Secure your notebook from the casual hacker (or: how to hack into the laptops of clueless owners)

I recently got my hands on three laptops (off-topic: including my own, that made it 4 in a room – was a real geek trip that I should have taken some pics of) and I managed to hack into every one but one without much pain. This is a short lesson on what you should do to protect your laptop from anybody prying non-seriously, and also some tricks to get into a secured-looking Windows notebook.

The first roadblock any hacker faces is access. Don’t leave your notebook lying around. If you do pass it to your friends, leave your sensitive data in a locked account and do not accord administrator privileges to your guests. In Windows, the protection mechanism revolves around user accounts. User accounts in Win XP can be “Limited” or “Full”. For any non-trivial use, the limited account is crap, because it doesn’t allow you to install programs or do fun stuff. Full translates into complete access – there’s no middle route. (Actually there are more user roles – though the problem remains – and anyways, configuring it is not easy for an average user.)

So when you do create a password, choose one not easily guessable and one which has numbers and weird letter combos. The really silly security hole that all new laptops seem to face is the blank “Administrator” password fiasco. There exists, in every Windows installation, a “super user” called Administrator. The friendly blue welcome screen in Win XP masks this user, so you won’t (usually) see that in there. Ironically, in almost all notebooks I’ve encountered – Acer, Compaq/HP, IBM… the default Administrator password is blank. By simply tapping Del twice while holding Ctrl + Alt, I’m faced with the traditional login dialog box, where I simply type in “Administrator” at the username box and press Enter. Wham! Full access. Some HP/Compaq notebooks lock the Administrator account in a normal Windows boot, but you can boot into Safe Mode (F8 at startup, select Safe Mode) and overcome that limitation.

The solution? Log in as Administrator using one of the methods above and create a password.
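The fix above, as an added example that is not from the original post, written for Windows PowerShell at an elevated prompt. It finds the built-in Administrator by its well-known SID suffix (so it still works if the account is renamed or hidden from the Welcome screen), lists which local accounts Windows allows to go without a password, and prompts for a new one. The minimum length of 8 is an illustrative value, not something the post specifies.

```powershell
# Added example: audit local accounts and put a password on the built-in
# Administrator. Assumes Windows PowerShell, run as an administrator.

# Win32_UserAccount exposes SID, Disabled and PasswordRequired per account.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

# The built-in Administrator always has a SID ending in -500, whatever its name.
$isBuiltIn = { $_.SID -like 'S-1-5-21-*-500' }

# BlankAllowed means Windows will accept an empty password for the account.
# It does not prove the password is empty, and an account that shows False
# can still have a blank password if the minimum length policy is 0.
$accounts |
    Select-Object Name,
        @{ Name = 'BuiltInAdmin'; Expression = $isBuiltIn },
        @{ Name = 'Disabled';     Expression = { $_.Disabled } },
        @{ Name = 'BlankAllowed'; Expression = { -not $_.PasswordRequired } } |
    Sort-Object BuiltInAdmin -Descending |
    Format-Table -AutoSize

$admin = $accounts | Where-Object $isBuiltIn
if (-not $admin) {
    Write-Warning 'No local account with a SID ending in -500 was found.'
    return
}

# Refuse empty passwords from now on (8 is an example value).
net accounts /minpwlen:8

# '*' makes net.exe prompt for the new password without echoing it, so the
# password never appears on screen or in command history.
net user "$($admin.Name)" '*'
```

Setting the password also covers the Safe Mode case, since the same account is the one offered there.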

The one notebook I failed to even scratch had a BIOS password set. The clever lady who was the owner had stumbled on the perfecto mechanism for dissuading a casual hacker. If it were a physical PC of course, I’d have its BIOS cell battery shorted, but opening up a notebook is not casually undertaken. Besides, my friend wants into her good books. 😉

Say, you’ve gotten access using the above method. You want in to the files in the ‘My Documents’ folder in the other account. By going to the Control Panel, ‘User Accounts’ applet, you can remove the password on the other user, thereby removing any protection he has on those files. Win XP Professional users can also use the Microsoft Management Console’s User Accounts snap-in to do the same.

Hope all notebook users and would-be hacker-kiddies learnt a lesson.

Signing off (for hopefully a long time), Vishnu, the geek 🙂

2 responses

  2. haha. hope you dont give a word out on keyloggerz 😉
