Posted on 07/01/2010 2:02:19 PM PDT by Gomez
A Russian software company today released a password cracking tool that instantly reveals cached passwords to Web sites in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail.
Moscow based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product designed as tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC.
With a price tag of just $49, it doesn’t seem as though investigators and government authorities are the real target market. These types of programs are by no means new, but this latest commercial software offering shows just how easily it is to gain access to such tools, even for non-technical users.
The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.
New features in Internet Explorer 7 and 8 include enhanced security for storing cached password information. The browsers encrypt the information with the URL of a Web site, making it impossible to access stored information without knowing the exact Web address of a resource. Elcomsoft Internet Password Breaker claims to work around this new security model by analyzing cached URL history and identifying Web sites last visited in order to retrieve login and password information stored for those Web sites.
The password cracking tool reveals passwords protecting access to email accounts, identities and Microsoft Outlook PST files. Supporting all versions of Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker can retrieve the original plain-text passwords protecting access to mail accounts, POP3, IMAP, SMTP and NNTP news passwords. In addition, Elcomsoft Internet Password Breaker reveals Microsoft Passport passwords stored by Windows Live Mail, user identity passwords, and passwords protecting PST files created by Microsoft Outlook up to version 2010.
Elcomsoft Internet Password Breaker automatically identifies all supported products and user identities, locates all available accounts and PST files, and reveals stored password information.
With tools like these available to the masses, individuals and enterprises need to further consider full disk encryption solutions and additional security measures.
.
.
Good For You!
Sorry about the last post, but I was laughing at your recent exchanges, and I got caught by that one a while back.
Glad to know I’m not the only one that get’s caught.
Yikes!
Which is easily remedied by supplying a master password. Duh.
Most likely the “hack” that discostu was talking about was not how your ebay account was compromised. There are lots of scams out there for ebay. Your ebay password should be one of your stronger ones - something like J$us#lz4E1. You’d be suprised at the number of ebay passwords that are simply brute-forced because they suck so badly. As I mentioned in an earlier post, all you have to do to make it so that any schlub who logs on to your computer can’t see your password is to use the ‘master password’ feature of firefox. I stronly recommend that this password be a really good one (mine is 20+ characters). You’ll have to enter it at least once per session, which sounds like a hassle, and it is, but you’ll be suprised at how fast you will get at typing it after entering it a bunch. I think you’ll also have to enter it if you want to see the passwords in the FF password tool. It’s fairly simple, and it is hardly Mozilla’s fault if people don’t avail themselves of the options they provide to protect your security.
For wireless internet access, though, no physical access to your machine is necessary. All a person with the right equipment needs to do is to be in the vicinity of your transmissions going to/from the access point. If your data is being sent 'in the clear' (unencrypted) between your computer and the access point you're using, there is a risk that it all can be captured.
Amazing, ain't it?
Had a friend some years back who "discovered" a huge security hole in Windows -- it could be set so that it just logged you in when it booted ... OMG ONOEZ!
"Hey Doc, it hurts when I do this."
"Don't do that."
Even funnier, was the 'trick' of just hitting esc. at the password prompt, and bypassing the login altogether.
That does work. I moved my entire FF install when my old machine died unexpectedly and by moving all of its folders to the right places on the new machine, it continued like there had been no interruption...all passwords, history, prefs, everything.
BTTT
“bfl” has been “bump for later” around here for at least 12 years.
Which is easily defeated:
http://lifehacker.com/5350375/how-to-recover-your-firefox-master-password
It’s kind of a convenient “feature” up until you start thinking about the implications. Of course most convenient features are like that, making it easier on legit users always makes it easier for bad guys, and making it harder on bad guys always make it harder on legit users.
Kinda like those windows passwords being discussed in the article.
I tried this at home last night. Very not cool. "Massive security hole" just doesn't seem adequate. Thanks for posting this.
FUD fail.
The difference here being hack one password (if the person even used the master password) get the rest. And I’m betting you don’t even need the whole folder, I grabbed it because I wanted my bookmarks, extensions, and settings, I got my passwords for free. Now the real question comes in is if you grab just the files with the login/password info (no idea which those are) and drop them in a new profile will they still be “protected” by the master password.
And understand, I’m posting this in FF I’m not spreading FUD or anything, just pointing out a feature (it really is convenient if you’re buying a new machine or similar stuff)/ hazard out there for people to be aware of. It’s a hazardous world, especially at the office where we don’t have sole access to “our” computers. People don’t think through the consequences of what they do on the internet these days, there was just a thread earlier this week about divorce lawyers trolling Facebook because people post statuses they don’t think through. Well here’s something else to think through, if your credit card info is in your Firefox at work you better hope your IT department are on the level.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.