Sunday, July 20, 2008

Spaces

Made this yesterday. It's a collection of random footage edited together to match an untitled track, composed by Pablo. Watch away —



I'm off to watch The Dark Knight in a couple of hours. And if you haven't seen the Watchmen trailer yet, you should — it's simply amazing! If you didn't think it was amazing, you probably haven't read the book.

Thursday, July 03, 2008

Browser Password Managers - Safe?

When Firefox (or any other browser for that matter) prompts you to remember passwords, do you say 'Yes'? I used to, until yesterday, when I discovered how surprisingly easy it is for someone to get his/her hands on them.

Assume that I want to grab the passwords that Person X has saved on his computer using Firefox. This is how I would go about it —

Scenario 1: I have access to his computer

I would simply open up Firefox on his computer and go to Tools > Options > Saved Passwords > Show Passwords. Firefox very neatly shows (in plain English) a window containing a list of sites, along with the stored username and password for each of them.

Easy, no?

Scenario 2: The computer is at a remote location

You'd think getting those passwords in such a scenario is difficult, but it isn't. All you need to know is the location of the files that contain all the username/password information and then write a simple program that mails those files to you as attachments.

First, the location of the files. If you have Windows installed on the C: drive, you'll find all the important files at the following location:

C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\Profile Folder

Open up the file called signons3.txt. You'll see a list of websites along with the username and password saved for each of them. However, you can't read it because it's in an encrypted format. To decrypt it, you'll need the private key — this is stored in the file key3.db. And the certificates (signed public keys) are stored in the file cert8.db. The MozillaZine page has more details about these files.

I wrote a small application that locates these files on a user's computer and sends them to me as email attachments. I tried out the application on Karthik's laptop and it worked like a charm! Once I got the files, I simply replaced my copies of the files with the ones I downloaded and voila! I could now log on to all the sites that Karthik had saved passwords for!
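
Seen from the defender's side, the weak point described above is that any program running as the user can read these three files. The following added example (not part of the original post or the author's application) flags file-access records where something other than the browser touches them. The record format, install path, user name and profile folder name are constructed assumptions.

```python
import ntpath

# File names come from the post; all other values are assumptions.
CREDENTIAL_FILES = {"signons3.txt", "key3.db", "cert8.db"}
PROFILE_MARKER = "\\mozilla\\firefox\\profiles\\"
# Assumed install path; matching the full path means a firefox.exe
# dropped elsewhere is not trusted on its name alone.
ALLOWED_IMAGES = {r"c:\program files\mozilla firefox\firefox.exe"}

def parse_event(line):
    """Parse a constructed 'time|process image|accessed path' record."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3 or not all(parts):
        return None  # malformed record: skip it rather than guess
    return dict(zip(("time", "image", "path"), parts))

def is_credential_store(path):
    """True if path names one of the three files inside a profile."""
    # normpath folds '/' and '..'; Windows paths are case-insensitive.
    norm = ntpath.normpath(path).lower()
    return PROFILE_MARKER in norm and ntpath.basename(norm) in CREDENTIAL_FILES

def suspicious_accesses(lines):
    """Return events where an unexpected process touched the files."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_credential_store(ev["path"]):
            continue
        if ntpath.normpath(ev["image"]).lower() not in ALLOWED_IMAGES:
            hits.append(ev)
    return hits

# Constructed sample records (not real log output).
PROFILE = (r"C:\Documents and Settings\user1\Application Data"
           r"\Mozilla\Firefox\Profiles\abcd1234.default")
SAMPLE = [
    r"2008-07-02T21:14:03|C:\Program Files\Mozilla Firefox\firefox.exe|" + PROFILE + r"\key3.db",
    r"2008-07-02T21:20:11|C:\Documents and Settings\user1\Desktop\tool.exe|" + PROFILE + r"\signons3.txt",
    r"2008-07-02T21:20:12|C:\Temp\firefox.exe|" + PROFILE.replace("\\", "/") + "/KEY3.DB",
    r"2008-07-02T21:25:40|C:\Documents and Settings\user1\Desktop\tool.exe|" + PROFILE + r"\bookmarks.html",
    "truncated record with no fields",
]

if __name__ == "__main__":
    for ev in suspicious_accesses(SAMPLE):
        print(ev["time"], ev["image"], "->", ntpath.basename(ev["path"]))
```

On the sample, the browser's own access and the bookmarks read are ignored, while the desktop tool and the look-alike `firefox.exe` under `C:\Temp` are both reported.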


I wrote a harmless version of the same application for you guys to try out — download it here (5KB ZIP). It does everything except the emailing. If you don't trust me, you can always disable your internet connection before you run it.



If you're saying "Whew! Thank God I use Internet Explorer and not Firefox!", you should know that a similar process can be employed to grab passwords from ANY browser that has the Remember Passwords feature.

Anyway, if you're interested in reading more about all this stuff, I suggest you have a look at this exhaustive two-part article on "Password Management Concerns with Firefox and IE":

Part 1: http://www.securityfocus.com/infocus/1882
Part 2: http://www.securityfocus.com/infocus/1883