Microsoft 'frightened' by police XP hack

Microsoft 'frightened' by police XP hack

Summary: At a Get Safe Online event, Serious Organised Crime Agency officers have demonstrated how easy it is to crack into Microsoft's OS

SHARE:
TOPICS: Security
7

Microsoft has described the ease with which two officers from the UK's Serious Organised Crime Agency managed to hack into Windows XP as both "enlightening and frightening".

At a Get Safe Online event on Monday aimed at heightening security awareness among small businesses, officers connected a machine running Windows XP Service Pack 1 (SP1) to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware, and contained a sample target file of passwords to be stolen.

The Serious Organised Crime Agency (SOCA) officers, who are e-crime specialists, wished to remain anonymous. A SOCA spokesperson explained that to make covert operations easier "all SOCA officers below a certain level are anonymous, as it is not helpful to have our identities known".

One of the officers, "Mick", remained behind a screen while connecting to the unsecured wireless network and carrying out the hack into the unpatched computer of fellow officer "Andy".

"It's easy to connect to an unsecured wireless network," said Mick. "You could equate Andy with being in his bedroom, while I'm scanning for networks outside in my car. If I ordered or viewed illegal materials, it would come back to Andy."

Mick used a common, open-source exploit-finding tool he had downloaded from the internet. SOCA asked ZDNet.co.uk not to divulge the name of the tool.

"You can download attack tools from the internet, and even script kiddies can use this one," said Mick.

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialogue box. He deduced the IP address of Andy's computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them, CVE-2003-0533. This is a stack-based buffer overflow vulnerability in active directory functions which affects Microsoft Windows NT 4.0 SP6, 2000 SP2 to SP4, XP SP1, Server 2003, and NetMeeting, as well as Windows 98 and Windows Me.

Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload which would exploit the flaw within a couple of minutes. SOCA requested ZDNet.co.uk give no more details than this about how the exploit was constructed. Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy's unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

"If you were in [a cafe with Wi-Fi access], your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit.

Mick then went into the My Documents folder and, using a trivial transfer protocol, transferred the document containing passwords to his own computer. The whole process took 11 minutes.

A SOCA spokesperson said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it". While SOCA stopped short of recommending small businesses move to Vista in order to ensure security, a spokesperson for the organisation said that applying SP2 to XP, with all the patches applied, and running a secured wireless network is "a perfectly sensible way to do it".

Nick McGrath, head of platform strategy for Microsoft UK, said that the demonstration had been "frightening".

"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the [Windows] computer," said McGrath. "But the computer was new, not updated, and not patched."

McGrath said that having anti-spyware installed was not as important as having that software updated. McGrath denied that Microsoft's anti-piracy tool, Windows Genuine Advantage (WGA), which prevents non-critical updates from being downloaded from Windows Update without WGA validation, was a security issue.

Read this

Feature

Feature: Ten tips for securing borderless networks

With companies facing increasing deperimeterisation in today's world of online collaboration and remote working, protecting corporate networks can be a challenge...

Read more

"We provide critical [updates] out to the customer," McGrath told ZDNet.co.uk. "We're absolutely determined to treat security as a baseline. For live threats, we will provide updates to genuine customers who have purchased a legal copy of Windows. We need to make sure they are genuine customers, [given] genuine support."

Windows Genuine Advantage for Vista is more stringent than for Windows XP. In addition to frequent notification through pop-up dialogue boxes, and the disabling of non-critical updates, WGA on Vista also disables Windows Aero, Defender, and ReadyBoost. The user is then given a period to validate Vista, after which a good part of the operating system is disabled, and Windows reverts to "reduced functionality mode".

McGrath added that Microsoft works closely with original equipment manufacturers to encourage the pre-loading of antivirus and anti-spyware, on a 30-day trial basis. McGrath also said that SP2 for XP had a firewall, and that Vista was not as "accessible to the average hacker" due to "operating system components".

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • SOCA's XP hack

    While it may be harder to hack XP with SP2, it is still the easiest OS to break into. Average time to compromise a Windows based system is under 20 minutes, wireless or wired. Neither MAC or Linux is unhackable, but it takes longer and you can't get into everything on the unit, because they are not integrated.
    ator1940
  • Sometimes it takes a crowbar to convince the Microsofties

    I guess the MS salesman hasn't a clue that he's peddling damaged goods. If Microsoft was really serious about security, they'd offer for a small fee to people running only SP1, illegal or not, to upgrade to SP2. Call it an amnesty program for the illegals. Even though the boxes are running SP1, they still call home. Send a packet back to the transmitter and offer the amnesty or the link to the SP2 feed. Get them clean.

    When the deadline passes, send the "packet of death" to kill the IP stack and the networking software on the pirate computer when it comes up on the Internet if it hasn't updated its security. The existence of the "stealth" updates and the WGA crap tells me contrary to the PR, Microsoft CAN kill the box remotely if they want. I know using XP Embedded I can do it to our licensed XPE machines if necessary when they get stolen and no I won't tell you how to do it.

    The reality is that if Microsoft wanted to they could kill the pirates stolen boxes each time one of them decided to call home. If the hackers figure out how to protect their boxes from being hijacked and zombied then the problem has fixed itself. If they haven't and they won't upgrade to SP2, the "packet of death" can stop the botnets, box by box.

    To enforce it, use WGA in a way that makes sense. Have it respond to an encrypted string with yet another so that a "MS certified" seal or token can be stored on the system that shows the packet of death to pass by. Kind of like sheep's blood on the door lintel. They could call it Microsoft Operating System Encrypted Security, or MOSES. BillyBoy could have a Charleton Heston moment. Sorry I couldn't resist.

    Seriously, the token can use enough bits and a tight enough means of encryption to make the token reasonably secure. Enough so it will cost more to break it than its worth to the botnet master.
    Xwindowsjunkie-e92c6
  • Not all unlicensed windows copies are used by people with eye patches

    My first reaction is if you are using pirated software than you should expect to be putting yourself at risk -
    1) from the source of the pirated software as they could have embedded a nasty in there and
    2) because you can't get updates/patches

    However, I had a friend that legitimately bought a PC from an independant store (and paid way over the odds for the shoddy hardware they gave her) and the version of windows wasn't valid and so she couldn't do windows updates because of WGA. Within weeks she was riddled with spyware etc. and it ran like a dog. I cleaned it up with free tools as best I could but advised she needs to have windows updates especially service pack 2. I told her to call the store and ask them to sort it out because they shouldn't be distributing pirate copies or unlicensed windows boxes.

    She went to the store and they told her she had to pay for a legitimate copy of windows. They sold her Windows XP pro despite windows xp home and vista being available and charged her full RRP. They didn't even offer to install it for her.

    In this case the WGA caused untold problems for a novice user who hadn't deliberately used a unlicensed version of windows. However, the real baddies here are the store that sold the dodgy system. If Microsoft had done as Xwindowsjunkie said if they bricked/killed unlicensed versions of windows then it would stop stores putting them out their on unsuspecting novice users. However, this would mean that a lot of illegal users may choose to jump ship to an open source os like linux and Microsoft would much rather they continue to use a pirate copy of xp than increase the linux install base.
    david@...
  • Name and shame the store

    Thats terrible to hear that happened to someone who was completely innocent. I think you should name and shame them David.
    chrishocking@...
  • name and shame

    Wish I could. I told the friend to report them to Microsoft as they offer a reward for reporting things like this but she wouldn't and didn't give me the name of the store.

    They are obviously cowboys taking advantage of the unsuspecting. It's one of the things I hope vista will help solve -
    1) by making it harder to put a unlicensed copy on a users system and
    2) The vista experience score will expose companies that put a high speed single core processor in and then rubbish components and then just pitch the "3GHZ + processor" and make it sound like a great deal. When the vista score shows a 2.0 or below then even the novice user can see that their system isn't as powerful as the store claimed.
    david@...
  • She really needs to hammer them. She got cheated.

