Information Security News mailing list archives

Don't take passwords to the grave


From: InfoSec News <isn () c4i org>
Date: Tue, 6 Jan 2004 04:38:06 -0600 (CST)

http://www.canada.com/calgary/calgaryherald/info/business/story.html?id=AECE029D-BE09-42E7-8691-4A11A6988D02

Doug Bedell   
The Dallas Morning News  
January 05, 2004

As an ambulance whisked Jon Hansen to the hospital last year, he held
tightly to his wife's hand and told her things she needed to know if
he were to die.

"Write down this password," he told her. "Oh, you'll need this one,
too. And you don't have this one, either."

The Orem, Utah, software salesman managed to recover from that
near-fatal bout with encephalitis.

But the ambulance ride taught him a valuable lesson.

"One of the first things I did was write down all my passwords and put
them in the safe," he said. "I should have done that a long time ago."

Perhaps there are secrets we all should take to the grave. But, as
Hansen and others have learned, important computer account passwords
are not among them.

As an increasing amount of critical personal and work-related
information is stored on computers instead of inside file cabinets,
passwords are creating digital locked doors for lawyers, will
executors and the relatives of deceased loved ones. Without a
comprehensive list of passwords left behind by the dead, survivors and
their representatives are often forced to hire special
password-cracking services to break through electronic barriers.

The lack of access to password-protected online bank and brokerage
accounts -- as well as electronic mail and sections of computer hard
drives -- has prolonged the settlement of estates and thwarted
emotional closure for survivors.

"It's becoming a very common occurrence," said John E. Kuslich, a
for-hire password cracker and developer of break-in software. "I've
had families of people who have committed suicide, for example, and
they'll call me and say all these files are encrypted and they want to
get into them. In those cases, especially, people call back and are so
thankful for what they were able to read. It's really something else."

In discussion boards across the Internet, friends and relatives seek
advice on gaining computer access. In the alt.hacking newsgroup, a
user named Mobius was looking for help tracing his late aunt's final
correspondence. She had overdosed on Valium and died, he said.

"Her husband (my uncle) is now trying to get into her e-mail to see if
there is anything that might provide a clue as to why she did it,"  
Mobius wrote.

The aunt's Internet service provider agreed to open up her mail
account, but only if it received copies of a death certificate, a
notarized statement about the status of her estate and other
documents.

"He asked me if I could do anything to get into her account without
jumping through all the hoops," Mobius wrote. "I told him I would try,
and so I am here."

Although there are a variety of ways to retrieve a dead person's
passwords, there are legal issues to consider.

Matt Yarbrough, a former federal prosecutor and current head of Fish &
Richardson's Cyber Law Group, said survivors risk violating both state
and federal statutes if they're not careful.

"Most estate cases are as nasty as divorce, or worse," Yarbrough said.  
"You can really run afoul of the law if you don't have the authority."

Even if the deceased once allowed a relative to log into a computer
account, for example, the person doesn't necessarily have permission
in perpetuity, Yarbrough said. When someone dies without preparing a
will, there are still procedures for determining which relative should
have access to private records and accounts.

Disregarding the legal rights of the deceased and their estates could
even result in a criminal prosecution under the federal Computer Fraud
and Abuse Act or existing state laws. Estate executors can
take legal action if they find anyone else has entered secured
accounts and made changes, said Keith Novick, estate-planning
specialist for law firm Gardere Wynne Sewell.

"That's called thievery," Novick said, and the estate has a strong
legal right to reclaim any funds lost during an unauthorized online
session.

Lawyers handling probate usually can secure the right to pull together
records and assets of the deceased without breaking into computer
drives or online accounts, he added. For example, if hard copies of
financial statements are available, they can be obtained by lawyers.

Legalities aside, a simple Internet search turns up dozens of websites
like Password-crackers.com, Kuslich's Crak.com and AccessData.com that
sell do-it-yourself forensic software packages priced from as low as
$9.99 US to more than $1,500.

Professional password crackers warn that some of these programs may
have been developed by malicious hackers, who secretly receive copies
of the passwords cracked on an Internet-connected computer.

Many legitimate solutions are specifically designed for certain types
of computer files. AccessData.com, for example, got its start
primarily helping lawyers regain access to protected Word Perfect
files for which they had forgotten passwords.

A spokesman for AccessData said the company has developed more
sophisticated software that can decipher passwords for all sorts of
files. One program, for example, scans a hard drive for all data and
creates a "dictionary" of every word typed by the user. By examining
the most often-used words or combinations of letters and numbers,
forensic experts usually can deduce favourite passwords of the
deceased.

Patterns can also be gleaned from the record of websites visited,
experts say, because people often create passwords out of quirky words
used in their favorite avocations.

Professional crackers often employ high-powered computers to run
decryption programs that perform "brute force" attacks on
password-protected files. These machines can quickly generate millions
of possible letter and number combinations, then test them within
seconds. Well-formed passwords -- words not in the dictionary coupled
with numbers or symbols -- may take the best equipment days to crack.

Hiring forensic computer experts can get pricey. Most charge between
$150 and $300 an hour.

"Usually, people are trying to get into a single file -- a Word file,
a Quickbooks file, something like that," said Kuslich. "Those are
fairly easy to break into. On occasion, it's been mail files -- PST
files from Microsoft Outlook, that sort of thing."

Sometimes, software vendors can help survivors. For example, Intuit --
the maker of Quicken -- doesn't record an individual's password but
does assist properly documented executors in bypassing password
protection. Intuit spokesman Chris Rapetto said survivors can fill out
an online form
(intuit.com/support/-quicken/dataservicesassword_removal.html), copy
the Quicken data file to a diskette and send it to the company.

The company charges $65 for service within five business days and $150
for one-day express treatment, but will usually waive fees in the case
of survivors seeking access to a dead person's financial records,
Rapetto said.



-
ISN is currently hosted by Attrition.org
