Comments on: Microsoft exec calls XP hack 'frightening'

In a matter of minutes, e-crime experts hack into a Windows XP computer that is unprotected and connected to an unsecured wireless network.

[Penguinisto]

We've known this for years.

An unpatched Windows box has a very short lifespan when
connected live.

And yet it takes how long to get updates from Windows, on-line,
when you first build one?

(clue: if you can manually hunt down all the "net distribution"
versions of those patches and download those beforehand to
another computer before building your Windows box, you stand
a better chance of survival. Good luck finding them all if you're a
typical user, though...)

/P

[rcrusoe]

That's the problem

Unpack your new Dell (or whatever) hook it to your cable
modem, and immediately run Windows Update, while you
download ZoneAlarm, etc. and you still have an excellent chance
of being compromised / infected before you can secure your PC.

Until manufacturers start selling fully secured Windows boxes,
the average buyer is screwed, which means:

the average buyer is screwed.

[Vegaman_Dan]

Absolutely right on the mark

Even the testers suggested it was more responsible to install XP SP2. I can imagine trying to attack an OS that isn't even available for sale and hasn't been for years would be easier to do.

It's a good article to show that no system should be left unpatched and unprotected, but... yeah, using outdated and obsolete versions isn't very sensible for testing. It would be like using OS 9 and then not applying any patches at all to it from the OEM, then claiming it's unsecure. Well... DUH?

Thankfully this test isn't realistic since SP1 isn't even available for sale and hasn't been for years.

Let's try that same test today with fully patched versions of Vista, OS X, and Ubuntu. Somehow I don't think it will as easy.

I also love the idea of a file with the passwords on the system being made known to the attacker in advance so they knew exactly what file to go for, where it was located, and that it was unprotected. That's like advertising on Craigslist that the keys to your Porsche are sitting in the sugar jar on the kitchen table, the doors are unlocked and you're out on vacation for a week.

Realistic test? No. Entertaining? Sure. :)

[Freezeman32]

Ridiculous Story

This is a really silly story. What new information does it provide?
How is the fact that a non-firewalled, non-updated, non-protected
Windows machine on an insecure network can be hacked a real
story?

In this situation, you should include all kinds of machines. They
are all pretty "hackable" given these constraints.

[herkamur]

not so silly

Actually, it's not that silly considering how many people don't keep their systems up to date. This relates to any operating system as you indicate. If this story manages to open a few eyes then it's done its job.

[ColdMast]

the equvalent of leaving your doors open with keys in

...while it is the middle of night and your on vacation.

this is a stupid story and should only concern people who don't know what a power button is.

[IMGvideos]

Agreed...this is retarded!

The truly funny part of this is that the so-called "experts" took a full ELEVEN MINUTES to hack into a completely unprotected system.

As a matter of clarity, I have seen and participated in white hat demonstrations with REAL experts who hacked into PROTECTED systems in around 2 to 3 minutes, without the use of "script-kiddie" tools.

Now, add in the fact that these idiots probably don't even know what a command prompt is used for (a big clue is the fact that they had to get their current IP address for the wireless connection manager applet; what the....? Are you freakin' KIDDING me? No serious hacker would relegate himself to that unless none of the many other methods at his disposal were available, the greatest tool still being the command prompt).

At any rate, this is yet ANOTHER "soft news" story from Cnet, who is steadily losing credibility every single day that they allow this type of half-assed misinformation "reporting" to populate their website.

PLEASE, folks....get REAL writers who know how to discriminate between the fluff / lies and truthful hard information.

[MSSlayer]

Firewall

The built in firewall in XP offers next to no protection.

[Kings X Rocks!]

You're right...silly

Fodder to spark the anti-MS postings is all it is intended for.

[zunipus]

Multi-Machine Showdown

"In this situation, you should include all kinds of machines. They are all pretty "hackable" given these constraints."

I totally agree with the first sentence. Toss in boxes with basic installations of a variety of operating systems.

However, living in the world of hearsay I cannot imagine that very many operating system are as hackable as Windows XP or previous versions of Windows. Until Vista Microsoft did an infamously bad job with security.

Comparing a basic Windows XP box to a basic Mac box I would have to say that Mac would win hands down, typically. There are of course tools to read unencrypted data streaming to and from any computer using WiFi and potentially any computer on the Internet. But to actually hack into a Mac has proven to require an 'inside job' to get it to work. That is, unless of course the hacker knows or can easily guess the ID and password of the Mac being hacked. (Please don't get over-sensitive about this point. I am not interjecting a computer warz comment, just information).

[john55440]

VERY unrealistic demo - VERY stupid

"a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software and contained a sample target file of passwords to be stolen."

