MARCH 15, 2001

PRIVACY MATTERS
By Jane Black

The Scent of an Easy Prey
ShareSniffer is a program that makes intrusions into unprotected computers a hacker no-brainer

 
After finishing a speech recently in Denver, privacy guru Richard Smith tried to shut down his laptop and sever his Internet connection. But he received an ominous and unexpected message telling him that his hard drive was still in use. Was he sure he wanted to shut down? Smith deduced that someone had hacked into his computer. "I thought: Oh my God -- yes, I want to shut down," Smith remembers.

Usually, Smith's laptop is behind a firewall, software that protects the network of three computers his family shares in their Massachusetts home. Because only the family uses the computers, Smith hadn't bothered to put password protection on the network. He had also enabled a Windows function called file sharing. That function allows networked computers to share files easily. But when he went on the road, he forgot to shut down file sharing on the laptop. With no firewall to protect his machine, Smith was exposed. Someone cruising the Internet latched onto his laptop and gained unfettered access to his hard drive.

File-sharing attacks, such as the one Smith suffered, have long been a favorite tool of malicious hackers who troll the Internet. With file sharing, they can plant programs that allow them to hijack machines for nefarious uses, such as the denial-of-service attacks that shut down Yahoo! in February last year.

IDIOT-PROOF SOFTWARE.  The intrusion sounds like something only a serious geek can do? Think again. A new program dubbed ShareSniffer could make hacking hard drives as easy as downloading songs on Napster. First reported on the security portal SecurityFocus.com, ShareSniffer lets users scan thousands of computers, then zero in on the hard drives of folks with exposed files. It has a graphical user interface and is extremely easy to use. ShareSniffer's creator, long-time programmer Kerry Rogers, says it has valid uses, such as allowing people to share files over the Internet. That could be. "But it sure sounds like a tool for hacking," says Smith.

You don't have to be on the road and using an exposed Internet connection to be vulnerable. Millions of people are exposed to ShareSniffer and other file-sharing attacks without knowing it. Steve Gibson, a computer programmer who has written a free security-testing program called Shields Up, reports that 24.5% of the more than 7 million people who have used his program are exposed.

And those are the ones who are concerned enough about privacy to check it out. Most consumers have little or no security on their home or office networks. Users who configure their computers for file sharing often inadvertently make their files accessible to the Internet as well. If users don't choose a password, then their disk drives are open to anyone who knows -- or can guess -- their system's IP address. That's the unique number that identifies a computer on the Internet.

TIME-SAVER.  Discovering a computer network with exposed files has always been possible. But for an aspiring hacker, it required painstaking grunt work. The Internet comprises more than 4 billion IP addresses. To find out if files are available to be shared, a user would have to manually type each nine-digit IP number. ShareSniffer automates the process. A user selects a block of IP addresses to search. Then ShareSniffer's scanning engines, called nostrils, ferret out the vulnerable machines.

If any are found, the ShareSniffer user simply double-clicks to surreptitiously access the other person's files, just as if the two were on a regular computer network. The program also automatically posts all IP addresses with open files to an Internet newsgroup, alt.sharesniffer. So savvy snoops don't even have to spend too much time running the program. ShareSniffer costs a mere $4.95 to download. The price will rise over time to $99.95 for one year's use.

ShareSniffer's Rogers defends his product, saying sharing files is a conscious decision. "If people don't want everyone to have access to their files, they will use the 'robust' security Windows has put in place. It doesn't have to taint the landscape for the rest of us," says Rogers. ShareSniffer, he states, is simply the electronic directory. It catalogs who is willing to share files. "It could be a starving artist who wants to show his work. Or a writer who can't get a publishing deal. ShareSniffer aims to enable uncensored sharing of any electronic information."

And what about posting exposed IP addresses to a newsgroup without warning the exposed computer users? Rogers sees this as an even better way to maximize sharing. "This is distributed computing at its finest," Kerry says proudly. "Everyone reaps the rewards of everyone else's work."

"IMPLIED CONSENT?"  Assertions such as these are precisely what send a collective shudder down the spines of privacy experts and advocates. It's true, ShareSniffer doesn't encourage people to break in to computers without authorization. But it does effectively rattle the door to see if it's open and signal to intruders to walk in if it is.

That greatly worries UCLA law professor Eugene Volokh. He believes ShareSniffer raises a troubling legal issue: "If you interpret someone leaving their computer unprotected as the same as forgetting to lock the front door, then you could conclude that the program exploits an error to let hackers look at something they're not supposed to have access to," he says. "But if you look at leaving the door open as implied consent, then there's nothing wrong with that."

Current laws, such as the Electronic Communications Protection Act, are aimed at regulating phone taps and are therefore not well crafted to address invasions of this type, adds Brooklyn Law School professor Paul Schwartz. But as with gunmakers who are sometimes sued for accidental deaths, "if some serious damage were done, it's only a matter of time before someone could argue that a company who made this kind of product should shoulder the blame," he says.

"BECAUSE IT'S THERE."  Whatever your take on file sharing, here are three simple things you can do. First, get a firewall for your home or office network. ZoneLabs.com offers a free firewall that's recommended by most security experts and PC Magazine. About 8 million ZoneLab firewalls have been downloaded to date.

Second, if you set up a network, take advantage of the function that allows you to create user names and passwords. Sophisticated hackers might be able to get around such setups, but it will keep the average spy at bay. Finally, limit what files are shared. You can do this when you set up Windows file sharing by selecting which folders you want to make accessible to other computers on the network. And it's definitely worth taking the extra time to set up separate directories for financial and other sensitive information.
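
The three steps above can be checked on your own machine. The script below is an added example, not part of the original article or anything from ShareSniffer: a read-only self-audit that lists shares open to broad accounts, an enabled Guest account, and file-sharing firewall rules that apply on public networks. It assumes a current English-language Windows system (Windows 8 / Server 2012 or later, PowerShell 5.1) and an elevated prompt.

```powershell
# Added example: read-only audit of this computer's own file-sharing exposure.
# Assumptions: Windows 8 / Server 2012 or later, PowerShell 5.1, elevated prompt,
# English display names for the firewall rule group.

# Accounts that effectively mean "anyone who can reach this machine".
$broadAccounts = '(^|\\)(Everyone|ANONYMOUS LOGON|Guest|Guests)$'

# Step "limit what is shared": user-created shares (not C$, ADMIN$, IPC$)
# whose share permissions allow one of the broad accounts.
$openShares = foreach ($share in Get-SmbShare -Special $false) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccountName -match $broadAccounts } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Right   = $_.AccessRight
            }
        }
}

# Step "user names and passwords": the built-in Guest account (RID 501)
# should be disabled so that shares cannot be reached without credentials.
$guestEnabled = Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' -and $_.Enabled }

# Step "get a firewall": inbound file-sharing rules that are enabled for the
# Public profile (or for every profile) expose shares on untrusted networks.
$publicRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
        -Enabled True -Direction Inbound -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' }

# Networks currently treated as Public, where those rules would take effect.
$publicNets = Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'Public' }

'--- Shares open to broad accounts ---'
if ($openShares) { $openShares | Format-Table -AutoSize } else { 'none' }
'--- Guest account enabled ---'
if ($guestEnabled) { $guestEnabled.Name } else { 'no' }
'--- File-sharing rules allowed on Public networks ---'
if ($publicRules) { $publicRules.DisplayName } else { 'none' }
'--- Connected networks classified as Public ---'
if ($publicNets) { $publicNets.Name } else { 'none' }
```

Any share listed in the first section, combined with a rule in the third and a network in the fourth, is the situation the article describes: files reachable by whoever finds the machine's IP address.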

ShareSniffer's current motto is: "Because it's there," a sly reference to what explorers once said about climbing Mt. Everest. But ShareSniffer President Michael Pommerer says the company is considering changing it to: "Let the sharing begin." The name change won't change the facts. ShareSniffer is fine and dandy for those who want to share files. But if you don't want to grant access, be sure to protect yourself.



Black covers privacy issues for BusinessWeek Online in New York
Edited by Alex Salkever

McGraw-Hill Cos.