Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

New Tool Reveals Internet Passwords
Security Week ^

Posted on 07/01/2010 2:02:19 PM PDT by Gomez

A Russian software company today released a password cracking tool that instantly reveals cached passwords to Web sites in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail.

Moscow based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product designed as tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC.

With a price tag of just $49, it doesn’t seem as though investigators and government authorities are the real target market. These types of programs are by no means new, but this latest commercial software offering shows just how easily it is to gain access to such tools, even for non-technical users.

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

New features in Internet Explorer 7 and 8 include enhanced security for storing cached password information. The browsers encrypt the information with the URL of a Web site, making it impossible to access stored information without knowing the exact Web address of a resource. Elcomsoft Internet Password Breaker claims to work around this new security model by analyzing cached URL history and identifying Web sites last visited in order to retrieve login and password information stored for those Web sites.

The password cracking tool reveals passwords protecting access to email accounts, identities and Microsoft Outlook PST files. Supporting all versions of Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker can retrieve the original plain-text passwords protecting access to mail accounts, POP3, IMAP, SMTP and NNTP news passwords. In addition, Elcomsoft Internet Password Breaker reveals Microsoft Passport passwords stored by Windows Live Mail, user identity passwords, and passwords protecting PST files created by Microsoft Outlook up to version 2010.

Elcomsoft Internet Password Breaker automatically identifies all supported products and user identities, locates all available accounts and PST files, and reveals stored password information.

With tools like these available to the masses, individuals and enterprises need to further consider full disk encryption solutions and additional security measures.


TOPICS: Computers/Internet
KEYWORDS: computersecurity; computertheft; elcomsoft; internet; microsofttax; password; passwords; russia; russians
Navigation: use the links below to view more comments.
first 1-5051-73 next last

1 posted on 07/01/2010 2:02:24 PM PDT by Gomez
[ Post Reply | Private Reply | View Replies]

To: ShadowAce

for 50 dollars, all your passwords are belong to us ping


2 posted on 07/01/2010 2:04:15 PM PDT by Gomez (killer of threads)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez

Moscow could have kept those 11 spies at home and just spent the $49 to get this software /s


3 posted on 07/01/2010 2:05:54 PM PDT by camerongood210
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez

Time to encrypt your hard drives.

Choose either a hardware or software encryption technique, but encrypt at your next chance.


4 posted on 07/01/2010 2:06:11 PM PDT by ConservativeMind (Hypocrisy: "Animal rightists" who eat meat & pen up pets while accusing hog farmers of cruelty.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez

So, what happens if you always delete/clear your cache?

And/or use a different browser, like say....Firefox?


5 posted on 07/01/2010 2:06:13 PM PDT by Lucky9teen (I'll just say the 2nd amendment to the Constitution is there for a reason!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez

Wonder how long the WH has had it?.


6 posted on 07/01/2010 2:13:58 PM PDT by Vaduz
[ Post Reply | Private Reply | To 1 | View Replies]

To: camerongood210

“Moscow could have kept those 11 spies at home and just spent the $49 to get this software”

The US has GM.
Russia has excess spies.
They are both primarily job programs.


7 posted on 07/01/2010 2:17:23 PM PDT by devere
[ Post Reply | Private Reply | To 3 | View Replies]

To: Lucky9teen

If you use Firefox they don’t need to crack it, your passwords can be seen in clear text (Tools- options, security, stored passwords, show passwords). More fun still your passwords and other stored text (like say your CC numbers) are stored somewhere in your profile stuff, so anybody on the machine just has to copy the Mozilla folder from your Application Data and they’ve got all your magic conveniences.

I like FF a lot, but they actually have a pretty massive security hole.


8 posted on 07/01/2010 2:23:08 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 5 | View Replies]

To: discostu

And everyone told me I was paranoid! I have never used the internet for any on-line transactions. But then again, I have never used an ATM!


9 posted on 07/01/2010 2:27:49 PM PDT by ScoopAmma (We are led by the Resident -in Chief; aka part-time member of Webelo Troop 44)
[ Post Reply | Private Reply | To 8 | View Replies]

To: ScoopAmma

The FF problem isn’t an issue with the internet per se, somebody would have to access your machine. But it’s worth keeping in mind if you’re doing anything on a machine that isn’t yours (like at work).


10 posted on 07/01/2010 2:29:50 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 9 | View Replies]

To: ScoopAmma

>> And everyone told me I was paranoid! I have never used the internet for any on-line transactions.

