Microsoft exec calls XP hack 'frightening'

A Microsoft executive calls the ease with which two British e-crime specialists managed to hack into a Windows XP computer as both "enlightening and frightening."

The demonstration took place Monday at an event sponsored by Get Safe Online--a joint initiative of the U.K. government and industry. At the event, which was aimed at heightening security awareness among small businesses, two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software and contained a sample target file of passwords to be stolen.

The SOCA officials wished to remain anonymous. One of them, "Mick," remained behind a screen while carrying out the hack into the unpatched computer of a fellow officer, "Andy."

"It's easy to connect to an unsecured wireless network," said Mick. "You could equate Andy with being in his bedroom, while I'm scanning for networks outside in my car. If I ordered or viewed illegal materials, it would come back to Andy."

Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.

"You can download attack tools from the Internet, and even script kiddies can use this one," said Mick.

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box. He deduced the IP address of Andy's computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them. Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes.

Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy's unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

"If you were in (a cafe with Wi-Fi access), your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit.

Mick then went into the My Documents folder and, using a trivial transfer protocol, transferred the document containing passwords to his own computer. The whole process took 11 minutes.

A SOCA representative said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it." SOCA stopped short of recommending small businesses move to Vista; a SOCA representative said that applying Service Pack 2 to XP, with all the patches applied, and running a secured wireless network is "perfectly sensible way to do it."

Nick McGrath, head of platform strategy for Microsoft U.K., was surprised by the incident.

"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said McGrath. "But the computer was new, not updated, and not patched."

McGrath said that having anti-spyware installed was not as important as having the software updated. He added that Microsoft works closely with original equipment manufacturers to encourage the preloading of antivirus and anti-spyware on a 30-day trial basis. McGrath also said that Service Pack 2 for XP had a firewall and that Vista was not as "accessible to the average hacker" due to "operating system components."

Tom Espiner of ZDNet UK reported from London.

[Penguinisto]

We've known this for years.

An unpatched Windows box has a very short lifespan when
connected live.

And yet it takes how long to get updates from Windows, on-line,
when you first build one?

(clue: if you can manually hunt down all the "net distribution"
versions of those patches and download those beforehand to
another computer before building your Windows box, you stand
a better chance of survival. Good luck finding them all if you're a
typical user, though...)

/P

[rcrusoe]

That's the problem

Unpack your new Dell (or whatever) hook it to your cable
modem, and immediately run Windows Update, while you
download ZoneAlarm, etc. and you still have an excellent chance
of being compromised / infected before you can secure your PC.

Until manufacturers start selling fully secured Windows boxes,
the average buyer is screwed, which means:

the average buyer is screwed.

[Vegaman_Dan]

Absolutely right on the mark

Even the testers suggested it was more responsible to install XP SP2. I can imagine trying to attack an OS that isn't even available for sale and hasn't been for years would be easier to do.

It's a good article to show that no system should be left unpatched and unprotected, but... yeah, using outdated and obsolete versions isn't very sensible for testing. It would be like using OS 9 and then not applying any patches at all to it from the OEM, then claiming it's unsecure. Well... DUH?

Thankfully this test isn't realistic since SP1 isn't even available for sale and hasn't been for years.

Let's try that same test today with fully patched versions of Vista, OS X, and Ubuntu. Somehow I don't think it will as easy.

I also love the idea of a file with the passwords on the system being made known to the attacker in advance so they knew exactly what file to go for, where it was located, and that it was unprotected. That's like advertising on Craigslist that the keys to your Porsche are sitting in the sugar jar on the kitchen table, the doors are unlocked and you're out on vacation for a week.

Realistic test? No. Entertaining? Sure. :)

[Freezeman32]

Ridiculous Story

This is a really silly story. What new information does it provide?
How is the fact that a non-firewalled, non-updated, non-protected
Windows machine on an insecure network can be hacked a real
story?

In this situation, you should include all kinds of machines. They
are all pretty "hackable" given these constraints.

