Sunday, October 16, 2005

Tips for avoiding 'smash and grab'

The Victorians dubbed it "smash and grab" - a thief strolls into a jewelry store, breaks a display case with a hammer, grabs what he can and runs like heck. No class in comparison to bypassing an alarm system in the dark of night - but highly effective.

Much the same technique can be applied to any computer to which others have physical access. Walk away from your PC for lunch, and a moderately savvy podmate can strip-search your hard drive. In fact, he might even set it up for further exploits.

For our last two columns, we explored the classy approach to hacking with what I call commercial hackware - increasingly popular, user-friendly tools, including boot disks that break system passwords, and programs and hardware that steal your keystrokes. Today we're going to look at some of the quick and dirty stuff the bad guys use when they do get access - and what you can do about it.

Passwords are a key target of opportunity, since many kinds of personal financial data are accessed from PCs. Not only Web bank accounts or credit card accounts are of interest; investments, 401(k) retirement funds, even air mileage programs can be easily compromised and turned into cash. A hacker also can capture the passwords of your e-mail accounts or instant messaging.

The vulnerability is a function of Microsoft, Web site operators and lazy users. In Windows, Microsoft builds in an "autocomplete" utility that, among other things, remembers account names and passwords. Type in one or two letters of the account name and Windows obligingly fills out the rest. Some Web sites plant files called cookies on your computer that accomplish much the same thing. Thus, if a hacker knows your name and manages to get physical access to your computer, he can gain access to many of your accounts, since most of us use our last names for account names.

But wait, you say: Windows hides passwords (or, as the pros say, "suppresses" passwords) by overtyping them with asterisks - and a hacker exposes himself to arrest if he spends a lot of time in front of my computer. Thanks to password suppression, he can't write down the passwords and use them from another computer. Not the greatest security, but not too shabby.

Sorry, Charlie, that doesn't cut it. There are several easy-to-use utilities, one of which we will call "Utility X," that display suppressed passwords. I'd love to give you the name of the company that sells it, but my editor is nervous about handing out burglary tools. Worldly me, on the other hand, is rarely shocked by this sort of thing. But I did find it unsettling that a company is giving away this particular tool to promote a line of hacking tools it sells for cracking password security in such programs as Microsoft Word, personal finance and accounting systems, and even good old Winzip. Besides compressing files, Winzip is relied on for locking up files users don't want others to see.

The so-called Utility X has other nifty uses, too. If you check your e-mail program, you'll note that it, too, contains a suppressed password, the one for your remote mail server. The hacker can access your e-mail from any location, in a way that leaves no trace that the mail has been read - and even send mail in your name. (Along these same lines, I also tested a Utility Y, which recovers the stored passwords for instant messaging programs. I'll leave its potential to your imagination.)

So what do we do? You have to assume that any password that's stored on your computer can be read. And unless you can physically lock up your computer, you should not save passwords. You can deal with the worst offenders from inside Internet Explorer:

Go to Tools, Internet Options and select the "Content" tab (interestingly enough, not the "Security" tab). Hit the "Autocomplete" button. Up pops a screen with some options. Uncheck "User Names and Passwords," then hit the "Clear User Names and Passwords" button. You can also remove personal data and Web site trails by unchecking the other boxes and clearing those settings, too.

Sometimes individual applications, such as mail programs, store passwords internally. In most cases you can disable this feature and log in manually every time you use the program - though it's not practical if you're accustomed to checking your e-mail every five minutes. Your call.

Passwords to certain network resources are stored with user account data. Go to the Control Panel, select "User Accounts," then select yours. Under "Related Tasks," select "Manage My Network Passwords." You'll get a dialogue box: Delete any sites that would present a problem if compromised.
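The same checks can be scripted for anyone who looks after more than one PC. The following is an added example, not part of the original column: a read-only PowerShell audit of the AutoComplete settings and stored network passwords described above. The registry value names and the use of `cmdkey.exe` are assumptions about how Internet Explorer and current Windows versions expose these settings; neither appears in the column, and the `cmdkey` parsing assumes English-language output.

```powershell
# Added example: read-only audit of the settings the column changes by hand.
# Assumption: Internet Explorer keeps its AutoComplete options as "yes"/"no"
# strings under this per-user key; the value names are not from the column.
$IeMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Checks = [ordered]@{
    'FormSuggest Passwords' = 'AutoComplete: user names and passwords on forms'
    'FormSuggest PW Ask'    = 'Prompt to save passwords'
    'Use FormSuggest'       = 'AutoComplete: other form data'
}

function Get-AutoCompleteAudit {
    param([string]$Path = $IeMain)
    foreach ($name in $Checks.Keys) {
        $data = $null
        if (Test-Path $Path) {
            # A missing value returns nothing; the error is suppressed on purpose.
            $data = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $data)    { $status = 'NOT SET (browser default applies)' }
        elseif ($data -eq 'no') { $status = 'OK (disabled)' }
        else                    { $status = 'REVIEW (enabled)' }
        [pscustomobject]@{
            Setting = $Checks[$name]
            Value   = $name
            Data    = $data
            Status  = $status
        }
    }
}

function Get-StoredNetworkTarget {
    # Assumption: cmdkey.exe lists the same stored credentials that the
    # "Manage My Network Passwords" dialog manages. Only target names are
    # printed; cmdkey never shows the passwords themselves.
    $lines = & cmdkey.exe /list 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }
}

Get-AutoCompleteAudit | Format-Table -AutoSize
$targets = @(Get-StoredNetworkTarget)
if ($targets.Count -eq 0) { 'No stored network passwords found.' }
else { 'Stored network passwords to review:'; $targets }
```

The script changes nothing; any row marked REVIEW or any listed target is a prompt to go back through the dialogs above and clear it.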

Some Web sites store access permissions by placing a "cookie" on your computer, a little file that identifies you when you access the site. High-security sites (think banking) usually know better, but you'll run into this system with magazines and newspapers that are collecting information about registered users. The key here: Use a low-security password for a low-security site. And if for some reason your bank offers to save your password, say no.