Personally. I get around it by staying broke.

No money to spend, no money to steal... :-)


11 posted on 07/01/2010 2:37:54 PM PDT by Nervous Tick (Eat more spinach! Make Green Jobs for America!)
[ Post Reply | Private Reply | To 9 | View Replies]

To: discostu

bfl


12 posted on 07/01/2010 2:39:44 PM PDT by Oshkalaboomboom
[ Post Reply | Private Reply | To 8 | View Replies]

To: Gomez

Great!


13 posted on 07/01/2010 2:44:30 PM PDT by diamond6 (Pray the Rosary to defeat communism and Obamacare!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez; All

For those who are interested, there are two basic ways to encrypt your hard drive. The fastest, but more expensive, is through hardware encryption. This is most practically done with the purchase of a hard drive. Companies like Hitachi have encrypted hard drives for portable computers, but others make such drives that work in desktop systems, too. Examples of these are:

http://www.datalockerdrive.com/
http://www.seagate.com/www/en-us/products/self-encrypting-drives/

However, for most people, two basic options are available for quick, cheap use, but they slow down your system a bit. These hard drive software encryption options are TrueCrypt (an open source, well-respected, free for all package) and Microsoft’s Bitlocker (free with Vista and Windows 7 Ultimate).

Bitlocker would be the most transparent and likely easiest to implement, but only if you already have and Ultimate on your system (you could upgrade, of course, too). However, the vast majority of people think that TrueCrypt has the best, most thorough implementation for users, and it’s completely free.

More on these here:

TrueCrypt
http://www.truecrypt.org/

Microsoft’s Bitlocker
http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx


14 posted on 07/01/2010 2:45:38 PM PDT by ConservativeMind (Hypocrisy: "Animal rightists" who eat meat & pen up pets while accusing hog farmers of cruelty.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Oshkalaboomboom

Better not be calling me a liar. You can verify it yourself, make a new login on your machine, copy your Mozilla over from Application Data (which is a hidden folder by default, but we should all know about Windows’ “hidden” folders) to the new account, login to the machine with the new account, come to FR, and check out how you’re logged in just like it was your old Windows login.

We were getting a network shuffle at work, so everybody was getting new machine accounts, when I copied the folder I figured all I’d get was my bookmark list and various UI/ usability tweaks. I was pretty surprised to find it moved the keys to my FF universe, convenient so long as I’m the only one on the machine, scary if somebody else get’s in there.


15 posted on 07/01/2010 2:45:52 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Gomez
for 50 dollars, all your passwords are belong to us ping

How can that be if I store none on the computer? Second,, my online banking is done on a small laptop that is ONLY used for banking, even then, only as guest, not administrator. Never used for surfing or email,

16 posted on 07/01/2010 2:46:05 PM PDT by MrPiper
[ Post Reply | Private Reply | To 2 | View Replies]

To: discostu

i use ff and believe it or not my ebay acct was hacked
how do i fix this massive security hole in FF
any suggestions? changeing passwords is obviously not the answer


17 posted on 07/01/2010 2:47:00 PM PDT by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Gomez

What are the odds that after loading this program, the only passwords lost are those of the users.


18 posted on 07/01/2010 2:49:49 PM PDT by dangerdoc
[ Post Reply | Private Reply | To 1 | View Replies]

To: MissDairyGoodnessVT

This probably isn’t how your e-bay got hacked, unless your e-bay info is on a machine somebody else can access. You can’t fix this hole though, short of not using FF, this is a basic design flaw in the product, all your stored data is somewhere in that folder and it’s not keyed to your Windows login so if it gets copied to another login (or machine, I’ve used this for machine and OS changes too, really it’s kind of handy in a scary way) then all the info goes across.


19 posted on 07/01/2010 2:51:16 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Gomez

This is what you get when you pollute your computer with feeble Microsoft crapware. I’m happily 100% Microsoft-free.


20 posted on 07/01/2010 2:58:13 PM PDT by ccmay (Too much Law; not enough Order.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: discostu
bfl

Better not be calling me a liar.

Oh, please. Surely, you can't be enough of a noob not to know the "bfl" means Bump For Later.

