#98537 - 2003-02-18 11:22 AM Oops - MS security issue
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
http://briansbuzz.com/w/030213/

[Eek!]

I normally refrain from commenting on things like this, but this is indeed a serious issue.

[ 18. February 2003, 11:22: Message edited by: masken ]
_________________________
The tart is out there

#98538 - 2003-02-18 11:24 AM Re: Oops - MS security issue
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Rofl !!!

Good Job MS [Roll Eyes]

#98539 - 2003-02-18 03:02 PM Re: Oops - MS security issue
MCA Offline
KiX Supporter
*****

Registered: 2000-04-28
Posts: 5152
Loc: Netherlands, EU
Dear,

To prevent the loss of this information we make a copy of it.

--------------------------------------------------------------------------------
FEB. 13, 2003 - Issue 1

Thanks for signing up to receive the information in Brian's Buzz on Windows.
This monthly newsletter is one of the two new projects I mentioned recently
in InfoWorld. The other is WinFind, which is described below in my Windows
Gizmos section.

XP passwords rendered useless

By Brian Livingston

Windows XP, which has been marketed by Microsoft as "the most secure version ever,"
has been found to have a flaw so bone-headed that it renders passwords ineffective
as a means of keeping people out of your PC.

Reader Tony DeMartino alerted me to the problem, which all administrators of Windows
XP machines should immediately take to heart:
  • Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows
    2000 Recovery Console, a troubleshooting program.
  • Windows XP then allows the visitor to operate as Administrator without a password,
    even if the Administrator account has a strong password.
  • The visitor can also operate in any of the other user accounts that may be present
    on the XP machine, even if those accounts have passwords.
  • Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other
    removable media - something even an Administrator is normally prevented from doing when
    using the Recovery Console.
This problem is unrelated to a feature of XP that allows an Administrator to set up automatic
logon when the Recovery Console is used. Even without the Registry entry that enables
this, XP is vulnerable. (For info on that feature, see support.microsoft.com/?scid=kb;en-us;312149.)
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without
a password, if one previously existed.

I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an
official response. There's no Knowledge Base article about it, and there may not even be a
good solution to the problem.

When I've spoken with Microsoft security pros about similar problems in the past, they've
referred me to a company policy that says, "If a bad guy has unrestricted physical access
to your computer, it's not your computer anymore."

That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with
an old CD to get password-free access, and Windows XP does.

My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door
or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one
more thing for the good guys to protect against.
--------------------------------------------------------------------------------

greetings.

[ 20. February 2003, 04:03: Message edited by: MCA ]

#98540 - 2003-02-18 11:29 PM Re: Oops - MS security issue
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Not sure what the fuss is all about. Similar ways to access an NTFS filesystem have been around for years. The only secure way is an encrypted filesystem. I am pretty sure that I can also access Linux/Unix filesystems with the right tool in the same way, namely with a filesystem driver that doesn't really care about the filesystem security.
_________________________
There are two types of vessels, submarines and targets.

#98541 - 2003-02-18 11:49 PM Re: Oops - MS security issue
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
That's true Jens but the seller of the Linux system will not sell to everyone the key to open the system they just sold. Unfortunately, I believe MS is myopic about security. I believe their primary definition of security is if the user is using MS software trust them but if they are using anyone else’s software don’t trust them.

Also, MS has over-hyped the security of their systems. Yes it is not any worse than Linux or Unix but it isn’t much better either.

[ 18. February 2003, 23:52: Message edited by: Jack Lothian ]
_________________________
Jack

#98542 - 2003-02-19 01:47 AM Re: Oops - MS security issue
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
lol, oh boys.

try to crack my linux system when at physical access like you can do with wintosh... no way.

this is problem of M$ indeed and shows that my policy to unsupport XP at all is correct.
shit is shit.
_________________________
!