[herkamur]

not so silly

Actually, it's not that silly considering how many people don't keep their systems up to date. This relates to any operating system as you indicate. If this story manages to open a few eyes then it's done its job.

[ColdMast]

the equvalent of leaving your doors open with keys in

...while it is the middle of night and your on vacation.

this is a stupid story and should only concern people who don't know what a power button is.

[IMGvideos]

Agreed...this is retarded!

The truly funny part of this is that the so-called "experts" took a full ELEVEN MINUTES to hack into a completely unprotected system.

As a matter of clarity, I have seen and participated in white hat demonstrations with REAL experts who hacked into PROTECTED systems in around 2 to 3 minutes, without the use of "script-kiddie" tools.

Now, add in the fact that these idiots probably don't even know what a command prompt is used for (a big clue is the fact that they had to get their current IP address for the wireless connection manager applet; what the....? Are you freakin' KIDDING me? No serious hacker would relegate himself to that unless none of the many other methods at his disposal were available, the greatest tool still being the command prompt).

At any rate, this is yet ANOTHER "soft news" story from Cnet, who is steadily losing credibility every single day that they allow this type of half-assed misinformation "reporting" to populate their website.

PLEASE, folks....get REAL writers who know how to discriminate between the fluff / lies and truthful hard information.

[MSSlayer]

Firewall

The built in firewall in XP offers next to no protection.

[Kings X Rocks!]

You're right...silly

Fodder to spark the anti-MS postings is all it is intended for.

[zunipus]

Multi-Machine Showdown

"In this situation, you should include all kinds of machines. They are all pretty "hackable" given these constraints."

I totally agree with the first sentence. Toss in boxes with basic installations of a variety of operating systems.

However, living in the world of hearsay I cannot imagine that very many operating system are as hackable as Windows XP or previous versions of Windows. Until Vista Microsoft did an infamously bad job with security.

Comparing a basic Windows XP box to a basic Mac box I would have to say that Mac would win hands down, typically. There are of course tools to read unencrypted data streaming to and from any computer using WiFi and potentially any computer on the Internet. But to actually hack into a Mac has proven to require an 'inside job' to get it to work. That is, unless of course the hacker knows or can easily guess the ID and password of the Mac being hacked. (Please don't get over-sensitive about this point. I am not interjecting a computer warz comment, just information).

[john55440]

VERY unrealistic demo - VERY stupid

"a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software and contained a sample target file of passwords to be stolen."

Microsoft doesn't even support SP1 any more. To get security updates, you have to have SP2 installed. I bought my computer way back in 2002, and am running SP2.

Anyone who runs WinXP with "no antivirus, firewall, or anti-spyware software" is a complete idiot.

And no, I don't store my passwords on my computer in a convenient, non-pasword-protected file, called herearemypasswords.txt -grin

If you build a house with no doors you might get robbed - frightening!

[FellowConspirator]

Antivirus and Antispyware

The use of antivirus software and antispyware software is likely
moot since most of the sorts of tools here wouldn't register with
either. Firewall software is far more likely to be useful (certainly
it's much more likely to trip up the intruder).

That said, while SP2 is much better, it's still susceptible to a
reasonably well-informed attacker with similar results. Someone
with skill in the art wouldn't take so long to crack into the box
as most of the steps would be automated.

I've seen SP2 machines cracked in less than 1/2 the time
demonstrated here.

[`WarpKat]

Look in the Mirror When You Say That

"To get security updates, you have to have SP2 installed. I bought my computer way back in 2002, and am running SP2. Anyone who runs WinXP with "no antivirus, firewall, or anti-spyware software" is a complete idiot."

Yes - you and I and about 1/4 of the world knows this, however, Ma and Pa don't. Little Billy doesn't. 3/4 of the world knows very little about vulnerabilities or security.

My machines are up-to-date. But I would care to say a majority of the machines I've worked on had to be updated from their original installs.

