Elcomsoft has announced that certain versions of fingerprint software named Protector Suite made by UPEK (now part of Authentec) stores your Windows password in a ‘scrambled’ format in registry. This allows an attacker through different entry points to get easy access to a users Windows password. I have no reason not to believe Elcomsoft in their claims, but UPEK/Autentec seriously disagrees. In the middle of this I happen to have some questions, and an opinion regarding biometric software today.
I have lost count of all the times colleagues have approached me with a big smile, challenging me to break into their work laptops now that they have enabled fingerprint authentication. Pressing Esc to get the normal logon prompt and then entering my AD username & password logged me in. Having local admin rights made things even easier to conduct pass-the-hash of their locally cached credentials, and smile turned to sadness. Hey, I have even been accused of cheating when I did that.
I purchased my first fingerprint reader back somewhere in 1999. It was complete crap. Many years later I purchased a Microsoft keyboard with integrated fingerprint reader:
I still remember a very clear warning in their documentation: the fingerprint reader should not be trusted for security. It should be considered as a toy. Oh well.
Today the integrated fingerprint readers in many laptops is the most common place we interact with biometric solutions. IF we choose to use it of course – there is no requirement to do so from the vendor. Enter Elcomsoft.
Security vs Convenience
Lots of people – including infosec professionals, doesn’t see the difference between using biometric authentication as a security feature, and as a convenience feature. Simply explained for the home user:
If you use biometric authentication to logon to your laptop, but can bypass it by pressing Esc and enter your username & password, you are using biometrics as a convenience feature.
If you have removed any and all possibilities to logon except by using/including biometrics, you are using biometrics as a security feature.
The differences here are … well… BIG, at least in theory. But wait; that was for the home user. I don’t care much about your private pictures, christmas wish list and facebook account anyway, so lets look at it from a corporate perspective:
There is no integrated support for replacing passwords with biometric authentication within Microsoft Windows.
This means that any kind of authentication addition or replacement you set up on laptops, tablets or desktop computers in a corporate enviroment with Active Directory, a password still has to be configured for a user in a domain, and that password is what authenticates the user throughout the domain. Using highly advanced visualization tools, hours and hours of hard work and a colorful palette, I made this infographic to explain what happens:
Using biometric logon, we add another step in the authentication process in a corporate environment. Please note; we added one more step, we didn’t necessarily add one more layer of security.
I blogged about upcoming password security features in Windows 8 Password Security. Please observe that using picture password and/or a PIN is an addition to having a password. They are quite simply convenience features. Having said that, I would like to give kudos to Microsoft for doing quite a bit of research into picture passwords and presenting it in such a detailed form that we can make up an opinion about the security it provides.
What did Elcomsoft discover?
Well, they claim that certain versions of the software in question stores your Windows password using weak protection locally (see step 2 in the biometric chain above). Using a simple PoC, they have successfully extracted the stored Windows password from registry by the biometric software and “decrypted” it.
Since the biometric software is local only, it needs to know your Windows password to properly give you both local and domain access. To repeat; your username and password gives you access, not your fingerprint or any other biometric ID. If your password is changed, either locally or in the domain, you will have to provide your new password to the biometric software.
Is this such a big deal? Yes.
Good practice is to store passwords using hash irreversible algorithms, preferably strong types such as PBKDF2, Bcrypt or Scrypt. The draft cheat sheet from OWASP on password storage gives more information about such algorithms, and more. Even though Microsoft doesn’t use salting or key stretching in their LM/NTLM algorithms, they are still hash algorithms. You cannot “reverse” the process to get the plaintext password, you have to
My Authentec (Thinkpad) fingerprint software, which is NOT affected by Elcomsofts findings, knows my password (or passphrase in my case), and there is an option in the software to display it on screen, as the video on top shows you.
But I can do pass-the-hash/ticket and more, why is this a big deal?
Sure you can. But you cannot do those attacks against a Outlook Web Access configuration from the Internet using SSL. You don’t know the users actual password when you do pass-the-hash attacks, so you cannot check if the user uses the same password on other services, at work or on a personal basis.
