By Lou Dolinar

The Victorians dubbed it "smash and grab" - a thief strolls into a jewelry store, breaks a display case with a hammer, grabs what he can and runs like heck. No class in comparison to bypassing an alarm system in the dark of night - but highly effective.

Much the same technique can be applied to any computer to which others have physical access. Walk away from your PC for lunch, and a moderately savvy podmate can strip-search your hard drive. In fact, he might even set it up for further exploits.

For our last two columns, we explored the classy approach to hacking with what I call commercial hackware - increasingly popular, user-friendly tools including boot disks that break system passwords and programs and hardware that steal your keystrokes. Today we're going to look at some of the quick and dirty stuff the bad guys use when they do get access, as well as more sophisticated intrusions - and what you can do about it.

Passwords are a key target of opportunity, since many kinds of personal financial data are accessed from PCs. Not only Web bank accounts or credit card accounts are of interest; investments, 401(k) retirement funds, even air mileage programs can be easily compromised and turned into cash. A hacker also can capture the passwords of your e-mail accounts or instant messaging.

The vulnerability is a function of Microsoft, Web site operators and lazy users. In Windows, Microsoft builds in an "autocomplete" utility that, among other things, remembers account names and passwords. Type in one or two letters of the account name (usually your last name) and Windows obligingly fills out the rest. Some Web sites plant files called cookies on your computer that accomplish much the same thing. Thus, if a hacker knows your name and manages to get physical access to your computer, he can gain access to many of your accounts, since most of us use our last names for account names.

But wait, you say: Windows hides passwords (or, as the pros say, "suppresses" passwords) by overtyping them with asterisks - and a hacker exposes himself to arrest if he spends a lot of time in front of my computer. Thanks to password suppression, he can't write down the passwords and use them from another computer. Not the greatest security, but not too shabby.

Sorry, Charlie, that doesn't cut it. There are many companies that sell or give away easy-to-use utilities that display suppressed passwords, though I'm a little nervous about the whole sector. Maybe I'm just paranoid, but I'll note here that an outfit called Nirsoft (http://www.nirsoft.net) has a suite of free password recovery utilities and carefully explains that you really shouldn't worry that when you install their programs, your anti-virus software triggers an alarm. Now they didn't trigger MY antivirus software, but who knows? I think I would be more inclined to deal with firms that charge for their wares, like Last Bit software, which markets to forensic investigators. Google "protected storage" and "password" and you'll find dozens of vendors.

There's no limit to what programs like these can do. Besides shredding Windows internal security, they can get at specific programs that have their own password protection schemes, including Microsoft Word, Excel, various personal finance and accounting systems, and even good old WinZip. Besides compressing files, WinZip is relied on for locking up files users don't want others to see. They can recover the suppressed password from your e-mail program, the one for your remote mail server. The hacker thus can access your e-mail from any location, in a way that leaves no trace that the mail has been read - and even send mail in your name. (Along these same lines, I also tested a utility that recovers the stored passwords for instant messaging programs. I'll leave its potential to your imagination.)

So what do we do?

You have to assume any password that's stored on your computer can be read if someone can get physical access to your computer. And unless you can physically lock up your computer, you should not save passwords.

You can deal with the worst offenders from inside Internet Explorer: Go to Tools, Internet Options and select the "Content" tab (interestingly enough, not the "Security" tab). Hit the "Autocomplete" button. Up pops a screen with some options. Uncheck "User Names and Passwords," then hit the "Clear User Names and Passwords" button. You can also remove personal data and Web site trails by unchecking the other boxes and clearing those settings, too.

Sometimes individual applications, such as mail programs, store passwords internally. In most cases you can disable this feature and log in manually every time you use the program - though it's not practical if you're accustomed to checking your e-mail every five minutes. Your call.

Passwords to certain network resources are stored with user account data. Go to the Control Panel, select "User Accounts," then select yours. Under "Related Tasks," select "Manage My Network Passwords." You'll get a dialogue box: Delete any sites that would present a problem if compromised.

Some Web sites store access permissions by placing a "cookie" on your computer, a little file that identifies you when you access the site. High-security sites (think banking) usually know better, but you'll run into this system with magazines and newspapers that are collecting information about registered users. The key here: Use a low-security password for a low-security site. And if for some reason your bank offers to save your password, say no.
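
A read-only check of the two stores the steps above clear by hand, added here as an example and not part of the original column. It assumes Internet Explorer records the AutoComplete choices as the string values "FormSuggest Passwords" and "FormSuggest PW Ask" under the registry key shown, and that cmdkey.exe is available with English-language output; the function name is hypothetical.

```powershell
# Added example: read-only audit of the two password stores named in the column.
# Assumptions: Internet Explorer records the AutoComplete choices as the string
# values "FormSuggest Passwords" and "FormSuggest PW Ask" under the key below,
# and cmdkey.exe is available with English-language output.
function Get-SavedPasswordAudit {
    $findings = @()

    # 1. The "User Names and Passwords" checkbox in the AutoComplete dialog.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    foreach ($name in 'FormSuggest Passwords', 'FormSuggest PW Ask') {
        $value = if ($ie) { $ie.$name } else { $null }
        if ($null -eq $value) {
            $status = 'not set (IE default applies)'
        } elseif ($value -eq 'no') {
            $status = 'off'
        } else {
            $status = "REVIEW: set to '$value'"
        }
        $findings += [pscustomobject]@{
            Store = 'IE AutoComplete'; Item = $name; Status = $status
        }
    }

    # 2. Entries behind "Manage My Network Passwords". Only target names are
    #    collected; cmdkey /list does not print the stored secrets.
    $targets = @(cmdkey.exe /list 2>$null | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    })
    foreach ($t in $targets) {
        $findings += [pscustomobject]@{
            Store = 'Stored credentials'; Item = $t
            Status = 'REVIEW: delete if a compromise would hurt'
        }
    }

    $findings
}

# Run for the current user and show one row per setting or saved entry.
Get-SavedPasswordAudit | Format-Table -AutoSize
```

An entry flagged under "Stored credentials" can be removed with `cmdkey /delete:<target>` or through the dialog described above.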