To me, this is a very realistic demo since Microsoft and hardware vendors have tried to make what was originally intended for intelligent people into an "Everybody Can Do It" concept.

As for the passwords in an unprotected text file, you'd be surprised and you're even MORE of an idiot if you think everyone behaves as you do, to say nothing of the thinking part of it - which isn't something you're obviously good at, either.

Don't hurt yourself in the process.

[shane--2008]

you keep using that word....

i don't think it means....

"unrealistic"

yeah, cause NOBODY would be running XP without SP2 right?

oh wait, i am sitting behind 2 windows users on laptops with XP
right now, let me take an informal poll.....

....well, turns out you are 50% so far. wanna try again? let me
look around the cafe and get back to you.

[JoeF2]

On the contrary

"To get security updates, you have to have SP2 installed."

Actually, no. Only if you use Windows Update...

And besides, a lot of people don't update their systems. You may call them "idiots", and I actually agree, but fact is that most people don't understand the technology, and don't even know that they can update their system.

The only issue I have with the story is that 6 minutes to break into a Windows box is too long. Real experts can do that in as little as 2 minutes.

[satayboy]

gasp!

Gasp! I guess we had all better upgrade to Vista right away!

[tagno25]

upgrade

no, you need to upgrade to Linux, Max OSX, AT&T Unix, or Windows 3.1

LOL on the last two

[Neo Con]

Even more frightening...

The security experts then came to my house and demonstrated that if I leave my front door wide open with no alarm on and a wallet full of money on the table by the door, they could reach in and swipe it in a matter of seconds! Scary.

[PortVista-19095313035016904102]

Duh!

How can a Microsoft executive be surprised by this? Old version of windows, no security software, unsecured network. Duh. If any one of these were fixed the hack would not work.

[roger.d.miller]

Another Dopey Story Out of London

CNet needs to beef up its London Bureau.

[Andy kaufman]

Don't be a dummy

don't have an unsecured wireless network, use at least WEP if not WPA.

Install the latest service packs and updates.

Always run your antivirus, firewall, and antispyware software.

Turn off your computer when not in use.

[willdryden]

You don't have to turn it off..

just pull the network plug. My computer runs 24/7 but is only connected when I am using it on the web.

[shane--2008]

and most important

don't run windows.

seriously, how can people STILL not get this.....

[AdamsAdams]

just a promo

This impels you to think that Vista should be better, but the reality is that it is still insecure but with the huge added discomfort of not actually being able to control your computer to your liking. Vista sucks BIG time, and in my experience is more unstable than Millennium. Better stick to XP SP2 until something better comes, if you are lucky to find a PC whose manufacturers have not been intimidated to discontinue XP support...

[jscott418]

Hardly proves anything

All this proves is that idiots who don't run any kind of security
run a high risks of data theft. No kidding! Really! Wow I would
not have known that. If your that stupid then even if someone
proves to you that it can be done. Those people probably don't
know how to activate the security anyway. I am sure the same
can be done for Vista and probably OS 10 and Linux if given
enough time. Let's have them try it with a fully secure system
and see what happens.
If they can break a fully secure system then I will consider it a
problem.

[real_bgiel]

Vista Anybody?

Guess MS recommends upgrading to Vista, of course, the Windows ME of the 21st century.

[pfrabott]

I disagree

I disagree with Vista being like ME. I have been using vist both at home and at work since Febuary and have not seen any problems with it. To be honest, it's been most stable then XP SP2 and XP wasn't all that bad. I've talked to alot of people that have been complaining about Vista but I fail to see what the problem is. At work there were a few internal processes and custom applications we had to tweak to work with Vista (because of the UAC) but other then that we haven't seen any problems. Anyone want to enlighten me to why everyone is complaining? (I am just curious since I cannot figure it out).

