November 13, 2007 6:56 AM PST
Microsoft exec calls XP hack 'frightening'
The demonstration took place Monday at an event sponsored by Get Safe Online--a joint initiative of the U.K. government and industry. At the event, which was aimed at heightening security awareness among small businesses, two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software and contained a sample target file of passwords to be stolen.
The SOCA officials wished to remain anonymous. One of them, "Mick," remained behind a screen while carrying out the hack into the unpatched computer of a fellow officer, "Andy."
"It's easy to connect to an unsecured wireless network," said Mick. "You could equate Andy with being in his bedroom, while I'm scanning for networks outside in my car. If I ordered or viewed illegal materials, it would come back to Andy."
Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.
"You can download attack tools from the Internet, and even script kiddies can use this one," said Mick.
Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box. He deduced the IP address of Andy's computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.
Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them. Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes.
Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy's unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.
"If you were in (a cafe with Wi-Fi access), your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit.
Mick then went into the My Documents folder and, using a trivial transfer protocol, transferred the document containing passwords to his own computer. The whole process took 11 minutes.
A SOCA representative said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it." SOCA stopped short of recommending small businesses move to Vista; a SOCA representative said that applying Service Pack 2 to XP, with all the patches applied, and running a secured wireless network is a "perfectly sensible way to do it."
Nick McGrath, head of platform strategy for Microsoft U.K., was surprised by the incident.
"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said McGrath. "But the computer was new, not updated, and not patched."
McGrath said that having anti-spyware installed was not as important as having the software updated. He added that Microsoft works closely with original equipment manufacturers to encourage the preloading of antivirus and anti-spyware on a 30-day trial basis. McGrath also said that Service Pack 2 for XP had a firewall and that Vista was not as "accessible to the average hacker" due to "operating system components."
Tom Espiner of ZDNet UK reported from London.

connected live.
And yet it takes how long to get updates from Windows, on-line,
when you first build one?
(clue: if you can manually hunt down all the "net distribution"
versions of those patches and download those beforehand to
another computer before building your Windows box, you stand
a better chance of survival. Good luck finding them all if you're a
typical user, though...)
/P
How is the fact that a non-firewalled, non-updated, non-protected
Windows machine on an insecure network can be hacked a real
story?
In this situation, you should include all kinds of machines. They
are all pretty "hackable" given these constraints.
Microsoft doesn't even support SP1 any more. To get security updates, you have to have SP2 installed. I bought my computer way back in 2002, and am running SP2.
Anyone who runs WinXP with "no antivirus, firewall, or anti-spyware software" is a complete idiot.
And no, I don't store my passwords on my computer in a convenient, non-password-protected file, called herearemypasswords.txt -grin
If you build a house with no doors you might get robbed - frightening!
Install the latest service packs and updates.
Always run your antivirus, firewall, and antispyware software.
Turn off your computer when not in use.
run a high risks of data theft. No kidding! Really! Wow I would
not have known that. If you're that stupid then even if someone
proves to you that it can be done. Those people probably don't
know how to activate the security anyway. I am sure the same
can be done for Vista and probably OS 10 and Linux if given
enough time. Let's have them try it with a fully secure system
and see what happens.
If they can break a fully secure system then I will consider it a
problem.
antivirus software subscription or know how to install a free
alternative like freeav.
We all pay the price for that. Knowing that MOST people won't keep
their computer updated and secure, it's the OS manufacturer's
responsibility to create a safe and secure operating system that
requires little if any additional actions from the user. That's where
Microsoft fails miserably.
I don't mean actually cracking the computers, just rattling the door knobs. Or, is that illegal in itself?
walking in the front door.
Now I'm not sure of what I should be more wary of, the "hack", or
the executive's proclaimed fears. Or is this a yellow flag banner for
people to move over to Vista?
Just Plain Silly
by Toulinwoek
November 13, 2007 11:03 AM PST
And the Microsoft exec calls this stupid "test" enlightening? Frightening?
I can remember when Microsoft at least TRIED to hire folks with more "on the ball" than an inflation valve!
I mean, given the criteria for this laughable demonstration, I'd expect my wristwatch to be hacked in a few seconds!