Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Are you really in any danger?
The Internet is full of great information and many useful resources. But it also contains things that crawl around in the dark and go bump in the night. I think you'll be as surprised as I was to learn how much of that is really happening today.

Beyond Lie Monsters

Yes, there can be no question that you're in danger:

If your computers are only connected to the Internet briefly, when you're browsing the web or retrieving and sending eMail, your connection exposure will be minimal. But if you are one of the millions of people who are discovering the amazing power and convenience of a persistent connection to the Net — through a cable modem or DSL line — and if you leave any of your computers on and connected for hours at a time, then your exposure is substantially greater.

"But the Internet is a BIG place. What's the chance, really,
that my little computer would even get noticed?"

That's a very good and reasonable question, but the answer might frighten you as it frightened me. Here's the crux of it:

There are MANY FREELY AVAILABLE "scanners" being run by bad
people who are sweeping the Internet looking SPECIFICALLY for
computers running Windows File and Printer Sharing! And if those
shares are password protected and sufficiently interesting, any
freely available password cracker will silently pound on your
password until your defenses have been penetrated!



Scanners?


Oh yes. Many Internet scanners specifically seek out and locate Windows file and printer shares (see samples below), whether they are protected by passwords or not! Malicious computer vandals leave these scanners running night and day collecting IP addresses — one of them might be yours! — then they "map" that drive's shares onto their local drive letters to gain total access to your computer's files!

The power of these tools is a matter of great pride for the true hackers on the Net. By "true hackers" I mean people who are more interested in what they can do than in what they can do to you. This is why I'm careful here to call people who break into your computer "intruders", "crackers" or "vandals" rather than "hackers." Hackers don't necessarily "do bad" with their tools and knowledge. They pursue "hacking knowledge" for its own sake.

To give you a feeling for what goes on out there in the nether regions of the Internet, here is a boast made by the author of the powerful "Asmodeus" scanner:

"Right now, Asmodeus is capable of scanning ranges of TCP ports on subnets. At the time I originally wrote the socket engine, it was the fastest scanner on the Net. Since that time, a few other scanners have been released which are pretty darned fast. Most of these are commercial and very expensive at that. Asmodeus can keep up. I have scanned entire class C's in less than a minute. You can scan some small countries in one night ;) I believe Asmodeus can stream along at a modest 30,000 sockets per minute under optimum conditions. All of the data that is gleaned from the scan is passed through a user-supplied script. This script allows you to define what security holes will be checked for. Also, you can trigger events based on what you find. If you REALLY want to hear a wave file play every time you find an IMAP service running, go crazy. You can spawn external processes, or other scripts."
Greg Hoglund

As you can see, it's more about the technology than about the damage that can be done. Greg, for example, is much more interested in how many countries he can scan than in their individual computers. (If you haven't clicked on either of those links right above you might get a kick out of reading something else Greg wrote.)

The manifestation of The Internet has created
a huge intellectual playground for people with
a passionate love of computers and computing.

Unfortunately, the technology generated by the really top-notch hackers is made freely available to anyone on the Net. This technology is picked up by much less accomplished vandals or "crackers" (often referred to by the disparaging term "Script Kiddies") who take those powerful tools and apply them to much less intellectual nefarious ends.

Two typical NetBIOS shares scanners



My Own Experience With Scanning. . .

While I was conducting the background research for this web site, I encountered one of these "File Shares" scanners and gave it a try on a region of the Net that I knew to be populated by cable modem users. (That's very easy to determine too — see my Further reading page.) I was shocked by the number of file shares that were wide open, made available by well-intentioned people who had unwittingly exposed the contents of their PCs to the entire world! (See screen shots above.) Their lonely drives are calling out for company on the Net . . . and before long they're probably going to get some!

My next "experience" with scanning was on the receiving end!
While testing a number of high-quality Internet monitoring and security products — described and reviewed on the Personal Firewalls page — I monitored the "Internet packet traffic" arriving at the main grc.com server. My mouth dropped open when, within minutes, that machine was methodically scanned and "probed" for openings and weaknesses! And then a few minutes later it was specifically probed (from a different source) for Windows File and Printer Sharing!

Four friends subsequently purchased and downloaded an intrusion monitoring personal firewall product that I found (more on that later) and every single one of them has detected multiple probes and sweeps of their systems!

This really is going on all the
time without our knowledge!
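
The check an intrusion monitor makes on arriving packets, as an added example (not part of the original page and not code from any product it mentions): it separates a source that sweeps many ports from one that touches only the NetBIOS ports (UDP 137/138, TCP 139) that carry Windows File and Printer Sharing. The log format, the addresses and the sweep threshold are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): "time src_ip proto dst_port action".
# 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation address ranges.
SAMPLE_LOG = """\
10:00:01 192.0.2.10 TCP 21 DROP
10:00:01 192.0.2.10 TCP 23 DROP
10:00:02 192.0.2.10 TCP 25 DROP
10:00:02 192.0.2.10 TCP 80 DROP
10:00:03 192.0.2.10 TCP 110 DROP
10:00:03 192.0.2.10 TCP 139 DROP
10:04:40 198.51.100.7 UDP 137 DROP
10:04:41 198.51.100.7 TCP 139 DROP
10:09:12 203.0.113.5 TCP 80 ACCEPT
"""

# Ports used by NetBIOS over TCP/IP, which carries Windows File and Printer Sharing.
NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
SWEEP_THRESHOLD = 5  # assumed: distinct ports from one source that count as a sweep


def classify_sources(log_text, sweep_threshold=SWEEP_THRESHOLD):
    """Return {src_ip: label} for sources whose inbound packets look like probing."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of crashing
        _time, src, proto, port, _action = fields
        if not port.isdigit():
            continue
        ports_by_src[src].add((proto.upper(), int(port)))

    findings = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= sweep_threshold:
            findings[src] = "port sweep"          # methodical scan for any opening
        elif ports <= NETBIOS_PORTS:
            findings[src] = "file-sharing probe"  # touched only NetBIOS ports
    return findings


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src}: {label}")
```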

As Stan Miastkowski recently wrote for PC World Magazine:

August 16, 1999 — They're everywhere: scary stories about hackers trying to sneak their way from the Internet into your PC. And separating the rumors from the genuine threats isn't always easy, especially since all too often the companies that report threats stand to make a profit by selling solutions. I've been skeptical about how common hack attacks really are. But after living with BlackICE Defender for a couple of weeks, and detecting an attempt on one of my dial-up Internet sessions, I'm much more of a believer.

Stan's comment about "scary stories about hackers trying to sneak their way into our PC's from the Internet" brought to mind something relevant:

Many years ago when I was writing my weekly "TechTalk" column for InfoWorld Magazine, I got into a number of arguments with the "SysOps" on CompuServe. They were claiming that the vague rumors of "bad programs" that stayed in your computer and could do damage after you had run them were pure science fiction.

Something seemed to be going on, but no one knew for sure. What I knew for sure was that it was possible (even if it wasn't happening) and I was pissed off by the closed minds of the CIS SysOps who seemed to be in denial, and who apparently didn't want to be blamed for their service being a distributor of "viral" software. So I wrote a series of four columns about how such "software viruses" might operate and replicate themselves. Being a software developer myself, I described their reproductive systems in detail and hypothesized their optimal survival strategies. And to make it more fun, even though I had never seen such behavior, I wrote about it as if it were real.

To my amazement, John McAfee phoned after the third column was published. He said he had no idea that another viral researcher was operating and he wanted to compare notes and exchange viruses since I'd exactly described the reproductive behavior, methods, and strategies of all the viruses they had captured in their lab. He wondered if I also had some that they didn't. Well, I remember how disappointed he was when I told him that I didn't have any viruses, didn't know that such things really existed, and had certainly never seen one. But it was gratifying to know that I'd been right.

The situation HERE feels very familiar to me:

I again believe that I'm writing about and discussing something that's in the very early stages of BECOMING A HUGE PROBLEM for all Internet-connected Windows users. The following pages describe highly effective proactive measures that anyone can take to "raise their shields" against the forthcoming onslaught. But first, you need to know about the "Password Crackers" so please read on . . .

If you're curious to read more about the threat from Internet scanners, check out these links:

Freeware scanners find network holes ...
"... One of the most important -- and most dangerous -- tools crackers will use to breach your security is a port scanner. Scanners were devised to help crackers quickly and accurately assess the portals of entry and weaknesses in targeted networks."
June 8, 1998 / InfoWorld

Free Windows-based scanners are plentiful ...
"... At the bottom of the scanning food chain is IP Prober ... Port Scanner is a shareware utility offered by Blue Globe Software ... Sam Spade is freeware written by Blighty Design ... Internet Maniac is a freeware utility by Sumit Birla ..."
July 6, 1998 / InfoWorld

New Generation of Scanning Tools Mask Source of Attack
"... just before Christmas, experts began noticing widespread use of sophisticated scanning tools that mask their activities in a barrage of what appear to be multinational attacks."
March 15, 1999 / ComputerWorld

When Good Scanners Go Bad
"Network scanning tools help information technology managers find security holes such as open ports or lists of running services on a host. But crackers are using a new generation of "stealth" scanners to plot attacks on the networks they were designed to protect."
March 22, 1999 / ComputerWorld

Cracking Tools Get Smarter
"With awe and alarm, security analysts have observed the capabilities of Nmap, a network-scanning program that crackers are now using to plot increasingly cunning attacks."
March 3, 1999 / Wired News

So . . . are you in danger?  Could you possibly have any doubt?

Check out this recent article from U.S. News and World Report
titled: New high-speed modems put home computers at risk

I don't mean to be an alarmist, but isn't the conclusion inescapable? If my Shields UP! security test came up with either of the blocks shown below, YOU are at much greater risk than if only your user, machine, and workgroup names were exposed.

This resource is WIDE OPEN for access by anyone in the world!

This resource does require a password for access, but anyone can learn of its existence.



But Passwords provide safety, right??


Nope . . . Passwords ONLY slow them down a bit . . .

If you have passwords protecting those resources (most people don't even have that), and if it seems worthwhile, an intruder can run any of a number of available password crackers against your system in the background, pounding away at your shields — without you ever being the wiser — until they crumble. Mature and secure systems have many forms of protection against these age-old and well-known password cracking attacks. Secure systems will notify their user of failed attempts or completely lock-out remote access after some number of password failures. But Windows has no protection whatsoever against silent password cracking on your file shares that are exposed to the entire world! You'll never know that someone has a powerful battering ram pounding away at your door, and nothing keeps them from pounding away day and night so long as your computer is on and connected to the Net. This is a problem.
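
The two protections named above, notifying the owner of failed attempts and locking out a source after some number of failures, as an added example (not code from the original page or from Windows). The class name, the thresholds and the event data are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failures tolerated inside the window
WINDOW_SECONDS = 300    # assumed policy: sliding window for counting failures
LOCKOUT_SECONDS = 900   # assumed policy: how long a source stays locked out


class LoginGuard:
    """Tracks failed logons per (source, account), locks out and records alerts."""

    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time at which the lockout ends
        self.alerts = []                     # notifications shown to the owner

    def attempt(self, now, source, account, password_ok):
        """Process one logon attempt; return 'granted', 'denied' or 'locked'."""
        key = (source, account)
        if self.locked_until.get(key, 0) > now:
            return "locked"                  # refused even if the guess is right
        if password_ok:
            self.failures.pop(key, None)
            return "granted"
        recent = self.failures[key]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        self.alerts.append(f"{now}: failed logon for {account} from {source}")
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent.clear()
            self.alerts.append(f"{now}: {source} locked out of {account}")
        return "denied"


def replay(events):
    """Run constructed (time, source, account, password_ok) events through a guard."""
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events], guard.alerts


# Constructed events: six guesses one second apart; only the sixth is correct.
GUESSING_RUN = [(t, "198.51.100.7", "SHARE_C", t == 5) for t in range(6)]
```

Replaying `GUESSING_RUN` shows the correct sixth guess being refused because the lockout began at the fifth failure, and the owner's alert list holds a record of every failed attempt.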

Once your password is broken, YOUR DRIVE becomes just like one of theirs! They can browse around within it, read your files, download your Quicken accounting files, find your online banking files, search for credit card information, CHANGE your data, plant any number of trojan horse and software viruses ... and, of course, delete anything they choose. In fact, one of the latest tricks is to upload a "forwarding server" into your computer without your knowledge. Then they break into OTHER computers using YOUR computer as a "connection forwarding and masquerading point". Any attempts at backtracking their identity leads the FBI to your door instead of theirs!

A Typical Windows-based Password Cracker:

This utility's Help/About screen describes the program as a "Multi-Protocol Authentication Negotiation Agent." (Yeah, right.) It goes on to describe itself as a "Brute force/Dictionary password guessing application effective against Telnet, FTP, HTTP, POP3, IMAP, and other interactive logon services." Wonderful.

So, clearly, password crackers are no myth, and it takes no particular skill to locate one for free download as I did (158 times!). As you will see in the following pages, it is not necessary for you to send your computer out onto the Net without protection. But if you must for some reason, at least give it uninteresting share names and random nonsense passwords! (The next page elaborates upon that.)

If your computers are running with a persistent connection to the Net, the presence of file shares scanners and password crackers prowling the Internet right now guarantees that ...

It's just a matter of time until your
computer is visited with neither your
knowledge nor your permission!

And now, it's not only malicious HACKERS who might get into your machines! The FBI has recently isolated a nasty "Windows Shares Virus" which is able to travel among insecure Internet-connected Windows machines! For information on detection and removal of this new threat: CLICK HERE!

In fact, given my brief experience monitoring my own connection to the Net, there's a very good chance that it has already happened without your knowledge. Your computer's Internet address may already be logged into many cracker lists where their motto is:

So many computers, so little time!

To continue, please see: What can I do?

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Aug 04, 2006 at 20:43