Archive for the ‘Elcom-News’ Category

Breaking Apple iWork Passwords

Thursday, February 9th, 2012

Apple iWork, an inexpensive office productivity suite for the Mac and iOS platforms, has been around since 2005 and 2011 respectively. The iWork suite consists of three apps: Numbers, Pages, and Keynotes, and gained quite some popularity among Apple followers. Yet, for all this time, no one came out with a feasible password recovery solution for the iWork document format.

The reason for the lack of a password recovery solution for the iWork format is extremely slow recovery speed. This owes to Apple’s implementation of encryption: the company used an industry-standard AES algorithm with strong, 128-bit keys. Brute-forcing a 128-bit number on today’s hardware remains impossible. The original, plain-text password has to be recovered in order to decrypt protected iWork documents.

However, recovering that plain-text password is also very slow. Apple used the PBKDF2 algorithm to derive an encryption key from plain-text passwords, with some 4000 iterations of a hash function (SHA1). While it takes only a hundredth of a second to verify a single password, an attack would be speed-limited to about 500 passwords per second on today’s top hardware. This is extremely slow considering the number of possible password combinations.

Distributed Attacks

When starting considering the addition of Apple iWork to the list of supported products, we quickly recognized the speed bottleneck. With as slow a recovery, a distributed attack on the password would be the only feasible one. Indeed, using multiple computers connected to a large cluster gives us more speed, breaking the barrier of unreasonable and promising realistic recovery timeframe. Brute-forcing is still not a good option, but ElcomSoft’s advanced dictionary attack with customizable masks and configurable permutations is very feasible if we consider one thing: the human factor.

The Human Factor

Let’s look at the product one more time. Apple iWork is sold to mobile users for $9.99. Mac customers can purchase the suite for $79. These price points clearly suggest that Apple is targeting the consumer market, not government agencies and not corporations with established security policies enforcing the use of long, complex, strong passwords.

Multiple researches confirm it’s a given fact that most people, if not enforced by a security policy, will choose simple, easy to remember passwords such as ‘abc’, ‘password1’ or their dog’s name. In addition, it’s in the human nature to reduce the number of things to remember. Humans are likely to re-use their passwords, with little or no variation, in various places: their instant messenger accounts, Web and email accounts, social networks and other places from which a password can be easily retrieved.

Considering all this, 500 passwords per second doesn’t sound that bad anymore. Which brings us to the announcement: Elcomsoft Distributed Password Recovery now supports Apple iWork, becoming an industry-first tool and the only product so far to recover passwords for Numbers, Pages and Keynotes apps. It’s the human factor and advanced dictionary attacks that help it recover a significant share of iWork passwords in reasonable time.

Read the official press-release on Elcomsoft Distributed Password Recovery recovering Apple iWork passwords.

We know what makes you happy, so here are our holiday discounts! :)

Thursday, December 15th, 2011

 

Dear friends,

It really takes willpower to control our excitement about the surprises we prepared for you these pre-holiday days.  We arranged three ultra-appealing bundles and we can’t hide them any loger, so here they are:

 

1. EPPB + EBBE = take two at the price of one!
2. EPPB + EBBE + EIFT = get EBBE & EPPB for free!
3. EPRB Forensic = special NY 2012 price! (twice less!!)

 Check out more info on our website:

http://www.elcomsoft.com/happy-new-year-2012.html

Experience Elcomsoft Password Recovery Bundle which breaks all barriers, twice cheaper throughout December 2011. There is no substitute. 

Don’t rush, take your time… till December 31. ;)

 

Newer iOS Forensic Toolkit Acquires iPhones in 20 Minutes, Including iOS 5

Tuesday, November 1st, 2011

iOS 5 Support

When developing the iOS 5 compatible version of iOS Forensic Toolkit, we found the freshened encryption to be only tweaked up a bit, with the exception of keychain encryption. The encryption algorithm protecting keychain items such as Web site and email passwords has been changed completely. In addition, escrow keybag now becomes useless to a forensic specialist. Without knowing the original device passcode, escrow keys remain inaccessible even if they are physically available.

What does enhanced security mean for the user? With iOS 5, they are getting a bit more security. Their keychain items such as Web site, email and certain application passwords will remain secure even if their phone falls into the hands of a forensic specialist. That, of course, will only last till the moment investigators obtain the original device passcode, which is only a matter of time if a tool such as iOS Forensic Toolkit is used to recover one.

What does this mean for the forensics? Bad news first: without knowing or recovering the original device passcode, some of the keychain items will not be decryptable. These items include Web site passwords stored in Safari browser, email passwords, and some application passwords.

