Slashdot Mirror


New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

140 comments

  1. Prettier Tool, Old Exploit by eldavojohn · · Score: 5, Insightful

    This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView, Google Chrome Pass, Messenger Key for instant messengers and even Password Fox.

    When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client is remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

    A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

    --
    My work here is dung.
    1. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 5, Informative

      This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:Prettier Tool, Old Exploit by Spad · · Score: 1

      Which is why I like Seamonkey's ability to secure the password store with a password of its own so that you're not simply relying on security through obscurity.

    3. Re:Prettier Tool, Old Exploit by AlexiaDeath · · Score: 2, Informative

      msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...

    4. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0
    5. Re:Prettier Tool, Old Exploit by stonewallred · · Score: 4, Funny

      WTF!!! How did you find out my master password??!!?!?!

    6. Re:Prettier Tool, Old Exploit by Cryacin · · Score: 5, Funny

      What? That's the same combination as my luggage.

      --
      Science advances one funeral at a time- Max Planck
    7. Re:Prettier Tool, Old Exploit by Voulnet · · Score: 2, Funny

      Damn, I didn't know Kevin Mitnick started posting on Slashdot after his interview here.

    8. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

      And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

    9. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 2, Insightful

      Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

      Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

    10. Re:Prettier Tool, Old Exploit by TheSpoom · · Score: 1

      Firefox doesn't even attempt to hide it: Preferences -> Security -> Saved Passwords -> Show Passwords.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    11. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 1, Insightful

      This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

      And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

      Is that supposed to be PRAISING that boneheaded scheme?

    12. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 1, Interesting

      Perhaps this needs a rethink on filesystem security?

      I'm thinking a desktop OS wherein each application is assigned a directory/folder on installation, and is only able to access its own folder, a per user generic 'documents' folder, and a per user, application specific configuration folder. There'd be some costs to that - developers would have to compile against APIs and libraries rather than importing them in from the system at runtime. This would make individual programs larger and increase maintenance requirements - but at the same time it would mean that a developer would know exactly what version of said resources were in use, and at the same time harden the system against malware. Documents would still be at risk, but applications, passwords and configuration data would be protected from interference.

      The system would have to have some very strict driver models and memory management - possibly a valid use for tpm? - but in theory at least it should be workable.

      Whether anyone's got the stomach for the attempt is another matter though. :S

    13. Re:Prettier Tool, Old Exploit by ehrichweiss · · Score: 2, Informative

      If you assign a master password that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

      --
      0x09F911029D74E35BD84156C5635688C0
    14. Re:Prettier Tool, Old Exploit by L4t3r4lu5 · · Score: 0, Redundant

      Don't worry, it changes for everyone who reads it. Only you see your master password, because it's your master password.

      If I enter mine, all you'll get is asterisks. Watch: *******

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    15. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Your password is ******?
      Slashdot hides your passwords, everybody else sees it as ******, or your password really is ****** ?

    16. Re:Prettier Tool, Old Exploit by TheRaven64 · · Score: 1

      On OS X, the keychain is stored encrypted. When you log in, the keychain daemon runs and, if your keychain password matches your login password, decrypts the store into RAM. Individual passwords can only be accessed by other apps via RPC to this daemon. This RPC uses Mach ports, which allow the process on the other end to be identified. Access to individual passwords must be specifically granted (on a one-off or permanent basis) to apps, although any app can access all passwords that it created. If the app binary changes, you are required to re-grant permission to it.

      You don't need a new FS design for this to work, just existing IPC mechanisms.

      --
      I am TheRaven on Soylent News
    17. Re:Prettier Tool, Old Exploit by Vahokif · · Score: 1, Funny

      My master password is ********.

    18. Re:Prettier Tool, Old Exploit by Yvan256 · · Score: 4, Funny
    19. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Firefox's scheme only protects your passwords from malicious software if you never use them. Remind me again how it's better than the Windows scheme.

    20. Re:Prettier Tool, Old Exploit by Yvanhoe · · Score: 1

      "remember my password" can be secured by a master password. Type it once in a session to be able to log in to many websites. Honestly, nowadays, with 20+ websites asking silly registrations, it is either that, or use the same login/password everywhere.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    21. Re:Prettier Tool, Old Exploit by BrettJB · · Score: 0, Offtopic

      Not redundant mods - Cryacin is one of the (apparently few) commenters who got the Spaceballs reference.

      I swear, kids these days... no respect for geek traditions and culture... Bah, now get off my lawn! (-- note to the younglings: this is NOT a Gran Torino reference!)

      --
      Smell that? You smell that? Burning karma, son. Nothing in the world smells like that...
    22. Re:Prettier Tool, Old Exploit by natehoy · · Score: 2, Informative

      Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The only difference is that in the Microsoft case, you're always logged in. In the Seamonkey/Firefox case, you're only logged in after you've entered the password to access the password store, which is probably "only" 99% of the time you surf the Web, but at least the password store is pretty secure if you're not running your browser at all, or haven't used the password store yet for that session.

      Of course, the alternative is to use the password just long enough to perform the requested operation, then forget it. That means, though, that you'd have to ask for the security password every time a site wants to retrieve a password from the store or the user wants to add or update a password in the store. Then people would just remove the password, because that would be a pain. Think Vista/7 UAC popups that each need a password, or sudo/su in Linux, but every time you want to use a stored password in your browser. Most people would tolerate that for about as long as it takes to remove the password.

      And, if you don't bother putting a password on it (Firefox leaves the password off by default, and I don't know anyone else who actually uses it), then Firefox is just as vulnerable as the Microsoft exploit.

      Yes, the tool is AVAILABLE, but the benefits it offers are somewhat marginal and it's not the default setting.

      If you want passwords stored and entered automatically, then the passwords are no longer under your control to enter manually and there's going to be a way for them to be read once you make them conveniently available. By all means, use the password store (and the password that protects it, please!) for things like your Slashdot account, etc. Just for the love of [insert deity of choice] DON'T use it for passwords like your bank account or credit cards.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    23. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 3, Interesting

      Well, the Windows scheme only protects your password from malicious software if you never log in at all; once you're logged in any program can pull the passwords, even if you never load the browser. Firefox can only give up master password protected passwords if you launch the browser and provide the master password. And an extension exists to configure the Firefox password manager to "forget" the master password (which is never actually stored, but you know what I mean) after a few minutes, limiting the window of vulnerability further.

      Beyond that, if you've got truly malicious software actively running on your computer at all times (not just some website that gets brief read access through an exploit), you're hosed no matter what. Even if you never use a password manager, they can read the password as you type it into the browser; it might take more time than decrypting a password store and forwarding the data in bulk, but it's just as effective over the long haul. It's a trade off between window of vulnerability, scale of breach, and hassle. No manager at all is a hassle (to remember all usernames and passwords), but it's the most secure, since you can only lose one password at a time, with narrow windows of vulnerability. Password managers mean the scale of breach potential increases (you can lose them all at once). Firefox with a master password narrows the window of vulnerability relative to IE, and the extension that re-locks the store narrows it further, at the cost of needing to remember and type the password store password.

      I consider it a reasonable trade-off, given that I'm not going to remember the user name and password for every site I visit. Even if I wanted to use the same one everywhere (and I don't, because then one site breach means I lose everything), differing username and password requirements make that impossible, and frankly, my memory isn't good enough to track login info for fifty odd websites, including a dozen I visit only once or twice a year.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
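
Added example, not written by any poster in this thread and not Firefox's code: a small password store whose key is derived from a master password and dropped again after a timeout, which is the "window of vulnerability" trade-off the comment above describes. All names (`PasswordStore`, `relock_after`, the sample site and credentials) are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import json
import os
import time

ROUNDS = 200_000  # PBKDF2 work factor; a constructed value for this example


class Locked(Exception):
    """Raised when the store is used while no key is held in memory."""


def derive_keys(master, salt):
    # The keys come from the master password, so nothing on disk can decrypt the store.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ROUNDS, dklen=64)
    return raw[:32], raw[32:]  # (encryption key, MAC key)


def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(keys, plaintext):
    enc, mac = keys
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(keys, blob):
    enc, mac = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or modified store")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc, nonce, len(ct))))


class PasswordStore:
    def __init__(self, master, relock_after, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.relock_after = relock_after   # seconds the key may stay in memory
        self.clock = clock
        self.blob = seal(derive_keys(master, self.salt), b"{}")
        self._keys = None                  # locked until unlock() succeeds
        self._unlocked_at = 0.0

    def unlock(self, master):
        keys = derive_keys(master, self.salt)
        unseal(keys, self.blob)            # raises ValueError on a wrong password
        self._keys, self._unlocked_at = keys, self.clock()

    def lock(self):
        # Python cannot guarantee the bytes are wiped; dropping the reference
        # stands in for forgetting the key.
        self._keys = None

    def is_unlocked(self):
        expired = self.clock() - self._unlocked_at >= self.relock_after
        if self._keys is not None and expired:
            self.lock()
        return self._keys is not None

    def _entries(self):
        if not self.is_unlocked():
            raise Locked("master password required")
        return json.loads(unseal(self._keys, self.blob))

    def save(self, site, user, password):
        entries = self._entries()
        entries[site] = [user, password]
        self.blob = seal(self._keys, json.dumps(entries).encode())

    def lookup(self, site):
        return tuple(self._entries()[site])

    def on_disk(self):
        # Everything a process that can only read the file would obtain.
        return self.salt + self.blob


if __name__ == "__main__":
    store = PasswordStore("a long master passphrase", relock_after=300)
    store.unlock("a long master passphrase")
    store.save("example.invalid", "alice", "constructed-sample-password")
    print(store.lookup("example.invalid"), len(store.on_disk()), "bytes on disk")
```

While the store is unlocked, any code running as the same user inside the process can still reach the key, so the timeout only shortens the exposure; it does not remove it.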
    24. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Everyone got it. They just didn't think it was funny the billionth time around.

    25. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      The encryption is only useful if Eve can gain access to the file wherein the passwords are stored. Unless OS X is a lot less secure than I think it is, this means physical access in all cases. If someone has physical access, it is possible to change operating system binaries, install software or hardware key loggers, and so on and so forth, so it is often said that physical access means all security flies out of the window. But I think encryption can at least save your passwords in the case your laptop gets stolen, as long as you remember to use a strong password and maintain a backup of the file so it cannot be held for ransom or something. On the other hand, if it were really that file that Eve were after, she would probably rather subtly modify your computer and then wait for you to provide her with the information.

    26. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      How about recovering remembered Skype password?

    27. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Funny, she doesn't look Druish.

    28. Re:Prettier Tool, Old Exploit by sconeu · · Score: 1

      WTF? I have the same password on my atmosphere shield!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    29. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 5, Interesting

      Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

      Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    30. Re:Prettier Tool, Old Exploit by Mister Whirly · · Score: 0, Offtopic

      You must be new here.

      --
      "But this one goes to 11!"
    31. Re:Prettier Tool, Old Exploit by hedwards · · Score: 1

      Yes, but it would be nice if they didn't default to saving form information and asking you if you want to save password on every single site.

    32. Re:Prettier Tool, Old Exploit by Cato · · Score: 1

      You could also look at LastPass - http://lastpass.com/ - which works very well across Windows/Mac/Linux, Firefox, Chrome, Safari, etc, and on many mobile phones as well. Quite well designed and mature, and can be used offline though it's a browser addon, and syncs your password data to/from the cloud automatically, but also supports export to various formats if the cloud goes away. Now has a feature to manage non-browser passwords as well.

    33. Re:Prettier Tool, Old Exploit by BrettJB · · Score: 0, Offtopic

      Wow, you must be a real hit at parties...

      Lighten up, Francis.

      --
      Smell that? You smell that? Burning karma, son. Nothing in the world smells like that...
    34. Re:Prettier Tool, Old Exploit by bheerssen · · Score: 1

      12345? That's amazing! I've got the same combination on my luggage...

      --
      (Score: -1, Stupid)
    35. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Ideally, it would be nice if cellphones would have the ability to be plugged into the computer and authenticate on the phone itself. This way, a keylogger couldn't get the master passwords, and the user has the option, ZTIC style, to be prompted on the phone to allow or deny passwords being read from the phone. For example, if someone is wanting to log onto slashdot, the phone will prompt them that the Web browser wants to access the password, and to allow or deny the request.

      Of course, malware can easily MITM and grab the password anyway, but another advantage of storing passwords on a phone is that one can carry around the list and use it on multiple machines.

      I just wish more Web browsers had the option to encrypt their password stores like Firefox does. This at least puts a barrier there, so if someone hops on an unattended, but logged on PC, they won't be able to access the FF passwords (assuming FF isn't logged in at the same time either.)

    36. Re:Prettier Tool, Old Exploit by macshome · · Score: 1

      Apple offers the Keychain APIs for secure storage of identity items as well.

      Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

    37. Re:Prettier Tool, Old Exploit by Sulphur · · Score: 1

      Thank you for pressing the self destruct button.

    38. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      http://www.nirsoft.net/password_recovery_tools.html

      cached password viewer for Firefox, IE, Chrome etc. I think they have one for Opera too! oh, and they are all freeware!

    39. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Too bad stupid fucking chair throwing shit keeps getting sent up to +5 Funny.

    40. Re:Prettier Tool, Old Exploit by PincushionMan · · Score: 1

      All I see is hunter2

    41. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Just go to LastPass, and let it do all that--I encourage all "my" users to use it, as it makes it EASY to use a different (fairly random) password for all their web based applications. Or you can let them all keep using "123456" or "prezidintscr00b" on everything....

    42. Re:Prettier Tool, Old Exploit by ShadowRangerRIT · · Score: 1

      Eh. Defaulting to a more usable but less secure state is standard practice for anyone that wants to sell software to consumers. If you care about it, it's trivial to fix:
      • Tools->Options->Privacy->Select "Use custom settings for history"->Uncheck "Remember Search and Form History"
      • Tools->Options->Security->Uncheck "Remember passwords for sites"

      My girlfriend does it first thing after installing Firefox on every machine she's ever owned (and she's not particularly computer savvy; she's a science nerd, not a computer geek). Of course, she makes up for the added security of not saving those fields by using the same password everywhere, so it's not exactly an improvement.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    43. Re:Prettier Tool, Old Exploit by JustOK · · Score: 1

      Mr. Ballmer?

      --
      rewriting history since 2109
    44. Re:Prettier Tool, Old Exploit by JustOK · · Score: 1

      You keep going on and on about people going on and on about something. That's funny.

      --
      rewriting history since 2109
    45. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Actually, it's better than that - there's a system API to get at stored passwords. That's how Firefox gets at them (okay, I cheated, I got the link by reading the Firefox source). Oh, yeah - Firefox is a perfectly functioning IE password reader too :D

    46. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      The same "hack" could be done easily for tools such as Filezilla...

    47. Re:Prettier Tool, Old Exploit by wkcole · · Score: 1

      Apple offers the Keychain APIs for secure storage of identity items as well. Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

      And we all know that with the excellent security synergy between users and application developers, the result of having freely tweakable security settings that default to moderate strength inevitably tends towards most users finding their own optimal balance of security and convenience that never leaves anyone at significant risk.

      What, you haven't noticed that? I'm SHOCKED!

      Snark aside: YES, Apple provides a strong toolkit and default behaviors (in Safari and elsewhere) that set a reasonably secure norm for MacOS apps. However, it is important to keep in mind that legitimate users are ultimately the weak point in any security model that involves them. Apple has done well with the MacOS Keychain and securityd, but in a reality-based context, "doing well" means that they have chosen a default compromise between convenience and security that is neither trivially weak (the MS problem) or strong enough that most users effectively switch it off (the Mozilla problem.) Any generally tolerable password/identity/authentication management system that addresses the multiple-password problem is a security compromise per se. The real trick is not making it tweakable, but making it discourage/resist user and developer tweaking that turns "compromise" into "gaping open hole." One can make the Keychain and securityd a gaping open hole or an infuriating nuisance, but it isn't particularly easy to do either.

    48. Re:Prettier Tool, Old Exploit by Anonymous Coward · · Score: 0

      Actually, if you have physical access to OSX (as this tool requires for access to Windows), I can do a LOT more damage in a few minutes than this tool can. By simply booting the Mac into single-user mode, I can gain root, add users, change system settings, install rootkits, and pretty much do whatever - including the pinching of your browser history and KeyChain.

      The OSX KeyChain is still just an obfuscated list of usernames and passwords that can be cracked by a tool of this nature. Yes, this particular tool is designed for Windows, but it would be trivial to do this for an Apple product as well.

      A final note: The main users of Windows (in large numbers) are corporates and education, and these systems usually run integrated authentication via the domain - which this tool cannot get access to. I guess you *could* do the same for a Mac (bind to AD), but that relies on Apple not breaking the binding with updates, kerberos issues, and generally flakey support.

    49. Re:Prettier Tool, Old Exploit by shnull · · Score: 1

      dam' refinement of technology ... in meeehehey days, tools wudnt that darn complicated and specific, they just revealed all windows passwords ...

      --
      beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
    50. Re:Prettier Tool, Old Exploit by turnkey-web · · Score: 1

      This is nothing new with Microsoft! People will hack their code at every opportunity and they know it. This gives them an excuse to release an even more secure program year after year! Am I the only one who thinks this? Mobile phone lasts 2 years max... why? because they want you to buy a new one! Windows gets so hacked and unusable within 2 years... again why? so they can bring out a new version.. just about every product on the market is like this because if not they have no repeat business which means no business at all. rant over! good luck in securing your data, I expect this task is impossible. If someone really wants to trawl through your emails sifting through the thousands of spam we all receive they are going to do it no matter how much money or time you invest in trying to secure it.

  2. How is this news exactly by sopssa · · Score: 0, Insightful

    These password recovery tools have been available as long as there have been passwords in use.

    There isn't much you can do about it. They are cached passwords so the applications need to be able to get them back exactly as they were saved (website logins, email logins and so on). You cannot do md5 or other hashing methods on them and since you have the binaries, the encryption/decryption algorithms and keys or the logic is right there available for anyone to disassemble and debug.

  3. Slashvertisment if EVER I saw one. by richy freeway · · Score: 5, Interesting

    None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

    Check out http://www.nirsoft.net/utils/#password_utils for password recovery tools, for free, that have been available for ages.

    1. Re:Slashvertisment if EVER I saw one. by Anonymous Coward · · Score: 0

      None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

      And this was even posted by the almighty Taco. Seriously, if /. is ever going to catch up to the other news aggregators out there they need to drop the decade old "LOL ANOTHER MS EXPLOTZ0RZOMGLOL!!!" mentality.

    2. Re:Slashvertisment if EVER I saw one. by Xacid · · Score: 1

      Or even Cain

    3. Re:Slashvertisment if EVER I saw one. by Samhain · · Score: 0

      The tools you link to are run locally on the computer.

      This exploit reveals your passwords to a website that you visit (although I have not RTFA), which is a bit different.

      So really your point is irrelevant.

    4. Re:Slashvertisment if EVER I saw one. by Anonymous Coward · · Score: 0

      The Slashdot you're talking about died a long time ago.

      Just recently KDE 4.0beta1 got an article while KDE 4.0beta2 was already out for days.

      That was impossible on the Slashdot you remember. Today Slashdot is the FOX News of bullshit and that is all that is left to it.

    5. Re:Slashvertisment if EVER I saw one. by richy freeway · · Score: 1

      And you run this tool from the article where? On your cellphone?

      My point is valid and still stands. The tools I linked to are EXACTLY the same.

    6. Re:Slashvertisment if EVER I saw one. by Anonymous Coward · · Score: 0

      Then maybe you ought to RTFA. This exploit has nothing to do with revealing passwords to websites that you visit. It's just a piece of software that you run on your PC to recover passwords.

    7. Re:Slashvertisment if EVER I saw one. by ehrichweiss · · Score: 1

      You definitely didn't RTFA, or understand the summary. It's a locally run program that reveals passwords for the sites you visit to the person who runs the program.

      --
      0x09F911029D74E35BD84156C5635688C0
    8. Re:Slashvertisment if EVER I saw one. by olderchurch · · Score: 1

      Nowhere in TFA it says anything about an exploit that reveals your password to a website you visit. It mentions that it reveals passwords that are cached. From the FTA:

      The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

      --
      Disclaimer: This opinion was created without the use of any facts
    9. Re:Slashvertisment if EVER I saw one. by Anonymous Coward · · Score: 0

      LOL.

      Nothing is funnier than being "corrected" by an ignorant person who doesn't have a clue what they are talking about.

    10. Re:Slashvertisment if EVER I saw one. by richy freeway · · Score: 1

      Explain to me what you think TFA is on about then. From what I've seen so far, you've missed the point completely. What do you think cached passwords are?

    11. Re:Slashvertisment if EVER I saw one. by Stunning Tard · · Score: 1

      This exploit reveals your passwords to a website that you visit (although I have not RTFA), which is a bit different.

      The slashvertized tool does not send passwords to a website. It reveals passwords to you when you run the tool locally. This is not news.

      At the risk of putting this company out of business here's a 'cracker' for passwords stored by most browsers.

    12. Re:Slashvertisment if EVER I saw one. by ZyBex · · Score: 1

      The OP is actually agreeing with you, dude. Read again.

      I agree, this is nothing new. Nirsoft tools are great, I've been using them for ages. Time to make a donation.

  4. New? I don't think so. by jack2000 · · Score: 2, Funny

    This isn't new by any foxnews stretch of the word.

    1. Re:New? I don't think so. by Anonymous Coward · · Score: 0

      You must be new here.

      [Pun intended, or not.]

  5. vs OS X keychain? by AHuxley · · Score: 1

    How safe is OS X and its keychain tech?
    Is it also $49 safe? Thanks

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:vs OS X keychain? by Anonymous Coward · · Score: 0

      It's essentially the same technology as any browser uses. The only question is whether you always require a passphrase to unlock your keychain or not. If you do, then the key to your keychain isn't being stored in plaintext; if you don't, then it is.

    2. Re:vs OS X keychain? by Anonymous Coward · · Score: 0

      My understanding is that the OS X keychain uses your login credentials (or some other password you must enter separately) as the encryption key, so the key is NOT stored on your hard drive for a tool such as this to read. So in that respect, it is more secure.

    3. Re:vs OS X keychain? by kybred · · Score: 1
      From Wikipedia Apple Keychain

      The default keychain file is the login keychain, typically opened on login by the user's login password (although the password for this keychain can instead be different from a user’s login password, adding security at the expense of some convenience).

      ...

      The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the password is encrypted and it is encrypted with Triple DES.

  6. Title is Inaccurate by Cytlid · · Score: 4, Informative

    It should read "New Tool Reveals Windows Passwords".

    --
    FLR
    1. Re:Title is Inaccurate by AHuxley · · Score: 1

      Yes it seems if you use Linux or Mac, your MS web mail should be safe.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Title is Inaccurate by dyingtolive · · Score: 1

      Oh god, I'm so relieved. For a moment I was afraid someone got the password to the internet!

      Actually, to be honest, when I first saw the headline, I thought to myself, "When asked to stop revealing people's passwords, the tool put his oakleys on, popped his collar, and then said 'Nah, bro,' before walking away."

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
  7. Bah... by PmanAce · · Score: 1

    I am invincible, I use Chrome...

    --
    Tired of my customary (Score:1)
    1. Re:Bah... by wkeri11a · · Score: 1

      LOL..nice but your comment makes a good point - this little article mentions only IE. Does that mean browsers like Firefox (my choice), Chrome, Safari are immune? All of them have remember my password functionality but somehow do it better/different? I assume this since no one so far has written, "Sweet Jesus we're DOOMED!", that IE is the only exploited platform with this software?

    2. Re:Bah... by Spad · · Score: 1

      No. Your saved browser passwords are only secure if the browser provides (properly implemented) password protection for the saved passwords.

      i.e. The passwords are encrypted with a key, which is encrypted with a password that the browser requires you to enter before it will allow access to your saved passwords.

  8. Heh by Pojut · · Score: 5, Interesting

    This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

    This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

    Ah, memories...

    1. Re:Heh by Anonymous Coward · · Score: 2, Funny

      wtf? I almost have the exact same story...

    2. Re:Heh by ninja59 · · Score: 1

      right, your Angelfire web site in the middle of the night. (a light fappish sound in background)

    3. Re:Heh by 6Yankee · · Score: 1

      My mother went for the low-tech solution to keeping my brother and I off the internet when she wasn't around - taking the power cord to the PC with her.

      Suffice to say, they don't call them kettle cords for nothing ;)

    4. Re:Heh by hellop2 · · Score: 1

      You mean Snadboy's Revelation http://www.snadboy.com/

      --
      How many more years will slashdot have an off-by-one error on your Score in your profile?
    5. Re:Heh by PacketShaper · · Score: 1

      A pubescent youth gets the keys to the internet and he spends his time late at night....working on an Angelfire webpage?

      What kind of mutant alien monster are you??

    6. Re:Heh by Pojut · · Score: 2, Informative

      The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

    7. Re:Heh by Pojut · · Score: 1

      It's been a long time, but I'm 99.9% sure that was it!

    8. Re:Heh by Thuktun · · Score: 1

      This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

      In that version of Windows, a password edit control just had a password style set on it and you could effectively disable that with some simple Windows API calls. Worse, you could just WM_GETTEXT and get the password out in plaintext without changing the style.

    9. Re:Heh by glwtta · · Score: 1

      working on my Angelfire web page

      That's an odd way to misspell "masturbating furiously".

      --
      sic transit gloria mundi
    10. Re:Heh by Bing+Tsher+E · · Score: 1

      Years ago I once lost the password for my dial-up internet, and it was easier to make a 'modem tap' to recover it than it was to dig into the binaries and extract the encrypted password from the dialup networking glop I used back then. I just soldered on a third 'listen only' tap connector on my modem cable and intercepted the password as it was sent out to the modem.

    11. Re:Heh by b4dc0d3r · · Score: 1

      It's specific to versioned windows, you have to update the address of USER32.ValidateHwnd, and it probably does not work with ASLR type protection. But it worked with XP.
      <code>

      #include "stdafx.h"

      int ReadOtherProcess (HWND hwnd, void *address, void *buf, unsigned len)
      {
          unsigned long pid;
          HANDLE process;

          GetWindowThreadProcessId ( hwnd, &pid );
          process = OpenProcess (PROCESS_VM_OPERATION|PROCESS_VM_READ|
                                 PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, pid);

          DWORD dwread;

          ReadProcessMemory ( process, address, buf, len, &dwread);

          CloseHandle(process);

          return dwread;
      }

      int WriteOtherProcess (HWND hwnd, void *address, void *buf, unsigned len)
      {
          unsigned long pid;
          HANDLE process;

          GetWindowThreadProcessId ( hwnd, &pid );
          process = OpenProcess (PROCESS_VM_OPERATION|PROCESS_VM_READ|
                                 PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, pid);

          DWORD dwread;

          WriteProcessMemory ( process, address, buf, len, &dwread);

          CloseHandle(process);

          return dwread;
      }

      FARPROC GetValidateHwnd(void)
      {
          // Since ValidateHwnd() is not an export, we have to hard-code some stuff here
          static FARPROC ret = NULL;

          if (ret == NULL)
          {
              HMODULE user32 = GetModuleHandle("user32.dll");
              if (user32)
              {
                  // TranslateMessageEx and DefWindowProcA are on either side of ValidateHwnd()
                  FARPROC tmex = GetProcAddress (user32, "TranslateMessageEx");
                  FARPROC dwpa = GetProcAddress (user32, "DefWindowProcA");

                  // W2k SP4 ver 5.0.2195.7017 // (380,688 bytes)
                  if (tmex == (FARPROC) 0x77E14000 && dwpa == (FARPROC) 0x77E14754)
                      ret = (FARPROC) 0x77E14301;
              }
          }

          if (ret == NULL)
          {
              // TODO: crib the address from other procs (see XREF for calls from ProcName+4)
              // most proces which take HWND as first param use a mov ECX and call ValidateHwnd
              // mov ECX will always be the same opcodes, call will be E8 + offset to ValidateHwnd
              // GetProcAddress, make sure *ADDR = 0x04244c8b, next byte is E8,
              // and add the next offset to ADDR
              /*
              .text:77E14754 public DefWindowProcA
              .text:77E14754 mov ecx, [esp+hWnd]
              .text:77E14758 call ValidateHwnd

              .text:77E15ABC ; BOOL __stdcall UpdateWindow(HWND hWnd)
              .text:77E15ABC mov ecx, [esp+hWnd]
              .text:77E15AC0 call ValidateHwnd

              .text:77E15B7A ; BOOL __stdcall GetClientRect(HWND hWnd,LPRECT lpRect)
              .text:77E15B7A mov

  9. The new tool by Anonymous Coward · · Score: 0

    grep

  10. Sigh. by Spyware23 · · Score: 5, Interesting

    This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (ie. hackers), not "news" websites which place more product placement than news.

    Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

    1. Re:Sigh. by Hijacked+Public · · Score: 1

      Tip: A large number of stories on Slashdot are product placement. It has been this way since, to my recollection, the series of stories on They Might be Giants. It was probably going on before that and I just didn't recognize. Those seemed like the first slashvertisements that made no real effort to disguise themselves.

      Slashdot is good for its user submitted content. There are still some really good, really informative discussions going on involving people who really know the subjects, that can't be found anywhere else. If slashvertising like this is necessary to subsidize those discussions I think it is worth the trouble.

      --
      "Sacrifice for the good of The State" - The State
    2. Re:Sigh. by Anonymous Coward · · Score: 0

      Posted by CmdrTaco on Thursday July 01, @09:18AM
      from the change-early-change-often dept.

      If it was any other editor, you would be calling them out by name. Why does CmdrTaco get a free pass?

    3. Re:Sigh. by Anonymous Coward · · Score: 0

      It's not so much news as it is a reminder of how easy it is even for "non-hackers" to get these types of tools and how accessible they are to anyone with basic computer skills. Bottom line - clear cache often, use encryption and don't be an idiot! :)

    4. Re:Sigh. by The+Car · · Score: 1

      Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

      In their defense, the core logic is written in C#.

    5. Re:Sigh. by interval1066 · · Score: 1

      Yeah, this really isn't anything new or newsworthy; that some Russian web site is charging $50 to give you already existing tools in a nice package; now that's news!

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:Sigh. by hedwards · · Score: 1

      No it's not, what's news is that they then take your credit information and completely empty the bank accounts associated with it.

    7. Re:Sigh. by hadesan · · Score: 1

      It's a CmdrTaco post - did you expect anything less (or actually more)?

  11. Passwords by Rik+Sweeney · · Score: 2, Funny

    And it's for this reason that I write all my passwords down on the back of my hand.

    I've already addressed the problem of them washing off by using permanent marker. And not bathing.

    1. Re:Passwords by Anonymous Coward · · Score: 0

      Ah, but as your epidermis skin cells die and fall off then it will fade and go away, a better option is to get them tattooed on you then the ink is down in the lower layers of the skin, you just have to do it yourself, or kill the tattoo artist so they can never reveal the secrets you have written on your body.

    2. Re:Passwords by robot256 · · Score: 1

      It's okay, because he changes his password every two weeks when the ink fades and writes the new one down on top of it. Right?

  12. Which is this? by tverbeek · · Score: 4, Insightful

    Is this an alert or an advert? ;)

    --
    http://alternatives.rzero.com/
    1. Re:Which is this? by Spad · · Score: 1

      An Adlert?

    2. Re:Which is this? by Anonymous Coward · · Score: 0

      Ask your doctor if Adlert is right for you.

    3. Re:Which is this? by acoustix · · Score: 1

      Ask your doctor if Adlert is right for you.

      Nice. I appreciated that.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
  13. Well, ok by HeckRuler · · Score: 0

    in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail."

    ...But how does this effect me?

    1. Re:Well, ok by gardyloo · · Score: 1

      That would be an interesting question, if you didn't actually mean affect.

    2. Re:Well, ok by prionic6 · · Score: 2, Funny

      I think it effected his post.

  14. Ad = News = "swearing on slashdot" = ? = Profit by ZeroNullVoid · · Score: 0, Offtopic

    A better news than this ad for a tool that has existed in many free forms would be that Woot is owned by Amazon now and their first duty was to sell their ebook reader at a discounted price.

  15. Solve the problem by L4t3r4lu5 · · Score: 1

    Use Keypass

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Solve the problem by L4t3r4lu5 · · Score: 4, Funny

      Further, "CmdrTaco! Look out! kdawson has stolen your password using this tool and is posting inflammatory and poorly researched crap using your account!"

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  16. Re: Interface by TaoPhoenix · · Score: 1

    I wanna see the Skeksi interface!

    The Dark Crystal (1982)
    http://www.imdb.com/title/tt0083791/plotsummary

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  17. Firefox password security by bartwol · · Score: 3, Informative

    Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

    Here are some more details about how Firefox stores passwords.

  18. many old tools do this by zoomshorts · · Score: 0

    Where have you been? Many tools reveal passwords. Wake up!!!

  19. Site seems to be down by __aavqan3009 · · Score: 1

    Site seems to be down

  20. I'm glad they finally figured this out. by hilather · · Score: 4, Funny

    I was beginning to think IE cache was unbreakable...

    1. Re:I'm glad they finally figured this out. by caekys · · Score: 1

      I was beginning to think IE cache was unbreakable...

      How does one break something that is already broken? Naw, just kidding.

  21. Shocked by Zoxed · · Score: 0, Troll

    I am shocked, shocked to find a security flaw in Microsoft Internet Explorer.

  22. Useless by Anonymous Coward · · Score: 0

    Big deal. Sites using SSL (HTTPS) do not cache passwords to begin with on any local FS, just in memory. That leaves this "new" tool to just find passwords from websites that use unencrypted communication anyway which can just as easily be nabbed from line sniffers or the other 200+ tools used to analyze internet cache.

  23. Read this out loud with Russian accent by Anonymous Coward · · Score: 0

    "Moscow based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product designed as tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC."

  24. Old News by Anonymous Coward · · Score: 0

    Cain and Abel has done this for years now...

  25. New Tool Reveals Internet Passwords by burgessms · · Score: 1

    all your password belong to us

  26. Old news by Anonymous Coward · · Score: 0

    This "tool" has been present in the program called SIW (system info for windows) in the tools menu under the name Eureka!. It's been like that for years. Google it, it's free.

    It's not an exploit. The program loads the cached passwords into the text field at runtime and masks them. Extremely stupid, but there are a number of ways to get this info since it's stored in ram.

    I have not read the fucking article. Just read the descriptions.

    I actually use the Eureka! tool all the time to get people's Outlook passwords for work. I do general IT support for a lot of companies, and they often do not know their Outlook passwords for their pop accounts and they want the account setup on another new computer or something.

  27. What is going on? by Anonymous Coward · · Score: 0

    I always assumed MS software uses the credential store for this sort of thing where key management is just punted to syskey. Does anyone know if the issue is just that syskey is operating in the default insecure mode (In which case this would be totally understandable) or are MS browsers and mail clients really not using the MS APIs available to them and storing credentials using an app specific "encryption" or "obfuscation" function leveraging secrets hardcoded in software?

    All password managers have the same problem of how to protect data without generating proper keying materials. The only thing you can do is leverage the logged on users session context or ask for a master key or passphrase which would annoy many users.

  28. PR by internetdarwin · · Score: 1

    This whole thing reads like a press release for a new product: "With a price tag of just $49..." As has already been mentioned, this is not really newsworthy, old tech in a new box.

  29. 75% old news by ILuvRamen · · Score: 0

    There's a password recovery program that works with all versions of Outlook that I've been using for over a year when people forget their password before upgrading to a new computer. I haven't heard about the IE one in the past so maybe that's new but the office exploits aren't at all. By the way, anyone who thinks, "Hmm, that sounds safe" about storing passwords locally on your computer using some cryptic, ambiguous method that your Microsoft software suggests is pretty stupid whether a hack was written to unencrypt them or not.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  30. and it doesnt work with LINUX?!?!?! by Razgorov+Prikazka · · Score: 1



    I am outraged! Why doesn't this work on Linux?
    It's always the same... people think that FOSS is not that important blablabla...

    </tongue-in-cheek>

    --
    rm -rf --no-preserve-root / ...and let /dev/null sort them out...
  31. "Remember my password" is inherently insecure. by efalk · · Score: 1

    Any "remember my password" feature in any app is inherently insecure.

    Whenever I write such a feature, I encrypt the saved password, but I understand that this will only defeat wannabe crackers whose level of sophistication is limited to running strings on cache files. Any cracker worth their salt will reverse-engineer the encryption used by the app.

    It's for this reason that I never enable "remember my password" where important passwords are involved.

  32. No that is incorrect by Sycraft-fu · · Score: 1

    Windows passwords are stored using non-reversible encryption by default. For Vista and 7, they are stored only using the NTLMv2 hash by default, which is extremely secure. For XP passwords under 14 characters it does store the LM hash as well by default, which can generally be cracked with only a little effort as it is not secure.

    What this tool does is reveal saved passwords in programs. That is not hard to do. Any password you save for a remote system must, by definition, be stored using some sort of reversible encryption. Doesn't matter what the software is, you can recover a saved password like that. It can be obfuscated, but not hidden. You can, of course, encrypt the entire password store with a password itself, but if you just have a password saved to auto log in to something with no user intervention, it must be saved using something that the program can reverse.

    So sorry, this isn't some massive Windows flaw, much though you might want it to be.

  33. Depends by Sycraft-fu · · Score: 2, Interesting

    Anything that just stores passwords for automatic login, and doesn't require any user interaction, is not secure from something like this. Reason is if a program, like say Thunderbird, can get your e-mail password to hand off to the server, well then another program can too. It is stored in some easily reversible form. However, if the program itself needs a password to access the password store, then it should be secure provided a good password is used. The reason is that it uses that password to encrypt the other passwords with strong encryption. The only way to get at them is to find out the password that is encrypting them.

    So if you want the convenience of entering no password, which it just remembers your stuff and never asks you, no, sorry, there is no way to make that secure from another program on your system. However if you have lots of passwords and can't remember all of them and just want to remember one, then a program that uses a master password to encrypt the others will keep them secure, if the master is a good password.
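
Added example (not part of any comment in this thread, and not the code of any browser or of the tool discussed): the distinction Spad and Sycraft-fu draw between a saved password whose key sits on disk and one protected by a master password, as a Python sketch. The function names, record layout and PBKDF2 round count are assumptions, and HMAC-SHA256 in counter mode stands in for a real cipher so that the block needs only the standard library.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted AEAD (e.g. AES-GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def save_auto_login(password: str) -> dict:
    """No prompt at login time, so the key must be stored beside the data."""
    key = os.urandom(32)
    return {"key": key, "blob": seal(key, password.encode())}


def save_with_master(password: str, master: str) -> dict:
    """Key is derived from the master password and never written out."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "blob": seal(key, password.encode())}


def open_with_master(record: dict, master: str) -> str:
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), record["salt"], PBKDF2_ROUNDS)
    return unseal(key, record["blob"]).decode()


def readable_from_record_alone(record: dict):
    """What the stored record gives up with no user input."""
    if "key" in record:
        return unseal(record["key"], record["blob"]).decode()
    return None  # nothing to decrypt with: the master password is required


if __name__ == "__main__":
    secret = "example-mail-password"  # constructed sample value
    auto = save_auto_login(secret)
    vault = save_with_master(secret, "a long master passphrase")
    print("auto-login record alone:", readable_from_record_alone(auto))
    print("master-password record alone:", readable_from_record_alone(vault))
    print("with master password:", open_with_master(vault, "a long master passphrase"))
```

The second record is only as strong as the master password: the salt and round count slow offline guessing but do not prevent it.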

  34. Steps to remove your passwords from IE. by Anonymous Coward · · Score: 0

    To remove a stored password or other stored information in Internet Explorer 8:
    From the Tools menu, select Internet Options.
    On the General tab, under "Browsing history", click Delete... .
    Check the item(s) you want to delete: Passwords
    Click Delete.

    If IE8 ever asks you to save a password again, say No.

    Also, don't falsely believe that just because you use Chrome or Firefox that a program cannot be developed to steal your passwords on those browsers as well, always assume they can.

    Also, be aware that if you don't store passwords, keyloggers become your next concern. Consider getting KeyScrambler by Qfx, it encrypts traffic between your keyboard and the application that receives them preventing third party applications from intercepting anything meaningful. I used to use it a long time ago and it worked great, it looks like they support all major browsers and applications now.

    Now that people are releasing browser password crackers, I'm not going to store my passwords in the browser anymore. I have been doing it for awhile now out of sheer laziness and also to protect myself from keyloggers instead of using a keystroke encrypter, but now there's no point in saving passwords like that anymore. I'm going to go back to encrypting my keystrokes and typing my passwords in manually again. I have to admit I'm going to miss the ease of password storage, it made browsing the web convenient for once.

    It is sort of exasperating to keep up with password (in)security we really need something to replace passwords, they don't protect us anymore and haven't for a long time.

    I hope this helped someone.

  35. 1995 wants its news back by ajv · · Score: 1

    Yawn. LSA secrets aren't particularly.

    Why not write stories about those who build things rather than give valuable Slashdot electrons to breaking stuff? Boring.

    --
    Andrew van der Stock
  36. Re: Interface by Anonymous Coward · · Score: 0

    Skeksis interface is Trial by Stone.

  37. A new Tool? by Anonymous Coward · · Score: 0

    A new tool???

    Maybe you should look into NirSoft. (I am not affiliated with NirSoft in any way, just a user)

    http://www.nirsoft.net/password_recovery_tools.html

  38. Oh Microsoft by dogzdik · · Score: 0

    Shonky software meets Universal Cracker.....

    --

    .

    Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.

  39. My wife needs a tool like this. by s_p_oneil · · Score: 1

    My wife needs a tool like this. She can never remember her passwords.