Hacking Easy on Un-patched Windows XP with SP1
A security professional in London took just six minutes to hack a system running Windows XP that had Service Pack 1 loaded but none of the subsequent patches. At an event named Get Safe Online on November 12, 2007, officers attempting to raise computer security awareness among small and medium businesses connected a Windows XP system with Service Pack 1 to an unsecured wireless network.
The Windows PC had no anti-spyware software, anti-virus software, or firewall deployed. The challenge involved connecting to a local server and retrieving a Word file containing passwords. The planned attack took just 6 minutes to carry out and 11 minutes to download the password file.
The e-crime specialist officers of the Serious Organized Crime Agency said the demonstration was meant purely to show that an unpatched system is relatively easy to hack. It is therefore sensible to load SP2 and the current patches on the system and to run it on a secured wireless network.
During the event, Nick McGrath, head of platform strategy for Microsoft, said the demonstration was both frightening and enlightening in showing how easy it was to attack a Windows PC. But this PC had freshly arrived and was neither updated nor patched, McGrath said. Macobserver published McGrath's statement on November 13, 2007.
In the demonstration, an officer named Mick performed the hack: he connected his computer to the unsecured wireless network and broke into his fellow officer's computer, which did not have patches installed. Mick employed an open-source exploit tracking device that he obtained as an Internet download.
Using another attack device, Mick prepared a report that presented the details of the security flaws affecting the system. He then demonstrated the exploitation of one of the flaws. Armed with the attack device, Mick developed malicious code in MS-DOS and inserted a payload, so that the resulting malware exploited the vulnerability in just two minutes.
The demonstration sends a message to users that they should install the patches on Windows and Macs as soon as they are published.
SPAMfighter News - 26-11-2007