NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0425 Unlock Windows Computers Without Password:
A security consultant based in New Zealand has released a tool that can unlock Windows
computers in seconds without the need for a password. Security consultant Adam Boileau
said the tool, released to the public on 4 March, could "unlock locked Windows machines
or login without a password ... merely by plugging in your Firewire cable and running a
command." The tool has been shown to work on computers running Windows XP but has not
yet been tested with Windows VISTA. To use the tool, hackers must connect a Linux-based
computer to a Firewire port on the target machine. The machine is then tricked into
allowing the attacking computer to have read and write access to its memory, which in turn
allows it to modify Windows' password protection code and render it ineffective.
Paul Ducklin, head of technology for security firm Sophos, said the
security hole was not a vulnerability in the traditional sense, because the ability
to use the Firewire port to access a computer's memory was actually a feature of
Firewire. "If you have a Firewire port, disable it when you aren't using
it," Ducklin said.
(www.smh.com.au 04MAR08)