Posted on 03/05/2008 8:07:51 PM PST by Swordmaker
"A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password," Asher Moses reports for The Sydney Morning Herald.
"Adam Boileau first demonstrated the hack, which affects Windows XP computers but has not yet been tested with Windows Vista, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix," Moses reports.
...
Moses continues, "Interviewed in ITRadio's Risky Business podcast, Boileau said the tool, released to the public today, could 'unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command.'"
"Boileau, a consultant with Immunity Inc., said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble,'" Moses reports. "But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website.
Looks like this could cause a bit of a problem to those who use their credit card to make online purchases, or pay their bills or do their banking online.
Are we pretending this doesn’t affect Apple, Linux, and every machine with an IEEE 1394 port (it is, after all, built into the standard)?
Also, are we pretending this isn’t old news?
Do you often do online banking with a hacker standing next to you with his Firewire plugged into your machine?
Flint, I’m so computer challenged, I belong in remedial classes. ;-)
Is this new?
The only thing new I see is an automated script.
The script was already public.
http://www.it.iitb.ac.in/~sudhir/Hacking/Win_XP_Hack.html
Saved me a major headache while repairing a pc about a year ago.
Programs like Crack have been around a long time. Don’t let strangers in your house while your gone. Often the easiest method of obtaining a password is to look under the keyboard.
OK, well to summarize:
This attack was originally published in 2005. Any machine with an IEEE 1394 (Firewire) port is vulnerable provided the hacker has a Linux machine ready (or, in one case, a malicious iPod) and physical access to your machine. The real kicker is that with physical access to a machine, other attacks are possible. It’s of very little concern (if any) to the average user, especially since not that many computers have Firewire connections.
It also has next to nothing to do with companies who design and build operating systems (regardless of whether it’s Apple or Windows) because it’s part of the Firewire standard.
Nope. In fact it's physical access to a computer that makes it vulnerable to exploits such as this. With a Mac, if you want more secure your data, encrypt your hard drive. . . and don't let malicious people get access to your computer... regardless of what OS it is running. This is probably Windows FUD...
The first thing I try is "password"... works about 20% of the time...
Now I know why I didn’t want a Firewire port when I bought my new ‘puter, LOL ...
ping...
No way. Most require a number so it is passw0rd.
ping
The thing I don’t get about articles like this is that they don’t make much sense. If you have a machine with sensitive data on it, are you going to allow unknown people unsupervised access to your machine? Chances are you have some form of security already in place to prevent that.
In the home environment, these two levels of security might not differ by much, if you trust your guests to either be honest enough, or incompetent enough, and if those whom you are guarding against are far away, over the internet.
In business environments, where all sorts of people come and go frequently, this is a substantial difference.
Huh? If the machine will boot from a cd drive, all you have to do is boot any linux live distro, and all the computers files are there for the taking.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.