Microsoft doesn't even support SP1 any more. To get security updates, you have to have SP2 installed. I bought my computer way back in 2002, and am running SP2.

Anyone who runs WinXP with "no antivirus, firewall, or anti-spyware software" is a complete idiot.

And no, I don't store my passwords on my computer in a convenient, non-pasword-protected file, called herearemypasswords.txt -grin

If you build a house with no doors you might get robbed - frightening!

[FellowConspirator]

Antivirus and Antispyware

The use of antivirus software and antispyware software is likely
moot since most of the sorts of tools here wouldn't register with
either. Firewall software is far more likely to be useful (certainly
it's much more likely to trip up the intruder).

That said, while SP2 is much better, it's still susceptible to a
reasonably well-informed attacker with similar results. Someone
with skill in the art wouldn't take so long to crack into the box
as most of the steps would be automated.

I've seen SP2 machines cracked in less than 1/2 the time
demonstrated here.

[`WarpKat]

Look in the Mirror When You Say That

"To get security updates, you have to have SP2 installed. I bought my computer way back in 2002, and am running SP2. Anyone who runs WinXP with "no antivirus, firewall, or anti-spyware software" is a complete idiot."

Yes - you and I and about 1/4 of the world knows this, however, Ma and Pa don't. Little Billy doesn't. 3/4 of the world knows very little about vulnerabilities or security.

My machines are up-to-date. But I would care to say a majority of the machines I've worked on had to be updated from their original installs.

To me, this is a very realistic demo since Microsoft and hardware vendors have tried to make what was originally intended for intelligent people into an "Everybody Can Do It" concept.

As for the passwords in an unprotected text file, you'd be surprised and you're even MORE of an idiot if you think everyone behaves as you do, to say nothing of the thinking part of it - which isn't something you're obviously good at, either.

Don't hurt yourself in the process.

[shane--2008]

you keep using that word....

i don't think it means....

"unrealistic"

yeah, cause NOBODY would be running XP without SP2 right?

oh wait, i am sitting behind 2 windows users on laptops with XP
right now, let me take an informal poll.....

....well, turns out you are 50% so far. wanna try again? let me
look around the cafe and get back to you.

[JoeF2]

On the contrary

"To get security updates, you have to have SP2 installed."

Actually, no. Only if you use Windows Update...

And besides, a lot of people don't update their systems. You may call them "idiots", and I actually agree, but fact is that most people don't understand the technology, and don't even know that they can update their system.

The only issue I have with the story is that 6 minutes to break into a Windows box is too long. Real experts can do that in as little as 2 minutes.

[satayboy]

gasp!

Gasp! I guess we had all better upgrade to Vista right away!

[tagno25]

upgrade

no, you need to upgrade to Linux, Max OSX, AT&T Unix, or Windows 3.1

LOL on the last two

[Neo Con]

Even more frightening...

The security experts then came to my house and demonstrated that if I leave my front door wide open with no alarm on and a wallet full of money on the table by the door, they could reach in and swipe it in a matter of seconds! Scary.

[PortVista-19095313035016904102]

Duh!

How can a Microsoft executive be surprised by this? Old version of windows, no security software, unsecured network. Duh. If any one of these were fixed the hack would not work.

[roger.d.miller]

Another Dopey Story Out of London

CNet needs to beef up its London Bureau.

[Andy kaufman]

Don't be a dummy

don't have an unsecured wireless network, use at least WEP if not WPA.

Install the latest service packs and updates.

Always run your antivirus, firewall, and antispyware software.

Turn off your computer when not in use.

[willdryden]

You don't have to turn it off..

just pull the network plug. My computer runs 24/7 but is only connected when I am using it on the web.

[shane--2008]

and most important

don't run windows.

seriously, how can people STILL not get this.....

[AdamsAdams]

just a promo

This impels you to think that Vista should be better, but the reality is that it is still insecure but with the huge added discomfort of not actually being able to control your computer to your liking. Vista sucks BIG time, and in my experience is more unstable than Millennium. Better stick to XP SP2 until something better comes, if you are lucky to find a PC whose manufacturers have not been intimidated to discontinue XP support...

[jscott418]

Hardly proves anything

All this proves is that idiots who don't run any kind of security
run a high risks of data theft. No kidding! Really! Wow I would
not have known that. If your that stupid then even if someone
proves to you that it can be done. Those people probably don't
know how to activate the security anyway. I am sure the same
can be done for Vista and probably OS 10 and Linux if given
enough time. Let's have them try it with a fully secure system
and see what happens.
If they can break a fully secure system then I will consider it a
problem.

[real_bgiel]

Vista Anybody?