[cross platform]

Once Again About Vista

I'm using Vista right now on my 4 year old P4 3.2 Ghz. It runs fine. So when I read things like this I just have to shake my head. The negative stuff I've read about Vista is way overblown. It has some rough spots yes but the more updates I apply the more it straightens out. I like it better than I liked XP which is just like it looks. Something that was designed in the last century. I waited until about a month ago to upgrade and yes it took some doing but in the end it was just a matter of updating the drivers and software. Sorry but that's just the way it is.

[akuehnemund]

The problem is...

... that MOST people will not patch their systems or will pay for an
antivirus software subscription or know how to install a free
alternative like freeav.
We all pay the price for that. Knwoing that MOST people won't keep
their computer updated and secure, it's the OS manufacturer's
responsibility to create a safe and secure operating system that
requires little if any additional actions from the user. That's where
Microsoft fails miserably.

[AndrewRich]

The undisclosed attack tool

is almost certainly the Metasploit Framework. From the description of the tool and its use, I doubt it's anything else.

[pfrabott]

You'd be surprised

You'd be surprised how many people do not patch their computers. My business provides several technical services including consumer technical support. In my experience I have found about 60% of the customers I work on are not using updated versions of the OS. They believe that having updated anti-virus, firewall and anti-spyware is enough. They do not understand how OS updates can impact a a system. Furthermore, I have a few customers that argue with me over it. It's sad but, you would be very surprised at the numbers. Now that this article is out I will be able to refer them to it for more research. (thanks CNet)

[Jim Harmon]

This article won't convince them.

[i]They believe that having updated anti-virus, firewall and anti-spyware is enough. They do not understand how OS updates can impact a a system. [/i]

In this test:

1) An unsecured wireless router was used;
2) No anti-virus programs;
3) No Firewall;
4) No anti-spyware programs.

Under these conditions, XPSP2 could have been attacked just as easily.

IMHO... they might as well have left the keyboard on the sidewalk.

[pfrabott]

Fast

I think they were surprised at how fast it was.

[wolivere]

I'm surprise it took that long

Come on pre sp2 box unsecure network? Same IP range? There are automated tools that would have done this in far less time.

[Phillep_H]

Informal surveys needed?

Like, someone with a bit of know how checking this out where they are and getting back to us?

I don't mean actually cracking the computers, just rattling the door knobs. Or, is that illegal in it's self?

[pfrabott]

Depends

If you own the system or have prior arrangments then you can run security scans. If you don't own the system and the owner does not agree to let you do it then it's considered illegal. Most businesses run internal scans of thousands of systems a week for security issues.

[pfrabott]

Pre-SP2

I think that Microsoft (pre-SP2) didn't realize how many people would not turn automatic updates on be default. When they realized this they forced it on as default in SP2. Vista is pre-installed with it on (unless OEM vendors specifically choose not to have it on). Microsoft got it right eventually IMO. Your right though, they didn't get it at first.

[duggerdm]

MS Media Plant - CNET accomplice.

Let's see - if I had spent years and a train load to develop a new program - we could call it something totally innocuous like say... Vista - and if it was so user abusive that most businesses continue to use an older existing programs let's for the sake of discussion call that one say... XP - that wasn't great, but less abusive than my new one - wouldn't it be logical to promote fear stories of the older program to try to drive people to the new program? Even if the story scenario was lame to start with - XP with no patches and no protective software. The only real news here is that CNET is so gullible - or so biased that they carried the "story" at all.

[Thomas, David]

That's not hacking

Accessing an unsecured wireless network isn't hacking. It's
walking in the front door.

Now I'm not sure of what I should be more wary of, the "hack", or
the executives proclaimed fears. Or is this a yellow flag banner for
people to move over to Vista?

[Toulinwoek]

Just Plain Silly

And the Microsoft exec calls this stupid "test" enlightening? Frightening?
I can remember when Microsoft at least TRIED to hire folks with more "on the ball" than an inflation valve!
I mean, given the criteria for this laughable demonstration, I'd expect my wristwatch to be hacked in a few seconds!