Free Republic

New Tool Reveals Internet Passwords
Security Week ^

Posted on 07/01/2010 2:02:19 PM PDT by Gomez

A Russian software company today released a password cracking tool that instantly reveals cached passwords to Web sites in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail.

Moscow-based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product is designed as a tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC.

With a price tag of just $49, it doesn’t seem as though investigators and government authorities are the real target market. These types of programs are by no means new, but this latest commercial software offering shows just how easy it is to gain access to such tools, even for non-technical users.

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

New features in Internet Explorer 7 and 8 include enhanced security for storing cached password information. The browsers encrypt the information with the URL of a Web site, making it impossible to access stored information without knowing the exact Web address of a resource. Elcomsoft Internet Password Breaker claims to work around this new security model by analyzing cached URL history and identifying Web sites last visited in order to retrieve login and password information stored for those Web sites.

The password cracking tool reveals passwords protecting access to email accounts, identities and Microsoft Outlook PST files. Supporting all versions of Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker can retrieve the original plain-text passwords protecting access to mail accounts, POP3, IMAP, SMTP and NNTP news passwords. In addition, Elcomsoft Internet Password Breaker reveals Microsoft Passport passwords stored by Windows Live Mail, user identity passwords, and passwords protecting PST files created by Microsoft Outlook up to version 2010.

Elcomsoft Internet Password Breaker automatically identifies all supported products and user identities, locates all available accounts and PST files, and reveals stored password information.

With tools like these available to the masses, individuals and enterprises need to further consider full disk encryption solutions and additional security measures.


TOPICS: Computers/Internet
KEYWORDS: computersecurity; computertheft; elcomsoft; internet; microsofttax; password; passwords; russia; russians
To: discostu
GFY.

.

.

Good For You!

41 posted on 07/01/2010 6:25:55 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: discostu

Sorry about the last post, but I was laughing at your recent exchanges, and I got caught by that one a while back.


42 posted on 07/01/2010 6:28:09 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Richard Kimball

Glad to know I’m not the only one that gets caught.


43 posted on 07/01/2010 6:46:41 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 42 | View Replies]

To: Gomez

Yikes!


44 posted on 07/01/2010 6:51:35 PM PDT by apocalypto
[ Post Reply | Private Reply | To 1 | View Replies]

To: discostu
> If you use Firefox they don’t need to crack it, your passwords can be seen in clear text (Tools- options, security, stored passwords, show passwords). More fun still your passwords and other stored text (like say your CC numbers) are stored somewhere in your profile stuff, so anybody on the machine just has to copy the Mozilla folder from your Application Data and they’ve got all your magic conveniences.

Which is easily remedied by supplying a master password. Duh.

45 posted on 07/01/2010 7:22:22 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 8 | View Replies]

To: MissDairyGoodnessVT; discostu

Most likely the “hack” that discostu was talking about was not how your ebay account was compromised. There are lots of scams out there for ebay. Your ebay password should be one of your stronger ones - something like J$us#lz4E1. You’d be surprised at the number of ebay passwords that are simply brute-forced because they suck so badly. As I mentioned in an earlier post, all you have to do to make it so that any schlub who logs on to your computer can’t see your password is to use the ‘master password’ feature of firefox. I strongly recommend that this password be a really good one (mine is 20+ characters). You’ll have to enter it at least once per session, which sounds like a hassle, and it is, but you’ll be surprised at how fast you will get at typing it after entering it a bunch. I think you’ll also have to enter it if you want to see the passwords in the FF password tool. It’s fairly simple, and it is hardly Mozilla’s fault if people don’t avail themselves of the options they provide to protect your security.


46 posted on 07/01/2010 7:40:46 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 17 | View Replies]

To: zeugma
Followup to my last post: From Mozillazine -  Master Passwords
47 posted on 07/01/2010 8:04:38 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 46 | View Replies]

To: discostu
YCJCYAQFTJB




One of my favorites.
A small sign on the wall of the first bar I patronized in my youth. Oh so many years ago.
Draft beer was $0.15 a glass...Cold & Golden Hudepohl!
48 posted on 07/01/2010 8:51:54 PM PDT by Tainan (Cogito, ergo conservatus)
[ Post Reply | Private Reply | To 43 | View Replies]

To: kevkrom
I wouldn’t be too worried about this software - it still requires access to the machine. If you’ve lost that battle, you’ve already lost the war.

