COMMAND

    passwd

SYSTEMS AFFECTED

    Win95

PROBLEM

    Peter Moon discovered a  major Windows 95 security  hole. Internet
    access  passwords,  once  thought  to  be  hidden by the operating
    system, can be revealed in a few seconds by a program the size  of
    a digital thimble.

    Access passwords are  meant to ensure  that only an  account owner
    can run up  charges on an  Internet account.   Once a third  party
    knows your password, they can use your account from any  computer,
    surfing for hours  at your expense,  viewing your e-mail  and even
    sending messages under your name.  Windows 95 can remember  access
    passwords so that you need not retype them every time you want  to
    dial up the Net.  Probably the majority of dial-up account holders
    use the feature.   Why not?   When Win95 stores  the password,  it
    appears on  the screen  as nothing  more than  a row of asterisks.
    The true  password is  hidden from  sight.   Well, was hidden from
    sight. Hands  On has  located a  tiny program  that sees  straight
    through  the  asterisks  and  displays  the underlying password --
    instantly.

    To learn your password, someone must have physical access to  your
    PC.  Apart from one of  the kids, or one of their  school friends,
    or your brother, or a  co-worker, or a computer repair  person, or
    a  student  in  your  school,  or  one of your employees, Hands On
    can't think of many  people who have access  to a PC that  belongs
    to  another.   And  if  that  other's  PC  has a "hidden" Internet
    password on it, any  one of those persons  might walk away with  a
    copy in their pocket.

    The program can run from a floppy disk and takes up so little room
    that it could  be buried among  dozens of innocent  files. Someone
    who borrows your  PC to print  out an innocuous  letter could view
    your password in far  less time than a  page takes to print.  Your
    account key could be spirited out  while you are a few feet  away.
    Because  it  doesn't  need  to  be  installed on the target PC, it
    leaves no footprint. Subsequent  examination of the machine  won't
    give any hint as to whether passwords have been leached out.

    This information is based on:

        http://www.afr.com.au/content/970822/inform/inhands.html

SOLUTION

    The fix is easy, but you  will have to enter your access  password
    every time you dial your service provider: tell Win95 not to  save
    your password. The option is set by a check box that appears  when
    you click on the dial-up icon.