HEADDESK

Here’s a blatantly stupid piece of advice: “Set a Blank Password in Windows XP to Protect the Computer from Internet Attacks”.

The reasoning goes like this: Windows doesn’t allow accounts without a password to log in remotely. Ergo, no password is better than a weak password because the account can’t be used to log in remotely. Hey, Microsoft recommends it!

Okay, the level of idiocy here qualifies as Epic Fail. First of all, this statement is untrue: “You have to be physically in front of the computer in order to get in.”

No, you don’t. You just need to get someone who is physically at the computer to open some file that will execute as another user (by, say, sending them a Word document with an embedded macro that will attempt to run as Administrator, with no password). This is a pretty trivial social engineering attack; millions of people fall for similar tricks all the time. Drop a USB key with an autorun macro that will run as Administrator, and someone will pick it up and stick it in their machine. Free USB stick!
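The remote-logon restriction the advice leans on is a single LSA policy (“Limit local account use of blank passwords to console logon only”), and it says nothing about what a file opened at the console can do. The audit below is an added example, not from the original post, for a modern Windows box; it assumes the Microsoft.PowerShell.LocalAccounts module is available and that you can read HKLM.

```powershell
# Added audit example (not code from the original post).
# Assumes Windows PowerShell 5.1+ with the LocalAccounts module and rights to read HKLM.
# LimitBlankPasswordUse is the real LSA value behind the "console logon only" policy:
# 1 = blank-password accounts may only log on at the console, 0 = they may also log on over the network.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$limit = (Get-ItemProperty -Path $lsaPath -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse

if ($limit -eq 1) {
    Write-Output 'LimitBlankPasswordUse = 1: blank-password accounts are blocked from network logon only.'
    Write-Output 'Interactive logon (and anything a user runs at the console) is still allowed for them.'
} else {
    Write-Warning "LimitBlankPasswordUse = $limit (expected 1): blank-password accounts are usable for network logon too."
}

# Flag enabled local accounts whose "password not required" flag is set.
# Caveat: PasswordRequired mirrors the account flag, not whether the current password is literally empty;
# the real fix is a non-blank password on every enabled account, Administrator included.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object {
        Write-Warning "Local account '$($_.Name)' is enabled and does not require a password."
    }
```

Run it in an elevated session; a clean result is the policy at 1 and no accounts listed, and even then the only real protection against the macro scenario above is a password on the account.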

I could go on, but I’m too busy pounding my head against my desk.


Posted March 6, 2008 by padraic2112 in security
