
x009

@spcsdns.net

How to protect the passwords!?

Hi all! Let's say I go to Facebook, Amazon and then I log onto AOL Messenger, then I decide to play a CS online game and while trying to connect to a gaming server I get hit by drive-by/game infected files (trojan horse) left by a hacker who's hosting a gaming server! And my AV misses it and the trojan opens a backdoor and steals all of my passwords!? Now... Will cleaning Internet Explorer cache files, temp files and cookies be enough to erase the stored passwords? And what about CCleaner, will that do the trick!?



dandelion
Premium,MVM
join:2003-04-29
Germantown, TN
kudos:5
Reviews:
·Comcast

1 recommendation

Try this and then if further problems request help in the forum: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

PS I would change your passwords now then again after cleaning just to be sure.



norwegian
Premium
join:2005-02-15
Outback

1 recommendation

reply to x009

First, don't have the settings on for saving passwords is the best practice.

Internet Options|Content|Auto Complete|Settings|uncheck "User names and passwords on forms"

This will mean no passwords are saved to be of concern.
This is all void if you enter passwords to a site if you have an infected computer already and the trojan is a password stealer.

-------

However, you mention a server and infected files, usually they have to run to be of concern, so if the game.exe or hotpatch.exe are for the game and infected then switch to a more well known server for the game.
Use a limited user too, so any other unknown.exe files will have to prompt for admin permissions, as drive-bys are in this category.
Know though once you have allowed an executable file to run, there is not much you can do; at that point you have committed to allowing a process.
What it does, you can not say.
Trusted servers are the best place to game; there are plenty of people who prefer to keep their name clean.
Venturing to an unknown server, and a possible hacker is like allowing the front door to be open and allowing anyone a glass of water from the fridge on a hot day.

Also a solid password manager might be more helpful if you have to store the passwords locally on the computer.

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by norwegian:

First, don't have the settings on for saving passwords is the best practice.

That's been one of the foundations of net security & a practice that I've not only endorsed but embraced.
Let's revisit that.

Strictly referring to Firefox (15.0.1, including earlier releases) I believe allowing the browser to remember passwords is a security feature.

The benefit comes from allowing the browser to determine if the site asking for the login/password is the site it appears to be.
Gmail, Yahoo, my banking site, any site that presents a user name/password challenge input box can easily be a malicious site pretending to be the site I want to access.

Within the past ~6 months on 2 separate occasions I landed on a fake Gmail & a fake Yahoo login page that might have fooled me if not for the fake sites' inability to populate the challenge boxes with the correct (any) login info.
That was an immediate red flag that I wasn't where the browser appeared to be.
Allowing FF to save the login info also reaffirms that I am at the site I intend to enter by showing it has the login cached.

I have never experienced a look alike site being able to enumerate cached login info of the site it's attempting to look like, it's a bulletproof check, AFAIK.

If the concern is someone 'stealing' the login data from the user accounts browser that would take an access that spells game over long before the browser data was abused.

On a smaller scale, if a keylogger is present & logging a user accounts activity it can't capture keystrokes that aren't entered.

Allowing the browser to cache login data will also foil fake sites that will behave as a man in the middle by verifying in real time if the login entered at the fake site is actually the correct login to the intended site.
That's because with login data cached there isn't anything to verify - the browser either has the login data because it's at the intended (real) site or it doesn't because it's at a fake site.

For high security sites that don't allow password caching but allow user name caching the same holds true - the real site knows your user name - the fake sites won't.




norwegian
Premium
join:2005-02-15
Outback

Well, I've almost been converted to cached data there Snowy.

However exploited pages can and will extract user data and history, including this info, I would need proof the browser keeps passwords encrypted or similar but doubt that is the case?
I am willing to discuss this more.

For the OP's question I think I've given a clear answer.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



HA Nut
Premium
join:2004-05-13
USA

1 recommendation

reply to x009

I could never trust internet browsers to protect usernames and/or passwords.

In my mind, browsers are under constant attack. It seems like every new version fixes some significant security weakness. Not to mention that there are legitimate tools out there that easily reveal passwords in IE, FF and Chrome (from Nirsoft).

IMO, password tools like KeePass or LastPass are much safer alternatives. When used in situations like the original poster lays out, the passwords aren't stored in accessible files on the PC and are only in use long enough to do the job.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Snowy

But you have to allow browser caching. Who does that these days? Connections are fast enough to be able to turn off the cache (ALL cache...all types of cache) totally in all browsers (except IE where you must allow a small cache...but if you are smart you will avoid IE anyway).

I would never allow Fx, or any browser, to keep my passwords. A browser will just mess that up. I've been there, done that years ago and will never allow it again.

I also refuse to use third party applications that also mess up everything...all of them fail. I've been there and done that too.

I write my passwords down on paper and keep them in a file going back to the days of my first computer in 1999. I keep banking passwords separate from the others but also written down and I rarely change any passwords.

How can your banking site "easily be a malicious site" as long as you ALWAYS use your browser's bookmark entry to access the site? As for Yahoo and Gmail, you get what you deserve using junk, crappy sites like those. They are in my Hosts file.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to norwegian

said by norwegian:

Well, I've almost been converted to cached data there Snowy.

To be clear about this I used the word "cached" to refer to user name/password only - not to recent session history.

said by norwegian:

However exploited pages can and will extract user data and history, including this info, I would need proof the browser keeps passwords encrypted or similar but doubt that is the case?

With Firefox it's possible to view your user accounts login data in clear text.
My contention is that it's not possible for a look alike (phish) site to access this data, on the contrary that's why it's a security feature.
I'll stoke the curiosity a bit here - for whatever reason a site be called "malicious" a malicious site has never exploited the user name/password feature of a Firefox release.

That's not saying that browsers do not get exploited - they get exploited all too often.
When they do get exploited though if the login data is targeted it will capture that the next time that data is keyboarded (on the next login attempt) far more often than it would be captured from the browser's "save passwords" feature.
The reason for this is that the former is an automated task with the latter usually being a manual function.

HA Nut mentions tools that can extract a user's login credentials but that requires a malicious user with local access to the machine. In that situation the security game is lost anyway - completely lost.

It's not possible to prove the non-existence of something but I've been unable to prove the existence of an exploit that abuses Firefox's stored login data.

said by norwegian:

I am willing to discuss this more.

Yes, it wasn't by accident that I chose to drop this into one of your post replies.
I chose you because of your willingness to openly discuss what some may see as off the wall.

said by norwegian:

For the OP's question I think I've given a clear answer.

Absolutely!


norwegian
Premium
join:2005-02-15
Outback

It is a point I hadn't thought of in my constant "keep clean" mode.

The fact you have retained data from a, for the conversation, known secure connection and the hand shake made at the time, you would assume too it being an added security measure. Something I had not thought of.

So that leaves us with 3 points of discussion.

1. Do not store locally, but in the head or a notepad nearby.
2. Use cached data to help avoid phishing/web exploited exchanges due to already holding valid/authorized data from a previous connection.
3. 3rd party password manager

1. Avoids CSS or similar exploit of stored user data.
Phishing can not be avoided by this method.

2. Gives a great degree of satisfaction because you believe the last connection was legitimate and you reuse data.
If there are pages out there phishing, it does make it hard without looking first at the source code for the pages or possibly the cert if ssl. I know I once found a bogus google search page with a search engine, but by another site altogether.
They are out there.

3. A password manager is still exploitable locally, however it is a far better way to store passwords locally at the same time though.
I can't help wander thoughts to the connection storage in the browser, and how it is handled. SSL you gather is okay but plain text transport isn't. So would you have the browser still not store locally or, as you pointed out, re-use stored data.

Something else you have inadvertently brought up by using the local cache storage, is that of standard http or https as the protocol. Sure SSL secure socket is better than http, and on the point of the game site, how many allow https handshakes to authenticate? There wouldn't be many, and being generally for the young by the young, funds for this might not be available either, although free certs can be obtained.

Interesting....
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable


Fig. 1
Fig. 2
said by norwegian:

It is a point I hadn't thought of in my constant "keep clean" mode.

I'm afraid I have sidetracked or confused the point of my own original post.
To clarify: I was solely referring to Firefox's "Remember passwords for sites" function (Fig. 1).

My point being that with the "Remember passwords for sites" enabled, when confronted with a login screen to a site where the login credentials have been saved the challenge input boxes will populate with the saved passwords only if the browser is actually at the site that it appears to be, in this case a Gmail login page (Fig. 2).

If I were at a bogus Gmail login page (or any other login page) the challenge input boxes would not populate.

For the 100's of phish sites I purposefully have multiple visits to each week it can get confusing over what is real vs fake.
As I mentioned in my original post reply, twice over the past ~half year I got sufficiently confused over what was real vs fake almost logging into a fake site.
My clue that I had gotten confused about where I actually was came from the challenge input boxes not populating.

AFAIK, that's a bulletproof way of determining a site's 'legitimacy'.
If I'm wrong about this, given the nature of this forum & the size of its membership I hope if I'm incorrect someone would point that out.

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to Snowy

said by Snowy:

If the concern is someone 'stealing' the login data from the user accounts browser that would take an access that spells game over long before the browser data was abused.

Probably.

said by Snowy:

On a smaller scale, if a keylogger is present & logging a user accounts activity it can't capture keystrokes that aren't entered.

Your points still stand, but if we're discussing a persistent threat like a 'banking trojan', then the threat from 'man-in-the-middle' is from more than real-time monitoring of keystrokes -- it's capturing the data at the time of transmission to the banking site. (Commonly referred to as 'man-in-the-browser'.)

It's just another point to throw into the mix when one is weighing the different risks.

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to norwegian

said by norwegian:

Use a limited user too, so any other unknown.exe files will have to prompt for admin permissions, as drive-bys are in this category.
Know though once you have allowed an executable file to run, there is not much you can do; at that point you have committed to allowing a process.

For clarity (I hope), non-root/limited user/least privilege is protecting against a different set of threats -- to the operating system and beyond. A user's personal storage is generally at risk even when running without root/admin rights.


norwegian
Premium
join:2005-02-15
Outback

It was in reference to the question on trojans that I mentioned a limited user to help with stopping process infection.
I understand though any user with a browser can be affected without a process or driver through separate vectors, javascript, plug-ins, etc.

No confusion.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


psloss
Premium
join:2002-02-24
Lebanon, KS

said by norwegian:

It was in reference to the question on trojans that I mentioned a limited user to help with stopping process infection.
I understand though any user with a browser can be affected without a process or driver through separate vectors, javascript, plug-ins, etc.

No confusion.

A limited user login doesn't stop processes from running, it stops processes from getting admin access (setting aside theory vs. practice). Keeping those other things (browsers, plugins) free of exploits that are being exploited (or blocking exploitable functionality) can stop a visit to an exploit site from resulting in a new process. If something isn't fully patched (like Oracle's JRE, for example), a visit to one of those sites is likely to result in at least one new running process.


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Snowy

said by Snowy:

AFAIK, that's a bulletproof way of determining a site's 'legitimacy'.
If I'm wrong about this, given the nature of this forum & the size of its membership I hope if I'm incorrect someone would point that out.

So far as I know -- and I just ran a quick 'n dirty with Opera and a couple VMs -- the only authentication a browser does is to match the URL and the field names before populating the login info.

Thus, you are relying on the security and authenticity of DNS communication to/from your browser (and all points in between).
--
Think Outside the Fox.
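
The matching described in the post above, as an added example that is not part of the original thread and is not Firefox's or Opera's actual code: a simplified model in which a saved login is filled when the page's URL origin and the form's field names match. The host names, field names, credentials, the `connection` object and the stricter HTTPS-only policy are all assumptions constructed for illustration.

```javascript
// Simplified model of saved-login autofill (constructed example, not browser code).
const savedLogins = [ // constructed sample data
  { origin: "https://mail.example.com", userField: "Email", passField: "Passwd",
    username: "alice", password: "constructed-secret" },
  { origin: "http://forum.example.net", userField: "user", passField: "pass",
    username: "alice", password: "constructed-secret-2" },
];

// The matcher sees only the URL string and the form's field names.
function findLogin(pageUrl, form) {
  const origin = new URL(pageUrl).origin; // scheme + host + port
  return savedLogins.find(l =>
    l.origin === origin &&
    l.userField === form.userField &&
    l.passField === form.passField) || null;
}

// URL-only policy: fills whenever origin and field names match.
// `connection` is never consulted, so a wrong DNS answer is invisible here.
function autofillUrlOnly(pageUrl, form, connection) {
  return findLogin(pageUrl, form) !== null;
}

// Stricter policy (an assumption for this example): also require HTTPS with a
// certificate valid for the host, so the name is vouched for by more than DNS.
function autofillHttpsOnly(pageUrl, form, connection) {
  const isHttps = new URL(pageUrl).protocol === "https:";
  return isHttps && connection.certValidForHost && findLogin(pageUrl, form) !== null;
}

function demo() {
  const mailForm = { userField: "Email", passField: "Passwd" };
  const forumForm = { userField: "user", passField: "pass" };
  const good = { ip: "192.0.2.10", certValidForHost: true };
  // Constructed case: the host name resolved to an address the site does not own.
  const wrongDns = { ip: "198.51.100.66", certValidForHost: false };
  return {
    realSite: autofillUrlOnly("https://mail.example.com/login", mailForm, good),
    lookAlikeHost: autofillUrlOnly(
      "https://mail.example.com.signin.example.org/login", mailForm, good),
    wrongFieldNames: autofillUrlOnly("https://mail.example.com/login", forumForm, good),
    httpWrongDnsUrlOnly: autofillUrlOnly("http://forum.example.net/login", forumForm, wrongDns),
    httpWrongDnsStrict: autofillHttpsOnly("http://forum.example.net/login", forumForm, wrongDns),
    httpsWrongDnsStrict: autofillHttpsOnly("https://mail.example.com/login", mailForm, wrongDns),
  };
}

console.log(demo());
```

In this model a look-alike host name never matches, but a plain-HTTP page reached through a wrong DNS answer still fills under the URL-only policy, which is the dependency on DNS the post points out.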


Faster
Premium
join:2013-03-09

1 recommendation

reply to x009

Maybe I'm missing or misunderstanding the problem being described but I've never had problems with protecting or password being compromised in the 20 years I've been using computers.

I currently "control" all passwords for everything through the password manager "LastPass." Been using it for two or three years and find it priceless for my preference of usage.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to Snowy

said by Snowy:

Strictly referring to Firefox (15.0.1, including earlier releases) I believe allowing the browser to remember passwords is a security feature.

The benefit comes from allowing the browser to determine if the site asking for the login/password is the site it appears to be.

Yes, I completely agree with that. I have been arguing that position for some time.

I do believe, however, that one should configure firefox (or whatever browser) to encrypt the passwords. In the case of firefox, that's the option to set a master key.

As an additional safeguard, I use a separate firefox profile for the most critical sites (such as banking). That minimizes the risk of cross site scripting. And since I close down that banking browser when I have finished using it, the encryption key for passwords is only cached by the browser for a relatively short time.
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 19.0.2


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to psloss

said by psloss:

said by Snowy:

On a smaller scale, if a keylogger is present & logging a user accounts activity it can't capture keystrokes that aren't entered.

Your points still stand, but if we're discussing a persistent threat like a 'banking trojan', then the threat from 'man-in-the-middle' is from more than real-time monitoring of keystrokes -- it's capturing the data at the time of transmission to the banking site. (Commonly referred to as 'man-in-the-browser'.)

It's just another point to throw into the mix when one is weighing the different risks.

Yes, that was the weakest argument I could have presented.

But in the presence of a banking trojan it's academic anyway.