Monday, January 21, 2008

How long could Vista's defence last? - 5 min

Yes, if you need to break into Windows Vista, all you need is 5 minutes. That's how long it took me to manipulate Vista user accounts and set their passwords to blank, from outside Windows Vista. No, I am not a hacker, nor do I have an IQ level equal to Einstein's, and indeed that's the most surprising part: a kid with some expertise in searching Google can easily do this.

What if you forget your Vista password?

Last weekend my friend contacted me for some help. His son had changed his Windows Vista password and forgotten it. He asked me if there was some way to restore it. My flat answer was 'No', and that if there really were some way to hack it, then it was going to be like climbing Mount Everest for a non-hacker.
I was confident that 'there must be no easy way' because I know how much noise Microsoft now makes when it comes to security. I told him that Microsoft is now really serious about security and that they must have implemented some rock-solid security (at least for some to-be-hacker). But my friend insisted that I try something, so I agreed and took his laptop for some weekend exploration (something that I had abandoned for some time: fixing friends'/relatives' machines).

Microsoft is serious about security, hmmm, really?

To be honest, whatever happened on the weekend left me scratching my head: 'Is Microsoft really serious about security?' I am not going to explain exactly what I did to break into Vista (so that this blog does not become a first-step guide for to-be-hackers), but I will describe it briefly.

So what did I do exactly?

In order to break into Vista, an external program (found through Google with a step-by-step guide, and not at some hackers' heaven) that knows how to access the NTFS file system can easily give you access to all Windows accounts and let you set all the properties that you could set through the Windows GUI. So not only did I manage to reset the user accounts' passwords, but I also enabled the Administrator account with a blank password (which is disabled by default in Windows). The whole process was completed within 5 minutes, and when I restarted the laptop I had access to all Windows accounts, right in front of me, with blank passwords.


Without going into a debate about how it was possible, I am more interested in thinking about what that could mean. I am really concerned about the security of personal data on PCs, particularly laptops. As with others, my own laptop is full of personal data, from credit card details to eBay accounts.
Now I can't rely on Windows userid/pwd security anymore. A hacker with such a program on a disk, like the one I used, can easily break any Windows security (even Windows 2003) within minutes. Now I either use some specialised software to protect my data or explore what other advanced options are available within Windows (hard to trust now).

So if I am right in my conclusions, you'd better watch your back when it comes to PC security.