Guess MS recommends upgrading to Vista, of course, the Windows ME of the 21st century.

[pfrabott]

I disagree

I disagree with Vista being like ME. I have been using vist both at home and at work since Febuary and have not seen any problems with it. To be honest, it's been most stable then XP SP2 and XP wasn't all that bad. I've talked to alot of people that have been complaining about Vista but I fail to see what the problem is. At work there were a few internal processes and custom applications we had to tweak to work with Vista (because of the UAC) but other then that we haven't seen any problems. Anyone want to enlighten me to why everyone is complaining? (I am just curious since I cannot figure it out).

[cross platform]

Once Again About Vista

I'm using Vista right now on my 4 year old P4 3.2 Ghz. It runs fine. So when I read things like this I just have to shake my head. The negative stuff I've read about Vista is way overblown. It has some rough spots yes but the more updates I apply the more it straightens out. I like it better than I liked XP which is just like it looks. Something that was designed in the last century. I waited until about a month ago to upgrade and yes it took some doing but in the end it was just a matter of updating the drivers and software. Sorry but that's just the way it is.

[akuehnemund]

The problem is...

... that MOST people will not patch their systems or will pay for an
antivirus software subscription or know how to install a free
alternative like freeav.
We all pay the price for that. Knwoing that MOST people won't keep
their computer updated and secure, it's the OS manufacturer's
responsibility to create a safe and secure operating system that
requires little if any additional actions from the user. That's where
Microsoft fails miserably.

[AndrewRich]

The undisclosed attack tool

is almost certainly the Metasploit Framework. From the description of the tool and its use, I doubt it's anything else.

[pfrabott]

You'd be surprised

You'd be surprised how many people do not patch their computers. My business provides several technical services including consumer technical support. In my experience I have found about 60% of the customers I work on are not using updated versions of the OS. They believe that having updated anti-virus, firewall and anti-spyware is enough. They do not understand how OS updates can impact a a system. Furthermore, I have a few customers that argue with me over it. It's sad but, you would be very surprised at the numbers. Now that this article is out I will be able to refer them to it for more research. (thanks CNet)

[Jim Harmon]

This article won't convince them.

[i]They believe that having updated anti-virus, firewall and anti-spyware is enough. They do not understand how OS updates can impact a a system. [/i]

In this test:

1) An unsecured wireless router was used;
2) No anti-virus programs;
3) No Firewall;
4) No anti-spyware programs.

Under these conditions, XPSP2 could have been attacked just as easily.

IMHO... they might as well have left the keyboard on the sidewalk.

[pfrabott]

Fast

I think they were surprised at how fast it was.

[wolivere]

I'm surprise it took that long

Come on pre sp2 box unsecure network? Same IP range? There are automated tools that would have done this in far less time.

[Phillep_H]

Informal surveys needed?

Like, someone with a bit of know how checking this out where they are and getting back to us?

I don't mean actually cracking the computers, just rattling the door knobs. Or, is that illegal in it's self?

[pfrabott]

Depends

If you own the system or have prior arrangments then you can run security scans. If you don't own the system and the owner does not agree to let you do it then it's considered illegal. Most businesses run internal scans of thousands of systems a week for security issues.

[pfrabott]

Pre-SP2

I think that Microsoft (pre-SP2) didn't realize how many people would not turn automatic updates on be default. When they realized this they forced it on as default in SP2. Vista is pre-installed with it on (unless OEM vendors specifically choose not to have it on). Microsoft got it right eventually IMO. Your right though, they didn't get it at first.

[duggerdm]

MS Media Plant - CNET accomplice.

Let's see - if I had spent years and a train load to develop a new program - we could call it something totally innocuous like say... Vista - and if it was so user abusive that most businesses continue to use an older existing programs let's for the sake of discussion call that one say... XP - that wasn't great, but less abusive than my new one - wouldn't it be logical to promote fear stories of the older program to try to drive people to the new program? Even if the story scenario was lame to start with - XP with no patches and no protective software. The only real news here is that CNET is so gullible - or so biased that they carried the "story" at all.

[Thomas, David]

That's not hacking

Accessing an unsecured wireless network isn't hacking. It's
walking in the front door.

Now I'm not sure of what I should be more wary of, the "hack", or
the executives proclaimed fears. Or is this a yellow flag banner for
people to move over to Vista?

[Toulinwoek]

Just Plain Silly

And the Microsoft exec calls this stupid "test" enlightening? Frightening?
I can remember when Microsoft at least TRIED to hire folks with more "on the ball" than an inflation valve!
I mean, given the criteria for this laughable demonstration, I'd expect my wristwatch to be hacked in a few seconds!