Unpatched Windows XP with SP1 Hacked in 6 Minutes
Unpatched Windows XP with SP1 Hacked in 6 Minutes
by , 1:50 PM EST, November 13th, 2007
A Windows XP system with Service Pack 1 installed, but with no subsequent patches applied, was hacked in six minutes by a security expert in London, according to C|Net on Tuesday. A Microsoft executive who watched the demonstration found himself both enlightened and fightened.
The Windows computer was not running a firewall or other anti-virus or anti-spyware software. The challenge was to connect, on a local network, and retrieve a text file of passwords. The attack was successful in six minutes and the password file downloaded in 11 minutes.
"If you were in (a cafe with Wi-Fi access), your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit at the event sponsored by the UK's Get Safe Online. SOCA is the Serious Organized Crime Agency, a UK government intelligence group.
Another SOCA representative pointed out that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it." It's sensible, he added, to have SP2 applied, with all the current patches applied, and be running on a secure wireless network.
"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said Nick McGrath, head of platform strategy for Microsoft. "But the computer was new, not updated, and not patched."
He also siad that Vista is not as "accessible to the average hacker" due to "operating system components."
TMO notes that there are likely many XP computers (and Macs) out there that users have failed to update because they haven't understood the importance or haven't gotten around to it. This demonstration is lesson for all Windows and Mac users; when the vendor publishes a patch, install it.
Observer Comments
Tue Nov 13, 2007 3:24 pm Subject: Seriously flawed research
Contrary to what this so-called expert says, since most coffee shops no longer use styrofoam, a cup of coffee can cool significant in the 11 minutes it takes to retrieve the list of passwords. Even in 5 minutes, the temperature will drop by several degrees. Frankly, I think this glaring error takes credibility from this supposed research.
If you have a new, or reinstalled, Windows installation, you *cannot* connect to the internet, or you'll be dead within minutes due to remote exploits of the default network services. Your only chance is to connect (wired!) to a NAT box or other firewall (e.g. a Mac running internet sharing) in order to run Windows Update or Microsoft Update.
You probably won't be dead in the water with Mac OS X, but it's not a bad idea to be cautious.
Tue Nov 13, 2007 4:13 pm Subject: Don't connect an unpatched system to the network!
For a new Windows installation (e.g. Boot Camp, Parallels, VMware, etc.), it's a good idea to download all of the patches (e.g. security patch rollups, etc.) in OS X *before* you install Windows. Then you can *disconnect from the network* (make sure you don't have a wired or wireless network that Windows can connect to) install Windows, and install all of the patches (e.g. from a burned CD or a flash drive) before you're dead.
It's still a good idea to run Windows Update behind a firewall, NAT box, or internet sharing, however.
I don't find this surprising at all. This was XP SP1. SP2 fixed a LOT of things. Where I used to work we didn't even deploy XP until SP2 was available. Actually I'm surprised that it took them 6 minutes. For those planning on putting XP on our Macs, however you plan on doing it, it isn't quite this bad because any XP disk you get now will be at least SP2 and often SP2 plus some patches.
That said though the idea of downloading as many patches as you can off line and installing them before you take your XP on the web is a good one. Either that or have your system behind really tight firewall.
Quotejimothy wrote:
Contrary to what this so-called expert says, since most coffee shops no longer use styrofoam, a cup of coffee can cool significant in the 11 minutes it takes to retrieve the list of passwords. Even in 5 minutes, the temperature will drop by several degrees. Frankly, I think this glaring error takes credibility from this supposed research.
Actually it depends if the coffee is black or creamed. Coffee with a creamer cools at a much slower rate according to a scientific study I saw in the "Journal of Irreproducible Results"...
QuoteGuest wrote:Quotejimothy wrote:
Contrary to what this so-called expert says, since most coffee shops no longer use styrofoam, a cup of coffee can cool significant in the 11 minutes it takes to retrieve the list of passwords. Even in 5 minutes, the temperature will drop by several degrees. Frankly, I think this glaring error takes credibility from this supposed research.
Actually it depends if the coffee is black or creamed. Coffee with a creamer cools at a much slower rate according to a scientific study I saw in the "Journal of Irreproducible Results"...
My opinion would be to try this on a Mac... by the time you finished beating your head against the table in failure your coffee would be ICE cold... and I like iced coffee best.
Mon Nov 19, 2007 6:42 pm Subject: Try updating XP without connecting to the Internet
Just how many people are going to have to reinstall XP off CD from SP1 or before, lots by my count. Almost noone is going to go out and buy new XP CD's when they have one in hand.
Some people I know have to go to the coffee shop just to get fast enough Internet to download the patches, their DSL is just not fast enough, especially after a clean install.
As far as downloading XP patches offline, great idea, but try to do it in practice, not many people can manage that task, even among the bunch of highly skilled technical people I deal with. The word was you had to install the patches in the precise order or very bad things happened.
Comments are currently closed. Please email the author instead.
Recent Headlines - Updated November 9th
- Sun, 11:59 AM
- Mac Geek Gab Podcast - MGG 226: Magic Mouse, Apple Battery Secrets, Q&A
- Sat, 7:58 PM
- News - Apple TV 3.0.1 Update Fixes Missing Content Bug
- Fri, 7:45 PM
- Rumor - Taiwan Leak Shows Verizon UTMS/CDMA iPhone for Q3 2010
- 6:40 PM
- News - iPhone Moves Into RadioShack
- 6:30 PM
- News - Apple to Open Stunning Paris Apple Store in Le Louvre on Saturday
- 5:43 PM
- Free on iTunes - Dictionary, Dictionary, Dictionary, And More
- 4:09 PM
- John Martellaro's Blog - Particle Debris (week ending 11/6) Failure IS an Option
- 3:32 PM
- Games - The Latest App Store Games: Gravity Sling, RocketBird, Ground Effect, Checkers!
- 2:25 PM
- Games - Star Soccer 2010 for Mac Puts Gamers in Role of Up-and-Coming Player
- 2:15 PM
- How-To - The Mysteries of Rosetta Housekeeping
- 1:33 PM
- News - iPhone Game Developer Sued for Collecting User’s Cell Numbers
- 1:17 PM
- Games - Warhammer Online Expands Trial Play Option
The Mac Observer Reader Specials
- TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
RamJet Memory: Mac Pro 8-core 8GB Kit $199.99, 4GB Kits $109.99! Sale on MacBook and MacBook Pro 8GB kits $549.99! New MacBook DDR3 2GB for $49.99. iMac and Mac mini 4GB Kits for $79.99! 1TB SATA Hard Drives for $109.99! Click here
OWC: Get the Right Memory / Ram for your Mac. Top Quality, Competitive Prices, Lifetime Warranty. Expert Support and Video Installation Guidies too! 4.0GB Matched Sets from $87.99, Options up to 32GB. Click here
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
