Re: Hackers please help

From: Dossy (dossy@panoptic.com)
Date: Sun Feb 23 2003 - 21:34:48 MST


    On 2003.02.23, gts <gts_2000@yahoo.com> wrote:
    > > the only challenge is getting your password. It probably wasn't
    > > longer than 8 characters, was it?
    >
    > I know better than to answer a question like that online. ;-) The password
    > in question is still "out there," though I have changed my email
    > addresses/usernames/passwords on the sites that concern me most.

    This means it's probably shorter than 8 characters, which could be
    reasonable to hack by brute-force. If it were longer, you'd probably
    respond "of course it's much longer than 8 characters -- you wouldn't
    bother trying to brute-force it, would you?" :-)

    > > > My PC is generally not physically accessible to anyone other than
    > > > myself.
    > >
    > > What do you mean by "generally"? How often is your PC physically
    > > accessible to someone else? Once a week? Once a month?
    >
    > Basically, never. I can't think of a time that anyone had access to
    > this computer without my close supervision, which is not to say it's
    > never happened.

    Even under close supervision, if someone else was using your computer
    and went to a malicious site that'd drop a quiet in-the-background
    installer of a keylogger, do you think you'd be able to (1) know enough
    to spot it happening, (2) be quick enough to catch it happening?

    > > Occam's Razor would say your little conspiracy theory is a bit
    > > unlikely.
    >
    > If you knew more about my life and the placement of my computer then I
    > think you'd find my remote keylogging theory to be the best explanation.

    If I knew more about your life, would I be able to guess your password?

    > > > I am running Windows XP Home Edition. Until a couple of weeks ago I was
    > > > connected 24/7 via DSL, but in the last few weeks I have been using
    > > > dialup only.
    > >
    > > h0 h0 h0! Windows XP 0wned Edition connected 24/7 by DSL. I bet you
    > > probably didn't keep up with the latest security patches as they
    > > immediately came out, did you?
    >
    > Actually I do. I'm set up to automatically download and install every patch.

    I'm too paranoid to do that -- I'm still waiting for someone to 0wn
    Microsoft Windows Update and widely distribute a backdoor/trojan from
    Microsoft's own servers.

    > > Did you know enough to rename your owner account? And put a password on
    > > it?
    >
    > I've had several different user accounts on my own PC over several different
    > installations, each one a renamed admin account. One of them used the same
    > password as that used on the hacked site. Stealth software capable of
    > recovering that owner password would have helped the hacker.

    Did you disable the Guest account? If not, remotely someone could have
    grabbed the appropriate file on your drive that contains the passwords,
    and as you mention, go through the process of password-recovery of it.

    > > Anyone running Windows XP (Home or Pro, but /especially/ XP Home) should
    > > at least glance over this web page at least three times:
    > >
    > > http://www.blackviper.com/WinXP/supertweaks.htm
    > >
    > > Specifically, number 12 which I'll quote here:
    >
    > Very interesting (and another thing to be alarmed about).
    >
    > However I don't believe I've ever used the default owner/admin account
    > without first renaming it.

    Of course, this is only useful to do if you've also disabled the guest
    account as well.

    > > If I were a betting person, I'd bet you a nickel that you got socially
    > > engineered or shoulder surfed, and not keylogged.
    >
    > Yes, social engineering is quite possible, as is shoulder surfing, though
    > I'm usually extremely careful about the latter.

    I'm betting that the password was not a random sequence of letters and
    numbers, and was probably a mnemonic of some sort, which is conceivably
    guessable given enough knowledge about you and the kind of thing you may
    choose as a password. A few very pointed (but still benign) questions
    might be enough to reveal it.

    > In case I haven't made it clear, my focus on anti-keylogging is due in
    > part to the fact that I have another password, one which I use for
    > high security purposes (e.g., encryption of data files). I'm most
    > concerned about that password, and it's not one that would normally be
    > accessible via such things as social engineering and shoulder surfing.
    > Probably only a keylogger could capture it, because I use it only
    > rarely, (never on websites), and because I am in general very careful
    > about its use.

    You sound like a person who thinks they have something worth hiding.
    What could you possibly be protecting that's worth losing sleep over?
    Schematics for a space-temporal-transport-matter-thing-a-ma-dingy that
    you received from your future self, or something?

    About the most worried I get with regard to passwords is the fact that
    my bank uses my ATM's PIN code as the /same/ password for their online
    banking interface. Can you say "brute force a password less than 8
    characters and is entirely numeric"? I knew you could.

    I'm waiting for people to set up high-powered telescopes aimed at public
    ATM keypads from a distance to surf people's PIN codes as well as a
    glance at their ATM card to get their account number, then see if
    they're signed up for web banking then *slurrrrrrrrrp* run off with
    their money. I cannot believe it hasn't happened yet, especially in
    places like New York City.

    Regardless, whatever it is you're trying to either hide, or protect ...
    sounds like you shouldn't be storing it on a machine that's ever
    connected to a public network. Otherwise, you might as well not be
    protecting it -- locks only keep honest people out -- since you're only
    inconveniencing yourself.

    > Thanks for all your advice.

    Free advice is worth exactly what you paid for it. :-)

    -- Dossy

    -- 
    Dossy Shiobara                       mail: dossy@panoptic.com 
    Panoptic Computer Network             web: http://www.panoptic.com/ 
      "He realized the fastest way to change is to laugh at your own
        folly -- then you can let go and quickly move on." (p. 70)
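
The message's point about passwords shorter than 8 characters and all-numeric PINs can be put in numbers. The following Python audit is an added example, not part of the original post: it infers the character classes a secret uses, counts every candidate up to its length, and flags secrets an exhaustive search would cover too quickly. The guess rate, the one-year threshold, the sample secrets and all function names are assumptions made for the example.

```python
import string

# Character classes an exhaustive search would have to cover.
CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation,
}

ASSUMED_RATE = 1_000_000  # guesses per second; an assumed figure, not from the post


def alphabet_size(secret):
    """Size of the smallest class-based alphabet containing every character."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in secret))
    # Characters outside the four classes (space, non-ASCII) count individually.
    known = "".join(CLASSES.values())
    size += len({c for c in secret if c not in known})
    return size


def search_space(secret):
    """Number of candidates of length 1..len(secret) over that alphabet."""
    n = alphabet_size(secret)
    return sum(n ** k for k in range(1, len(secret) + 1))


def audit(secret, guesses_per_second=ASSUMED_RATE, min_days=365.0):
    """Return (candidates, worst-case days to exhaust, passes threshold?)."""
    space = search_space(secret)
    days = space / guesses_per_second / 86400
    return space, days, days >= min_days


if __name__ == "__main__":
    # Constructed sample secrets: a 4-digit PIN, a 7-character lowercase+digit
    # password, and a longer passphrase.
    for sample in ("4821", "kq7mzt2", "correct horse battery"):
        space, days, ok = audit(sample)
        print(f"{sample!r}: {space:.3e} candidates, "
              f"{days:.3g} days, {'ok' if ok else 'too weak'}")
```

The estimate is an upper bound on effort for a random secret; a mnemonic or otherwise guessable password falls much sooner than its raw search space suggests.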
    


    This archive was generated by hypermail 2.1.5 : Sun Feb 23 2003 - 21:37:43 MST