FRAMINGHAM (07/17/2000) - As soon as last week's Hack of the Month column appeared, in came a flood of e-mail claiming I had overstated the threat and was just plain wrong on some important points. Well, I was wrong on some points and had been given incorrect information about others. But I stand by my central point that Napster Inc.'s software poses some important threats for corporate users.
I reported that "Sinister Geek" could trick a Napster client into sending non-MP3 files when the hacker also used a wrapping tool called Wrapster. Bruce Hubbert, director of West Coast operations at IFSec LLC, a security consulting group in New York, told me he had done exactly that. Outside sources verified that, because Napster provides no authentication or encryption when downloading files, there is a threat.
However, I did make some mistakes. The first is how the attacker would exploit the Napster client. One reader said Napster can upload MP3 files only from directories selected by the Napster users. He's right - unless a hacker uses a buffer overflow (flooding a command buffer with more input than the client PC can handle) to trick Napster into displaying file directories it shouldn't, Hubbert says.
The second error is that, contrary to what I wrote, Wrapster can't be executed remotely by an attacker. Wrapster must already be installed on the hard drive of the user, by the user.
Hubbert acknowledges that it would take the installation of a Trojan horse such as Back Orifice to get Wrapster to do a hacker's bidding.
And as one reader said, once you get a Trojan horse in the victim's machine, why not just find an easier way to ship data out, such as exploiting Outlook?
This is the part of the supposed threat Hubbert acknowledges is theory: "I did not actually manipulate Wrapster to ship data off the test machine. But I did buffer-overflow Napster to show me file directories it shouldn't have."
A final error suggested that Napster automatically logs the speed at which the client PC is linked to the Web. In fact, whoever downloads Napster has control over the connection speed recorded at the Napster site.
Hubbert and other security professionals say Napster is still a security threat. He also denies having any hidden agenda against Napster.
"You can transfer files with a Napster client," says Hubbert. "There's no authentication. No encryption. And the code isn't open source, so you can't really be sure what it does. I already proved it's vulnerable to buffer overflows, which is a very common problem in most client software."