
Windoze 95/98 in the news? :{)



For those of you who still surf the internet using Windoze:
   (this is NOT a joke!)


------------- Begin Forwarded Message -------------


August 10, 1998


PC Week via NewsEdge Corporation : Many of the known
security problems in Windows 95 have just become much easier
to exploit, not just by hackers but by anyone who can run a
Windows application. 

Using the Back Orifice application, which debuted last week at
the Def Con hackers' conference, PC Week Labs could remotely
monitor and control Windows 95 and Windows 98 systems and
could even add and delete files, directories and registry entries.
Back Orifice was created by the Cult of the Dead Cow, a hacker
group based in Lubbock, Texas. 

To protect against Back Orifice attacks, companies should
enforce policies against installing unauthorized applications and
limit the number of open ports on their firewalls. Also, a network
sniffer should be used at all times to detect an attack after it
starts. 

Back Orifice exploits poorly secured Internet connections and the
inability of Windows 95 and Windows 98 to assign different
security levels to users. (The program does not threaten
Windows NT systems.) 

Microsoft Corp.'s initial response to the program's release
advised customers that the program is not a threat to systems
that are behind firewalls and have dynamically assigned IP
addresses. However, using Back Orifice, we were able to sweep a
range of IP addresses and easily find machines that had Back
Orifice installed. Also, because the port number used by Back
Orifice can be configured, many firewalls will be unable to stop
attacks. 

Back Orifice consists of a client application for remotely
controlling systems and a server application that must be
installed on the remote system to be controlled. The latter is
probably the main thing protecting systems from Back Orifice.
However, the server app is very small (120KB), is self-installing
and can run under any name. 

Once the server app is installed, it is essentially invisible to the
system's users; the process doesn't appear in the Task Manager
or the Task bar. 

It is simple to attach the Back Orifice server to another
application installation program and run it on a remote system.
This is how many viruses are distributed, which means that any
company susceptible to viruses is subject to attack by Back
Orifice. 

The Back Orifice client program has a standard command-line
interface and, more important, has a standard Windows GUI.
Although the GUI isn't easy to use, any competent Windows user
should be able to figure it out. 

The program, available for free from www.cultdeadcow.com,
works in a similar fashion to many commercial remote control
applications and can actually be a useful tool for IS staff,
especially considering its small size and ease of distribution. Using
Back Orifice, we could access all information about a system and
could even view data on the networks to which the system was
attached. 

We could remotely launch applications and make the launch
invisible to the remote system's users. We could also view cached
passwords but, more important, Back Orifice can capture a user's
keystrokes to a log file. By examining this log file, we could see
what was typed and the name of the window in which it was
entered. This let us not only see passwords that had been
entered but also determine what they were for. 

How to protect systems against Back Orifice 

Limit points of entry through firewalls. 

Use a sniffer to detect unauthorized network activity. 

Enforce policies against installing questionable applications. 

Limit file access rights to systems. 

<<PC Week -- 08-10-98>> 

[Copyright 1998, Ziff Wire] 

------------- End Forwarded Message -------------
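The article's protection list boils down to two things a network team can mechanise: an allowlist of inbound ports (its "limit points of entry through firewalls") and a sniffer that flags anything outside that list or a source that sweeps a range of hosts (its "use a sniffer to detect unauthorized network activity"). The Python below is an added example written for this page; it is not code from PC Week, from the forwarded message, or from the Back Orifice authors. It assumes a constructed sniffer export in a simple whitespace-separated format, a hypothetical allowlist, 10.x.x.x as the internal range, and constructed addresses and ports. Because the article says the server's port is configurable, the detector deliberately does not key on any particular port.

```python
"""
Added example (not part of the PC Week article or the forwarded message).

Two detections drawn from the article's advice, run over sniffer output:
  1. inbound traffic to an internal host on a (proto, port) that is not
     on the firewall allowlist;
  2. a single external source touching several internal hosts within a
     short window (the address-range sweep the article describes).
Log format, addresses, ports and the allowlist are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    ts: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sniffer export. Columns: epoch proto src_ip src_port dst_ip dst_port
SAMPLE_CAPTURE = """\
# allowed services from outside
902700001 udp 198.51.100.4 1040 10.1.1.5 53
902700002 tcp 198.51.100.4 1041 10.1.1.5 80
# one external source probing an unlisted UDP port on three hosts in 2 s
902700010 udp 203.0.113.9 5555 10.1.1.5 12345
902700011 udp 203.0.113.9 5555 10.1.1.6 12345
902700012 udp 203.0.113.9 5555 10.1.1.7 12345
# internal-to-internal traffic is out of scope for the inbound rules
902700040 tcp 10.1.1.5 2000 10.1.1.6 139
# same external source again, 90 s later (outside the sweep window)
902700100 udp 203.0.113.9 5555 10.1.1.8 12345
"""

# Hypothetical firewall allowlist: the only (proto, port) pairs reachable from outside.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 25), ("udp", 53)}

INTERNAL_PREFIX = "10."  # constructed: everything in 10/8 is "ours"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def parse_capture(text: str) -> list[Datagram]:
    """Parse the constructed export; blank lines and '#' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, proto, src_ip, sport, dst_ip, dport = line.split()
        records.append(Datagram(int(ts), proto.lower(), src_ip, int(sport), dst_ip, int(dport)))
    return records


def inbound(records: list[Datagram]) -> list[Datagram]:
    """Only traffic entering the internal range from outside it."""
    return [r for r in records if is_internal(r.dst_ip) and not is_internal(r.src_ip)]


def find_unauthorized_inbound(records, allowed=ALLOWED_INBOUND) -> list[Datagram]:
    """Inbound datagrams whose (proto, dst_port) the firewall policy does not permit."""
    return [r for r in inbound(records) if (r.proto, r.dst_port) not in allowed]


def find_sweeps(records, min_hosts: int = 3, window: int = 60) -> dict[str, list[str]]:
    """External sources that reach >= min_hosts distinct internal hosts within `window` seconds."""
    by_src = defaultdict(list)
    for r in inbound(records):
        by_src[r.src_ip].append(r)
    sweeps = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        for i, first in enumerate(rs):  # sliding window anchored at each datagram
            hosts = {r.dst_ip for r in rs[i:] if r.ts - first.ts <= window}
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts)
                break
    return sweeps


def report(text: str) -> list[str]:
    """Human-readable findings, one per line, for the given capture text."""
    recs = parse_capture(text)
    lines = [f"unauthorized inbound: {r.src_ip} -> {r.dst_ip}:{r.dst_port}/{r.proto} at {r.ts}"
             for r in find_unauthorized_inbound(recs)]
    for src, hosts in find_sweeps(recs).items():
        lines.append(f"sweep: {src} touched {len(hosts)} hosts: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

The sweep heuristic is what makes this useful against a configurable port: even when the allowlist is wrong or incomplete, one source walking across several hosts in a minute stands out on its own. Tune `min_hosts` and `window` to the size of the range being watched; the constructed capture triggers on three hosts in two seconds and correctly ignores the same source's lone packet ninety seconds later.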