Channel

Windows recovery loophole lets hackers in

Who do want to own today?

John Leyden Tue 12 Jun 2007 // 17:56 UTC

Windows Vista may be Microsoft's most secure operating system to date, but researchers are still finding some glaring loopholes for hackers to exploit. Here is the latest: all you need is a Vista Install DVD to get admin level access to a hard drive.

The loophole arises because the Command Prompt tool in Vista's System Recovery Options fails to request user name or passwords before handing over access to PCs running the operating system. The hack, discovered by security researcher Kimmo Rousku, only works locally. Physical access to a target PC is a must. Even so, the potential for mischief (such as deleting directories or copying files on targeted PCs) is enormous. Hackers don't even necessarily need to run a DVD. "It’s easy to create a bootable USB flash memory that works in a similar way," Rousku notes.

He discovered the problem during a training workshop on Vista back in February and reported it to Microsoft at the time. Since then, Microsofti has sat on the problem, according to Rousku, so he has gone public. The hack also works on machines running other versions of Vista, providing the PCs are not protected by full disc encryption.

A write-up by Rousku explains the issue in detail and suggests workarounds.

Anti-virus firm F-Secure notes that getting into PCs running Windows XP Home is also straightforward, at least in default set-ups, using a different trick. "The Administrator account password for XP Home is blank by default and is hidden in Normal Mode. But if you select F8 during boot for Safe Mode, you can access the Administrator account and have complete access to the computer," F-Secure notes. ®

Similar topics

Microsoft

Broader topics

Bill Gates

Narrower topics

Corrections Send us news

Other stories you might like

Is a lack of standards holding immersion cooling back?

There are just so many ways to deep fry your chips these days

Tobias Mann Sat 2 Jul 2022 // 16:03 UTC

Comment Liquid and immersion cooling have undergone something of a renaissance in the datacenter in recent years as components have grown ever hotter.
This trend has only accelerated over the past few months as we’ve seen a fervor of innovation and development around everything from liquid-cooled servers and components for vendors that believe the only way to cool these systems long term is to drench them in a vat of refrigerants.
Liquid and immersion cooling are by no means new technologies. They’ve had a storied history in the high-performance computing space, in systems like HPE’s Apollo, Cray, and Lenovo’s Neptune to name just a handful.

Continue reading
The App Gap and supply chains: Purism CEO on what's ahead for the Librem 5 USA

Freedoms eroded, iOS-Android duopoly under fire, chip sources questioned – it's all an opportunity for this phone

Thomas Claburn in San Francisco Sat 2 Jul 2022 // 10:07 UTC

Interview In June, Purism began shipping a privacy-focused smartphone called Librem 5 USA that runs on a version of Linux called PureOS rather than Android or iOS. As the name suggests, it's made in America – all the electronics are assembled in its Carlsbad, California facility, using as many US-fabricated parts as possible.
While past privacy-focused phones, such as Silent Circle's Android-based Blackphone failed to win much market share, the political situation is different now than it was seven years ago.
Supply-chain provenance has become more important in recent years, thanks to concerns about the national security implications of foreign-made tech gear. The Librem 5 USA comes at a cost, starting at $1,999, though there are now US government agencies willing to pay that price for homegrown hardware they can trust – and evidently tech enthusiasts, too.

Continue reading
Google location tracking to forget you were ever at that medical clinic

Plus: Cyber-mercenaries said to target legal world, backdoor found on web servers, and more

Brandon Vigliarolo Sat 2 Jul 2022 // 07:41 UTC

In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.
In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.
Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.

Continue reading

TikTok: Yes, some staff in China can access US data

We thought you guys were into this whole information hoarding thing

Thomas Claburn in San Francisco Sat 2 Jul 2022 // 00:30 UTC

TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.
"100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."
That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.

Continue reading
W3C overrules objections by Google, Mozilla to decentralized identifier spec

Oh no, he DIDn't

Thomas Claburn in San Francisco Fri 1 Jul 2022 // 21:50 UTC

The World Wide Web Consortium (W3C) has rejected Google's and Mozilla's objections to the Decentralized Identifiers (DID) proposal, clearing the way for the DID specification to be published a W3C Recommendation next month.
The two tech companies worry that the open-ended nature of the spec will promote chaos through a namespace land rush that encourages a proliferation of non-interoperable method specifications. They also have concerns about the ethics of relying on proof-of-work blockchains to handle DIDs.
The DID specification describes a way to deploy a globally unique identifier without a centralized authority (eg, Apple for Sign in with Apple) as a verifying entity.

Continue reading
Cyberattack shuts down unemployment, labor websites across the US

Software maker GSI took systems offline, affecting thousands of people in as many as 40 states

Jeff Burt Fri 1 Jul 2022 // 20:41 UTC

A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.
Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.
In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate whether GSI was hit with ransomware or some other type of malware.

Continue reading

One of the first RISC-V laptops may ship in September, has an NFT hook

A notebook with an RV SoC is cool enough. Did we really need the Web3 jargon?

Dylan Martin Fri 1 Jul 2022 // 19:59 UTC

It seems promoters of RISC-V weren't bluffing when they hinted a laptop using the open-source instruction set architecture would arrive this year.
Pre-orders opened Friday for Roma, the "industry's first native RISC-V development laptop," which is being built in Shenzen, China, by two companies called DeepComputing and Xcalibyte. And by pre-order, they really mean: register your interest.
No pricing is available right now, quantities are said to be limited, and information is sparse.

Continue reading
Crypto sleuths pin $100 million Harmony theft on Lazarus Group

Elliptic points to several indicators that suggest the North Korea-linked gang was behind the hack

Jeff Burt Fri 1 Jul 2022 // 18:11 UTC

Investigators at a blockchain analysis outfit have linked the theft of $100 million in crypto assets last week to the notorious North Korean-based cybercrime group Lazarus. The company said it had tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten funds.
Blockchain startup Harmony announced June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony's blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin, and Tether stolen.
According to blockchain analytics company Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers said is a common method used by hackers to avoid the stolen assets from being seized.

Continue reading
2050 carbon emission goals need nuclear to succeed, says International Energy Agency

Without it, $500b more in investments is needed to reach C-neutrality

Brandon Vigliarolo Fri 1 Jul 2022 // 17:29 UTC

There's more than one path to net zero emissions by 2050, but the only practical one runs straight through nuclear power, according to the International Energy Agency.
In a report [PDF] released yesterday, the IEA said worldwide nuclear power output, currently at 413GW, would need to double to 812GW by 2050 to meet carbon neutrality goals and limit global warming to 1.5°C, per its own framework.
The IEA doesn't see nuclear power as the solution to net zero emissions, though, rather a part of the transition process to preferred forms of renewable energy like wind, solar, and hydroelectric. "Building sustainable and clean energy systems will be harder, riskier, and more expensive without nuclear," the IEA said. "Nuclear power has the potential to play a significant role in helping countries to securely transition to energy systems dominated by renewables."

Continue reading
Ubuntu Unity desktop back from the dead after several years' hiatus

Thanks to Linux wunderkind Rudra Saraswat, not Canonical, this time

Liam Proven in Prague Fri 1 Jul 2022 // 16:33 UTC

Good news for especially determined fans of Ubuntu's formerly in-house desktop: there's a new version.
Unity 7.6 just appeared, although there is a more complete list of changes in the earlier announcement that it was in testing.

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs