NWA-PCUG Newsletter Article
Breaking and Entering
By Wally Wang, author of Steal This Computer Book 2, November 2001
amanda@nostarch.com


Anything you type on a computer can come back to haunt you.

No matter how well you've hidden your data or how many times you may have encrypted it, there's always a chance that someone somewhere will be able to find and read what you have written.

So if you really want to get information about other people, or learn how to protect yourself from others trying to get into your computer, keep reading. The secrets inside your computer can be pried open more easily than you think.

Defeating Passwords
Although passwords restrict access to a computer, they're the weakest link in any security system. The most secure passwords are lengthy and consist of random characters. But most people tend to choose simple, easy-to-remember passwords and use the same password for several different systems (for example, their work computer, America Online account, and Windows screensaver). If you discover a person's password, you'll often have the key to their other accounts as well.

Whenever a computer requires a password you don't know, you have several methods of attack:

  • Disable or circumvent the program that requires the password
  • Steal a valid password
  • Use a dictionary attack that methodically tries common passwords

Disabling or circumventing a password
Often you will need a password to access someone's computer system. There are two common ways that computer systems are password-protected:

  • Use the operating system screensaver
  • Use a separate security program

Defeating the Windows 95/98 screensaver
The simplest way to defeat a Windows 95/98 password-protected screensaver is to turn off the computer and turn it back on (pressing ctrl-alt-del won't work). The screensaver is just an ordinary program that starts after Windows has already given you the desktop, so nothing enforces it once the machine restarts: when the computer comes back on, you should have complete access to the computer. Then you can right-click on the desktop, choose Properties, click on the Screen Saver tab when the Display Properties dialog box appears, and uncheck the Password-protected check box.

For the really devious, try assigning a new password instead of disabling password-protection. To do so, keep the Password-protected check box checked and click on the Change button. Then type in a new password for the screensaver. Now anyone who tries to access this computer will be locked out unless he or she can guess the new password you registered.

Another way to break into a password-protected computer is to avoid loading the security programs or menu shells that run on start-up and lock you out of the computer. To avoid loading these programs, reboot the computer and press one of the following keys as soon as you see the "Starting Windows 95/98" message on the screen:

  • F8 -- Pressing F8 displays the Windows 95/98 start-up menu, which lets you choose whether to load Windows 95/98 without any start-up programs or go straight to MS-DOS.
  • shift-F5 -- Pressing shift-F5 bypasses any start-up programs and displays the MS-DOS prompt.
  • shift-F8 -- Pressing shift-F8 allows you to step line by line through the start-up procedure so you can selectively choose which programs you want to load.

Defeating third-party screensavers and security programs
Not everyone relies on the Windows screensaver for password protection, but you should be able to beat third-party screensavers the same way: Turn the computer off and on again, then use one of the above methods of holding down the F5, F8, or shift keys (for Windows 3.1) or F8, shift-F5, or shift-F8 (for Windows 95/98) to keep the screensaver or security program from loading.

You probably won't be able to circumvent the better security programs by rebooting the computer. To get around these more sophisticated programs, boot from a floppy disk to load MS-DOS, and then use MS-DOS commands to copy, move, or delete files on the hard disk at your leisure. This works because the FAT file systems Windows 95/98 uses have no file permissions at all: whatever code runs on the machine can read every file, so a software lock protects nothing once you arrange for it not to run. If a third-party security program still blocks your access even after rebooting, you may have to resort to stealing the password to the security program.

Stealing a password
The easiest way to steal a password is by shoulder surfing: peeking over someone's shoulder as they type in a password. If that doesn't work, poke around the person's desk. Most people find passwords hard to remember, so they often write them down and store them where they can easily find them, like next to their monitor or inside their desk drawer.

Still can't find that pesky password? Try one of these:

  • A keystroke logger
  • A desktop monitoring program
  • A password recovery program

NOTE -- All of these programs require that you have access to the victim's computer so you can install or run the programs without the user's knowledge.

Using a keystroke recorder or logger
Keystroke recorders or "loggers" are programs that record everything a person types and either send the recording to a monitoring computer or save it to a file. Since they capture the keystrokes themselves, it doesn't matter how well the password is encrypted once it is stored or sent over the network. When the user is away, you can remove the keystroke logging program from their machine and retrieve its log file containing the password and anything else they typed.

Figure: A keystroke logger can record everything you type.

While many loggers were originally written for legitimate purposes, people have found creative ways to use them. (The program WinWhatWhere was originally written as a time and billing tool.) Remember, though, if you use one on someone's computer without permission you could be breaking Federal eavesdropping laws, punishable by up to five years in prison and $250,000 in fines.

Keystroke logging programs tend to be fairly small, so they're easy to hide on a victim's computer. Hackers have written and posted some simple keystroke logging programs with names like Playback, KeyTrap, or Phantom, but many companies have released shareware versions of keystroke loggers too, which you can find at sites like http://www.download.com or http://www.Rocketdownload.com. Some of the more popular shareware and commercial keystroke logging programs include KeyKey (http://mikkoaj.hypermart.net), Keystroke Recorder (http://www.campsoftware.com/camp), and Stealth Keyboard Interceptor (http://www.geocities.com/SiliconValley/Hills/8839/index.html).

Some keylogging programs, such as SureShot Ghost Keylogger (http://home.swipnet.se/~w-94075/keylogger) and Stealth Activity Recorder and Reporter (http://www.iopus.com/), can secretly email you the recorded keystrokes. Parents or employers may legitimately use a keystroke logger to see what their children or employees are doing. Hackers, though, may use keystroke loggers for less than legitimate purposes, such as capturing passwords and other valuable information without having to return to the targeted computer to collect the log.

D.I.R.T.
Many hackers also use keystroke logging to capture credit card numbers, passwords, and encrypted data through remote access Trojan Horses like Back Orifice (see Chapter 16). Turning the tables on the hackers, law enforcement officials use a similar program called D.I.R.T. (Data Interception and Remote Transmission), available from Codex Data Systems (http://www.thecodex.com).

D.I.R.T. can secretly record keystrokes and email the captured keystrokes to another computer. That way law enforcement officials can capture evidence as the suspect types it in. If someone is secretly recording and reading your captured keystrokes, even the best encryption won't protect you. The Peeping Tom who is looking into your computer will already have the password you used to encrypt your data, as well as every keystroke you typed before encrypting your file.

Spying with a desktop monitoring program
Desktop monitoring programs are slightly more sophisticated than keystroke loggers. Like a computer surveillance camera, they secretly record the programs a person uses, how long the person uses each program, the Web sites viewed, and every keystroke. Many monitoring programs can store days of recordings, and some can be set to record at designated times only, when certain applications are run, or when a user logs on to the Internet.

Figure: Investigator monitors a user's computer activity.

Like keystroke loggers, many desktop monitoring programs were designed for legitimate use. Many people use them to protect their computer from abuse or to monitor their children's computer. Desktop monitoring programs are also perfect for less-than-legitimate uses, such as spying on another person's computer. If you do, be sure to use the stealth mode so the user won't know that the program is tracking their actions. Then, when the person leaves, go back to the target computer to retrieve the captured data.

Figure: A desktop monitoring program can track every program and keystroke used on a specific computer.

Like loggers, you can find several shareware versions of desktop monitoring programs at sites like Download.com. For specific programs, try these sites: AppsTraka (http://appstraka.hypermart.net), Desktop Surveillance (http://www.omniquad.com), WinWhatWhere Investigator (http://www.winwhatwhere.com), Security Officer (http://www.compelson.com), or WinGuardian (http://www.webroot.com).

Remotely viewing another computer's desktop
Desktop monitoring programs are useful if you have regular access to the computer you want to watch. But if you don't, you can use a remote desktop monitoring program instead. Just install a program such as QPeek (http://www.qpeek.com), NetBus (http://www.netbus.org), I-SeeU (http://www.faxtastic.com), or PC Spy (http://www.softdd.com) on the computer you want to monitor. Then anything someone types, views, or manipulates on that computer will appear live on your computer's screen. Be aware that NetBus in particular is flagged by anti-virus software as a remote-access Trojan horse, so installing it is likely to be noticed.

Using a password recovery program
Because typing a password over and over again to access a program can be a nuisance, many programs let you store passwords directly in the program, hidden behind a string of asterisks. Because people often forget these passwords and then can't access their programs or files, password recovery programs have been developed to retrieve these lost or forgotten passwords. You can, of course, also use these programs to retrieve other people's passwords.

There are many shareware versions of password recovery programs. Look for 007 Password Recovery (http://www.iopus.com), Password Recovery Toolkit (http://www.lostpassword.com), or Revelation (http://www.snadboy.com).

Besides blocking access to a program, passwords can also block access to files like WordPerfect documents or Microsoft Excel spreadsheets. To retrieve or crack password-protected files, get a special password-cracking program from one of these companies: Access Data (http://www.accessdata.com), Alpine Snow (http://www.alpinesnow.com), Crak Software (http://www.crak.com), ElCom (http://www.elcomsoft.com), Password Crackers Inc. (http://www.pwcrack.com), or Passware (http://www.lostpassword.com).

Figure: A variety of password-cracking programs are readily available for purchase over the Internet.

You can also find plenty of free cracking programs on hacker Web sites or through Crak Software or Access Data's Web sites. Many provide the source code too, so you can see how they work. Surprisingly, their source code is short and relatively simple, revealing the incredible weakness of the "encryption" older versions of Microsoft Word or Lotus 1-2-3 used. Word 6.0 and Word 95, for example, merely XORed the file contents with a short key derived from the password, so anyone who knows what the first bytes of a Word file always look like can recover the key without ever guessing the password. By studying the source code, you can learn how to crack open password-protected files yourself or even how to write your own password-cracking program.
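The weakness described above can be shown in a few lines. The following is an added example (mine, not code from the book or from any of the vendors named here) that models a repeating-key XOR "encryption" of the general kind older Word and Excel versions used to protect files. The header bytes, the 16-byte key length and the key derivation are constructed stand-ins, not the real file format; what carries over is the attack: because every file of a given type begins with the same header, XORing those known bytes against the start of the protected file yields the key directly.

```python
# Added example, not from the book: known-plaintext recovery of a
# repeating XOR key. The header, key length and derivation below are
# constructed stand-ins for a scheme like the one old Word versions used.

KEY_LEN = 16  # assumed key length for this toy scheme


def derive_key(password: str) -> bytes:
    """Stand-in key schedule: stretch the password to KEY_LEN bytes.
    Real products used a different, but equally weak, derivation."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    return bytes(pw[i % len(pw)] for i in range(KEY_LEN))


def xor_protect(plaintext: bytes, password: str) -> bytes:
    """'Encrypt' by XORing byte i with key byte i mod KEY_LEN.
    Decryption is the very same operation, the first warning sign."""
    key = derive_key(password)
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(plaintext))


# Every file of a given type starts with the same magic header; any
# attacker knows these bytes. Constructed for the example (16 bytes).
KNOWN_HEADER = b"TOYDOC\x01\x00" + b"\x00" * 8


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: C[i] = P[i] XOR K[i mod n], so
    K[i] = C[i] XOR P[i] for the first n bytes whose plaintext we know."""
    if len(known_prefix) < KEY_LEN or len(ciphertext) < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:KEY_LEN], known_prefix[:KEY_LEN]))


def decrypt_with_key(ciphertext: bytes, key: bytes) -> bytes:
    """Undo xor_protect given the key (no password needed)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def crack(ciphertext: bytes, known_prefix: bytes = KNOWN_HEADER) -> bytes:
    """Recover the whole document without learning the password."""
    return decrypt_with_key(ciphertext, recover_key(ciphertext, known_prefix))


if __name__ == "__main__":
    doc = KNOWN_HEADER + b"Quarterly numbers: do not distribute."  # constructed
    protected = xor_protect(doc, "s3cret!")
    recovered = crack(protected)
    assert recovered == doc
    print(recovered[len(KNOWN_HEADER):].decode())
```

Note that the attack never touches the password at all: sixteen bytes of predictable header are enough to strip the protection from a file of any length, which is why the real crackers the text describes are so short.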

If you need to retrieve passwords from a computer running Windows NT, grab a copy of the L0phtCrack program from the L0pht Heavy Industries Web site (http://www.l0pht.com). Windows NT does not store passwords in a form that can be decrypted; it stores one-way hashes of them in the SAM database. L0phtCrack therefore works like a UNIX password cracker: it hashes dictionary words and brute-force guesses and compares the results with the stored hashes. It is so effective because the older LAN Manager (LM) hash that NT keeps for compatibility upper-cases the password and splits it into two 7-character halves, each of which can be attacked on its own.

Dictionary attacks on passwords
Most people choose easy-to-remember passwords, so hackers have created special dictionary files (sometimes called word lists) that contain common passwords such as actors' names, names of popular cartoon characters, popular rock bands, Star Trek jargon, common male and female names, technology-related words, and common words found in most dictionaries.

Password-cracking programs take each word from a dictionary file and type it into the program as a password until it finds one that works or runs out of words. If the password works, you have access to the program you want. Of course, if it runs out of words in its dictionary file, you can try other dictionary files until you find a valid password or run out of dictionary files. If a password is an ordinary word, it's only a matter of time before a dictionary attack will uncover it. To foil a dictionary attack, sprinkle some random characters (such as symbols and numbers) in your passwords or use a special password-generating program such as PassGen (http://www.noodlesoft.co.uk) or Quicky Password Generator (http://www.quickysoftware.com), which can create truly random passwords of varying lengths.

You can create your own password lists for use in a dictionary file with a dictionary-making program; these programs create random word combinations, words consisting of all uppercase or lowercase, words with random symbols mixed in, and so on. (Dictionary attacks are most useful when you don't have to worry about being spotted, as when you're breaking into a remote computer through a phone line or the Internet.)

Figure: You can create your own dictionary files or manipulate existing ones to make additional password lists.

To find dictionary files, use a Web search engine to search for "dictionary file" or "word lists." You can find a number of shareware and freeware password crackers at Download.com, with names like Ultra Zip Password Cracker, CracPak, and Password List Recovery.

Using a dictionary attack to defeat UNIX passwords
UNIX operating systems are designed to handle multiple users on a single computer. To isolate users from one another, each user has an account defined by an ID or user name and a password.

Conveniently (for both hackers and system administrators), UNIX systems traditionally store the list of account names and passwords in the world-readable /etc/passwd file. To provide a degree of security, UNIX never stores the password itself; it stores the output of a one-way hash function (loosely called "encryption"), traditionally the DES-based crypt(3) routine, which mixes in a two-character random salt so that two users with the same password get different hashes. Most modern systems move the hashes into a separate /etc/shadow file that only root can read, leaving an "x" in the password field of /etc/passwd.

To gain access to UNIX computers, hackers copy the /etc/passwd file (or /etc/shadow, if they can get it) to their own computer so they can run a dictionary attack offline: for each account, the cracker takes the salt from the stored hash, hashes every word on its list with that same salt, and compares the result with the stored value. Nothing is decrypted, because the hash is one-way; a match simply means the word is the password. At this point, the hacker can use that password to gain access to that unlucky person's account.

To increase the chances of finding a valid password, UNIX password-cracking tools like John the Ripper or CrackerJack not only try commonly used passwords, but also variations of those common passwords (spelling them backwards, capitalizing them, or adding a 1 or 9 to the end or beginning). While this slows down the overall cracking process, it does make sure the dictionary attack isn't fooled by a simple variation on a common password.

Steal This Computer Book 2 is available from No Starch Press (800-420-7240, http://www.nostarch.com) for $24.95.

Wally Wang is a regular contributor to Boardwatch magazine ("Notes From the Underground") and frequently appears on radio and TV programs to talk about hackers and computer viruses. He performs stand-up comedy regularly in Las Vegas and has appeared on the nationally syndicated television show, "A&E's Evening at the Improv." He currently lives in San Diego, California.