#98543 - 2003-02-19 02:20 AM Re: Oops - MS security issue
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
without physical security.....

a cisco router is the same way (most of the time, unless you really want to take the chance of turning it into a dinner tray).

#98544 - 2003-02-19 02:32 AM Re: Oops - MS security issue
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
does this include files that have been encrypted using the cipher command?
#98545 - 2003-02-19 02:35 AM Re: Oops - MS security issue
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Well a Cisco router is expected to be in a secure location. Not so for a laptop.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#98546 - 2003-02-20 04:03 AM Re: Oops - MS security issue
MCA Offline
KiX Supporter
*****

Registered: 2000-04-28
Posts: 5152
Loc: Netherlands, EU
Dear,

The big difference with other Windows NTFS versions was that you need to buy
a third-party tool to manipulate those NTFS partitions.
Also, it doesn't mean you always get full access.

The way it can be done in the above description is very surprising. Surprising
that MS doesn't verify how their NTFS filesystem can be hacked with
known products at that moment. It is more surprising when it can be
done with one of their own products.

Of course all kinds of tools are circulating on the internet. Legal or
illegal.
Of course it isn't very nice when someone is hacking your computer.
Of course in a lot of countries it is punishable by law.
Of course people sometimes make it very easy, e.g. an easy-to-guess
user/password, or in the worst case a simple note on the computer about
that combination.

More important is: any computer contains in one way or another personal
information, and you don't like it at all when someone is reading that
data without your knowledge or your permission.

We suggest that everybody install some software such as PGP to make
your data nearly unbreakable for others. Encryption/decryption can
be done transparently with some of those tools.
Another suggestion is to keep very, very personal data on floppy or CD
and store it in another place.

We agree with Lonkero that supporting XP can be a hard thing.
Not because of normal usage, but because of bad security.
Of course it doesn't mean other operating systems are more secure.
Other systems aren't very common at home.
You see the same problems between e.g. Outlook and other mail systems.
Outlook is the biggest distributor of virus-infected files.
greetings.

#98547 - 2003-02-20 06:40 AM Re: Oops - MS security issue
Jack Lothian Offline
MM club member
*****

Registered: 1999-10-22
Posts: 1169
Loc: Ottawa,Ontario, Canada
MCA,

With NT you don't need a third party utility. All you need is any NT CD, even an evaluation copy will do plus you can use a workstation CD to break into a server. Just use the CD to install an independent second version of NT. This second version can access, change, overwrite, or whatever the original version. You can even edit the registry of the original version from the secondary version. Using this registry editing technique you can force the execution of a system job on the original version that resets the admin password for you. At the end of the process you totally control the original NT machine.

Cracking an NT machine is a joke. Even a very inexperienced hacker can do it if they have physical possession of the machine for 15 minutes or more.

As I said before, MS sells the keys to break into your system to everyone.

Another thought for you. Outlook is dangerous because many other types of MS software trust it. It is my belief that things like VBA & COM & other cross linking of MS software are inherently more dangerous than interactions between two independent systems. Once you get your hooks into any MS app there tends to be doors into other MS apps. I think we have only seen the tip of the iceberg concerning MS security lapses.

[ 20. February 2003, 06:58: Message edited by: Jack Lothian ]
_________________________
Jack

#98548 - 2003-02-21 01:33 PM Re: Oops - MS security issue
Ruud van Velsen Moderator Offline
Developer
*****

Registered: 1999-05-06
Posts: 391
Loc: Amsterdam, The Netherlands
This really gets down to the infamous "Ten Immutable Laws of Security":
(http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp)

And of course:

"The Ten Immutable Laws of Security Administration"
(http://www.microsoft.com/technet/columns/security/essays/10salaws.asp)

Note that these laws were not invented by or for a specific vendor or product, and have been in effect since the beginning of time. Well, computer-time at least.

Also note this article:

"XP Hole Plagues All Similar Apps"
(http://www.wired.com/news/infostructure/0,1377,57739,00.html)

Ruud