21 posted on 07/01/2010 3:00:10 PM PDT by Bob
[ Post Reply | Private Reply | To 15 | View Replies]

To: MissDairyGoodnessVT; All

This may help with Firefox:

http://www.firefoxtutor.com/61/securing-firefox-passwords/


22 posted on 07/01/2010 3:05:12 PM PDT by Rio (Plug the hole, Daddy!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Bob

Is it? Too many three letter acronyms, in some chunks of the net it’s Big F#$%ing Liar. Don’t know which he meant, hopefully yours and not mine, I tried err to caution.


23 posted on 07/01/2010 3:06:43 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Rio

TY !


24 posted on 07/01/2010 3:13:21 PM PDT by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 22 | View Replies]

To: discostu

the weirdest thing about my ebay acct getting hacked is that the password was so weird,so strange it wasn’t guessable i don’t share a comp & no one else has access-ebay sent me a notice because their system recognizes IP addresses and somehow they picked up that it wasn’t my IP address that was using my acct/that’s what they told me anyway.


25 posted on 07/01/2010 3:16:06 PM PDT by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 19 | View Replies]

To: MissDairyGoodnessVT

Somebody out there is doing some packet sniffing. I got a similar warning from Facebook last week that my account had been accessed from Turkey, and another friend of mine on FB got a similar warning, when FB thinks you got hacked they ask you some weird questions to prove you’re really you, it’s almost worth getting hacked.


26 posted on 07/01/2010 3:22:06 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 25 | View Replies]

To: discostu
Is it?

Most people use 'bflr' meaning Bump For Later Reading.

Too many three letter acronyms, in some chunks of the net it’s Big F#$%ing Liar.

Way too many acronyms. On FR, though, 'bump' is used fairly often. I guess I just don't hang out in those chunks of the net where it means something else.

Don’t know which he meant, hopefully yours and not mine, I tried err to caution.

In the absence of any other indications, I'd say it was probably just a bump. If I were calling someone a liar, I'd certainly say why I thought so. I think that most people would.

27 posted on 07/01/2010 3:25:47 PM PDT by Bob
[ Post Reply | Private Reply | To 23 | View Replies]

To: Bob

I’ve seen bump for later, if I’ve seen bfl for that I don’t remember it, that’s why I googled it. I google a lot of TLAs, my brain hit TLA capacity a couple of years ago, with military parents, a career in software, and a lifetime of hating the government I’ve just seen too many, can’t keep track anymore.

I’ve seen people jump in, declare everything a person said to be wrong, and jump out again with no explanations or re-visit. You’re probably right, he probably did mean bump for later, but if he meant the other one it wouldn’t be the weirdest least explicable reply I’ve gotten on FR.


28 posted on 07/01/2010 3:37:41 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 27 | View Replies]

To: Bob

DYGI?
your being a little terse there,... when bfl is actually sent to someone instead of having a ‘none’ recipienent , then it is actually pretty rude to include someone else as the recipient for your reminders and to-do list.

BFL


29 posted on 07/01/2010 3:41:02 PM PDT by Sporaticus
[ Post Reply | Private Reply | To 21 | View Replies]

To: discostu

i guess i could look up the term but in laymen’s terms what is packet sniffing?


30 posted on 07/01/2010 3:57:23 PM PDT by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 26 | View Replies]

To: Sporaticus

While I agree that it’s rude to address a ‘bfl’ to someone, I’d suspect that it’s a case of the person neglecting/forgetting to clear the ‘to’ box.

I usually don’t assume malice without some basis for it.


31 posted on 07/01/2010 4:14:28 PM PDT by Bob
[ Post Reply | Private Reply | To 29 | View Replies]

To: MissDairyGoodnessVT
i guess i could look up the term but in laymen’s terms what is packet sniffing?

'Packet sniffing' refers to snooping on someone else's traffic between them and their network or access point. An Ethernet card on a hard-wired network set to 'promiscuous' mode will see all of the packets going across the network. I believe that a wireless card can do the same for traffic between a user and his access point.

32 posted on 07/01/2010 4:19:52 PM PDT by Bob
[ Post Reply | Private Reply | To 30 | View Replies]

To: MissDairyGoodnessVT

Packet sniffing is when somebody has a piece of software on the internet between you and your destination that is copying the data packets going back and forth and storing them for deciphering later. They’re usually looking for login data or better yet banking and credit card info. About the only way around it is encrypted data flow, and even that’s not proof positive.


33 posted on 07/01/2010 4:47:18 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 30 | View Replies]

To: discostu

ty for this info! :)


34 posted on 07/01/2010 4:55:58 PM PDT by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Bob

ty for this information :)


35 posted on 07/01/2010 4:57:09 PM PDT by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 32 | View Replies]

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

36 posted on 07/01/2010 5:31:02 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bob; Sporaticus

I didn’t read it as a bump, either.

