http://www.wired.com/news/infostructure/0,1377,57739,00.html
By Michelle Delio
Feb. 20, 2003

A significant security flaw was discovered in Microsoft software this week, but this time Microsoft isn't to blame. Well, not completely.

The most recent security problem uncovered in a Microsoft product is a genuine threat, security experts say, but it isn't a problem particular to the Windows XP operating system.

The producers of the Brian's Buzz on Windows newsletter discovered that booting an XP system off a Windows 2000 CD allows the user to start the Windows 2000 Recovery Console, a troubleshooting program. Once the Recovery Console is running, the computer's uninvited guest has complete access to the contents of the computer without ever having to enter a password.

The intruder can also gain access to any other user accounts present on the XP machine, again sans password, and can copy files from the hard drive onto removable media, an activity that is not allowed under Windows 2000, even when a presumably legitimate administrator is using the Recovery Console.

But this same basic problem applies to many operating systems, including non-Microsoft systems. Once someone with bad intentions gets his hands on a computer, precious few technical safeguards will keep him from having his way with that machine.

"People assume that logging in with a password protects the contents of their computer," said network security consultant Mike Sweeny of PacketAttack. "Good passwords are important, but they are not a complete defense, especially when someone can get his hands on your machine. An operating system password, at least on most systems, can be reset in about five minutes."

Jim Cullinan, lead product manager for Microsoft Windows Desktop, agreed that the most technically guarded computer is at risk if a would-be attacker can physically tap its keyboard.
"The problem (with the XP/2000 boot issue) is that an attacker has gained complete physical control of a machine, and then booted that machine using an operating system other than the one that is controlling access to the files on the system," Cullinan said. "In this case the attacker used a Windows 2000 recovery console disk, but the attack could as easily have been accomplished with a disk that contained another operating system. As long as the attacker has physical control of the machine, he or she has the power to launch any operating system of his or her choice."

Still, said security experts, the access afforded to attackers or snoops who manage to boot up a Windows XP system with a Windows 2000 CD is troubling.

"Any way you slice it, if you're smart enough and have physical access to the system you can bypass most types of security," said Ken Pfeil, a security consultant at Avaya. "But a slip-up like this just makes it all the more trivial to completely circumvent XP's existing security mechanisms."

In addition to taking obvious physical security measures -- such as not leaving computers unsupervised or unprotected -- Microsoft's Cullinan recommended using BIOS passwords, which can prevent an unauthorized person from booting a system. Cullinan also suggested disabling the ability to boot from a CD or floppy at the BIOS level.

But some systems administrators, faced with ever-dwindling staffs, are loath to take this step. Many rely on being able to quickly fix, or at least start up, ailing machines by booting off a system disk.

"I just messenger over a boot disk to executives who have messed up their machines by downloading yet another cute desktop add-on," said Vince Puliafico, a systems manager for a Manhattan advertising firm. "Now that the word is out, I'll have to disable diskette boot, which sucks because it made my life easier."
Cullinan also advised using Syskey (a Windows utility that encrypts stored passwords) with an offline password to prevent the Windows operating system from being launched by an unauthorized person. And XP's encrypting file system can prevent unauthorized access to file contents even if an attacker gains unrestricted access to the machine and disk drives, Cullinan said.

But, Pfeil warned, "under the right circumstances even the encrypting file system won't help you."

"If the system is a member of a workgroup and not a domain, you can just change the user's password that the file was encrypted under," Pfeil said. "Then you can log on as that user having access to the encrypted file."

Pfeil said disabling a computer's ability to boot from other media and password-protecting the BIOS are the only ways to mitigate the problem.

Sweeny also advised encoding the entire hard drive with a strong encryption utility.

"My XP laptop has a 1,024-bit-level encryption," he said. "It's the very first thing that boots and requires a password to decrypt it on the fly. If you try to boot off a CD all you get is gibberish."

- ISN is currently hosted by Attrition.org
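The three mitigations the article weighs against physical access (domain rather than workgroup membership so that a local password reset does not expose EFS files, per-file EFS encryption, and encrypting the whole drive) can be audited from the machine itself. The PowerShell script below is an added example written for this reposting; it is not part of the Wired article and not a Microsoft tool. It assumes a current Windows host run from an elevated prompt, uses BitLocker as an assumed stand-in for the unnamed full-disk encryption utility Sweeny describes, and treats the folder list in $ScanRoots as constructed input.

```powershell
# Added example (not from the article): report which physical-access
# mitigations are in place on this machine.
# Assumptions: Windows 8 / Server 2012 or later, elevated prompt, and the
# optional BitLocker PowerShell module for the full-disk-encryption check.

# Constructed input: folders to scan for EFS-encrypted files.
$ScanRoots = @("$env:USERPROFILE\Documents")

function Get-PhysicalAccessAudit {
    param([string[]] $Roots = $ScanRoots)

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 1. Pfeil's caveat: on a workgroup machine an administrator can reset the
    #    password of the account that encrypted a file; domain membership is
    #    the article's dividing line, so record it.
    $domainJoined = [bool] $cs.PartOfDomain

    # 2. Cullinan's advice: EFS keeps file contents unreadable when the disk is
    #    read from another operating system. Count encrypted files under the
    #    scan roots using the file-attribute flag NTFS sets for EFS.
    $efsFiles = foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) }
        }
    }

    # 3. Sweeny's advice: encrypt the whole drive so booting from a CD yields
    #    only ciphertext. BitLocker is assumed here as the built-in equivalent;
    #    $fde stays $null when the BitLocker tooling is not installed.
    $osDrive = $env:SystemDrive
    $fde = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
        if ($vol) {
            $fde = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
        }
    }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        DomainJoined       = $domainJoined
        EfsFileCount       = @($efsFiles).Count
        EfsOnWorkgroupRisk = (-not $domainJoined) -and (@($efsFiles).Count -gt 0)
        SystemDriveFdeOn   = $fde
    }
}

$audit = Get-PhysicalAccessAudit
$audit | Format-List

# Findings a defender would act on, phrased in the article's terms.
if ($audit.EfsOnWorkgroupRisk) {
    Write-Warning "EFS files found on a workgroup machine: a local password reset, not only disk access, is the risk to consider."
}
if ($audit.SystemDriveFdeOn -ne $true) {
    Write-Warning "System drive is not fully encrypted (or BitLocker tooling is absent): data is readable when booted from other media."
}
```

The script reports rather than remediates: BIOS passwords and boot-order restrictions, which both Cullinan and Pfeil put first, live in firmware settings that no in-OS check can reliably confirm, so the output is best read alongside a physical inspection of the boot configuration.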
This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 05:18:10 PST