Hacking finds holes, and it's an important activity against a system like Windows NT. One can find fame and even fortune by successfully breaking a target of this prominence. Hacks are inevitably over-hyped, but eventually a consensus develops on the various Internet-based forums. If the claim is valid, Microsoft (who's quite sensitive to security issues these days) invariably issues a prompt fix. This is a healthy process. Any commercial operating system the size and scope of Windows NT has security bugs, probably many of them. Hacking is one of the ways to expose them. And it's such great fun!
Two recent examples illustrate this process. The "PW Crack" attack claimed to easily decode user passwords on Windows NT. Briefly, Windows NT runs each password through a one-way transformation, called hashing, and stores the result locally. It uses two hashes. The first algorithm has always been public; the other was only recently exposed. Even so, the hashed passwords are stored in the Registry, where only highly privileged users and programs can read them. If one can read a hashed password, one can mount a brute-force attack: take a long list of possible user passwords, hash them one by one, and compare each result to the captured hash. When you get a match you know the password. Given that most user passwords are cryptographically quite short, this is a relatively easy task.
The downside of this claim is that one must get past the Registry ACLs to read the hashed passwords in the first place. No system, including Windows NT, can remain secure when its items are not properly protected. But the surprising value of this attack is that the community realized that certain copies of the Registry data holding the hashed passwords might easily become exposed to the general public. For example, when you build an Emergency Repair Disk, Windows NT may store a copy of these hashed passwords unprotected in the file tree and on the floppy disk. Forewarned of this possibility, administrators can take appropriate precautions.
There is another security issue related to this attack. Although Windows NT does not encrypt network traffic, it does not pass cleartext passwords across the network; instead it uses a "challenge-response" authentication protocol. However, it has two formats for this protocol. The older one (no longer necessary for Windows NT, but required to support older systems like Windows) has some weaknesses that make it easier for a network eavesdropper to mount brute-force attacks against user passwords. In short, if you need to keep the older mode active, users need longer passwords to get the same protection the newer format affords.
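The two preceding paragraphs describe the same underlying mechanism from two angles: a stored hash lets a reader verify password guesses offline, and a captured challenge-response pair lets an eavesdropper do the same, so password length decides the cost either way. The following is an added example written for this page, not code from the original article and not the Windows NT algorithms. It uses a toy scheme built from SHA-256 and HMAC (an assumption, chosen only to illustrate the structure) to show both sides of a challenge-response exchange, why the password never crosses the wire, why a captured pair still permits offline guessing against a constructed word list, and how the guess space grows with password length.

```python
import hashlib
import hmac
import os

# Toy one-way hash of the password. Constructed for this example; it is NOT
# either of the Windows NT password hashes described in the article.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


# Server side of the exchange: a fresh random challenge per logon attempt.
def make_challenge() -> bytes:
    return os.urandom(16)


# Client side: prove knowledge of the password by keying a MAC over the
# challenge with the password hash. Only this MAC goes on the wire.
def client_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


# Server side: recompute the MAC from the stored hash and compare in constant time.
def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# What an eavesdropper who captured (challenge, response) can do offline:
# hash each candidate, recompute the response, and look for a match. This is
# the brute-force step the article describes, so the cost is set entirely by
# how many candidates must be tried.
def offline_guess_from_capture(challenge: bytes, response: bytes, wordlist):
    for word in wordlist:
        if hmac.compare_digest(client_response(word, challenge), response):
            return word
    return None


# Size of the guess space for a given alphabet and length.
def keyspace(charset_size: int, length: int) -> int:
    return charset_size ** length


# Worst-case time to exhaust that space at a given guess rate (guesses/second,
# a constructed figure supplied by the caller).
def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: int) -> float:
    return keyspace(charset_size, length) / guesses_per_second


def demo():
    # Constructed sample: a short dictionary word versus a longer passphrase.
    wordlist = ["winter", "spring", "summer", "autumn"]
    challenge = make_challenge()

    stored = password_hash("summer")
    resp = client_response("summer", challenge)
    assert server_verify(stored, challenge, resp)

    # The short word falls to the constructed list; the long passphrase does not.
    short_hit = offline_guess_from_capture(challenge, resp, wordlist)
    long_resp = client_response("correct horse battery staple 1997", challenge)
    long_hit = offline_guess_from_capture(challenge, long_resp, wordlist)
    return short_hit, long_hit


if __name__ == "__main__":
    print(demo())
    # Guess space for 6 versus 12 lowercase characters, at an assumed 1e6 guesses/s.
    for n in (6, 12):
        print(n, keyspace(26, n), seconds_to_exhaust(26, n, 10**6))
```

The exchange itself leaks no password and no hash, which is the property the article credits to challenge-response. The defender's takeaway is that the captured pair still serves as an offline oracle, so the protocol's strength against an eavesdropper is bounded by the size of the password's guess space; a weaker legacy format only lowers the cost per guess, which is why the article's advice is longer passwords wherever the older mode must stay on.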
The more significant "Red Button" attack showed that one can create a remote logon session without knowing a name and password. This directly contradicts the basic Windows NT authentication policy we described earlier in this article. The attack obtains unauthenticated "Everyone" access to remote Registries, and who knows what else. This clearly needed to be fixed, but better found now than later.
My advice here is to keep your ear to the ground. Microsoft vigorously tracks these hacks, and monitoring its Web site serves you well (http://www.microsoft.com/security).