If my fingerprint – my biometric template – was the secret key to unlock the password using reversible encryption like AES, things could perhaps be considered a bit better, but it would still not be good practice to store any users password using reversible encryption. Which is exactly what is evidenced by my video above.
Now if claims by Elcomsoft are true, malware could easily exploit the weakness found to extract users Windows plaintext passwords in yet another way, adding to the already existing ways of doing so.
I haven’t twisted my mind long enough on this to figure out ways of improving this, but I am open for suggestions.
Switching iPhones into a DFU (Device Firmware Update) mode is a hassle. Power off, press that and hold those that many seconds, release this but continue holding that until hopefully something happens on the phone. Many iPhone users have major troubles switching their iPhones into DFU mode. Luckily for them, they don’t have to do the Apple Dance too often.
Criminal investigators, police officers and workers of the intelligence are not as lucky. They have dozens of iPhones to process every day, hundreds every week. “When I get an iPhone, I only have two hours”, says a police officer who’s name we cannot disclose. “In 120 minutes, I have to acquire and process information from that phone. Honestly, I can rarely complete it in a proper way.”
Here at ElcomSoft, we’re trying to do everything to make the life of investigators easier. Performing a physical acquisition with EIFT, which is the only proper way to capture everything in the phone, only takes 20 to 40 minutes depending on the model. But here comes another pitfall. Unlike pickpockets and fraudsters with long, thin fingers, police officers have big hands and firm, strong fingers. Performing the Apple Dance is extremely frustrating and almost physically painful. “I have to try and try before I can twist my fingers to hold those damn buttons”, confesses another police officer. “These damn things are too small and slick”.
Visiting the EuroForensics conference a few days ago, I was demonstrating how easy it was to switch an iPhone into DFU mode. I did it right the first time, but on a second try I failed miserably. “I’m too old for this shtuff”, commented yet another visitor whose badge simply read “Special Agent”.
I passed my concerns to ElcomSoft R&D department, and they built a mockup of an ingenious device automating this sort of things. They called it “iOS DFU Mode Starter”. As a first mockup, it’s not yet perfect. It requires careful placement of the device, and you have to plug a USB cable by hand. Other than that, iOS DFU Mode Starter can switch the device into Debug Firmware Update mode with 100% reliability. “It’s almost infallible”, says Andrey Belenko, ElcomSoft leading researcher. “And it was incredible fun to build”.
Here’s a video demonstrating how the new device works:
I was shocked at first when I saw the robot. A LEGO? Are you guys kidding me? It turned out our R&D guys were serious as ever. Here’s what Andrey Belenko has to say about this robot.
“Constructing mockups and early prototypes with LEGO bricks is commonplace for building robots. Honestly, LEGO blocks are a godsend to all robot builders. Don’t be fooled with the look of the thing; these bricks are a serious prototyping tool.”
“LEGO bricks hold together amazingly well under low and medium load. LEGO blocks come in a wide assortment of shapes and sizes. They give a tight fit, they are reusable, and they save us a lot of time when prototyping. We’re not building an industrial piece; this robot simply handles a modern electronic device. No force is required.”
Whether or not this device goes into production, and what the price is going to be like if it does is yet to be determined.
SANS Information Security Reading Room has recently publicized a whitepaper about iOS security where they mentioned our software – Elcomsoft iOS Forensic Toolkit – in a section about encryption. Kiel Thomas, the author of the whitepaper, explained one more time the main principles of iOS 4 encryption, which became stronger in comparison with iOS 3.x and how our toolkit can bypass new strong algorithms.
In its next part about iTunes Backups Kiel touches upon Elcomsoft Phone Password Breaker which virtually crunches backup passwords at speed of 35000 passwords per second (with AMD Radeon HD 5970) using both brute force and dictionary attacks, here are some benchmarks.
It seems the paper does not miss out on any nuance about iOS 4 and provides practical advice to either avoid or prevent from the depressing outcomes, such as loss of data. Closer to the end of the paper you will also find several sagacious tips for using the devices within organizations, including passcode management, a so called “first line of defense” which according Kiel’s view “can be matched to existing password policies”, however he inclines to use passwords instead of 4 digit passcodes.
What is a Web browser for you? It’s virtually a whole world, all together: web sites, blogging, photo and video sharing, social networks, instant messaging, shopping… did I forget anything? Oh yes, logins and passwords. Set an account here, sign in there, register here and sing up there – everywhere you need logins and passwords to confirm your identity.
Yesterday, we recovered login and password information to Internet Explorer only, but it was yesterday… Now, Mozilla Firefox, Apple Safari, Google Chrome and Opera Web browsers are at your disposal.
Although this new book is on sale from January this year, we are happy to officially say our words of gratitude to Kevin Beaver and advise it to you.
In his book Kevin insists that the best way to really understand how to protect your systems and assess their security is to think from a hacker’s viewpoint, get involved, learn how systems can be attacked, find and eliminate their vulnerabilities. It all practically amounts to being inquisitive and focusing on real problems as in contrast to blindly following common security requirements without understanding what it’s all about.
In this guide Kevin communicates the gravity of ethical hacking in very plain and clear words and gives step –by- step instructions to follow. He easily combines theory and praxis providing valuable tips and recommendations to assess and then improve security weaknesses in your systems.
We want to thank Kevin for testing and including our software in his very “digestible” beginner guide to hacking and recommend our readers this book as a helpful tool to get all facts in order.
Developing software for ATI cards is (okay — was) a nightmare. In 2009 ATI quietly introduced two changes in their drivers which made previously perfectly functional and compatible applications to crash (if you are curious: with Catalyst 9.2 or 9.3 they’ve changed names of supporting DLLs bundled with drivers; with Catalyst 9.9 or 9.10 they’ve probably changed format of underlying binary so that anything compiled and linked in with earlier versions caused a driver to crash).
Well, with the release of Catalyst 10.4 drivers ATI is again at it. This time problem only affects users who have display adapters from different vendors in their computer. Applications utilizing ATI Stream will work on such configurations just fine with Catalyst 10.3, but once you upgrade to 10.4, applications will crash with faulting module being aticaldd.dll, a part of ATI Display driver. Kinda embarrassing, I would say. Regression testing is really something one with millions of users should consider.
Users of our software relying on ATI hardware accelerations (as well as any other ATI Stream enabled applications) should not update to 10.4 if ATI Readeon is not the only card in their computer.
Every time when you open a document in Advanced Office Password Recovery it performs the preliminary attack in case when the "file open" password is set. This attack tries all passwords that you recovered in past (which are stored in password cache), dictionary attack and finally the brute-force attack is running.
The brute-force attack consists of two parts:
1. Trying digits and latin letters
2. Trying national characters depending on code page set in Windows.
Before this time these parts were hardcoded in the program. The new version of Advanced Office Password Recovery has an option to customize the preliminary brute-force attack.
Look to the directory where AOPR is installed. There is "attacks.xml" file inside. The first section of this file is the language map:
All charsets are in unicode so you can define any national characters here.
And the final section is "documents". All parts of this section has comments about document types. You can define the "common" charsets and charsets that are related to system language. Each "attack" record defines password length and charset.
In this XML file you can simply change the standard preliminary attack and define the custom charsets for your language. I hope this will help to recover your Office passwords faster.
In brief, here is the "problem": for years (I think starting from Windows 3.0 released almost 20 years ago), the passwords are being masked as you type them (in most programs what have any kind of password protection, and an operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone who stands behind you.
New statistics* shows disaster recovery (DR) is getting more attention, and more upper level execs become involved with DR issues. Ideally, each company should have an emergency plan in case of power/system failure, loss of access, outside attack, sabotage or else – called DRP (disaster recovery plan) or even DRRP (disaster response and recovery plan). DRP is only a part of risk management practices which ensure emergency preparedness and risk reduction and include such initiatives as regular data backups, stocking recovery software, archiving, etc. – these activities are reflected in PMI and NIST standards.