140 comments

Prettier Tool, Old Exploit (5, Insightful)

eldavojohn (898314) | more than 3 years ago | (#32755930)

This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView [nirsoft.net], Google Chrome Pass [nirsoft.net], Messanger Key for instant messengers [msgshit.com] and even Password Fox [nirsoft.net].

When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client are remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

Re:Prettier Tool, Old Exploit (5, Informative)

ShadowRangerRIT (1301549) | more than 3 years ago | (#32756028)

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.

Re:Prettier Tool, Old Exploit (4, Funny)

stonewallred (1465497) | more than 3 years ago | (#32756082)

WTF!!! How did you find out my master password??!!?!?!

Re:Prettier Tool, Old Exploit (5, Funny)

Cryacin (657549) | more than 3 years ago | (#32756118)

What? That's the same combination as my luggage.

Re:Prettier Tool, Old Exploit (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#32756900)

What? That's the same combination as my luggage.

It's about goddamn time these lame-ass repetitive older than hell jokes are starting to get the Redundant mods they deserve. If this happened more consistently I might even start browsing slashdot above -1.

In summary, screw you Cryacin for posting a repetitive meme that lowers the signal-to-noise ratio. If you want to attention whore, take estrogen pills, grow tits, and flash people with them.

Re:Prettier Tool, Old Exploit (0, Offtopic)

BrettJB (64947) | more than 3 years ago | (#32757328)

Not redundant mods - Cryacin is one of the (apparently few) commenters who got the Spaceballs reference.

I swear, kids these days... no respect for geek traditions and culture... Bah, now get off my lawn! (-- note to the younglings: this is NOT a Gran Torino reference!)

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32757462)

Everyone got it. They just didn't think it was funny the billionth time around.

Re:Prettier Tool, Old Exploit (5, Interesting)

ShadowRangerRIT (1301549) | more than 3 years ago | (#32757810)

Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

Re:Prettier Tool, Old Exploit (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#32758164)

Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia

It did get a chuckle or a brief moment of pleasant nostalgia... when posted the first several thousand times to the first several hundred Slashdot stories. Its time has passed. It has now gotten old. It is no longer funny though it once was. Now it's just repetitive noise. Now that it has achieved that status, ANY repetition of it qualifies as "belaboring it". What part of this is so difficult to understand, exactly?

forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish.

Yeah because of people like you who don't understand this concept of "it's gotten old and is now just repetitive noise". The explanations are a possibly misguided attempt to get you to listen to reason, to try convincing you to abandon this strange idea of yours that a joke is immortal and never loses its ability to amuse despite the fact that its intended audience has already seen it literally thousands of times and furthermore, is able to predict which stories it will be posted in. Damned right that all traces of humor vanish when you do things this way.

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32757742)

Funny, she doesn't look Druish.

Re:Prettier Tool, Old Exploit (2, Funny)

Voulnet (1630793) | more than 3 years ago | (#32756126)

Damn, I didn't know Kevin Mitnick started posting on Slashdot after his interview here.

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32756546)

Your password is ******?
Slashdot hides your passwords, everybody else sees it as ******, or your password really is ****** ?

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32756196)

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

Re:Prettier Tool, Old Exploit (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32756322)

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

Is that supposed to be PRAISING that boneheaded scheme?

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32756826)

Firefox's scheme only protects your passwords from malicious software if you never use them. Remind me again how it's better than the Windows scheme.

Re:Prettier Tool, Old Exploit (3, Interesting)

ShadowRangerRIT (1301549) | more than 3 years ago | (#32757432)

Well, the Windows scheme only protects your password from malicious software if you never log in at all; once you're logged in any program can pull the passwords, even if you never load the browser. Firefox can only give up master password protected passwords if you launch the browser and provide the master password. And an extension exists to configure the Firefox password manager to "forget" the master password (which is never actually stored, but you know what I mean) after a few minutes, limiting the window of vulnerability further.

Beyond that, if you've got truly malicious software actively running on your computer at all times (not just some website that gets brief read access through an exploit), you're hosed no matter what. Even if you never use a password manager, they can read the password as you type it into the browser; it might take more time than decrypting a password store and forwarding the data in bulk, but it's just as effective over the long haul. It's a trade off between window of vulnerability, scale of breach, and hassle. No manager at all is a hassle (to remember all usernames and passwords), but it's the most secure, since you can only lose one password at a time, with narrow windows of vulnerability. Password managers mean the scale of breach potential increases (you can lose them all at once). Firefox with a master password narrows the window of vulnerability relative to IE, and the extension that re-locks the store narrows it further, at the cost of needing to remember and type the password store password.

I consider it a reasonable trade-off, given that I'm not going to remember the user name and password for every site I visit. Even if I wanted to use the same one everywhere (and I don't, because then one site breach means I lose everything), differing username and password requirements make that impossible, and frankly, my memory isn't good enough to track login info for fifty odd websites, including a dozen I visit only once or twice a year.

Re:Prettier Tool, Old Exploit (1)

hedwards (940851) | more than 3 years ago | (#32757928)

Yes, but it would be nice if they didn't default to saving form information and asking you if you want to save password on every single site.

Re:Prettier Tool, Old Exploit (1)

Cato (8296) | more than 3 years ago | (#32758182)

You could also look at LastPass - http://lastpass.com/ [lastpass.com] - which works very well across Windows/Mac/Linux, Firefox, Chrome, Safari, etc, and on many mobile phones as well. Quite well designed and mature, and can be used offline though it's a browser addon, and syncs your password data to/from the cloud automatically, but also supports export to various formats if the cloud goes away. Now has a feature to manage non-browser passwords as well.

Re:Prettier Tool, Old Exploit (1)

Spad (470073) | more than 3 years ago | (#32756032)

Which is why I like Seamonkey's ability to secure the password store with a password of its own so that you're not simply relying on security through obscurity.

Re:Prettier Tool, Old Exploit (2, Informative)

natehoy (1608657) | more than 3 years ago | (#32757354)

Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The only difference is that in the Microsoft case, you're always logged in. In the Seamonkey/Firefox case, you're only logged in after you've entered the password to access the password store, which is probably "only" 99% of the time you surf the Web, but at least the password store is pretty secure if you're not running your browser at all, or haven't used the password store yet for that session.

Of course, the alternative is to use the password just long enough to perform the requested operation, then forget it. That means, though, that you'd have to ask for the security password every time a site wants to retrieve a password from the store or the user wants to add or update a password in the store. Then people would just remove the password, because that would be a pain. Think Vista/7 UAC popups that each need a password, or sudo/su in Linux, but every time you want to use a stored password in your browser. Most people would tolerate that for about as long as it takes to remove the password.

And, if you don't bother putting a password on it (Firefox leaves the password off by default, and I don't know anyone else who actually uses it), then Firefox is just as vulnerable as the Microsoft exploit.

Yes, the tool is AVAILABLE, but the benefits it offers are somewhat marginal and it's not the default setting.

If you want passwords stored and entered automatically, then the passwords are no longer under your control to enter manually and there's going to be a way for them to be read once you make them conveniently available. By all means, use the password store (and the password that protects it, please!) for things like your Slashdot account, etc. Just for the love of [insert deity of choice] DON'T use it for passwords like your bank account or credit cards.

Re:Prettier Tool, Old Exploit (2, Informative)

AlexiaDeath (1616055) | more than 3 years ago | (#32756040)

msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...

Re:Prettier Tool, Old Exploit (2, Insightful)

Anonymous Coward | more than 3 years ago | (#32756202)

Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

Re:Prettier Tool, Old Exploit (1)

TheSpoom (715771) | more than 3 years ago | (#32756260)

Firefox doesn't even attempt to hide it: Preferences -> Security -> Saved Passwords -> Show Passwords.

Re:Prettier Tool, Old Exploit (2, Informative)

ehrichweiss (706417) | more than 3 years ago | (#32756396)

If you assign a master password that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

Re:Prettier Tool, Old Exploit (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32756354)

Perhaps this needs a rethink on filesystem security?

I'm thinking a desktop OS wherein each application is assigned a directory/folder on installation, and is only able to access its own folder, a per user generic 'documents' folder, and a per user, application specific configuration folder. There'd be some costs to that - developers would have to compile against APIs and libraries rather than importing them in from the system at runtime. This would make individual programs larger and increase maintenance requirements - but at the same time it would mean that a developer would know exactly what version of said resources were in use, and at the same time harden the system against malware. Documents would still be at risk, but applications, passwords and configuration data would be protected from interference.

The system would have to have some very strict driver models and memory management - possibly a valid use for tpm? - but in theory at least it should be workable.

Whether anyone's got the stomach for the attempt is another matter though. :S

Re:Prettier Tool, Old Exploit (1)

TheRaven64 (641858) | more than 3 years ago | (#32756562)

On OS X, the keychain is stored encrypted. When you log in, the keychain daemon runs and, if your keychain password matches your login password, decrypts the store into RAM. Individual passwords can only be accessed by other apps via RPC to this daemon. This RPC uses Mach ports, which allow the process on the other end to be identified. Access to individual passwords must be specifically granted (on a one-off or permanent basis) to apps, although any app can access all passwords that it created. If the app binary changes, you are required to re-grant permission to it.

You don't need a new FS design for this to work, just existing IPC mechanisms.

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32757524)

The encryption is only useful if Eve can gain access to the file wherein the passwords are stored. Unless OS X is a lot less secure than I think it is, this means physical access in all cases. If someone has physical access, it is possible to change operating system binaries, install software or hardware key loggers, and so on and so forth, so it is often said that physical access means all security flies out of the window. But I think encryption can at least save your passwords in the case your laptop gets stolen, as long as you remember to use a strong password and maintain a backup of the file so it cannot be held for ransom or something. On the other hand, if it were really that file that Eve were after, she would probably rather subtly modify your computer and then wait for you to provide her with the information.

Re:Prettier Tool, Old Exploit (1)

Yvanhoe (564877) | more than 3 years ago | (#32757058)

"remember my password" can be secured by a master password. Type it once in a session to be able to login to many website. Honestly, nowadays, with 20+ websites asking silly registrations, it is either that, or use the same login/password everywhere.

Re:Prettier Tool, Old Exploit (0)

Anonymous Coward | more than 3 years ago | (#32757586)

How about recovering remembered Skype password?

How is this news exactly (2, Insightful)

sopssa (1498795) | more than 3 years ago | (#32755932)

These password recovery tools have been available as long as there have been passwords in use.

There isn't much you can do about it. They are cached passwords so the applications need to be able to get them back exactly as they were saved (website logins, email logins and so on). You cannot do md5 or other hashing methods on them and since you have the binaries, the encryption/decryption algorithms and keys or the logic is right there available for anyone to disassemble and debug.

Slashvertisment if EVER I saw one. (5, Interesting)

richy freeway (623503) | more than 3 years ago | (#32755936)

None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

Check out http://www.nirsoft.net/utils/#password_utils [nirsoft.net] for password recovery tools, for free, that have been available for ages.

Re:Slashvertisment if EVER I saw one. (0)

Anonymous Coward | more than 3 years ago | (#32756014)

None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

And this was even posted by the almighty Taco. Seriously, if /. is ever going to catch up to the other news aggregators out there they need to drop the decade old "LOL ANOTHER MS EXPLOTZ0RZOMGLOL!!!" mentality.

Re:Slashvertisment if EVER I saw one. (0)

Samhain (6902) | more than 3 years ago | (#32756204)

The tools you link to are run locally on the computer.

This exploit reveals your passwords to a website that you visit (although I have not RTFA), which is a bit different.

So really your point is irrelevant.

Re:Slashvertisment if EVER I saw one. (1)

richy freeway (623503) | more than 3 years ago | (#32756312)

And you run this tool from the article where? On your cellphone?

My point is valid and still stands. The tools I linked to are EXACTLY the same.

Re:Slashvertisment if EVER I saw one. (0)

Anonymous Coward | more than 3 years ago | (#32756458)

Then maybe you ought to RTFA. This exploit has nothing to do with revealing passwords to websites that you visit. It's just a piece of software that you run on your PC to recover passwords.

Re:Slashvertisment if EVER I saw one. (1)

ehrichweiss (706417) | more than 3 years ago | (#32756552)

You definitely didn't RTFA, or understand the summary. It's a locally run program that reveals passwords for the sites you visit to the person who runs the program.

Re:Slashvertisment if EVER I saw one. (1)

olderchurch (242469) | more than 3 years ago | (#32756566)

Nowhere in TFA does it say anything about an exploit that reveals your password to a website you visit. It mentions that it reveals passwords that are cached. From the FTA:

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

Re:Slashvertisment if EVER I saw one. (1)

richy freeway (623503) | more than 3 years ago | (#32757544)

Explain to me what you think TFA is on about then. From what I've seen so far, you've missed the point completely. What do you think cached passwords are?

Re:Slashvertisment if EVER I saw one. (0)

Anonymous Coward | more than 3 years ago | (#32756640)

LOL.

Nothing is funnier than being "corrected" by an ignorant person who doesn't have a clue what they are talking about.

Re:Slashvertisment if EVER I saw one. (1)

Stunning Tard (653417) | more than 3 years ago | (#32758044)

This exploit reveals your passwords to a website that you visit (although I have not RTFA), which is a bit different.

The slashvertized tool does not send passwords to a website. It reveals passwords to you when you run the tool locally. This is not news.

At the risk of putting this company out of business here's a 'cracker' for passwords stored by most browsers [blogspot.com].

Re:Slashvertisment if EVER I saw one. (0)

Anonymous Coward | more than 3 years ago | (#32756222)

The Slashdot you're talking about died a long time ago.

Just recently KDE 4.0beta1 got an article while KDE 4.0beta2 was already out for days.

That was impossible on the Slashdot you remember. Today Slashdot is the FOX News of bullshit and that is all that is left to it.

New? I don't think so. (2, Funny)

jack2000 (1178961) | more than 3 years ago | (#32755956)

This isn't new by any foxnews stretch of the word.

Re:New? I don't think so. (0)

Anonymous Coward | more than 3 years ago | (#32756054)

You must be new here.

[Pun intended, or not.]

vs OS X keychain? (1)

AHuxley (892839) | more than 3 years ago | (#32755966)

How safe is OS X and its keychain tech?
Is it also $49 safe? Thanks

Re:vs OS X keychain? (0)

Anonymous Coward | more than 3 years ago | (#32756620)

It's essentially the same technology as any browser uses. The only question is whether you always require a passphrase to unlock your keychain or not. If you do, then the key to your keychain isn't being stored in plaintext; if you don't, then it is.

Bah... (1)

PmanAce (1679902) | more than 3 years ago | (#32755970)

I am invincible, I use Chrome...

Re:Bah... (1)

wkeri11a (963528) | more than 3 years ago | (#32756038)

LOL..nice but your comment makes a good point - this little article mentions only IE. Does that mean browsers like Firefox (my choice), Chrome, Safari are immune? All of them have remember my password functionality but somehow do it better/different? I assume this since no one so far has written, "Sweet Jesus we're DOOMED!", that IE is the only exploited platform with this software?

Re:Bah... (1)

Spad (470073) | more than 3 years ago | (#32756120)

No. Your saved browser passwords are only secure if the browser provides (properly implemented) password protection for the saved passwords.

i.e. The passwords are encrypted with a key, which is encrypted with a password that the browser requires you to enter before it will allow access to your saved passwords.
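
The scheme described in the comment above (saved passwords encrypted with a key, which is itself encrypted under a password the user types), shown beside the key-stored-next-to-the-data variant discussed earlier in the thread. This is an added example, not part of the original thread and not any browser's actual format; the HMAC-SHA256 keystream is a standard-library stand-in for a real AEAD cipher such as AES-GCM, and the function names, iteration count and sample logins are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _xor_keystream(_subkey(key, b"enc"), nonce, ct)


def _kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the master password; never stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ITERATIONS)


def create_store(master_password: str, logins: dict) -> dict:
    """Master-password store: the data key is on disk only in wrapped form."""
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(32)
    return {
        "salt": salt,
        "wrapped_key": seal(_kek(master_password, salt), data_key),
        "entries": {s: seal(data_key, p.encode()) for s, p in logins.items()},
    }


def create_store_key_on_disk(logins: dict) -> dict:
    """No master password: the data key sits in the same file as the data."""
    data_key = secrets.token_bytes(32)
    return {
        "data_key": data_key,
        "entries": {s: seal(data_key, p.encode()) for s, p in logins.items()},
    }


def unlock(store: dict, master_password: str) -> bytes:
    """Return the data key, or raise ValueError on a wrong master password."""
    return unseal(_kek(master_password, store["salt"]), store["wrapped_key"])


def read_login(store: dict, data_key: bytes, site: str) -> str:
    return unseal(data_key, store["entries"][site]).decode()


def change_master_password(store: dict, old: str, new: str) -> None:
    """Re-wrap the data key only; the stored entries are not re-encrypted."""
    data_key = unlock(store, old)
    store["salt"] = secrets.token_bytes(16)
    store["wrapped_key"] = seal(_kek(new, store["salt"]), data_key)


if __name__ == "__main__":
    logins = {"example.org": "constructed-sample-pw"}  # constructed data
    protected = create_store("a long master passphrase", logins)
    key = unlock(protected, "a long master passphrase")
    print("with master password:", read_login(protected, key, "example.org"))
    try:
        unlock(protected, "12345")
    except ValueError as err:
        print("wrong master password:", err)
    weak = create_store_key_on_disk(logins)
    # Anything that can read the file can read the entries, no password needed.
    print("key on disk:", read_login(weak, weak["data_key"], "example.org"))
```

Once `unlock` has returned, the data key is in process memory for as long as the caller keeps it, which is the "window of vulnerability" the thread argues about.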

Heh (5, Interesting)

Pojut (1027544) | more than 3 years ago | (#32755978)

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

Ah, memories...

Re:Heh (2, Funny)

Anonymous Coward | more than 3 years ago | (#32756268)

wtf? I almost have the exact same story...

Re:Heh (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32756704)

Only all you did in the middle of the night was downloading the blocky videos on http://japanesebeauties.net

Re:Heh (1)

6Yankee (597075) | more than 3 years ago | (#32756816)

My mother went for the low-tech solution to keeping my brother and I off the internet when she wasn't around - taking the power cord to the PC with her.

Suffice to say, they don't call them kettle cords for nothing ;)

Re:Heh (1)

PacketShaper (917017) | more than 3 years ago | (#32756982)

A pubescent youth gets the keys to the internet and he spends his time late at night....working on an Angelfire webpage?

What kind of mutant alien monster are you??

Re:Heh (2, Informative)

Pojut (1027544) | more than 3 years ago | (#32757012)

The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

Re:Heh (1)

Thuktun (221615) | more than 3 years ago | (#32758108)

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

In that version of Windows, a password edit control just had a password style set on it and you could effectively disable that with some simple Windows API calls. Worse, you could just WM_GETTEXT and get the password out in plaintext without changing the style.

Sigh. (5, Interesting)

Spyware23 (1260322) | more than 3 years ago | (#32756004)

This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (ie. hackers), not "news" websites which place more product placement than news.

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

Re:Sigh. (1)

Hijacked Public (999535) | more than 3 years ago | (#32756438)

Tip: A large number of stories on Slashdot are product placement. It has been this way since, to my recollection, the series of stories on They Might be Giants. It was probably going on before that and I just didn't recognize. Those seemed like the first slashvertisements that made no real effort to disguise themselves.

Slashdot is good for its user submitted content. There are still some really good, really informative discussions going on involving people who really know the subjects, that can't be found anywhere else. If slashvertising like this is necessary to subsidize those discussions I think it is worth the trouble.

Re:Sigh. (0)

Anonymous Coward | more than 3 years ago | (#32756550)

Posted by CmdrTaco on Thursday July 01, @09:18AM
from the change-early-change-often dept.

If it was any other editor, you would be calling them out by name. Why does CmdrTaco get a free pass?

Re:Sigh. (0)

Anonymous Coward | more than 3 years ago | (#32756684)

It's not so much news as it is a reminder of how easy it is even for "non-hackers" to get these types of tools and how accessible they are to anyone with basic computer skills. Bottom line - clear cache often, use encryption and don't be an idiot! :)

Re:Sigh. (1)

The Car (1846356) | more than 3 years ago | (#32756730)

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

In their defense, the core logic is written in C#.

Re:Sigh. (1)

interval1066 (668936) | more than 3 years ago | (#32756952)

Yeah, this really isn't anything new or newsworthy; that some Russian web site is charging $50 to give you already existing tools in a nice package; now that's news!

Re:Sigh. (1)

hedwards (940851) | more than 3 years ago | (#32758020)

No it's not, what's news is that they then take your credit information and completely empty the bank accounts associated with it.

Passwords (2, Funny)

Rik Sweeney (471717) | more than 3 years ago | (#32756058)

And it's for this reason that I write all my passwords down on the back of my hand.

I've already addressed the problem of them washing off by using permanent marker. And not bathing.

Re:Passwords (0)

Anonymous Coward | more than 3 years ago | (#32756470)

Ah, but as your epidermis skin cells die and fall off then it will fade and go away, a better option is to get them tattooed on you then the ink is down in the lower layers of the skin, you just have to do it yourself, or kill the tattoo artist so they can never reveal the secrets you have written on your body.

Re:Passwords (1)

robot256 (1635039) | more than 3 years ago | (#32756634)

It's okay, because he changes his password every two weeks when the ink fades and writes the new one down on top of it. Right?

Well, ok (0)

HeckRuler (1369601) | more than 3 years ago | (#32756172)

in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail."

...But how does this affect me?

Ad = News = "swearing on slashdot" = ? = Profit (0, Offtopic)

ZeroNullVoid (886675) | more than 3 years ago | (#32756264)

A better news than this ad for a tool that has existed in many free forms would be that Woot is owned by Amazon now and their first duty was to sell their ebook reader at a discounted price.

Firefox password security (3, Informative)

bartwol (117819) | more than 3 years ago | (#32756484)

Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

Here are some more details about how Firefox stores passwords. [luxsci.com]

Useless (0)

Anonymous Coward | more than 3 years ago | (#32757110)

Big deal. Sites using SSL (HTTPS) do not cache passwords to begin with on any local FS, just in memory. That leaves this "new" tool to just find passwords from websites that use unencrypted communication anyway which can just as easily be nabbed from line sniffers or the other 200+ tools used to analyze internet cache.

Read this out loud with Russian accent (0)

Anonymous Coward | more than 3 years ago | (#32757188)

"Moscow based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product designed as tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC."

Old News (0)

Anonymous Coward | more than 3 years ago | (#32757310)

Cain and Abel has done this for years now...

Old news (0)

Anonymous Coward | more than 3 years ago | (#32757736)

This "tool" has been present in the program called SIW (system info for windows) in the tools menu under the name Eureka!. It's been like that for years. Google it, it's free.

It's not an exploit. The program loads the cached passwords into the text field at runtime and masks them. Extremely stupid, but there are a number of ways to get this info since it's stored in ram.

I have not read the fucking article. Just read the descriptions.

I actually use the Eureka! tool all the time to get people's Outlook passwords for work. I do general IT support for a lot of companies, and they often do not know their Outlook passwords for their pop accounts and they want the account setup on another new computer or something.

What is going on? (0)

Anonymous Coward | more than 3 years ago | (#32758176)

I always assumed MS software uses the credential store for this sort of thing where key management is just punted to syskey. Does anyone know if the issue is just that syskey is operating in the default insecure mode (In which case this would be totally understandable) or are MS browsers and mail clients really not using the MS APIs available to them and storing credentials using an app specific "encryption" or "obfuscation" function leveraging secrets hardcoded in software?

All password managers have the same problem of how to protect data without generating proper keying materials. The only thing you can do is leverage the logged on users session context or ask for a master key or passphrase which would annoy many users.