I think that for me, it was the lowercase that threw me off, since I don’t usually misread that.


37 posted on 07/01/2010 5:47:04 PM PDT by Gondring (Paul Revere would have been flamed as a naysayer troll and told to go back to Boston.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Gomez

I wouldn’t be too worried about this software - it still requires access to the machine. If you’ve lost that battle, you’ve already lost the war.


38 posted on 07/01/2010 5:54:17 PM PDT by kevkrom (De-fund Obamacare in 2011, repeal in 2013!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ConservativeMind

Truecrypt is my favorite.


39 posted on 07/01/2010 6:14:43 PM PDT by expat_panama
[ Post Reply | Private Reply | To 14 | View Replies]

To: Nervous Tick

No kidding. I was a victim of identity theft. My credit rating went up.


40 posted on 07/01/2010 6:21:14 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: discostu
GFY.

.

.

Good For You!

41 posted on 07/01/2010 6:25:55 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: discostu

Sorry about the last post, but I was laughing at your recent exchanges, and I got caught by that one a while back.


42 posted on 07/01/2010 6:28:09 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Richard Kimball

Glad to know I’m not the only one that get’s caught.


43 posted on 07/01/2010 6:46:41 PM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 42 | View Replies]

To: Gomez

Yikes!


44 posted on 07/01/2010 6:51:35 PM PDT by apocalypto
[ Post Reply | Private Reply | To 1 | View Replies]

To: discostu
If you use Firefox they don’t need to crack it, your passwords can be seen in clear text (Tools- options, security, stored passwords, show passwords). More fun still your passwords and other stored text (like say your CC numbers) are stored somewhere in your profile stuff, so anybody on the machine just has to copy the Mozilla folder from your Application Data and they’ve got all your magic conveniences.

Which is easily remedied by supplying a master password. Duh.

45 posted on 07/01/2010 7:22:22 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 8 | View Replies]

To: MissDairyGoodnessVT; discostu

Most likely the “hack” that discostu was talking about was not how your ebay account was compromised. There are lots of scams out there for ebay. Your ebay password should be one of your stronger ones - something like J$us#lz4E1. You’d be suprised at the number of ebay passwords that are simply brute-forced because they suck so badly. As I mentioned in an earlier post, all you have to do to make it so that any schlub who logs on to your computer can’t see your password is to use the ‘master password’ feature of firefox. I stronly recommend that this password be a really good one (mine is 20+ characters). You’ll have to enter it at least once per session, which sounds like a hassle, and it is, but you’ll be suprised at how fast you will get at typing it after entering it a bunch. I think you’ll also have to enter it if you want to see the passwords in the FF password tool. It’s fairly simple, and it is hardly Mozilla’s fault if people don’t avail themselves of the options they provide to protect your security.


46 posted on 07/01/2010 7:40:46 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 17 | View Replies]

To: zeugma
Followup to my last post: From Mozillazine -  Master Passwords
47 posted on 07/01/2010 8:04:38 PM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 46 | View Replies]

To: discostu
YCJCYAQFTJB




One of my favorites.
A small sign on the wall of the first bar I patronized in my youth. Oh so many years ago.
Draft beer was $0.15 a glass...Cold & Golden Hudepohl!
48 posted on 07/01/2010 8:51:54 PM PDT by Tainan (Cogito, ergo conservatus)
[ Post Reply | Private Reply | To 43 | View Replies]

To: kevkrom
I wouldn’t be too worried about this software - it still requires access to the machine. If you’ve lost that battle, you’ve already lost the war.

For wireless internet access, though, no physical access to your machine is necessary. All a person with the right equipment needs to do is to be in the vicinity of your transmissions going to/from the access point. If your data is being sent 'in the clear' (unencrypted) between your computer and the access point you're using, there is a risk that it all can be captured.

49 posted on 07/01/2010 9:20:19 PM PDT by Bob
[ Post Reply | Private Reply | To 38 | View Replies]

To: zeugma
> Which is easily remedied by supplying a master password. Duh.

Amazing, ain't it?

Had a friend some years back who "discovered" a huge security hole in Windows -- it could be set so that it just logged you in when it booted ... OMG ONOEZ!

"Hey Doc, it hurts when I do this."

"Don't do that."

50 posted on 07/01/2010 10:11:27 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 45 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-73 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson