Re: Password cracking and webmail.

From: Winged (Winged_at_nofollow.com)
Date: 08/31/05

  • Next message: Imhotep: "Hollywood, Microsoft Align on New Windows"
    Date: Tue, 30 Aug 2005 18:39:02 -0500
    
    

    Unruh wrote:
    > qewjf <kewfk2@ifrw.com> writes:
    >
    >
    >>According to a website I use: "XXX uses hi-tech software to prevent
    >>password crackers from operating, but most web-email providers, such as
    >>Hotmail, do not. Because anyone who has access to your email account can
    >>request your XXX password, revealing your email address means that
    >>anyone capable of hacking your email account can request your XXX
    >>password. This happens around 300 times a day and in these instances,
    >>there is nothing we can do to help you."
    >
    >
    >>I do not understand this. When I access my webmail, I type in the
    >>username/password and the page loads. If the combination is incorrect I
    >>am rejected.
    >
    >
    >>1. Are there crackers that work on web based e-mail? I thought you
    >>had to download the password file and crack it locally.
    >
    >
    >>2. How do they work?
    >
    >
    >>3. Wouldn't the cracker be locked out after a few incorrect enteries?
    >
    >
    > Many places will send y ou your password if you loose it. They send it to
    > your email account on file. Thus if someone can get at your email account
    > they can request thatthe password be sent to you and then read what the
    > password is from your email.
    >

    Many users use the same password everywhere. Users use names, pets,
    streets addresses etc on multiple sites. Very few users use complex and
    sufficiently long passwords.

    Some sites have their password files exposed that can be accessed using
    for example a telnet session embedded HTML Java page from their free
    website host, file may be hidden from the Internet but accessible
    directly through their user web server site(there are other methods,
    this is just an example). This allows password files to be cracked at
    leisure, without provider even seeing traffic, though this would imply
    someone was watching.

    Many of the free web mail hosts do not set a max tries setting...causes
    too many user support issues.

    The most common "cracker" I have seen used on Yahoo are simple name
    dictionary crackers. It is remarkable how successful even this simple
    method appears to be.

    Another method commonly used with Yahoo would be simply to place a
    trojan on the machine you wanted using one of several buffer overflow
    methods in their older Yahoo versions. Some of the exploits were
    related to JAVA and others with the YAHOO tool itself. I am not aware
    of any exploits in their current 6.0 version of IM however there are
    several methods to obtain the victims IP and attack the remote user host
    directly with other exploits.

    Another method commonly used is posting links in rooms (probably some
    sexy sounding girl with pics posted) where an exploit awaited users who
    clicked links. Some of the profile pages had exploits embedded (varied
    methods). Once trojaned getting passwords is easy.

    For awhile I found IM exploits in Yahoo an interesting study in methods,
    they ran the gambit. Yahoos password is good for their IM, mail,
    portfolio, and other sensitive areas.

    They have a difficult time fixing stupid users or compromised machines
    which makes their options complex and difficult to manage, so they don't.

    What do you expect for free, security?

    Winged


  • Next message: Imhotep: "Hollywood, Microsoft Align on New Windows"

    Relevant Pages

    • Re: Urgent!! Exchange Server 2000 cannot received emails....
      ... I have a critical problem right now about Exchange 2000, ... I tried to send an email from my hotmail & yahoo ... I then use my email account to send a testing email to another account on ...
      (microsoft.public.exchange.admin)
    • Re: Always ask input UserID and Password
      ... Is your Yahoo email account a free one? ... Windows Mail handles POP mail but not webmail. ...
      (microsoft.public.windows.vista.mail)
    • Re: Heres your Red Cross....
      ... > else who wants to investigate me from finding my posts to ROFF. ... > It is a request, ... > Since I post from my "work" account (it's my only email account, ... But I do offer my own opinions. ...
      (rec.outdoors.fishing.fly)
    • Re: repeated incoming emails
      ... Thank you sooooooooooooooo much for responding you are the only one. ... The kind of email account my friend uses is POP through Yahoo its set up on ...
      (microsoft.public.outlook.general)
    • Re: AT&T emails disappearing
      ... Anyone with an AT&T (or SBC, or formerly Pacific Bell) email account: ... Unfortunately they seem to have outsourced their email stuff to Yahoo a ... anyone know a trick how to adjust/disable a AT&T spam filter without ...
      (sci.electronics.design)