Now the good news: iOS Forensic Toolkit can still recover the original plain-text device passcode, and it is still possible to obtain escrow keys from any iTunes equipped computer the iOS device in question has been ever synced or connected to. Once the passcode is recovered, iOS Forensic Toolkit will decrypt everything from the keychain. If there’s no time to recover the passcode or escrow keys, the Toolkit will still do its best and decrypt some of the keychain items.

Faster Operation

Besides adding support for the latest iOS 5, Elcomsoft iOS Forensic Toolkit becomes 2 to 2.5 times faster to acquire iOS devices. When it required 40 to 60 minutes before, the new version will take only 20 minutes. For example, the updated iOS Forensic Toolkit can acquire a 16-Gb iPhone 4 in about 20 minutes, or a 32-Gb version in 40 minutes.

EPPB: Now Recovering BlackBerry Device Passwords

Thursday, September 29th, 2011

Less than a month ago, we updated our Elcomsoft Phone Password Breaker tool with the ability to recover master passwords for BlackBerry Password Keeper and BlackBerry Wallet. I have blogged about that and promised the “next big thing” for BlackBerry forensics to be coming soon. The day arrived.

(more…)

New version of EPPB: Recovering Master Passwords for BlackBerry Password Keeper and BlackBerry Wallet

Tuesday, August 30th, 2011

Conferences are good. When attending Mobile Forensics Conference this year (and demoing our iOS Forensic Toolkit), we received a lot of requests for tools aimed at BlackBerry forensics. Sorry guys, we can’t offer the solution for physical acquisition of BlackBerries (yet), but there is something new we can offer right now.

RIM BlackBerry smartphones have been deemed the most secure smartphones on the market for a long, long time. They indeed are quite secure devices, especially when it comes to extracting information from the device you have physical access to (i.e. mobile phone forensics). It is unfortunate, however, that a great deal of that acclaimed security is achieved by “security through obscurity”, i.e. by not disclosing in-depth technical information on security mechanisms and/or their implementation. The idea is to make it more difficult for third parties to analyze. Some of us here at Elcomsoft are BlackBerry owners ourselves, and we are not quite comfortable with unsubstantiated statements about our devices’ security and blurry “technical” documentation provided by RIM. So we dig. (more…)

Visiting BlackHat and DefCon 2011

Monday, August 22nd, 2011

Yet again, we are back from a couple of conferences organized specially for heavy computer users like us. We are particularly happy that our company was again warmly welcomed by the overseas hacking community – thank you for accepting and visiting our talk – and that FBI didn’t bother us too much during our stay, though they didn’t miss a chance to scare the crap out of Andrey and Vladimir right before their departure back to Moscow.  Apart from that little episode with three-letter guys everything went smoothly.

At Black Hat Andrey made his presentation about iOS encryption and as you may guess it was not the only one talk about iOS on the conference, as the topic is quite popular now.

(more…)

iOS Forensic Toolkit: Keychain Decryption, Logical Acquisition, iOS 4.3.4, and Other Goodies

Monday, July 25th, 2011
 
You might have heard about our new product – iOS Forensic Toolkit. In fact, if you are involved in mobile phone and smartphone forensics, you almost certainly have. In case our previous announcements haven’t reached you, iOS Forensic Toolkit is a set of tools designed to perform physical acquisition of iPhone/iPad/iPod Touch devices and decrypt the resulting images. This decryption capability is unique and allows one to obtain a fully usable image of the device’s file system with the contents of each and every file decrypted and available for analysis. And the fact is, with today’s update, iOS Forensic Toolkit is much more than just that.
 
(more…)

ElcomSoft at Techno Security Conference and AMD Fusion Developer Summit

Tuesday, June 28th, 2011

ElcomSoft had a great time overseas in the US, first at Techno Security Conference in Myrtle Beach, SC and later at AMD Fusion Developer Summit in Bellevue, WA. So it happened to be quite a long visit to the US full of preparations, talks, meetings, new acquaintances, parties and positive emotions (sun and ocean did their work). 

At Techno Security it seemed like we were the only newcomers (maybe partly due to this fact we were so warmly welcomed), as practically everybody knew each other (even visitors) and the whole situation resembled an alumni party in a very positive and friendly atmosphere. (more…)

How to trace criminals on Facebook

Thursday, June 2nd, 2011

Facebook lockThere has already been much said about enhanced federal activity in social networks “including but not limited to Facebook, MySpace, Twitter, Flickr” etc. in order to gather suspects’ information and use it as evidence in investigation. However, far not everybody can understand (neither do three-letter agencies I suppose) how they can represent such info in courts and to what extent it should be trusted. (more…)

ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps

Monday, May 23rd, 2011

ElcomSoft researchers were able to decrypt iPhone’s encrypted file system images made under iOS 4. While at first this may sound as a minor achievement, ElcomSoft is in fact the world’s first company to do this. It’s also worth noting that we will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies. We have a number of good reasons for doing it this way. But first, let’s have a look at perspective.

(more…)