[ISN] Don't take passwords to the grave

From: InfoSec News (isn@private)
Date: Tue Jan 06 2004 - 02:38:06 PST

    http://www.canada.com/calgary/calgaryherald/info/business/story.html?id=AECE029D-BE09-42E7-8691-4A11A6988D02
    
    Doug Bedell   
    The Dallas Morning News  
    January 05, 2004
    
    As an ambulance whisked Jon Hansen to the hospital last year, he held
    tightly to his wife's hand and told her things she needed to know if
    he were to die.
    
    "Write down this password," he told her. "Oh, you'll need this one,
    too. And you don't have this one, either."
    
    The Orem, Utah, software salesman managed to recover from that
    near-fatal bout with encephalitis.
    
    But the ambulance ride taught him a valuable lesson.
    
    "One of the first things I did was write down all my passwords and put
    them in the safe," he said. "I should have done that a long time ago."
    
    Perhaps there are secrets we all should take to the grave. But, as
    Hansen and others have learned, important computer account passwords
    are not among them.
    
    As an increasing amount of critical personal and work-related
    information is stored on computers instead of inside file cabinets,
    passwords are creating digital locked doors for lawyers, will
    executors and the relatives of deceased loved ones. Without a
    comprehensive list of passwords left behind by the dead, survivors and
    their representatives are often forced to hire special
    password-cracking services to break through electronic barriers.
    
    The lack of access to password-protected online bank and brokerage
    accounts -- as well as electronic mail and sections of computer hard
    drives -- has prolonged the settlement of estates and thwarted
    emotional closure for survivors.
    
    "It's becoming a very common occurrence," said John E. Kuslich, a
    for-hire password cracker and developer of break-in software. "I've
    had families of people who have committed suicide, for example, and
    they'll call me and say all these files are encrypted and they want to
    get into them. In those cases, especially, people call back and are so
    thankful for what they were able to read. It's really something else."
    
    In discussion boards across the Internet, friends and relatives seek
    advice on gaining computer access. In the alt.hacking newsgroup, a
    user named Mobius was looking for help tracing his late aunt's final
    correspondence. She had overdosed on Valium and died, he said.
    
    "Her husband (my uncle) is now trying to get into her e-mail to see if
    there is anything that might provide a clue as to why she did it,"  
    Mobius wrote.
    
    The aunt's Internet service provider agreed to open up her mail
    account, but only if it received copies of a death certificate, a
    notarized statement about the status of her estate and other
    documents.
    
    "He asked me if I could do anything to get into her account without
    jumping through all the hoops," Mobius wrote. "I told him I would try,
    and so I am here."
    
    Although there are a variety of ways to retrieve a dead person's
    passwords, there are legal issues to consider.
    
    Matt Yarbrough, a former federal prosecutor and current head of Fish &
    Richardson's Cyber Law Group, said survivors risk violating both state
    and federal statutes if they're not careful.
    
    "Most estate cases are as nasty as divorce, or worse," Yarbrough said.  
    "You can really run afoul of the law if you don't have the authority."
    
    Even if the deceased once allowed a relative to log into a computer
    account, for example, the person doesn't necessarily have permission
    in perpetuity, Yarbrough said. When someone dies without preparing a
    will, there are still procedures for determining which relative should
    have access to private records and accounts.
    
    Disregarding the legal rights of the deceased and their estates could
    even result in a criminal prosecution under the federal Computer Fraud
    and Abuse Act or existing state laws. Estate executors can take legal
    action if they find anyone else has entered secured accounts and made
    changes, said Keith Novick, estate-planning specialist for law firm
    Gardere Wynne Sewell.
    
    "That's called thievery," Novick said, and the estate has a strong
    legal right to reclaim any funds lost during an unauthorized online
    session.
    
    Lawyers handling probate usually can secure the right to pull together
    records and assets of the deceased without breaking into computer
    drives or online accounts, he added. For example, if hard copies of
    financial statements are available, they can be obtained by lawyers.
    
    Legalities aside, a simple Internet search turns up dozens of websites
    like Password-crackers.com, Kuslich's Crak.com and AccessData.com that
    sell do-it-yourself forensic software packages priced as low as $9.99
    US and for more than $1,500.
    
    Professional password crackers warn that some of these programs may
    have been developed by malicious hackers, who secretly receive copies
    of the passwords cracked on an Internet-connected computer.
    
    Many legitimate solutions are specifically designed for certain types
    of computer files. AccessData.com, for example, got its start
    primarily helping lawyers regain access to protected Word Perfect
    files for which they had forgotten passwords.
    
    A spokesman for AccessData said the company has developed more
    sophisticated software that can decipher passwords for all sorts of
    files. One program, for example, scans a hard drive for all data and
    creates a "dictionary" of every word typed by the user. By examining
    the most often-used words or combinations of letters and numbers,
    forensic experts usually can deduce favourite passwords of the
    deceased.
    
    Patterns can also be gleaned from the record of websites visited,
    experts say, because people often create passwords out of quirky words
    used in their favorite avocations.
    
    Professional crackers often employ high-powered computers to run
    decryption programs that perform "brute force" attacks on password
    protected files. These machines can quickly generate millions of
    possible letter and number combinations, then test them within
    seconds. Well-formed passwords -- words not in the dictionary coupled
    with numbers or symbols -- may take the best equipment days to crack.
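    The two passages above describe a forensic "dictionary" built from
    the words a user typed and a brute-force search over letter and number
    combinations. The following Python is an added example written for
    this archive copy, not code from the article or from any of the vendors
    it names. It shows, from the defender's side, why a password built from
    one of your own recurring words plus a few digits falls quickly while a
    string of unrelated characters does not: it counts the recurring words
    in a constructed sample text, checks whether a candidate password is just
    one of those words with digits or symbols on the ends, and compares the
    number of guesses such a personal dictionary needs against a full
    alphanumeric keyspace at a rate of a million guesses per second. The
    sample text, the word-length threshold, the suffix-mangling rules and
    the guess rate are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample text standing in for letters and notes found on a
# user's drive. It is illustrative data written for this example, not
# anything quoted from the article.
SAMPLE_TEXT = """
Dear Marta, the sailing club meets Saturday. Bring the spinnaker and the
halyard we bought for the regatta. After the regatta we can look at the
spinnaker repair. Sailing season is short, so regatta weekends matter.
Remember to renew the marina slip before the regatta.
"""

# Words of four or more letters; shorter tokens are too common to be useful.
WORD_RE = re.compile(r"[A-Za-z]{4,}")


def build_word_frequencies(text):
    """Count every word typed in the text, case-folded, as the article's
    'dictionary' step does."""
    return Counter(word.lower() for word in WORD_RE.findall(text))


def frequent_words(freq, min_count=2):
    """Keep the words that recur, the ones most likely to seed a password."""
    return {word for word, count in freq.items() if count >= min_count}


def core_word(password):
    """Strip leading/trailing digits and symbols so 'Regatta2004!' reduces to
    'regatta'. Only this simplest form of mangling is undone here."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def derived_from_user_words(password, words):
    """True if the password is one of the user's own recurring words with
    digits or symbols tacked on the ends: the pattern a personal dictionary
    recovers first, so a password checker should reject it."""
    return core_word(password) in words


def brute_force_guesses(charset_size, length):
    """Guesses to exhaust every string of the given length over the charset."""
    return charset_size ** length


def personal_dictionary_guesses(num_words, suffix_charset=10, max_suffix=4):
    """Guesses to try every recurring word, in two capitalizations, with every
    digit suffix of up to max_suffix characters (assumed mangling rules)."""
    suffixes = sum(suffix_charset ** k for k in range(max_suffix + 1))
    return num_words * 2 * suffixes


def seconds_at_rate(guesses, guesses_per_second):
    """Wall-clock seconds for a cracker running at the given guess rate."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    words = frequent_words(build_word_frequencies(SAMPLE_TEXT))
    rate = 1_000_000  # assumed: a million guesses per second, the article's order of magnitude
    for pw in ("Regatta2004!", "Xq7#vLp2"):
        print(pw, "derived from user's own words:", derived_from_user_words(pw, words))
    print("personal dictionary search:",
          seconds_at_rate(personal_dictionary_guesses(len(words)), rate), "s")
    print("8-char alphanumeric brute force:",
          seconds_at_rate(brute_force_guesses(62, 8), rate) / 86400, "days")
```

    Run as a script it prints that "Regatta2004!" is derived from the
    sample's recurring words and "Xq7#vLp2" is not, that the personal
    dictionary (three words, digit suffixes up to four long) is exhausted in
    a fraction of a second, and that the 62^8 alphanumeric space takes on
    the order of years at the same rate. The practical lesson for the
    password list Hansen locked in his safe is the same one the article
    draws: the passwords worth protecting are the ones not reconstructible
    from your own documents.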
    
    Hiring forensic computer experts can get pricey. Most charge between
    $150 and $300 an hour.
    
    "Usually, people are trying to get into a single file -- a Word file,
    a Quickbooks file, something like that," said Kuslich. "Those are
    fairly easy to break into. On occasion, it's been mail files -- PST
    files from Microsoft Outlook, that sort of thing."
    
    Sometimes, software vendors can help survivors. For example, Intuit --
    the maker of Quicken -- doesn't record an individual's password but
    does assist properly documented executors in bypassing password
    protection. Intuit spokesman Chris Rapetto said survivors can fill out
    an online form
    (intuit.com/support/-quicken/dataservicesassword_removal.html), copy
    the Quicken data file to a diskette and send it to the company.
    
    The company charges $65 for service within five business days and $150
    for one-day express treatment, but will usually waive fees in the case
    of survivors seeking access to a dead person's financial records,
    Rapetto said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jan 06 2004 - 05:13:13 PST