logo

  •   Submit to to del.icio.us   Submit to to digg   submit to to reddit   submit to to StumbleUpon   submit to to Google   Submit to to Yahoo!

Category: news | Posted by Avatar Staff 308 days ago
Via: http://lists.jammed.com | Tags: isn hack windows pc password needed comments Discuss  


http://www.theage.com.au/news/security/hack-into-a-windows-pc-no-password-needed/2008/03/04/1204402423638.html



By Asher Moses

The Age

March 4, 2008



A security consultant based in New Zealand has released a tool that can

unlock Windows computers in seconds without the need for a password.



Adam Boileau first demonstrated the hack, which affects Windows XP

computers but has not yet been tested with Windows Vista, at a security

conference in Sydney in 2006, but Microsoft has yet to develop a fix.



Interviewed in ITRadio's Risky Business podcast, Boileau said the tool,

released to the public today, could "unlock locked Windows machines or

login without a password ... merely by plugging in your Firewire cable

and running a command".



Boileau, a consultant with Immunity Inc., said he did not release the

tool publicly in 2006 because "Microsoft was a little cagey about

exactly whether Firewire memory access was a real security issue or not

and we didn't want to cause any real trouble".



But now that a couple of years have passed and the issue has not

resolved, Boileau decided to release the tool on his website.



To use the tool, hackers must connect a Linux-based computer to a

Firewire port on the target machine. The machine is then tricked into

allowing the attacking computer to have read and write access to its

memory.



With full access to the memory, the tool can then modify Windows'

password protection code, which is stored there, and render it

ineffective.



Older desktop computers do not come equipped with Firewire ports, which

are needed for the hack to work, but many recent models do. Most laptops

made in the last few years include Firewire ports.



Paul Ducklin, head of technology for security firm Sophos, said the

security hole found by Boileau was not a vulnerability or bug in the

traditional sense, because the ability to use the Firewire port to

access a computer's memory was actually a feature of Firewire.



"If you have a Firewire port, disable it when you aren't using it,"

Ducklin said.



"That way, if someone does plug into your port unexpectedly, your side

of the Firewire link is dead, so they can't interact with your PC,

legitimately or otherwise."



Ducklin also advised people to be careful when giving others physical

access to their computer.



"I know people who'd think three times about asking passing strangers to

take their photo in front of the Opera House in case they did a runner

with the camera, yet who are much more casual with their laptop PC, as

long as it's software-locked, even though the hardware alone is worth

five times as much as the camera," he said.



Microsoft was unavailable for comment at the time of publication.





___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn





addto Add this link to... report Bury 


Comments Who Voted Related Links
Copyright 2005-2008 Best of Security