Solved

Windows Vista - Hack of user account password

Posted on 2009-07-14
1,270 Views
Last Modified: 2013-12-04
My client's Dell XPS 1530 laptop running Windows Vista 64-bit Service Pack 2 with Norton 360 version 3 had its only user account password hacked, i.e., someone changed the password to something different from the original password so my client could not log on.  The computer was hard wired to the Internet via a very old D-Link router attached to a Comcast cable modem.  I am interested in learning about the ways the user account password could have been changed without my client's knowledge.  For example, if someone had access to the computer, they could have made the change unbeknownst to my client.  What are some other ways?  Thanks in advance for your thoughts.
Question by:bbaumberger
10 Comments
 
LVL 1

Assisted Solution

by:rickrythe
rickrythe earned 100 total points
Possibly the computer was left unlocked and logged into the desktop, or there are various Windows password recovery ISOs that can be downloaded and burned to a disc. A weak password could have been an issue too. How secure is the location of the computer?
 
LVL 1

Assisted Solution

by:rickrythe
rickrythe earned 100 total points
Also, there could be a possibility that the laptop wasn't connected to a secure wireless connection and someone was using a program like Cain & Abel to sniff the network and could have gained access that way too.
 

Author Comment

by:bbaumberger
The computer is located in a residential environment with access limited to my client and his wife.  He has had a practice of using the SAME password for EVERYTHING.  Naturally, he is now listening to my counsel about creating unique, strong passwords for every electronic relationship.  Fortunately, he is not an e-commerce aficionado.  I am wondering if a malicious script tied to an email attachment could have changed the user account password.  Interestingly, my client is in the public eye, and the new user account password hint reflected that the perpetrator knows his famous vocation, so it was not a random attack.
 
LVL 12

Accepted Solution

by:Gideon7
Gideon7 earned 80 total points
I suggest developing a system of passwords that your client can recreate from memory.  For example take the last 2 letters of the web site and append it to a secret prefix -- for Amazon use "Secreton", for bankofamerica.com use "Secretca", for EBay use "Secretay", etc.   For added obfuscation you can do a letter shift ("Secretpo", "Secretdb", "Secretbz"), or some other simple transposition.
 

Assisted Solution

by:ReaktiuM
ReaktiuM earned 80 total points
As the above people have said, maybe the user got directly into your computer and changed the password via the Control Panel. Another way is that the user may have used Ophcrack, which is an application to crack the passwords of a Windows computer, to access the password, then change it from there.

Other ways also include the use of keyloggers to gain the password, then change it.
 
LVL 1

Assisted Solution

by:jb2286
jb2286 earned 80 total points
I've used a program called Spotmau Powersuite 2009 - this program has the capability to change user passwords from booting into its Linux-based boot mode and also using the Spotmau Windows-based tool to change passwords.  According to Spotmau, there is a portion of the registry that stores user passwords and is encrypted.  It's difficult to change passwords supposedly, but wiping them and then re-establishing a password is the method Spotmau uses.

Is your client set up on a domain?  If so, you could change the user permissions to never allow a password change for that user, so unless the blackhat gets hold of your server and domain admin credentials, you should be better off.
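For a standalone (non-domain) machine like the one in the question, the closest equivalent to the domain setting jb2286 describes is the account's "User cannot change password" flag, combined with audit policy so that any later change or reset is written to the Security log. The script below is an added example and is not code from this thread or from any of the tools mentioned; the account name is an assumption. Note what the flag does and does not do: it stops the account from changing its own password, but an administrator on the box, or an offline reset tool such as the boot-disc products discussed above, can still set a new one.

```powershell
# Added example (not from the thread): harden a standalone Vista/Windows 7
# workstation so the local account cannot change its own password, lock out
# repeated bad guesses, and audit account changes. Run from an elevated prompt.
$AccountName = 'client'   # assumption: replace with the real local account name

# ADS_UF_PASSWD_CANT_CHANGE (0x40) in the WinNT provider's UserFlags bitmask.
# This only blocks the account itself; an admin or an offline SAM editor can
# still reset the password, so auditing below is what tells you it happened.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$user  = [ADSI]"WinNT://./$AccountName,user"
$flags = [int]$user.Get('UserFlags')
$user.Put('UserFlags', ($flags -bor $ADS_UF_PASSWD_CANT_CHANGE))
$user.SetInfo()

# Lock the account for 30 minutes after 5 bad guesses within 30 minutes; this
# blunts online brute-force / dictionary guessing at the logon prompt or shares.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Vista+ granular audit policy: record password changes/resets (4723/4724/4738)
# and logon failures (4625) in the Security log.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Verify the flag actually took effect.
$user.RefreshCache()
if (([int]$user.Get('UserFlags')) -band $ADS_UF_PASSWD_CANT_CHANGE) {
    Write-Output "$AccountName : 'User cannot change password' is now set"
} else {
    Write-Warning "$AccountName : flag not set (run elevated?)"
}
```

The lockout values are a starting point; a household machine can tolerate a fairly aggressive threshold because legitimate users rarely mistype five times in a row.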
 
LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 80 total points
I really don't see any gain for someone wanting to maliciously change the password. Is it at all possible that the client did change the password and simply forgot?

Here are some methods for changing the password

If the person had physical access to the computer:
-Boot from a password reset cd (Offline NT Password and Registry Editor)
-If the computer was left unattended and unlocked, simply changing the password there
-The user changing the password with CAPS LOCK on so when they enter the password next time it seems like a different password
-A family member changes the password without informing the owner

Any other circumstance
-Brute force password guessing
-Dictionary attacks to guess the password
-Sniffing passwords sent over the internet/network (if same password is commonly used)
-Malware/spyware/virus/worm changing the current users password
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 80 total points
Someone could have had remote access to a command shell, via some exploit, and changed it that way as well. Are you sure the password was changed? Possible that the SAM got corrupted, and doesn't recognize the current password?
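OriNetworks' list and johnb6767's question ("are you sure the password was changed?") can both be checked on the machine itself once an administrator is back in (for example after a reset from a boot disc). The script below is an added example, not code from the thread; the account name is an assumption. It reads the password age straight from the SAM through the WinNT ADSI provider and then pulls the Security log events that distinguish a user changing their own password (4723, which requires the old password) from someone else resetting it (4724), plus clustered failed logons (4625) that would point to guessing rather than a forgotten password. Two caveats: the events exist only if account-management auditing was enabled at the time, and an offline reset from a Linux boot disc happens while Windows is not running, so it leaves no 4724 entry at all, only a password that no longer works.

```powershell
# Added example (not from the thread): establish when the local account's
# password was last set and what, if anything, the Security log recorded.
# Run from an elevated prompt; needs PowerShell 2.0 or later (Get-WinEvent).
$AccountName = 'client'   # assumption: replace with the real local account name

# 1. Password age from the SAM. PasswordAge is seconds since the last set.
$user       = [ADSI]"WinNT://./$AccountName,user"
$ageSeconds = [int]$user.Get('PasswordAge')
$lastSet    = (Get-Date).AddSeconds(-$ageSeconds)
Write-Output ("Password for {0} last set: {1}" -f $AccountName, $lastSet)

# Helper: flatten an event's EventData into a name -> value hashtable.
function Get-EventFields($evt) {
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 2. Who changed or reset it (only present if auditing was on at the time).
#    4723 = account changed its own password (old password supplied)
#    4724 = password reset by another principal (admin / tool, no old password)
#    4738 = account attributes changed
$changes = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723,4724,4738} `
           -ErrorAction SilentlyContinue
foreach ($e in $changes) {
    $f = Get-EventFields $e
    if ($f.TargetUserName -eq $AccountName) {
        Write-Output ("{0}  id={1}  target={2}  by={3}\{4}" -f `
            $e.TimeCreated, $e.Id, $f.TargetUserName, $f.SubjectDomainName, $f.SubjectUserName)
    }
}

# 3. Failed logons: a burst of 0xC000006A (bad password) from one source looks
#    like guessing; 0xC0000234 means the lockout policy tripped.
$fails = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 `
         -ErrorAction SilentlyContinue
foreach ($e in $fails) {
    $f = Get-EventFields $e
    Write-Output ("{0}  failed logon target={1} substatus={2} src={3}" -f `
        $e.TimeCreated, $f.TargetUserName, $f.SubStatus, $f.IpAddress)
}
```

If step 1 shows the password was set at a time the owner can account for and step 2 shows a 4723 from the owner's own account, the "forgot it / Caps Lock" explanation wins; a 4724 from a different principal, or a password age that changed with no events at all, points at an administrator session or an offline tool.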
 

Author Closing Comment

by:bbaumberger
Thanks to all for thoughtful, incisive suggestions.  
 

Author Comment

by:bbaumberger
Each person contributing to this question provided useful information that underscores the importance of using strong passwords that are changed periodically.  Thanks to all contributors.