For wireless internet access, though, no physical access to your machine is necessary. All a person with the right equipment needs to do is to be in the vicinity of your transmissions going to/from the access point. If your data is being sent 'in the clear' (unencrypted) between your computer and the access point you're using, there is a risk that it all can be captured.

49 posted on 07/01/2010 9:20:19 PM PDT by Bob
[ Post Reply | Private Reply | To 38 | View Replies]

To: zeugma
> Which is easily remedied by supplying a master password. Duh.

Amazing, ain't it?

Had a friend some years back who "discovered" a huge security hole in Windows -- it could be set so that it just logged you in when it booted ... OMG ONOEZ!

"Hey Doc, it hurts when I do this."

"Don't do that."

50 posted on 07/01/2010 10:11:27 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 45 | View Replies]

To: dayglored
> Had a friend some years back who "discovered" a huge security hole in Windows -- it could be set so that it just logged you in when it booted ... OMG ONOEZ!

Even funnier, was the 'trick' of just hitting esc. at the password prompt, and bypassing the login altogether.

51 posted on 07/01/2010 10:23:55 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 50 | View Replies]

To: discostu

That does work. I moved my entire FF install when my old machine died unexpectedly and by moving all of its folders to the right places on the new machine, it continued like there had been no interruption...all passwords, history, prefs, everything.


52 posted on 07/01/2010 11:59:29 PM PDT by Fire_on_High (Trijicon, the scope of CRUSADERS!!)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Gomez

BTTT


53 posted on 07/02/2010 12:12:58 AM PDT by Smokin' Joe (How often God must weep at humans' folly. Stand fast. God knows what He is doing.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: discostu

“bfl” has been “bump for later” around here for at least 12 years.


54 posted on 07/02/2010 12:20:06 AM PDT by Lancey Howard
[ Post Reply | Private Reply | To 23 | View Replies]

To: zeugma

Which is easily defeated:
http://lifehacker.com/5350375/how-to-recover-your-firefox-master-password


55 posted on 07/02/2010 8:16:34 AM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Fire_on_High

It’s kind of a convenient “feature” up until you start thinking about the implications. Of course most convenient features are like that, making it easier on legit users always makes it easier for bad guys, and making it harder on bad guys always makes it harder on legit users.


56 posted on 07/02/2010 8:19:19 AM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 52 | View Replies]

To: discostu

Kinda like those windows passwords being discussed in the article.


57 posted on 07/02/2010 8:23:11 AM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 55 | View Replies]

To: discostu
> If you use Firefox they don’t need to crack it, your passwords can be seen in clear text (Tools- options, security, stored passwords, show passwords). More fun still your passwords and other stored text (like say your CC numbers) are stored somewhere in your profile stuff, so anybody on the machine just has to copy the Mozilla folder from your Application Data and they’ve got all your magic conveniences.

I tried this at home last night. Very not cool. "Massive security hole" just doesn't seem adequate. Thanks for posting this.

58 posted on 07/02/2010 8:24:57 AM PDT by RikaStrom (Pray for Obama - Psalm 109:8 "Let his days be few; and let another take his place of leadership.")
[ Post Reply | Private Reply | To 8 | View Replies]

To: discostu
OMG that's a brute-force cracker. Of course you can hack your password if it is 6 lower case alpha characters. Mine is more than 20 characters, mixed alpha-numeric and specials. Crack that.

FUD fail.

59 posted on 07/02/2010 8:29:18 AM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 55 | View Replies]

To: zeugma

The difference here being hack one password (if the person even used the master password) get the rest. And I’m betting you don’t even need the whole folder, I grabbed it because I wanted my bookmarks, extensions, and settings, I got my passwords for free. Now the real question comes in is if you grab just the files with the login/password info (no idea which those are) and drop them in a new profile will they still be “protected” by the master password.

And understand, I’m posting this in FF I’m not spreading FUD or anything, just pointing out a feature (it really is convenient if you’re buying a new machine or similar stuff)/ hazard out there for people to be aware of. It’s a hazardous world, especially at the office where we don’t have sole access to “our” computers. People don’t think through the consequences of what they do on the internet these days, there was just a thread earlier this week about divorce lawyers trolling Facebook because people post statuses they don’t think through. Well here’s something else to think through, if your credit card info is in your Firefox at work you better hope your IT department are on the level.


60 posted on 07/02/2010 8:34:06 AM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 57 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
