Unlocked door for spam?

A 15-year-old hacker discovers a way to log onto thousands of computers across the Net and use others' email accounts, inadvertently giving spammers a new weapon.

When a 15-year-old hacker discovered a way to log onto thousands of computers and send email from their Internet accounts, he thought he had unearthed a huge hole that could give spammers a new, dangerous weapon.

But the company that makes the software that can allow these random remote logons says it has known about the issue for years and that it hadn't posed a problem until the last few months, as crackers and spammers have gotten more devious in their constant search to find new ways to exploit vulnerabilities in the Internet. It added that anyone using the software can easily fix the problem.

The software is a proxy server called WinGate that, while serving as a firewall, allows several computers to share a single Internet connection. Hundreds of thousands of home offices and small businesses use it. Most have downloaded free copies of the program. WinGate also can allow users to log onto their computers from remote locations through an Internet application called Telnet.

Unless the user changes WinGate's default connections, the proxy server is set up to accept all Telnet connections. While most users leave the port open to accept such connections, it is simple to change the settings to secure the server. Users can change the default by editing the global access rules and "binding services to the network adapter of the machine," according to the company.

Users who want to change the default can go to directions on Deerfield's Web site.
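One way an administrator could confirm the binding described above, given as an added example that is not from the article or from Deerfield: it parses `netstat -an` output captured on the proxy host and flags proxy listeners bound to every adapter or to a non-LAN address. The sample output, the ports other than Telnet's 23, and the LAN ranges are assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from the article).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    203.0.113.7:23         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:23         192.168.0.12:1045      ESTABLISHED
"""

# Assumption: Telnet proxy on 23 (from the article); 1080 and 8080 are illustrative.
PROXY_PORTS = {23: "telnet proxy", 1080: "SOCKS", 8080: "HTTP proxy"}

# Assumption: the LAN uses RFC 1918 space. Listed explicitly because Python's
# is_private also covers documentation ranges such as 203.0.113.0/24.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_bind(addr):
    """Return 'all-adapters', 'internal' or 'external' for a bind address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-adapters"   # 0.0.0.0 / :: also answers on the Internet side
    if ip.is_loopback or any(ip in net for net in LAN_NETS):
        return "internal"
    return "external"

def audit_listeners(netstat_text, ports=PROXY_PORTS):
    """Return (port, service, bind_address, verdict) for each listening proxy port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        addr, port = addr.strip("[]"), int(port)
        if port in ports:
            findings.append((port, ports[port], addr, classify_bind(addr)))
    return findings

def exposed(findings):
    """Listeners reachable from outside the LAN: the ones to rebind or restrict."""
    return [f for f in findings if f[3] != "internal"]

if __name__ == "__main__":
    for port, svc, addr, verdict in audit_listeners(SAMPLE_NETSTAT):
        print(f"{svc:<13} {addr}:{port:<5} {verdict}")
```

A listener reported as `all-adapters` matches the default the article describes; after rebinding to the internal adapter it should show only the LAN address.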

But the default, as is, is set to leave the Telnet port open, and that is how it is configured for most people. That means that anyone, whether they belong there or not, can gain access to a small part of the system.

Once there, users have no access to any documents in the computers or secure information; the firewall is not breached. But they can use the account to send email. Such an action is untraceable, which worries antispammers.

Some users have already exploited the program to send allegedly harassing mail and phony Usenet postings. Those who oppose spam feel that it won't be long before spammers use it to send junk mail from seized accounts. They may already be doing this.

"It's not just spammers that I'm worried about," said Bill Mattocks, a proprietor of an Internet service provider in Wisconsin and an active antispammer. "What I'm concerned about is this is a very major security hole in a very major Internet program."

Mike Deerfield, CEO of Deerfield, the company that sells WinGate, denied it's a security hole. Users can change the settings on the software anytime to block remote logins. He also added that it would be hard to send out massive amounts of spam by Telnetting into a dial-up Internet account.

But he does acknowledge that the program can be exploited by the rogue elements of the Net. "I would agree that left unattended, it is a potential security hole," Deerfield said. "I would also agree that it is LAN [local area network] owners' responsibility to insure that their network is secure. Just as failing to read the documentation for anything can potentially cause undesirable results, so can be the case with WinGate."

Plus, he noted that the issue is not unique to WinGate. The open settings are "pretty common among the class of applications we compete with."

When the program was first designed two years ago, leaving a Telnet port open was a lot like leaving a door unlocked in a small town 40 years ago. But the Internet has changed about as much in two years as the nonvirtual world has in 40, or at least it's headed that way. Most people today lock their doors as a basic precaution.

Deerfield likened his situation to that of ISPs and their mail servers. Customers used to be able to log onto their ISPs' email servers from outside connections. They used the feature to send and receive mail. But once spammers learned that they could also use the servers to launch junk email, many ISPs eliminated that capability.

"We're all being faced with the same issues," Deerfield said. "As more users come onto the Internet, all these things are being looked at with a microscope to see how they can be exploited by the end user."

Because of that, Deerfield said WinGate's next version, slated to be released in about 30 days, will offer users a "secure installation" that would not allow Telnet connections, as well as a "manual security setup" option where users could configure it to their liking.

Mattocks said that's not enough. He thinks the company should issue an immediate fix to the problem. So does the 15-year-old.

"Bug or not, I can go to any computer and make it look like I sent mail from it," said the teen, whom CNET's NEWS.COM is not identifying because he is a minor. "It's a security hole."

But Adrien de Croy, primary designer of WinGate, said in an email interview that users do have an immediate fix: They can simply go in and change the configurations. He added that "we will be mailing all our users with information about how and why they should have a security policy in place that denies unauthorized access to WinGate services."

The teen noted he feels bad because in his initial excitement at discovering the WinGate problem, he may have been responsible for inadvertently spreading the word about it.

He said he found the hole three weeks ago when he was setting up email for a friend--an older woman who wanted to use it to communicate with her family. "I was testing it, so I Telnetted to my own computer. I mistyped my IP number. I saw a little prompt that said 'WinGate.'"

Being a curious hacker, he looked around and discovered that he could, if he wanted to, anonymously use the connection to send email. No one would be able to trace it back to him.

De Croy emphasized that email can't be sent from "any machine," but only from "any machine left wide open." But machines that use the secure installation will be safe, he said. He added that the teenager "should not feel bad about spreading the word. Any spread of information that makes users more aware of their actions and the implications is good. He did them a favor."

Then he realized that there were thousands of setups on the Net using WinGate with open Telnet doors. He thought, "You could really use it for a big-time spam."

The youngster became so enthralled by the "hole" that he wrote a program that scans the Internet for open ports--a move he sorely regrets today. "I wrote the scanning program. It was very exciting to find there were so many hosts with a hole." He said he never meant to do any harm and that he's not a cracker, just a hacker.

However, he added, "I sent it to some people not realizing what kind of people they were. I didn't intend for this to happen.

"I'm responsible for net abuse--the very thing I have been working to stop," he posted in a public apology to an antispamming newsgroup. "I've unwittingly helped a troll [someone who spoofs Usenet messages] further destroy 'news.admin.net-abuse' and have also made an excellent tool for spammers. I'll remember in the future that real hackers don't talk to crackers."