Tuesday, September 16, 2014

How easy is it for someone to hack your Windows password?

So my Dad died last week and I am visiting my Mom for the funeral and she had a printed document he had written out some time ago about where to access all of the financial records and whatnot which, for the most part, he had copies of stored on his computer. He also had everything backed up to an external hard disk which was pretty smart because he failed to tell my Mom (or she forgot) the password to log on to his computer.

So I found myself in one of the rare situations where I had a legitimate reason to hack someone's computer. I was so taken aback by how ridiculously easy it was that I thought I should post about it.

In less than a minute of googling I found myself on this very nice page that laid out all of the options for Windows password "recovery":

http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm

I tried the first tool in the list:

http://sourceforge.net/projects/ophcrack/?source=typ_redirect

So here I went and burned the OphCrack tool to a bootable CD and it turned out my Dad's computer had no optical drive... oops!

A couple more minutes of googling took me to another tool called Rufus:

http://rufus.akeo.ie/

Rufus allowed me to take the OphCrack CD image and burn it to my handy dandy Yoda USB stick. Yoda is now a password hacker.

Power cycle the computer, punch in a couple keystrokes to get to the BIOS to make the computer boot from USB storage, pop in Yoda, reboot and watch the show. OphCrack decoded the hashed password in the Windows registry and showed it to me in under a minute and that minute included time for the Linux image now inside Yoda to boot up. I was all ready with a CD image for a command line password reset tool but I didn't need it because my Dad was not using a complicated password.

Now what if I was not doing this for a legitimate reason? What if I was someone you invited to a party at your house? Or a student you left alone in the classroom with your computer for a few minutes? The possibilities are endless. With Yoda in my pocket and physical access to a computer I can get your password in less than five minutes. This should highlight the need to be very cautious who you allow physical access to your computer. If, like most people, you use the same password for everything then I can steal your identity very easily by simply downloading all of your bookmarks and browser history onto my buddy Yoda.

With Windows 8 it is possible to use a Microsoft account instead of a local account which means your account information is stored in the cloud. Well, Jennifer Lawrence and her boobies can tell you how secure that is! Even with cloud based accounts you need to use two factor authentication to really protect your data.

All is not doom and gloom though if you take sensible precautions to protect your data from Yoda USB up there. Here are some things that everyone with sensitive data on a computer (ok, so that is actually everyone everyone) should do:


  1. Never leave your computer unattended in front of people you do not know well enough to trust to hold your checkbook. If you are planning a party unplug the computer or stow it in the attic until the party is over. Definitely do not pass out drunk with your laptop open...
  2. Use a complex password. If my Dad had set a complex password it would have taken OphCrack hours to figure it out. Complex passwords have no recognizable words in them and contain letters, numbers, and special characters. Here is a good site with a password generator you can use to create these passwords:
    http://www.pctools.com/guides/%20password/
  3. Do not use the same password for multiple password protected websites. If someone were to gain your password because Paypal, Target, Home Depot, Sony Online Entertainment, or Adobe got hacked and they can identify you as that password holder they can easily get into all the other sites you use by trying that same password.
  4. The most important password to protect is your computer logon password. The next most important is your email password. Your email address is used for the username on a lot of password protected sites and if a hacker gets into your email they can change the password to lock you out of it and then proceed to issue password reset requests to get into all the other password protected sites that you use. Under no circumstances use the same password for both email and computer logon. 
  5. Do not write that hard to remember complex password on a sticky note and stick it to your monitor. Treat written down passwords the same as money... keep them in your wallet or safe or under the mattress or frozen in a block of ice at the back of the freezer but nowhere near your computer.
  6. Do not email or text message or instant message your password to anyone ever as those forms of communication cannot be secured adequately; anyone on the same public hotspot as you or piggybacked onto your own wireless connection can spy on them. If you must send a password electronically then do it over PGP encrypted email.
    http://lifehacker.com/180878/how-to-encrypt-your-email
  7. If the site offers it, use two factor authentication. This means more than just a password is required every time you login like answering a security question, having a one-time-use code sent to your phone, or a biometric reader like the fingerprint scanner in iPhone 5s / 6. If iTunes backup files stored in iCloud had been protected by two factor authentication at the time then Jennifer Lawrence's boobies would still be private.
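
Added example, not part of the original post: a Python sketch of the rule in item 2. It generates a password containing letters, numbers and special characters, estimates the brute-force search space of a password, and flags recognizable words. The function names and the four-word sample list are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes named in item 2: letters, numbers, special characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed sample wordlist for illustration; real dictionaries are far larger.
SAMPLE_WORDS = ("password", "yoda", "letmein", "summer")


def generate_password(length=16):
    """Return a random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def search_space_bits(password):
    """Upper bound on brute-force effort in bits, from the classes actually used."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def contains_known_word(password, words=SAMPLE_WORDS):
    """True if the password embeds a recognizable word (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in words)


if __name__ == "__main__":
    # Two constructed weak passwords beside a freshly generated one.
    for pw in ("yoda1", "Summer2014", generate_password()):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, "
              f"contains word: {contains_known_word(pw)}")
```

The bit count is only an upper bound: a password built around a dictionary word falls to a wordlist long before the full search space is tried, which is why the word check matters as much as the length.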

Saturday, September 13, 2014

The 2015 Apple Watch is proof that Steve Jobs is dead.

Rest In Peace Steve Jobs.

With Steve Jobs at the helm of Apple Computer, Apple was a market innovator and led the personal computing market, setting the rules and forcing the competition to follow them. On September 9, 2014 Apple went from being a leader to being a follower.

The Apple Watch is not functionally much different than the Moto 360 or Samsung Galaxy Gear or any of the other recently introduced wearable devices. It is too big and heavy to really be a watch and as a device tethered to your phone it offers not much other than the convenience of not taking your phone out of your pocket or your bag.

I have not worn a watch since I got a pager in the mid 90s. In 1997 I even got a fancy bi-directional pager with which I could reply to messages. When I realized I could just glance at the pager to tell the time I realized I never needed to wear a watch again. My pager was, of course, replaced by a smartphone. In this day and age where a smartphone is an essential device that everyone carries, no one needs to wear a watch. People who still do wear watches mostly wear them as jewelry. As a piece of jewelry this thing is big and clunky and, well, it is, like, square, man... While it may be the nicest looking smart watch offered today (the Moto 360 is another nice one), it looks like something from the stone ages when compared to a designer watch.

The only thing the Apple Watch brings to the market is the health related functions of monitoring your heart rate while working out. I expect this thing will cost $200 - $300 and it is not worth it for that added functionality. The Apple Watch really brings nothing to the market that is not already available from the Motorola or Samsung smart watches. This is why I say Apple has changed positions from leading the market to a market chaser.

To give some specifics, here is what I consider is wrong with the device that should have prevented it from launching:

  • It has to tether to a phone. It has no built in cellular radio to operate as a standalone device. You should be able to "tether" it to a personal computer or tablet that sits at home and be able to choose to take the watch with instead of the phone or even not even own a phone at all anymore since the watch gives you mobile communications while a larger tablet, laptop, or desktop device gives you computing power. 
  • You have to plug it in to charge it every night. Even with the clever mag lock charger you still have to remember to charge it every night. A new wireless charging technology is needed; something with the range of Bluetooth. I think with clever enough engineering you could even have it pull enough power to run the device and charge the battery off of a class 1 Bluetooth connection of which the RF signal is harvested for the charging circuitry. Or they could have gone really radical and even integrated a solar charging technology into the touch screen layers.
  • It is missing an essential accessory that will allow you to place phone calls and listen to streaming music through the device (as a standalone untethered device). Apple just bought Beats audio! They should have spent some time creating a fantastic Bluetooth connected headset with the Beats branding that every teenager would kill for and is not so gaudy that you couldn't use it in an office or a restaurant.
  • It is missing the accessory that will allow you to set up an impromptu dance party or movie viewing. A Bluetooth connected speaker with HDMI connection out to monitors and maybe even an optional built in 720p projector you could stash in your bag and pull out to start the party and control it all from your wrist.


Remember what the smartphone market looked like before iPhone? The best device out was a heavy Windows Mobile device that required a stylus to use (I had a few of those). Apple watched that market flounder and even see growth for several years before they stepped in with the iPhone and changed the market forever combining the smartphone, digital camera, and iPod into a single device with an intuitive touchscreen interface. Even with the iPhone Apple has decided to follow the market now and make a Phablet with the 5.5" screen on the iPhone 6 Plus. Remember the Steve Jobs keynote where he sang the praises of the 4" screen because it allowed your thumb to travel anywhere on the screen? Well, with iOS8 they added a gimmick to double tap the home button to force the data on the screen to pull down where your thumb can reach it. This also hides the bottom half of the screen until you touch something or double tap again... gimmick.

Remember what the tablet market looked like before iPad? Different tablet configurations were the talk of CES for three years running without anyone making much headway into actually getting people to buy them until Apple stepped in with the iPad and suddenly the tablet market took off like a rocket with many people opting for the much more stable iPad over a laptop.

Apple should not have entered the smart watch market this year. This Apple Watch will still bring lines outside Apple stores when it is released and anyone with a few hundred bucks to burn that already has an iPhone 5 or better that wants to look "Tech Chic" will probably still get one even though no one needs one. I estimate that the total sales of this device will never amount to more than 5% of the active iPhones. Even though this watch may sell more units than all Android based smart watches combined it will still be a flop when compared to the success of the iPhone or iPad initial launches.