP) address.

These so-called "open shares" are one of the Internet's most
persistent security issues. The problem made the SANS Institute's list
of top ten security holes in 2000, and has been the subject of
warnings from the government-funded Computer Emergency Response Team
(CERT), and the FBI's National Infrastructure Protection Center
(NIPC). The vulnerability is a favorite among computer intruders and
virus writers: last year even saw a malicious worm that spread through
open shares, seized victims' modems and dialed 911.

ShareSniffer Inc. appears to be the first enterprise to try to harvest
open shares for commercial gain. The three-person company offers the
software as a free download, but plans to offer more full-featured
versions for between $5 and $100.

A program that scans Internet addresses for unprotected disk drives
might be viewed as a hacking tool. But to the man who wrote it,
ShareSniffer is an honest peer-to-peer venture that brings out the
full potential of Windows' networking features.

"I want people to know that they don't have to take the time to make a
web site and pay somebody to host it," says ShareSniffer Inc.
co-founder Kerry Rogers, 40, the author of the program. "All they have
to do is right-click on a folder, and they can make all their music
and art and other incredible stuff available to the world."

Legal Issues

Others see it differently. "Federal law makes it illegal to knowingly
obtain unauthorized access to a computer," says Mark Rasch, a former
federal computer crime prosecutor, now an attorney with the Science
Applications International Corporation (SAIC).

"The person who has, through no knowledge of his own, left file
sharing 'on' with no protection, that is the electronic equivalent of
leaving your door unlocked," says Rasch. "You can't with any degree of
certainty say it is an invitation to enter.... Therefore, when you
enter through an open file share, that's likely an unauthorized
access."

"We have a bevy of lawyers that say just the opposite," Rogers claims.
Rogers also points out that ShareSniffer only locates open shares; it
doesn't access them. The user does that through a normal Windows
function.

Programs that scan for open shares are already available online -- as
hacking and security auditing tools. What distinguishes ShareSniffer
is the user interface, which has all the trappings, icons and
trademark touches you'd expect from a serious P2P commercial software
package. A user selects a block of Internet addresses and clicks on an
icon to set the program's scanning engines, or "nostrils," into
action. ShareSniffer eventually returns a list of addresses with open
shares.
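The scan described above, seen from the defender's side. The following is an added example, not code from the article or from ShareSniffer: it reads firewall-style log lines (a constructed sample in the format "date time action protocol src-ip dst-ip src-port dst-port", modelled on Windows Firewall logs) and reports two things. First, any external source that probes several hosts of the monitored block on a file-sharing port, which is the signature of a tool walking an address range; second, the hosts on which a sharing port actually accepted an external connection, which are the shares reachable from the Internet that need a password or a firewall rule. The port list, the internal-network list and the three-host threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Services Windows file sharing listens on: NetBIOS name service (UDP 137),
# NetBIOS session service (TCP 139) and direct-hosted SMB (TCP 445).
SHARE_SERVICES = {("UDP", 137), ("TCP", 139), ("TCP", 445)}

# Address ranges treated as "inside" (RFC 1918 plus loopback and link-local).
# ipaddress.is_private would also mark the documentation ranges used in the
# constructed sample below as private, so the list is spelled out explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample, not real traffic. 203.0.113.0/24 plays the Internet,
# 198.51.100.0/24 the monitored address block.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2001-02-26 09:15:01 ALLOW TCP 203.0.113.5 198.51.100.10 4123 139
2001-02-26 09:15:01 DROP TCP 203.0.113.5 198.51.100.11 4124 139
2001-02-26 09:15:02 DROP TCP 203.0.113.5 198.51.100.12 4125 139
2001-02-26 09:15:02 ALLOW TCP 203.0.113.5 198.51.100.13 4126 445
2001-02-26 09:15:03 ALLOW UDP 203.0.113.5 198.51.100.14 137 137
2001-02-26 09:16:40 ALLOW TCP 192.168.1.20 198.51.100.10 1050 139
2001-02-26 09:17:05 ALLOW TCP 203.0.113.77 198.51.100.10 3001 80
2001-02-26 09:18:30 ALLOW TCP 203.0.113.90 198.51.100.10 2200 139
"""


def is_internal(addr):
    """True if addr falls in one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_firewall_log(text):
    """Yield one record per data line; '#' comment lines and short lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, action, proto, src, dst, sport, dport = fields[:8]
        yield {"time": f"{date} {time}", "action": action.upper(),
               "proto": proto.upper(), "src": src, "dst": dst,
               "sport": int(sport), "dport": int(dport)}


def find_share_scans(text, min_hosts=3):
    """Return (sweeps, exposed).

    sweeps:  {external source -> sorted hosts it probed on a sharing port}
             for sources that touched at least min_hosts distinct hosts.
    exposed: sorted (host, proto, port) triples where a sharing port accepted
             a connection from an external source.
    """
    probed = defaultdict(set)
    exposed = set()
    for rec in parse_firewall_log(text):
        if (rec["proto"], rec["dport"]) not in SHARE_SERVICES:
            continue
        if is_internal(rec["src"]):
            continue  # traffic between our own machines is expected
        probed[rec["src"]].add(rec["dst"])
        if rec["action"] == "ALLOW":
            exposed.add((rec["dst"], rec["proto"], rec["dport"]))
    sweeps = {src: sorted(hosts)
              for src, hosts in probed.items() if len(hosts) >= min_hosts}
    return sweeps, sorted(exposed)


if __name__ == "__main__":
    sweeps, exposed = find_share_scans(SAMPLE_LOG)
    for src, hosts in sweeps.items():
        print(f"share sweep from {src}: {len(hosts)} hosts probed ({', '.join(hosts)})")
    for host, proto, port in exposed:
        print(f"share reachable from the Internet: {host} {proto}/{port}")
```

Run stand-alone it reports one sweep (203.0.113.5 probing five hosts) and three reachable sharing ports; the single probe from 203.0.113.90 stays below the threshold but still contributes to the exposure list, since what matters for the second report is that the port answered, not how many hosts the source tried.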

The program automatically posts its bounty of unprotected systems to a
particular Usenet news group, where other ShareSniffer clients can
pick it up and display it. "It's distributed computing -- everyone is
getting the benefits of everyone else's sniffing," explains Rogers. As
a side effect, the ShareSniffer news group has quickly become an open
repository of unprotected systems. Monday morning, thirty Internet
addresses were listed.

In a Usenet posting, Rogers predicted that number will "soon easily
exceed 2000 per day," and will increase ten-fold in the months to
come.

Rogers maintains that those open shares are not accidents or security
holes: people share files deliberately, he says, particularly on
college campuses, where students use open shares to swap music and
software with one another. "I want to emphasize that this is public
and voluntary," says Rogers. "Microsoft Windows by default will not
expose files to the Internet. It has to be consciously configured to
expose files to the Internet."

But Patrick Prokop, a TV weatherman in Savannah, Georgia, says he
never intended to open his home computer to the world. Nevertheless, a
ShareSniffer client sniffed out Prokop's machine earlier this month,
apparently in pre-launch testing by the company, and the address was
posted on Usenet. On Friday, anyone could read, modify, or delete
files on Prokop's system.

"I don't like that idea," said Prokop, after SecurityFocus notified
him that his computer was accessible. Prokop says he meant to share
files between two computers on a home network, and didn't realize they
were accessible to everyone else. "I'll have to password protect them,
or put a firewall up."

Asked about Prokop's system, Rogers acknowledged that ShareSniffer may
expose unintentional file shares. "We're seeing stuff on the Usenet
group that we don't necessarily want to see," he admits, but he claims
that will become rare when ShareSniffer catches on. "People will
realize that they're going to be exposed."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".