    The story really was relating to a system that as far as I know was totally legit. At least it wasn't a physical assault but if she can get over her own shame at being taken for a fool, she can strike a blow for all of the future victims of the store sharks. That's the only way to fix the brick and mortar pirates.

    Yes everybody in the US sues everybody else but she should take the store to small claims court at least or whatever is its equivalent in that jurisdiction. In the Houston area, filling a claim costs around $50 bucks. The Justice of the Peace usually will rule in her favor if the store sharks don't show in court or don't send a legal representative.

    Be sure that you have your facts clearly defined and simple. They sold her a computer with an illegal copy of Microsoft software and have refused to give her a rebate, or make it right. The computer doesn't work right and it cost her $XXX. Explain that because the computer operating system is pirated, Microsoft will not update the software and make it more secure from virus and worm infestations and because of that it doesn't work right. That's it. The JP doesn't give a rats a__ about copyright law but if you tell him that they sold her a computer with an illegal copy of Microsoft software that will be enough. You'll need to have a receipt from the store showing its name. Be prepared because he'll only want to spend 5 minutes on the case or even less. He may have already had a case or two connected with these scum. If the store sharks don't show, be prepared to wait and be prepared to NOT get any money back.

    Assuming you get a judgment against them, that can be reported to credit agencies and the Better Business Bureau. It can also be reported to Microsoft. They might be willing to give her a clean copy BUT don't count on it. It also gives you ammunition to protest in front of the store in the option listed below.

    If you can find other victims, you might be able to file a limited class action suit or pool resources and nail the pirates for multiple claims and get Microsoft know what's going on. They love situations like this. They put 15 to 20 stores here in Houston out of business for doing EXACTLY the same thing they did to her. Offer to send a cloned copy of the drive (on a DVD) to them and let them know where and who the store owners and/or managers are.

    In the US the BSA offers up to a $1US million (which now might only be worth a couple of Euros!) which from everything I can tell has never been awarded. However if you go in with her and scare the SOB's maybe they'll at least cough up a full refund. Just make sure that the hard drive goes back wiped so none of her private data can get tagged as evidence. Even better, replace the drive with an new identical copy of the drive but leave it blank and leave it disconnected to power and tell them why you did.

    The simplest (and cheapest) way is to protest how they treated her. If walking around with a sign complaining about how she got taken is possible, that will prevent her from having to walk back inside the pirate's den. It will also make them come out and try to get her to stop. She needs to make them come outside the store to deal with her. Do not go back inside the store. DO NOT ENTER THE STORE. This is REALLY important. Depending on local laws, if you enter the store with no intention to shop, you can be charged with trespassing. Stay off the store property.

    If they intend to stay in business, they will be very worried about people walking around telling other potential customers how she got cheated. If they don't come out to talk to her or the group, they may already know they are in trouble.

    Have 3 or 4 friends there with her and with signs to back her up. Everybody stays off the property. You might not get anything refunded BUT if you do it enough they will either capitulate or close up shop. If you can get them to close their doors for 3 or 4 days they've probably lost more mon
    Xwindowsjunkie-e92c6
  • watchdog needed

    I had the same reaction as you. In this country (UK) laws are different but I am sure there is something similar that could have been done and at very least kicked up a stink.

    Unfortunately, she hates confrontation and gave up. Despite ipgrasing ths graphics card, ram and re-installing legit windows it still ran like something frim the 80s. She decided to cut her losses and gave the sysrem away. She since bought a laptop from elsewhere.

    What makes me want to cry is for the price she paid for that junk and the upgrades she could of had a Dell XPS with legit windows and proper support.

    I'm all for protesting when stores sting the innocent and would love to see a IT watchdog people could go to when they are not brave enough to face confrontation.

    If Microsoft bricked the pirate systems maybe she would have been more inclined to have complained.
    david@...