Syskey
Syskey is a utility that encrypts the hashed password information in a SAM database in a Windows system using a 128-bit RC4 encryption key that, by default, is stored in the Windows registry. Syskey can optionally be configured to require the user to enter the key at boot time as a startup password or load it on removeable storage media (e.g. USB flash drive).
Syskey was introduced with Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks by preventing the possessor of an unauthorised copy of the SAM from extracting useful information from it. However, these days the feature is being misused by scammers to lock naïve victims out of their own computers and so coerce them into paying a ransom.
Early vulnerability
In December 1999, a security team from BindView found a security hole in Syskey that indicated that a certain form of offline cryptanalytic attack is possible, making a brute force attack appear to be possible. Microsoft later collaborated with BindView to issue a fix for the problem (dubbed the 'Syskey Bug') which appears[to whom?] to have been settled; syskey was declared secure enough to resist brute force attack. According to Todd Sabin of the BindView team RAZOR, the pre-RC3 versions of Windows 2000 were also affected.
Malicious use
In what has been called the technical support scam, scammers typically claiming to represent Microsoft, Windows, Google, the FBI etc. attempt to extort money from unsophisticated computer users, usually over the telephone. Using various social engineering techniques and pretexts (e.g. claiming that the victims' computers are infected with a virus, contain pornographic content, or are about to fail due to "serious" errors that are in fact normal), scammers often try to fool naive victims into believing that their computers are in need of support/maintenance which the caller will provide on payment by credit card. If the direct approach fails, victims may instead be convinced to run the obscure syskey utility and configure a startup password, thereby locking them out of their own computers at boot time [1] There are several ways to recover from this, apart from simply paying the ransom and hoping that the scammers are kind (not a good idea):
- Revert to a previous System Restore Point.
- On old versions prior to Windows 7, use the free Offline NT Password & Registry Editor by following these instructions.
- Use commercial software to recover the startup password.
See also
References
- This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.
External links
- How to use the SysKey utility to secure the Windows Security Accounts Manager database
- Enable Syskey To Protect Windows Against Local Password Cracking
<templatestyles src="Asbox/styles.css"></templatestyles>
 |
This security software article is a stub. You can help Wikipedia by expanding it. |
