Number 208 - September 2000
Intruder Alarm
by Ray Isenson, Central Coast Computer Club, ugfray@aol.com - May 19, 2000
    When Windows 95 or 98 was first installed, or reinstalled, on your hard drive, your computer was given a name, as was any network with which it was associated. The chances are that you have no recollection of the incident. Would you be surprised to learn that a third party, without your permission, may be able to get into your computer and learn these names, and much more? Later in this article a means will be described by which you can test your computer's vulnerability and, perhaps, have your memory refreshed about those names.

    Are you using RealJukebox Player software, the free software available from RealNetworks to download from the Internet or play CD music? If so, you're one of more than 12 million users who've registered that software. And, every time you run the program to listen to music you send a message to RealNetworks identifying your computer and describing the music you're listening to. Or, are you running RealPlayer to hear sounds over the Internet? It will try to send a status report of some kind each time you access the Internet.

    Rumors circulated to the effect that a popular system for creating advertiser-supported software, a system used by 400 or more advertisers, was, in fact, functioning as an Internet Trojan horse. The rumors stated that the unwitting user's computer was being inventoried, the system registry was being scanned, and all manner of personal, private, and confidential information was being sent out across the Internet for collection by Aureate Media Corporation. Although a complete technical analysis is still pending, a preliminary examination by an independent research organization of Aureate's Web site and their privacy policy statements, while confirming that the software does create an open port through which your personal information can be gleaned, tends to dispel most, but not all, concerns about that company's immediate threat.

    The Aureate procedure typically works by presenting to the user a demographic profiling questionnaire. As an option, the installation can defer the presentation of the demographic profiling questionnaire. There have been credible reports describing several cases where the Aureate system appeared to be missing after installation of an application, but in fact it was running with full stealth, collecting data and communicating with its remote servers without ever first presenting its demographic questionnaire. Since each user is branded with a unique user ID, they can collect and associate demographics at any later time.

    Information collected by this Spyware program is, presumably, limited to your computer activities associated with one or more of the sponsoring advertisers; how long did you examine it, what links did you select, did you order anything and the like. Nevertheless, it is certainly the case that you should be made aware of the potential privacy and security implications associated with the use of Aureate-hosted advertisement-supported software. In several cases of installations using this system: NO indication was provided that the Aureate system was being installed, the Aureate system communicates in complete secrecy, the Aureate system is running even when its hosting program is not, the Aureate system survives the removal of its hosting program, and even then it continues to operate secretly in the background. Further, ports created by the Aureate software could be exploited by individuals with other motives.

    Computers connected to the Internet via cable or ADSL links and allowed to remain connected for extended periods of time are more vulnerable to penetration than those connected via telephone modems. You might be thinking, "Hey, the Internet's a huge place, right? No one's ever going to notice me." Sure. But technically savvy intruders are using high-speed Internet Scanners that can probe every computer in a small country within a short time! Nothing would make them happier than lifting your personal information, credit card numbers, bank account balances, and so forth through your computer's insecure connection to the Internet. No Internet user can afford to be complacent.

    Fortunately, you can protect yourself with little effort and at practically no cost. With respect to the Aureate system and its subscribers, the direct protection is by way of a small, free program made available for the purpose by the Gibson Research Center (www.grc.com). The program, the OptOut spyware removal tool, can be downloaded from their web page in a matter of seconds. While on their page you can take advantage of two additional features offered by the Center.

    Press the Test My Shields button and, after a short wait, you'll see a report, perhaps: "Preliminary Internet connection established! Your computer has accepted an anonymous connection from another machine it knows nothing about! (That's not good.) This ShieldsUP! web server has been permitted to connect to your computer's highly insecure NetBIOS File and Printer Sharing port (139). Subsequent tests conducted on this page, and elsewhere on this Web site, will probe more deeply to determine the extent of this system's vulnerability. But regardless of what more is determined, the presence and availability of some form of Internet Server HAS BEEN CONFIRMED within this machine . . . and it is accepting anonymous connections!"

    To complete the test of your computer's vulnerability, select the other button, Probe My Ports. After a short wait you'll get a report indicating the status of a number of checks. There are more ports than can be seen on one screen so you'll have to cursor down in the report box to see all of the results. If any of the tested ports are open to invasion, you'll see a red box. Click on the title just to the left of the red box to get more information.
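    What a port probe measures can also be seen from your own keyboard. The following is an added example, not part of the original article or of GRC's software; it assumes Python 3 is installed, and the function names and the three outcome labels are this example's own.

```python
import socket

# Outcome labels are this example's own, not wording from the article.
OPEN, CLOSED, NO_REPLY = "open", "closed", "no reply"


def probe_tcp_port(host, port, timeout=1.0):
    """Try one TCP connection and classify how the machine answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN          # something is listening and accepted us
    except ConnectionRefusedError:
        return CLOSED        # machine answered, but nothing is listening
    except OSError:
        return NO_REPLY      # timed out or unreachable: no answer at all
    finally:
        sock.close()


def check_own_machine(ports=(139,), host="127.0.0.1"):
    """Probe this computer's own ports; 139 is the one the article names."""
    return {port: probe_tcp_port(host, port) for port in ports}


def report(results):
    """Turn probe results into one readable line per port."""
    lines = []
    for port, state in sorted(results.items()):
        note = "  <-- accepting connections" if state == OPEN else ""
        lines.append(f"port {port}: {state}{note}")
    return lines


if __name__ == "__main__":
    # Loopback only shows whether a service is listening on this machine.
    # A firewall normally lets loopback traffic through, so a test from
    # outside, like the one described above, is still needed.
    print("\n".join(report(check_own_machine())))
```

    Run after installing a firewall, a result other than "open" for port 139 means nothing on the machine is accepting connections on that port.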

    Digressing for a moment, California building construction laws require that a barrier be placed between an automobile garage or car stall and the main dwelling. This barrier, intended to delay the movement of a fire from the auto storage area to the living area, is called a Firewall. That name has been adopted by the computer world to describe any program that serves to block intrusion from the Internet into the protected computer. If you're going to expose your computer to the Internet even for very brief periods of time, you are well advised to install a firewall.

    Returning then to the GRC web page and the probe test: following the report is a short treatise on Stealth. Read it for a better understanding of what the probe test was all about and how to protect yourself more completely. Continue reading until you're directed to a free firewall offered by ZoneLab. Click on the link to the ZoneLab web page and browse through it for an even better understanding of the problem and solutions. I strongly suggest that you download and install ZoneAlarm 2.1. This 1.8 Mb program, free to non-business users, will provide the protection against unwanted intrusions.

Editor's Note:
    Longtime members are aware of Steve Gibson's site and many have visited it. We have compiled a disk of his freebie software utilities on a floppy disk and have the current version of ZoneAlarm (also free-for-personal-use) split onto two floppies with HJSplit. See Librarian Tom Stepanek for copies.

    If you are a Click!, AT&T Cable Services, or ADSL user you should install ZoneAlarm or one of the reasonably priced Firewall programs to protect your machine. These programs run in the background and don't interfere with your day-to-day operations.
 