[ISN] Windows 98 vulnerable to hacking

From: mea culpa (jerichoat_private)
Date: Fri Aug 28 1998 - 00:18:34 PDT

  • Next message: mea culpa: "[ISN] Bulletin on SAFE bill"

    Windows 98 vulnerable to hacking
    By Stephanie Miles                     
    Staff Writer, CNET News.com
    August 27, 1998, 6:15 p.m. PT           
    An old feature of the Windows operating system (OS) which enables
    networked PCs to access shared files may expose users of the newest
    Windows software to hackers, although there is disagreement as to how
    likely the scenario is. 
    The problem lies in the fact that Windows 98--like Windows 95 and Windows
    3.11 before it--allows users to create shared files without passwords,
    although not easily. But once those files are created, anyone who can
    access that system's IP (Internet Protocol) address can access private
    documents, spreadsheets, or other sensitive data residing on that system's
    hard drive. 
    While Windows 95 became the operating system of choice for many in the
    corporate world, Windows 98 has been targeted more at the
    less-sophisticated consumer market and, importantly, is more
    Internet-centric. This means that some consumer users may be more
    vulnerable to attacks as they are less knowledgeable about creating a
    secure connection to the Internet. 
    The issue has been the subject of numerous Internet newsgroup discussions.
    Michael Scanlen, a CNET News.com reader who stumbled across the problem,
    symbolizes the anxiety that some consumer users face: "What this all
    means...If someone can get ahold of your IP address, either via IRC
    (Internet Relay Chat) or any other methods, and you have shared folders on
    your PC...they will be able to access it." 
    Microsoft executives declined to be interviewed about the reported
    security problem, but spokesman Ryan James said that the "feature is in
    response to customer demand--it was included in Windows 95, and the
    response was positive that this feature is desired. As a result, it is
    included in Windows 98." 
    Additionally, Windows 98 will warn users creating shared files that they
    are opening their systems up to potential security problems, James said,
    and other security experts concurred that those warnings should be
    adequate to protect most unsophisticated users. 
    "Windows 95 and 98 make it very easy to share things, and that sharing is
    great among a group of people in a trusted network. But now you're
    providing that sharing capability over the Internet, and you have the
    capability where someone can see the hard drive," explained Stephen Cobb,
    director of research and education for Miora Systems Consulting, who added
    that the shared file feature in Windows 95 raised eyebrows among security
    experts at the time of its release, as well. 
    Additionally, Cobb said the warnings may not explain clearly enough that
    by creating shared files without a password, the user is opening his or
    her hard drive to anyone who can find the right IP address. 
    "This is something that people pointed out as a problem area several years
    ago, and that it still exists is disappointing in terms of Microsoft's
    security awareness and product development," Cobb said. 
    "It's kind of irrelevant whether some geek somewhere knew about it before,
    when half the people on the Internet today just got there last year, and
    90 percent of them don't know about this problem." 
    "It's a legitimate argument for Microsoft to say, 'We can't be held
    responsible for people doing stupid things with their computers,'" Cobb
    said. "The other side is that you have a responsibility when you're
    selling the OS (Operating System) that 90 percent of the people use to
    warn them more strongly." 
    Other experts believe the responsibility ultimately falls upon the
    shoulders of the user. 
    "Pretty much, it has to do with the way the person has set up the
    Operating System," said Gerhard Eschelbeck, vice president for Windows NT
    server development for Network Associates. "If you leave shared files open
    without the password, they're open. And when you do this setup, you get
    warnings and dialogue messages that the security is as wide open as it can
    Windows 95 made it easy to share information among computers on a LAN
    (Local Area Network) in a corporate or small business setting, and
    Microsoft included this functionality as a "legacy" (hold-over) feature in
    Windows 98. 
    Despite Microsoft's positioning of the upgrade, consumers have already run
    into problems with Windows 98 when technical sophistication is required. 
    Many PC owners complained of upgrade problems and troubles locating and
    installing the necessary drivers to get peripheral devices to work with
    Windows 98. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:02:31 PDT