Slashdot Mirror
Passwords Can Sit on Hard Disks for Years
CygnusXII writes ""As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security." "
My favorite MacGyver episodes were the ones where he used fingerprinting dust to read the numbers on a keypad. Of course, anyone using the keypad for a password is only going to press the keys involved in the password.
The most dangerous thing to security is people. Why go routing around on a hard drive when you can just ask someone what the password is, and they'll probably tell you anyways?
stuff |
Just put your swap on another partition and zero it every so often (any way to do this automatically during shutdown, after VM is suspended?) - that takes care of your passwords in memory. As for programs that store them on disk, they better be encrypted, ala Apple's Keychain.
I don't know what kind of crack I was on, but I suspect it was decaf.
and I did RTFA, and realize they're talking about the swap file... ...but I have 1.5GB of RAM, and I have a 20MB swap file that's overwritten each time I reboot my PC.
:)
Most Windows systems use the default setting for virtual memory, which is "windows managed" -- which means it's overwritten each time the system is rebooted. What's the big deal?
Has anyone here actually hex edited a swap file before? How is the data actually stored? For the reasons mentioned in the article, I imagine it would at least... not store data transmitted via SSL in plain text (why the heck would form data stick around in RAM anyway?)
Sounds like a neat project for after work today.
[an error occured while processing this directive]
That was my thought too...
Back in the Win3.1x era, when the typical swapfile was still small enough to peruse with a hex editor, I cruised through my permanent swapfile with LIST, just to see what was being dumped out of RAM. I found data in there that was identifiably over 3 years old. And therein, I also found some passwords archived -- as plaintext.
Not to mention logfiles; I have some that stretch back several years, and I'm sure I'm not alone.
So I don't find this exactly "news" either. Then again, I could turn this into a rant on the "expertise" of the typical tech journalist... (one of my PC maintenance clients is one. Regular exposure has given me a complete lack of respect for the breed.)
~REZ~ #43301. Who'd fake being me anyway?
You'd be amazed what you can find on Kazaa when you search for documents with password or resume or account as the keyword. People don't realize that you don't need to be a hacker to break into your machine - just someone with access to the folder you share on and P2P network...which, if it happens to be your My Documents folder....look out.
There are 01 types of people in this world. Those that understand binary, and me.
OpenBSD encrypts the swap space by default, specifically to avoid these problems. I would hazard a guess somebody has hacked Linux to do the same, but I haven't seen it.
Of course, if you have so much RAM that you never swap, this is less of an issue.
Of course there is a guarantee...
Just buy a boatload of ram and disable virtual memory. Problem solved.
Of course, you could always use Knoppix or something similar whenever buying on-line. This would also solve the problem for the truly paranoid.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
Some basic tips that not enough people know, in no particular order:
1. Make sure you have a firewall configured to allow incoming connections from only ports you need open. You might be able to do just fine with no incoming connections allowed at all.
2. Have an updated virus checker.. Norton or Mcafee. By updated, I mean having it auto-update for you. Have it check every file accessed on media accessed by the computer, and email. At the very least, all the incoming media and email should be scanned on the fly, but outgoing is a good idea too.
3. Use Spybot or Ad Aware at least once a month to scan for spyware. Also keep these updated. I forget if they auto-update, but just be sure it checks for updates before you run them.
4. Only use credit cards that keep you free of liability for any fraud.
5. Buy a separate unnetworked little organizer with a keyboard to store hints to remember your passwords. Don't store the actual password.
6. Cancel credit cards you don't use.
7. Photocopy the backs and fronts of all the credit/debit cards you use and whatever else you keep in your wallet. Write in the customer service phone numbers if they're not clear.
8. Have Windows auto-update and auto-install all critical patches, or keep your Linux distro updated.
9. Don't open email attachments that you have no reason to trust, and certainly not until you have antivirus software checking incoming emails.
Go download Eraser. It will erase empty space and swap files using DoD mil quality and even higher. It will erase empty space on your drive while you sleeping swiping it clean of bits 32 times over. On shutdown it will erase the swap file with the same quality. You can also get the source code and make it better if you want.
I have mine run once a week. I'm more concerned of my hard drive failing having to returning it under warranty and someone else receiving that drive they could then retrieve my data.
I have a computer services company, and a client of ours, a lawyer, never ever lets his computer out of his office. All repairs, no matter what, are done in his office, under his scrutiny. He has no problems paying for it, he says he is required by law (we are in Spain) to be sure that his clients' data is safe at all times. There just isn't another option.
"If God created us in his own image we have more than reciprocated." - Voltaire
Nah, reinstalling is just a sign of incompetence at dealing with Windows. And I mean that seriously. On average it takes Win32 about 3 years of average-user neglect and outright abuse to get to the point where it's nonfunctional, and even then it's recoverable with simple maintenance procedures.
:)
As a SOHO tech, my job is not just to get the machine working, but also to get it to the state the client expects it to be in -- with all his apps and data intact (whether he has a good backup or not). I've only had to reinstall Windows *once*, and that was due to AOL5 FUBAR'ing both DUN and the entire WinEx/IE setup -- on a system that had gone five years with a PEBKAC owner and ZERO maintenance. I find it is faster and easier to resurrect the system than to hope to find all the body parts (apps, data, passwords, settings, CD keys, etc, etc.) and reinstall them where someone else expects them to be.
Of course, this is why my clients won't let anyone else touch their PCs, either
My own everyday setups date back to 1998 (Win95), 2001 (Win98), 1999 (WinME -- hasn't crashed since Sept.99, and this is a test box!!), 2002 (XP Pro). Plus I have a couple part-time-use Win95 machines that date back to '95 and '96. And my Win16 setup (1994) was finally retired at 7 years old. All are original installs and all work their asses off. -- I hadn't looked in WFWG's swapfile in some time, but it's a safe bet that if I inspect the CD where it's archived, I'll find data in the perserved swapfile that is now over 10 years old.
~REZ~ #43301. Who'd fake being me anyway?
Maybe a removable hard drive would be much easier on the wallet. Keep the programs/OS on the computer's hard drive, but all client data can be kept on an external firewire/USB hard drive. You can even buy two and copy one to the other once a week or so for backup. All for under $100 (if you shop around).
"-1 Troll" is the apparently the same as "-1 I disagree with you."
No, I'm not a M$ fanboy. You'll see me bitch about their business practices, and sometimes about their software, as often as anyone here -- you want to see software flamed to a crisp, get me started on M$Office! and just wait til I catch up with the idiot who thought "browser as your desktop" was such a great idea, or the moron who didn't fully test the .MSI installer on Win98. And as to M$ getting in bed with DRM/media... that's why I keep hoping for a *NIX desktop I can next-gen my clients to, but so far it hasn't happened.
/. article about the router! talk about a field where they should know better!!)
But in my experience, whining about *Windows* instability is based more in ignorance, and failing to consider the influence of bad hardware, than in objective reality. Considering all the random shit hardware people use, the ill-mannered software that abounds these days (most no longer bothers to clean up after itself, but rather expects Windows to do it for 'em), and the ignorance of average users, Windows gracefully absorbs a helluva lot of abuse. Yeah, it's possible to mangle the registry, but that's actually pretty rare; I've not seen it happen in years. And yeah, there are security holes and stupid default settings, but that's hardly unique to Windows (see the concurrent
I also have a Mandrake box, and while I generally like it well enough (tho I view BSD as more mature than linux), I do find it a whole lot easier to confuse or crash. Lordy, the lockup I get if I accidentally feed it a bad CDR!! Have to power down to get the CDROM drive back.
~REZ~ #43301. Who'd fake being me anyway?