APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

How to Protect your PC from password theft?


by Bruce Garlock

We recently had a situation where someone "hacked into" one of our Win98 machines and displayed the saved passwords in Mozilla, which happened to be a user's network password as well. As most people know, you can simply press escape to get past the network logon screen in Win98, and gain some access to the PC. Of course, you cannot browse any network resources, but Mozilla was installed on this PC, and the user had told Mozilla to save their passwords so they did not have to retype them. Most of our Intranet resources are protected with Apache Basic authentication, and those passwords are the same as their domain logon passwords, to keep things easy for the user.

Well, someone had some free time, and decided to go searching for passwords, and see what he could find. All he did was press escape at the Windows domain logon screen, launch Mozilla, display the password manager, press show passwords, and voila! There was the user's password. There is also a master password that can be set in Mozilla to prevent people from viewing the saved passwords in Mozilla, but this was not used.

My main concern is how easy it is to get past the logon screen in Windows 98. Sure, Windows XP is a little bit tougher, but we do not have the $$ to replace all of our PCs with brand new XP machines. I have a few questions for people out there:

1) Is there a way to disable, and require a person to have a password to logon to a Win98 machine?

2) Other than a product like Norton Bootlock, is there an opensource equivalent to a program like that, to disable booting from a floppy, or CDROM, without a password? It would be easy for someone to boot into a Win98 system, and run l0pht crack on those .PWL files, which are a joke for encrypting passwords.

3) What other methods are there for protecting a PC against someone who has some idea of what they are doing, and how can we further password protect the machine from having people install software or running password cracking programs?

Thanks for any insight. I really do not want to install Norton BootLock on all of our machines, to safeguard against booting with a boot CD, floppy or other removable media device.

We have since required all employees to disable password saving in Mozilla, and set a master password on each machine in case they do enable password saving.

Personally, I cannot wait until other means of securing a machine and network resources are available, like fingerprint scanning, retina scanning, or whatever. Having to retype passwords is cumbersome, and if you did get someone's password, it is all too easy to take over their identity, and make it look like they were the one accessing the resources, instead of the hacker.

What other options are there?

--BruceGarlock



Fri Mar 18 10:09:36 2005: 191   TonyLawrence

(link) talks about this stuff.

If you don't have BIOS passwords or something like Norton Bootlock, you'd also need to remove floppies and CDs, which could be annoying. And at the end, you still have a basically insecure machine which is susceptible to all kinds of other problems beyond just this. I think the only real solution is to upgrade or replace.

How about putting Linux on with RDP and send 'em to a Terminal Server? Could be cheaper..







Fri Mar 18 11:53:40 2005: 192   anonymous


Well the only thing that I can think of is physical security devices. Locked doors, security keytags, and that sort of thing. Where I work, it's a fairly small business, you simply cannot access a room that has a computer without passing thru 2 locked doors that you need your keycard to pass (the entrance to the building and then the various work areas).

Aside from that, I don't know of any way to really lock down a PC from physical attack. Even if you set up BIOS passwords and encrypted file systems and enforce unreasonable demands on your users a guy could come in and stick a keylogger on the back of the computer.

Or maybe if they have time, crack open the case, stick the HD in a firewire based enclosure and 'dd' the contents over. I suppose that's pretty exotic/stupid.

I can't really think of any other way. I mean the next best thing would be to run everybody on an X terminal or something where all their files and data are locked down on a server machine in some secure room, but I am sure that's completely impractical.

Maybe if Mozilla storing passwords seems to be the main issue, or maybe a few other apps.. Set up a batch script to delete all the saved password files that you can think of. Let it run every evening, so that people just give up on saving passwords and write them down on little sticky notepad papers... er.. :P

--Drag



Fri Mar 18 14:17:08 2005: 195   anonymous


These are all great ideas, thank you. I am possibly thinking of the RDP and setting everyone up with thin client Linux terminals. Our users really do not need any CDROM, or floppy drives, so RDP would be a possibility. I also like the idea of writing a script to clean out the cached passwords in Mozilla.

Our servers are kept in a room that requires you to pass through two sets of locked doors. We may add key FOBs, which we now have at all the main entries to our plant. Extending the key FOB access inside would be another good idea.

This seems like it is going to be a never ending issue. Once we add one layer, there will just be one more layer to go through. If we set everyone up with Linux desktops, and use RDP to a terminal server for the only needed Windows apps (which are becoming few and far between now that I have most of our ERP system Web based), this may be the best solution. Most of the clients run a label making program, which I am currently looking to replace with a Linux version.

I purchased a $99 fingerprint reader for my Powerbook, and it works great. That may be another possibility, since we know in the future that passwords will be replaced by some bio reader device, in order to authenticate resources. I wish this was reality now. I know all the "big brother" theories scare people, but how else can we really know "who" is supposed to be using a particular resource?

Management has said that they will finally appropriate some money for computer security, so I am going to look at the terminal server route, and lock everyone down with Linux thin clients. I will have so much more control over the desktop when I can do that. We also are in need of a serious network upgrade. Our main building still has 10Mbs hubs, not switches, so traffic is very congested. I am lucky to get 250k/s ftp transfers. My cable modem connection at home is faster than our wired network at work! I will of course need to replace the guts of our network. The wire is all cat-5 or cat-5e, so it can handle the increased speeds, and all of the NICs are capable of 100Mbs, but none of our hubs or switches are. They are very old. This would of course be part of the security upgrade cost, since a lot of the applications would be run over the network on the server.

Thanks for the link for helping to secure a 98 machine. This will certainly help in the short term. We use a product called "FoolProof" on our shop floor to keep people from messing around, as just about everything is locked down, and only certain apps are allowed to run. We then lock the PC in a cabinet, so there is no physical access to the PC without a key. I guess that would be another possible fix for the office, but we would have to give access to the power button somehow. We also don't want our people to feel like criminals by locking everything down, but it may have to come to that in the name of security.

Thanks again for all the ideas, and link.

--BruceGarlock



Fri Mar 18 15:04:28 2005: 196   TonyLawrence

Makes you miss the dumb terminals, doesn't it? :-)



Fri Mar 18 16:47:03 2005: 198   anonymous


Yes, I do miss terminals! Very easy to admin - everything on the server makes sense! I really think we are headed back down that road, with the "terminals" being a little smarter, and more colorful :-) The UNIX way of doing things just makes more sense to me.

I found this page helpful, to bypass people being able to hit escape, or press cancel at the logon screen:

(link)

--BruceGarlock



Mon Mar 21 15:01:30 2005: 214   BigDumbDinosaur


You could implement Mozilla roaming profiles. Since they would be on the server, not the workstation, and since they would be in each user's private storage, the likelihood of doing what you described is small.
