Archive for the 'Passwords' Category



How to get a Hotmail password (VI): Sniffing

When connected to the Internet, all data sent and received is transmitted through some medium, be it a network cable, the air when you are using wireless, or the telephone line when using a modem. This medium is not always protected against eavesdropping, so if the data is transmitted without some kind of protection it can be seen by whoever is listening.

For example, in a typical network, like the one you might have at home or at work, it’s usually really easy to intercept all the communication. In the past, Ethernet LANs usually used hubs, a connector which retransmits the data to all computers attached to the network, so everyone could see all the data just by telling the network card to do so. Nowadays hubs are quite rare and have been replaced by switches, which work in a similar way but transmit the data only to the destination computer, not to all of them. However, software exists which can be used to confuse the switch and make it behave like a hub, making it transmit to everyone.

If using a wireless network it can be even easier to get this data, as it is transmitted through the air, where everyone can read it. By switching a network card to a state called monitor mode, all the signal received from the air can be recorded and analyzed.

We need some protection against this kind of attack, and the best way to get it is to use Secure HTTP, a protocol which encrypts the data sent and received so that only the original server and the client can read it. We can recognise whether we are using this protocol by looking at the URL of the page, which should begin with https:// instead of the usual http://. For example, in Yahoo! Mail you can choose between two modes: Normal and Secure. Always choose Secure, especially if you are connecting from an unknown network, like in an Internet café or from work.

How to get a Hotmail password (V): Passwords stored at ISP

As we explained in the second technique, many people use the same password in different places so, if we can find one of them, it will be easy to try it on other sites.

Passwords stored at the ISP might be easier to find than on other sites, depending on the ISP used. Some of them don’t care too much about security or have employees who can be tricked with social engineering. It’s a shame that people who should be really conscious about security are sometimes the least informed.

A lot of times a single telephone call can be used to retrieve the password. If this doesn’t work and we know some advanced security we can try to find some bugs at the ISP’s site, which sometimes is not as secure as it should be.

For us, as users, it’s quite difficult to defend against this type of attack, as we must trust the ISP and its security. The only thing we can do is try to get information about past security incidents at the ISP, although this can prove difficult, as they don’t usually publish this kind of information. Luckily, ISPs give more importance to security every day, so it’s becoming more difficult to carry out these attacks.

Defeat the hardware keylogger

Just as I finished posting the last article about keyboard logging I found a post explaining how to avoid getting our keys recorded by a hardware keylogger.

This can be done by using the on-screen keyboard facility provided by many operating systems. Windows XP has this integrated and can be easily activated as explained in the Microsoft accessibility site.

  • Point to All Programs.
  • Point to Accessories.
  • Point to Accessibility.
  • Select On–Screen Keyboard

Take care as this only protects from hardware keyloggers and not software ones.

From | ITtoolbox

How to get a Hotmail password (IV): Keyboard logging

Keyboard logging is the name of the technique used to record all keys pressed by the user of a computer so we can know what he has been doing and all the text he has entered. Of course, if he has used that computer to log into his email account he will have entered the password so it will be recorded with the rest of the data.

There are two different types of keyloggers: software-based and hardware-based. The hardware-based ones have to be connected between the keyboard and the computer, so you need physical access to it both to install them and to recover the data. On the other hand, they cannot be detected with software, so they can be hidden quite easily if the keyboard connector is not in plain sight.

Hardware keyboard loggers are not always a malign tool; they can also be used to keep a backup of text written on your computer. For example, Keyghost sells loggers with up to 1 megabyte of memory, where you can save lots of keypresses. If you are a writer or are writing something really important to you, such as your thesis, it might be handy to have one of these in case something happens to your hard disk. Anyway, this should be no substitute for correct and timely backups, but it can be of great help.

The software based ones are simple programs which remain resident in the memory of the computer, monitoring all pressed keys and recording them to a file which can be later retrieved by the attacker. The most sophisticated ones are really stealthy and can even send the collected data by email, so the process is automated.

To protect against keyloggers, the most important measure we can take is not to use critical passwords on computers we don’t own. So, don’t log in to your bank or your email account in an Internet café, at university or from work; only do so from your home machine. If you must do it, then you had better check the connection from the keyboard to the computer to see if there’s some strange gadget attached to it.

To protect against software keyloggers, we can use a classical antivirus or antispyware, but some keyloggers (mainly custom-made ones) are not detected by these utilities, so we can use KL-Detector, a program that checks if any program is recording the keys to a file.

How to get a Hotmail password (III): Social engineering

One of the most used ways of getting information about someone is through social engineering. This is a technique consisting of abusing people’s trust to get the information you want. It usually has to be done in a very subtle way, so that the other person does not notice they are being tricked.

One of the most famous hackers using social engineering was Kevin Mitnick, usually getting all he wanted using only a phone. Phishing is another form of social engineering, where people are sent an email asking for bank account information to “confirm some settings”. People who don’t know very much about security or who are trustful send this information and their money is stolen from the bank.

So, how to get a password with social engineering? If the victim doesn’t know very much about computers, an email sent to them with forged headers, pretending to be from Microsoft or Hotmail administration and asking for their password to confirm their identity, can work very well.

If the victim is more knowledgeable, more subtle attacks have to be used. Sending them malicious software is a commonly used one. This software can retrieve the password from the computer if it’s saved somewhere, or can trick the user into entering the password. For example, there’s one program of this kind which simulates the MSN Messenger login screen but, in reality, sends this information to the attacker’s email.

To protect against this kind of attack we must make sure not to trust anything arriving by email or by instant messaging if it hasn’t been requested previously. Even then, a good antivirus might detect malicious software and protect us from it. Also, don’t ever give your password to anyone, neither by phone nor by email, even if it’s requested by a supposed administrator of the site, as they never need to know it.

How to get a Hotmail password (II): Trying passwords used in other sites

Following the same reasoning as the last post, we can conclude that if people can’t remember long or complicated passwords they also aren’t able to remember more than one password at the same time.

What most people do is use the same password again and again, on different sites or even on their personal computer. So, if you want to get a password from a site where it’s quite difficult to do it, why not try another site which might be easier?

You can try to get the login password, the ISP password or any other one which is saved in the computer. If you have physical access to the computer there are some good ways to get them.

The first one is using ShowPassword. If you find a textbox where there are hidden passwords, which will be replaced with asterisks, these can be easily revealed with this program, only by executing it and moving the cursor over the textbox.

Another program from the same author is Protected Storage Viewer which extracts information from some hidden places in Windows. This can show saved passwords from Outlook, Internet Explorer and MSN Explorer.

We can see that it’s really important to have a good password policy and change it to something different in every place we need to create an account. One policy which can work is having a general password for some non-critical sites (as online forums) and custom passwords where security is more important (as in your bank).

How to get a Hotmail password (I): Trying basic passwords

Most people don’t have the capability to remember good passwords. A good password has, at least, eight characters and contains a mixture of letters in upper and lowercase, numbers and punctuation signs. But it is hard to remember all of this, so usually most of us use a really simple password which can be guessed in a few tries.

Here’s a list of the most common methods people use to choose a password:

  • birthdate
  • favourite sports team
  • name of some relative (girlfriend, son,…)
  • name of the pet
  • favourite movie
  • favourite band

OK, I think you can get the idea. This simple scheme, which is used in a lot of movies to guess someone’s password, works many times in reality, too. Luckily, it’s more difficult nowadays to use this kind of information to guess the password, as most web-based email providers block the account for a predefined time when there have been too many failed attempts to log in (sometimes the account is blocked after three failed attempts).

So, if your password is anything on this list or something similar which can be related to you, you should change it to something more complicated or you risk someone guessing it. No, adding numbers to that simple password doesn’t really add too much to security.
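To check your own password against the advice in this post, here is an added example that is not part of the original post. It applies the rules given above (eight characters, upper and lowercase, numbers, punctuation) and then looks for personal facts hidden behind added numbers or symbols. The facts list and all sample values are constructed, and the three-letter and four-digit thresholds are assumptions.

```python
import re
import string

# Constructed facts about an imaginary user: pet, team, birthdate.
FACTS = ["Rex", "Real Madrid", "12/03/1984"]

CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "punctuation sign": string.punctuation,
}


def weaknesses(password, personal_facts):
    """Return the reasons a password fails the rules described in the post."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append("no " + name)

    # Drop punctuation and case so "Madrid_1984!" is compared as "madrid1984":
    # decoration around a guessable word does not hide the word.
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    for fact in personal_facts:
        # Words of 3+ letters and digit runs of 4+ (for example a year).
        tokens = re.findall(r"[a-z]{3,}|\d{4,}", fact.lower())
        if any(token in normalized for token in tokens):
            problems.append("based on personal fact: " + fact)
    return problems
```

`weaknesses("Madrid1984!", FACTS)` passes every composition rule and is still flagged twice, which is the point of the last sentence above.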

How to get a Hotmail password (or any other web based email)

In most hacking forums, one of the most asked questions is how to get a Hotmail password. I said Hotmail but, in fact, almost all web-based e-mail providers work in a very similar way. Almost always, the answer from more knowledgeable people is: “You can’t do that. Don’t ask again!!”, sometimes accompanied by some rude words. It’s the natural reaction to having to read the same question again and again.

But well, the real answer is not “you can’t do that”. It would be more like: “maybe, if you are intelligent and have a bit of luck, you could get the password”. So yes, there are multiple ways to get the Hotmail password of someone but they are not usually easy, you need a bit of luck and knowledge and they are always illegal. Keep in mind that there is no automated program where you write the email and it returns you the password. If you find something like this it’s surely a fake.

Anyway, I’m going to give you all these methods. No, I’m not crazy, I only want you to be conscious of them, so you don’t fall for the kind of tricks used by some people to steal passwords from you.

I’ll give a list with ten different ways to do it and I’m going to explain each one of them in successive posts.

From | NNLNews.




