Posted: 7/24/2002 9:11:57 AM EDT
Here's an article that reminds us of caution and the use of passwords in our e-mail systems. Hm-m-m-m

Team 4: Judge's Personal E-Mails Accessed

WTAE-TV's Jim Parsons Reports
POSTED: 4:36 p.m. EDT July 22, 2002
UPDATED: 4:39 p.m. EDT July 22, 2002

PITTSBURGH -- It started with a bitter divorce case. It ended with FBI agents handcuffing the husband -- not because of anything he did to his ex-wife, but because of what he is accused of doing to the judge.
The following investigative report by Team 4's Jim Parsons aired Monday on WTAE Action News at 5 p.m.


Brian Ferguson knows his way around a computer and the Internet.
Donna Ferguson, ex-wife: "He moved up very, very quickly in the world of computers and he is a very intelligent person."
But even she is surprised at what he is accused of pulling off.
Donna Ferguson: "I didn't think it would ever come to this point."
On April 12, a dozen FBI agents seized a computer and arrested Brian Ferguson on a charge of unauthorized access of a computer. Specifically, it was the computer of Allegheny County Family Court Judge Kim Eaton, who decided the Fergusons' divorce case one week before Brian Ferguson's arrest.
In the FBI's criminal complaint against Brian Ferguson, agents claim he was unhappy with Eaton's handling of his divorce case and appeared to harbor animosity toward her. According to the complaint, he was so unhappy that he allegedly sent her an e-mail threatening to sue her. The phrase, "The honeymoon is over," was allegedly included in the e-mail.
Then, during court proceedings, Brian Ferguson handed Eaton copies of e-mails from her personal America Online account. One e-mail was from the judge to a high school friend that described Eaton's children and their schedules.
Donna Ferguson: "When the judge looked at the paper, she was very surprised at what was in there. She was pretty much taken aback for a short moment, and had to gain her composure."
Eaton said she could not speak with Team 4 about Brian Ferguson. In a court filing, she says she "has suffered distress as well as pecuniary loss resulting from increased security measures."
Parsons: "Brian Ferguson? This is Jim Parsons from Channel 4. Did you hack into Judge Eaton's personal e-mail account?"
Brian Ferguson: "No, I did not."
Parsons: "How did you end up with those personal e-mails of hers, handing those to her in court?"
Brian Ferguson: "Actually, I found them on my windshield after I went shopping one day."
Parsons: "You came back from shopping and found her personal e-mails on your windshield?"
Brian Ferguson: "Yes, I did."
Parsons: "How did they get there, do you think?"
Brian Ferguson: "I have no clue. That's what I'm trying to find out."

Link Posted: 7/24/2002 9:13:14 AM EDT
[#1]
There is one major problem with his explanation. The FBI was able to trace whoever hacked into Eaton's e-mail account to a house in Scott Township, which happens to be the home of Brian Ferguson's girlfriend.
Ferguson is accused of using password-cracking software to gain access to Eaton's e-mail account. How easy is that to get ahold of? Team 4 asked an expert.
Trooper Robert Erdely, Pennsylvania State Police Computer Crimes Unit: "When you called me up for this interview, I went online and found a tool that was available. I used the tool and found out it did, in fact, work."
Erdely says it is easy for criminals to hack into your e-mail account. He showed us just how easy.
Erdely: "It will attempt to crack the password, over and over again, until it figures out what the password is."
Parsons: "So you just put in your e-mail address, and have your list of all possible passwords, hit OK, and it found it?"
Erdely: "That's all it takes."
A neat trick, to be sure. But Erdely says, in the end, all e-mail hackers will end up facing criminal charges like Brian Ferguson.
Erdely: "They shouldn't think they're getting away with something because, before they know it, they're going to turn around and find the computer crime unit knocking on their door with a search warrant. We will seize their computer and prove it came from them. That's what we do, full-time."
Link Posted: 7/24/2002 9:23:36 AM EDT
[#2]
Sounds like he or someone used a dictionary or brute force password cracker.  What they do is throw dictionary words or combinations of words at the system when asked for an account password until it either finds a match or exhausts the dictionary.  A brute force attempt is similar, just throwing a continuous stream of pseudorandom strings until it hunts them down.  Dictionary attacks are generally the most successful of the two, as people tend to pick passwords made up of dictionary words.

Tip: In order to make your passwords more secure, you should insert characters like !@$%, alternate capitalization, and utter randomness into your password, i.e. "a4Gr!Tz."  The only problem is that a password like that might be hard to remember and you'd be tempted to write it down and leave it somewhere convenient for you.  I've found a way around this is to use a phrase and do the following.

Phrase: [B]I[/b] [b]w[/b]ish [b]I[/b] [b]w[/b]as [b]i[/b]n [B]D[/b]ixie, [b]h[/b]ooray [b]h[/b]ooray

Gives us: IwIwiDhh.

Then, to make it more random, we can substitute a 1 or ! for one of the I's and get:

Iw!wiDhh.  

That password would be impossible to crack via dictionary attack, and very hard for a brute force attack.

BTW, since I just used that one publicly for my example, please don't use it.

Remember the Alamo, and God Bless Texas...
Link Posted: 7/24/2002 9:35:03 AM EDT
[#3]
Here's the real problem. If Joe Sixpak can do this, just think what the govt leaders can do. Just think what snooping systems "they" have to get into our conversations. Velcome to der Fatherland. Heil USA! Heil Computers!
Link Posted: 7/24/2002 9:42:40 AM EDT
[#4]
Quoted:
Dictionary attacks are generally the most successful of the two, as people tend to pick passwords made up of dictionary words.
View Quote


Dictionary attacks are FASTER, but Brute Force attacks are, overall, more successful, because they will catch just about any password... eventually.

Quoted:
Iw!wiDhh.

That password would be impossible to crack via dictionary attack, and very hard for a brute force attack.
View Quote


Not very hard, just time consuming.  Also, modern PCs can brute force at an incredible rate.  Recently, we had to crack a couple of (windows login) passwords in the office, and the 1.7GHz P4 we used for the task went through like sixteen million potential passwords a second.  

Considering that an eight character password made up of exclusively lowercase letters has 26^8 potential combinations (roughly 209 billion) a brute force attack will still take a while (three and a half hours, at the above rate) but it WILL get the job done.

Also, some of these tools will run in a distributed environment--if you've got enough hardware, nothing is beyond your reach.

BTW, I used to use cartridge names as passwords (don't use them anymore, so don't bother.)

"5.56x45MM-NATO" "7.62x39MM-Soviet" and ".338Lapua-Magnum" meet just about every security guideline I've ever seen, and are easy to remember to boot--and the possible number of choices is in the thousands, with variations on the theme in the tens of millions. [:D]

(edited to remove bits of quote I missed.)
Link Posted: 7/24/2002 9:56:25 AM EDT
[#5]
Quoted:
Dictionary attacks are FASTER, but Brute Force attacks are, overall, more successful, because they will catch just about any password... eventually.
View Quote


True.  No password is uncrackable.  The key is to leverage the time it would take to crack a password with the time until a password is expired by the administration and has to be changed.

Quoted:
Iw!wiDhh.

That password would be impossible to crack via dictionary attack, and very hard for a brute force attack.

Not very hard, just time consuming.
View Quote


That's the point.  Brute force attacks of random passwords with alternating case, insertion of characters like !@#$%^&*, and numbers significantly increases the time it would take to crack the password.  Your passwords should be expired at least once every 90 days.  I personally expire mine every 30.



Quoted:
Also, modern PCs can brute force at an incredible rate.
View Quote


Depends upon the algorithm used.  Using less intensive algorithms like RC4 with shorter length passwords does not take long.  But using MD5, which is a much more complex algorithm, takes longer.  Furthermore, the most effective way to brute force passwords is actually getting copies of the password file.  Trying to do it remotely via POP services is a little more time consuming, as most POP servers should time out after 3 password attempts.  Having to reestablish sessions also increases the time it takes.  And any administrator worth their salt would notice so many failed auth attempts.


Quoted:
Recently, we had to crack a couple of (windows login) passwords in the office, and the 1.7GHz P4 we used for the task went through like sixteen million potential passwords a second.
View Quote


That has more to do with the inadequacies with the windows password hashing scheme than anything else.  Breaking the password into two 7 or 8 byte boundaries and encrypting each half was a bad idea.


Quoted:
Considering that an eight character password made up of exclusively lowercase letters has 26^8 potential combinations (roughly 209 billion) a brute force attack will still take a while (three and a half hours, at the above rate) but it WILL get the job done.
View Quote


Start factoring alternating case, numbers, and the "!@#$^&" subset and refigure your timeframe.  Each instance of one of those characters is an order of magnitude in your time calculations, is it not?

Again, you're balancing time to crack vs. time to expire.


Quoted:
Also, some of these tools will run in a distributed environment--if you've got enough hardware, nothing is beyond your reach.
View Quote


Sure.  At Enron I had l0phtcrack running on a farm of 12 dual PIII servers.  Easy passwords like dictionary words were cracked fairly quickly, but brute force attacks still took lots of time for those passwords that didn't get cracked via dictionary attacks.  Running for 4 weeks on my existing setup, I still only had about 70% discovery of passwords.

Did I mention the company I worked for managed the distributed.net master server until recently being bought out?

Remember the Alamo, and God Bless Texas...
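
The time-to-crack versus time-to-expire trade-off argued over in the two posts above, worked through as an added example (not from any poster). It takes the 16 million guesses per second quoted in the thread as the rate; the alphabet sets, and the 68-symbol figure for an alphabet with case folded away, are assumptions of this example.

```python
import string

RATE = 16_000_000  # guesses/second: the figure quoted in the thread
DAY = 86_400       # seconds

# Alphabet sizes for the character classes discussed above (assumed sets).
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                          # 26
    "mixed case": len(string.ascii_letters),                           # 52
    "mixed case + digits": len(string.ascii_letters + string.digits),  # 62
    "all printable": len(string.ascii_letters + string.digits
                         + string.punctuation),                        # 94
}

def exhaust_seconds(alphabet, length, rate=RATE):
    """Worst-case time to try every password of exactly `length` symbols."""
    return alphabet ** length / rate

def split_exhaust_seconds(alphabet, rate=RATE):
    """Cost when a password of up to 14 symbols is stored as two
    independently hashed 7-symbol halves: two short searches, not one long."""
    return 2 * alphabet ** 7 / rate

def outlasts_expiry(alphabet, length, expiry_days, rate=RATE):
    """True if exhausting the keyspace takes longer than the expiry window."""
    return exhaust_seconds(alphabet, length, rate) > expiry_days * DAY

def report(length=8, expiry_days=90):
    """Rows of (class, keyspace, days to exhaust, outlasts expiry?)."""
    return [(name, n ** length, exhaust_seconds(n, length) / DAY,
             outlasts_expiry(n, length, expiry_days))
            for name, n in ALPHABETS.items()]

if __name__ == "__main__":
    for name, keyspace, days, ok in report():
        print(f"{name:22} {keyspace:>20,} {days:12.2f} days  outlasts 90d: {ok}")
    # 68 = upper case + digits + punctuation, assuming case is folded away
    print(f"split halves, 68 symbols: {split_exhaust_seconds(68) / DAY:.1f} days")
```

These are worst-case figures for a full search at a fixed offline guessing rate; a different hash or different hardware changes the rate, not the shape of the comparison.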
Link Posted: 7/24/2002 10:09:22 AM EDT
[#6]
(I am assuming this guy is guilty and I am also assuming that he obtained a password cracking utility.)
This feat required NO intelligence.
This guy is NOT a hacker by any stretch of the imagination....all he did was execute a utility that a REAL hacker had already written.
He is the end-user who committed a crime and got caught.
I can't believe anyone would be "surprised" that he could pull this "amazing" feat off!!!
Link Posted: 7/24/2002 10:33:07 AM EDT
[#7]
Quoted:
Here's the real problem. If Joe Sixpak can do this, just think what the govt leaders can do. Just think what snooping systems "they" have to get into our conversations. Velcome to der Fatherland. Hiel USA! Hiel Computers!
View Quote


I just can't get my computer to "hiel"- how do you do that?

All it will do is "sit", "roll-over" and "play dead".  For some reason, it just won't "hiel"...

[;D]
Link Posted: 7/24/2002 10:40:00 AM EDT
[#8]
Probably some script kiddie from alt.2600
Link Posted: 7/24/2002 10:43:19 AM EDT
[#9]
The government gets so upset when a citizen does what they do every day....
Link Posted: 7/24/2002 11:25:30 AM EDT
[#10]
Dscott said, " just can't get my computer to "hiel"- how do you do that?

All it will do is "sit", "roll-over" and "play dead". For some reason, it just won't "hiel"..."

Ya got me. I knew that didn't look right. I corrected it. Thanks.
Link Posted: 7/24/2002 11:35:03 AM EDT
[#11]
Sorry, couldn't resist!

I sometimes wonder if the best solution is to turn the damn thing off and go out and play in the real world.

If the power goes out for too long, how am I supposed to use/recharge my computer, stereo, TV, palm, cell phone, etc., etc., and so forth...
Link Posted: 7/24/2002 12:43:22 PM EDT
[#12]
Hey GodBlessTexas, Which do you consider a more secure hashing algorithm: MD5, RIPEMD160, SHA1, or TIGER192? I'm a newbie to encryption.
Link Posted: 7/24/2002 12:55:44 PM EDT
[#13]
Quoted:
Hey GodBlessTexas, Which do you consider a more secure hashing algorithm: MD5, RIPEMD160, SHA1, or TIGER192? I'm a newbie to encryption.
View Quote


Why not mix them up a little bit??? Why stick with ONE method. Encrypt, then encrypt, then encrypt again.... Create your own medley, and nobody will know how to crack it.
Link Posted: 7/24/2002 1:17:50 PM EDT
[#14]
Her ISP must be retarded to allow dictionary or brute force attacks.  Most half-way intelligent ISPs or E-mail providers will run a script to detect multiple invalid logins and/or lock out attempts after so many failed logins.  Hell, simply glancing over the logs would scream "hacker attack".

[(:|)]
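
The kind of failed-login script the post above describes, as an added example that is not part of the original thread. The log format, account names and addresses are constructed for illustration, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption of this example.
SAMPLE_LOG = """\
2002-07-22T03:14:07 pop3d auth-fail user=jdoe ip=203.0.113.7
2002-07-22T03:14:09 pop3d auth-fail user=jdoe ip=203.0.113.7
2002-07-22T03:14:11 pop3d auth-fail user=jdoe ip=203.0.113.7
2002-07-22T03:14:20 pop3d auth-fail user=jdoe ip=198.51.100.23
2002-07-22T03:14:22 pop3d auth-fail user=jdoe ip=198.51.100.23
2002-07-22T03:14:24 pop3d auth-fail user=jdoe ip=198.51.100.23
2002-07-22T08:01:10 pop3d auth-fail user=alice ip=192.0.2.44
2002-07-22T08:01:25 pop3d auth-fail user=alice ip=192.0.2.44
2002-07-22T08:01:40 pop3d auth-ok user=alice ip=192.0.2.44
2002-07-22T09:00:00 pop3d auth-fail user=bob ip=192.0.2.91
2002-07-22T10:00:00 pop3d auth-fail user=bob ip=192.0.2.91
2002-07-22T11:00:00 pop3d auth-fail user=bob ip=192.0.2.91
2002-07-22T12:00:00 pop3d auth-fail user=bob ip=192.0.2.91
2002-07-22T13:00:00 pop3d auth-fail user=bob ip=192.0.2.91
"""

LINE = re.compile(r"^(?P<ts>\S+) pop3d (?P<event>auth-fail|auth-ok) "
                  r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def detect_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {account: sorted source IPs} for accounts that saw at least
    `threshold` failed logins inside any sliding `window`."""
    recent = defaultdict(deque)   # account -> (time, ip) of failures in window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["event"] != "auth-fail":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        # Count per account, not per session or per IP: a server that drops
        # the connection after three tries only forces a reconnect.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[m["user"]].update(ip for _, ip in q)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: repeated failed logins from {', '.join(ips)}")
```

On the sample, only the account hit six times in seventeen seconds is flagged; the mistyped password followed by a successful login and the failures spaced an hour apart stay below the threshold.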
Link Posted: 7/24/2002 1:22:02 PM EDT
[#15]
Quoted:
Her ISP must be retarded to allow dictionary or brute force attacks.  Most half-way intelligent ISPs or E-mail providers will run a script to detect multiple invalid logins and/or lock out attempts after so many failed logins.  Hell, simply glancing over the logs would scream "hacker attack".

[(:|)]
View Quote


My thoughts as well... but I think it was AOL-- which explains a lot...
Link Posted: 7/24/2002 1:41:14 PM EDT
[#16]
Quoted:
Hey GodBlessTexas, Which do you consider a more secure hashing algorithm: MD5, RIPEMD160, SHA1, or TIGER192? I'm a newbie to encryption.
View Quote


Provided there is no serious flaw found in the collision behavior of the hashing function, i.e. the Birthday Attack, all should be fine.  As of yet, no such problem has been found with any of those hashing algorithms that I'm aware of.

Crypto is not my strong suit, but beware of any closed algorithm touted as being secure.  The ones that stand up to public testing are generally more trustworthy than those that do not.  Still, even secure algorithms can be made ineffective if the implementation is poor.

Remember the Alamo, and God Bless Texas...
Link Posted: 7/24/2002 3:05:18 PM EDT
[#17]
Quoted:
Why not mix them up a little bit??? Why stick with ONE method. Encrypt, then encrypt, then encrypt again.... Create your own medley, and nobody will know how to crack it.
View Quote


I was wondering about the security of the hash functions and how it pertains to someone obtaining a forged digital signature. Thanks for the info about the Birthday Attack, GBT. I didn't know about that.