Microsoft exec calls XP hack 'frightening'
By Tom Espiner
Special to CNET News.com
Published: November 13, 2007, 6:56 AM PST
A Microsoft executive calls the ease with which two British e-crime specialists managed to hack into a Windows XP computer as both "enlightening and frightening."
The demonstration took place Monday at an event sponsored by Get Safe Online--a joint initiative of the U.K. government and industry. At the event, which was aimed at heightening security awareness among small businesses, two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software and contained a sample target file of passwords to be stolen.
The SOCA officials wished to remain anonymous. One of them, "Mick," remained behind a screen while carrying out the hack into the unpatched computer of a fellow officer, "Andy."
"It's easy to connect to an unsecured wireless network," said Mick. "You could equate Andy with being in his bedroom, while I'm scanning for networks outside in my car. If I ordered or viewed illegal materials, it would come back to Andy."
Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.
"You can download attack tools from the Internet, and even script kiddies can use this one," said Mick.
Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box. He deduced the IP address of Andy's computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.
Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them. Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes.
Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy's unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.
"If you were in (a cafe with Wi-Fi access), your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit.
Mick then went into the My Documents folder and, using a trivial transfer protocol, transferred the document containing passwords to his own computer. The whole process took 11 minutes.
A SOCA representative said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it."
SOCA stopped short of recommending small businesses move to Vista; a SOCA representative said that applying Service Pack 2 to XP, with all the patches applied, and running a secured wireless network is a "perfectly sensible way to do it."
Nick McGrath, head of platform strategy for Microsoft U.K., was surprised by the incident.
"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said McGrath. "But the computer was new, not updated, and not patched."
McGrath said that having anti-spyware installed was not as important as having the software updated. He added that Microsoft works closely with original equipment manufacturers to encourage the preloading of antivirus and anti-spyware on a 30-day trial basis. McGrath also said that Service Pack 2 for XP had a firewall and that Vista was not as "accessible to the average hacker" due to "operating system components."
Tom Espiner of ZDNet UK reported from London.