lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 14 May 2009 12:25:57 -0400
From: Michael Scheidell <scheidell@...nap.net>
To: bugtraq@...urityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Asus notebook



Susan Bradley wrote:
> I don't mean to be rude but you do realize that all XP OEMs ship in 
> this manner?  So rather than asking everyone to help you investigate, 
> just list all OEM vendors that still ship XP builds and it might be 
> more efficient for you.
>
> Otherwise this is very much not anything different then when someone 
> else years and years ago said that IBM laptops or Dell computers were 
> shipped in this manner and a basic law of computer security.
im the years and years ago..  maybe.

Dell's response was to ask me for my serial number.
IBM fixed it.

my biggest compliant was that XP pro (non OEM) asked you to set a 
password.  XP pro (OEM) didn't.
In fact, if you were smart enough to figure out how to set the local 
admin password, it would in fact warn you NOT to, telling you that if 
you did you were likely to lose data.


www.secnap.com/press-room/first-alerts/ibm-windows-xp.html
www.secnap.com/press-room/first-alerts/vulnerability-in-dell-oem-xp-install.html


but, as you said, most XP OEM's do ship this way, for whatever reason.

network access to them is restricted, as you said, and once you do get 
physical access, password or not, the guy trying to install a keystroke 
logger when you are on a biobreak just needs a linux password reset boot 
disk.

Its easy enough to fix (IBM did it) but seems IBM was the only company 
that saw this very easy fix something they wanted to do.

(its a flag in the sysinstall ini files.. its just a flag that needs to 
be set)


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