Author Archive

‘Casual and Secure’ Friday Post

Friday, May 14th, 2010

German law has always been strict about any possible security breaches. This week a German court ruled that anyone running a wireless network must protect it with a password, so that third parties cannot use it to download data illegally.

However, there is no order that users have to change their Wi-Fi passwords regularly, the only requirement being to set up a password on the initial stage of wireless access installation and configuration.

I’ve conducted some mini-research here in Russia. There are 5 wireless networks in range that my computer finds when at home. Although all of the networks have rather bizarre names, they are all WPA- or WPA2-protected. My guess is that people do not install wireless access at home by themselves, or they browse the Internet for instructions and find some on protection and passwords. At the same time, I often come across unprotected networks in Moscow and I do use them to check my Twitter account. It is obvious that to make any conclusions, one has to dive into this topic much more deeply.

What I learnt working for ElcomSoft – the company that recovers passwords and does it very well – is the following: sometimes a password is not enough. You need a good password to make sure your data is protected. WPA requires using passwords that are at least 8 characters long. Such length guarantees quite good protection. The problem as usual is the human factor. We still use admin123 and the like to protect our networks.

Fortunately, there are tools that can help you check how strong your WPA/WPA2 password is. One such tool is Wireless Security Auditor. It makes use of various hardware for password recovery acceleration and a set of customizable dictionary attacks. The idea is simple: if this monster does not find your WPA/WPA2 password, then it is secure :)

Nice weekend to all.

Back from Infosec

Thursday, May 6th, 2010


It was the third time we participated in Infosecurity Europe. The whole affair was in jeopardy due to volcanic ash paralyzing all major European airports but we did it. And everything went smoothly as planned.

We presented several of our latest developments at Infosecurity. First, two of our products, Elcomsoft Wireless Security Auditor and Elcomsoft iPhone Password Breaker, now support Tableau TACC1441. These hardware accelerators are widely used in digital forensics to recover passwords and gather evidence from encrypted files. They consume considerably less power than GPUs and can be easily plugged and unplugged.

Second, the sales of Elcomsoft iPhone Password Breaker have started. The product is already quite popular and now it is finally out of beta. We expect it to gain even more popularity as it now supports Tableau as well as NVIDIA CUDA and ATI Stream acceleration technologies.

Quite often people ask us why we go to exhibitions and what benefits we see in such events. I’m not going to put any marketing or brand-awareness considerations into this post, although visibility at major events is always a grand factor. For us as a company, the most important thing is that we can meet our customers in person at such global events as Infosecurity Europe. We get feedback from our customers by e-mail, but personal feedback is something one should not underestimate.

I would like to thank everyone who visited ElcomSoft’s stand at Infosecurity for your tips, ideas and feedback on our products. You can also send your suggestions to info at elcomsoft dot com. Tell us what we should improve or which features to add.

And see you next year in London at the 16th Infosecurity Europe.

The pics will follow soon.

123 Out Goes… Your Password

Friday, January 22nd, 2010

About a month ago, a SQL injection flaw was found in the database of RockYou.com, a website dealing with social networking applications. The Tech Herald reports that 32.6 million passwords were exposed and posted online due to the flaw. A complete examination of the passwords from the list showed that the passwords in question are not only short, as RockYou.com allows creating 5-character passwords, but also alphanumeric only.

Half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456”, followed by “12345”, “123456789”, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567”, “12345678”, and “abc123” to round out the top 10. Other passwords included common names such as “Jessica” or “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time, some websites block special characters and do not allow users to choose them for passwords, making user accounts vulnerable to malicious attacks.

As part of the solution, the Tech Herald suggests that sites enforce a hard rule on password length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper- and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.
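As an added illustration (not part of the original post), here is a small password-audit script run over a constructed dump. It reproduces the kind of top-N count and dictionary hit rate the Tech Herald computed, and checks each password against the policy stated above (9+ characters, upper, lower, digit, special preferred). The sample passwords and their counts are made up.

```python
from collections import Counter
import string

# Constructed sample dump (not the RockYou data); counts are made up to
# resemble the distribution the Tech Herald describes.
SAMPLE_DUMP = (
    ["123456"] * 6 + ["12345"] * 4 + ["Password"] * 3 + ["iloveyou"] * 2
    + ["princess", "rockyou", "abc123", "Qwerty", "Jessica", "Ashley"]
    + ["hunter2", "letmein", "Zx9#pLq2mW", "correctHorse7!"]
)

# The top-10 list quoted in the post, used as the auditor's dictionary.
TOP10 = ["123456", "12345", "123456789", "Password", "iloveyou",
         "princess", "rockyou", "1234567", "12345678", "abc123"]

CLASSES = {"lower": set(string.ascii_lowercase), "upper": set(string.ascii_uppercase),
           "digit": set(string.digits), "special": set(string.punctuation)}

def top_passwords(dump, n=10):
    """Most frequent passwords with their counts, like the Tech Herald's top-10."""
    return Counter(dump).most_common(n)

def dictionary_hit_rate(dump, wordlist):
    """Accounts whose password is in `wordlist`, the dump size, and the cost per
    success when every word is tried once per account (the '1 in 111' metric)."""
    words = set(wordlist)
    hits = sum(1 for pw in dump if pw in words)
    attempts = len(dump) * len(wordlist)
    per_success = attempts / hits if hits else float("inf")
    return hits, len(dump), per_success

def check_policy(pw, min_len=9, require_special=False):
    """Failed requirements of the post's policy; an empty list means it passes.
    Special characters are 'preferred', so they are only checked on request."""
    failed = []
    if len(pw) < min_len:
        failed.append(f"length<{min_len}")
    chars = set(pw)
    required = ["lower", "upper", "digit"] + (["special"] if require_special else [])
    failed += [f"no-{cls}" for cls in required if not (chars & CLASSES[cls])]
    return failed

def audit(dump, **policy):
    """Number of passwords in the dump that satisfy the policy, and the total."""
    passed = sum(1 for pw in dump if not check_policy(pw, **policy))
    return passed, len(dump)
```

On the constructed dump the single guess “123456” compromises 6 of 25 accounts, and only 2 of 25 passwords meet the policy.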

Related articles and publications:

  • A list of passwords used by the Conficker worm
  • Daniel V. Klein, “Foiling the Cracker: A Survey of, and Improvements to, Password Security,” 1990.

ElcomSoft at it-sa, Nuremberg, Germany

Wednesday, October 14th, 2009

The it-sa expo is going very well, and our presentation at the Technical Forum (Forum Blau) was a success – thanks to Rene Mathes, who gave the presentation, and to 8com GmbH. The talk was about speeding up hash recovery with the parallel CUDA technology. If you happen to be in Nuremberg, Germany, visit our booth in Hall 6 (Stand 542).

There is also a workshop on hash cracking at the booth of 8com where our software will be featured. It starts today at 11:45.

SysAdminDay

Friday, July 31st, 2009

Guys,

it is SysAdminDay today. We wish you thankful colleagues who respect your time and show gratitude each time you print a test page. Let the accountants brew you hot tea. We wish you tolerance each time users forget their passwords (passwords can always be recovered with our tools). Keep your networks safe and sound.

To celebrate SysAdminDay we are eating real salo in the office and singing this sysadmin song 🙂

The salo. Mmmmmmmmm

Believe me, it’s tasty.

ElcomSoft News

Wednesday, July 22nd, 2009

As the second summer month is coming to an end, it’s time to sum up our news and updates that you might have missed because of a vacation in some tropical heaven. The last two weeks brought us really hot days, not only because of the temperature in Moscow but also due to hard work on program updates. Here is the news:

  • We released the new version of Distributed Password Recovery. It features support for the master passwords of the TheBat! and TheBat! Voyager mail clients (masterkey.dat) and passwords to TheBat! backup files (*.tbk). GPU acceleration has been extended and now works for Domain Cached Credentials (DCC), as well as Office 2007, Adobe PDF 9, Windows logon passwords (LM and NTLM), WPA/WPA2, and MD5 hashes.
  • A new version of Elcomsoft Wireless Security Auditor was released. EWSA 1.03 is able to extract WPA-PSK password hashes from local systems when Wireless Zero Configuration is used.
  • Our website is now available in Spanish, Italian, and Polish. We promise to add more languages soon to bring our customers information in their native tongues.
  • Follow us on Twitter to be the first to receive our news or become a fan on our brand-new Facebook page. You can also subscribe to our newsletter.

Password Recovery Tools Are Legal In Germany

Wednesday, June 24th, 2009

When we meet our customers at trade fairs in Germany, we are always asked questions about the legality of our tools. The reason for this is that German law on so-called “hacking tools” is very strict. At the same time, the wording of the respective paragraphs is unclear and ambiguous.

On Friday, the German Federal Constitutional Court dismissed an entrepreneur’s complaint that the production and distribution of tools for capturing traffic data are against the law. The judges said that constitutional rights are not violated by the use of “hacking tools” (§202a-202b). According to the court decision, legal penalties apply only when the software was developed with illegal intent in mind. “Dual-purpose” tools designed to be used by law enforcement and IT security officers are not regarded as illegal.

Special thanks to Florian Hohenauer for sending us the link.

Did You Change Your Password on a Happy ‘Change Your Password Day’?

Monday, June 8th, 2009


Password management has received government support and the status of a national initiative in Australia. The National E-security Awareness Week is held from 5 to 12 June this year. A series of events and workshops take place across Australia to raise awareness of e-security risks.

In an interview with ABC radio, Australian Communications Minister Stephen Conroy urged people to use stronger passwords and update them regularly. He recommended passwords that are 8 or more characters long, including lower- and upper-case characters, one digit and one special symbol. Passwords should be updated at least twice a year.

We welcome the Australian initiative to raise awareness of secure passwords. In recent years we at ElcomSoft have been trying to draw attention to the fact that both individuals and businesses have to rethink the passwords they use. Password recovery techniques have developed a great deal thanks to the growing potential of parallel computation and the architectures supporting it, cheaper graphics adapters and constant cryptographic research.

We recommend changing your password every 3 months. Do not forget that for applications with 40-bit encryption (e.g. MS Office 97/2000) 8-character passwords are not enough. Never use any personal data or dictionary words for your password. Read our white papers to learn more about password strength.


Officers of Indian Customs To Be Punished For Password Breach

Wednesday, June 3rd, 2009

The Central Board of Excise and Customs of India claimed that compromised passwords are the biggest threat to system security. Despite elaborate instructions on passwords, which all employees are supposed to follow, “instances of password compromise continue to recur with unfailing regularity”, an unnamed official says.

Sharing of passwords was identified as one of the main causes of unauthorized access and information leakage. According to a CBEC representative, officers who share their passwords with others should “be regarded as being in collusion in the fraud that results”. To prevent insecure use of passwords, CBEC plans to introduce a set of measures, including disciplinary action and even dismissal from Government service.

The threat of penalties may not be the most effective solution. In the case of a password breach, complex countermeasures are required, and regular password audits are a significant part of them. If users are required to change their passwords every 30 days, then system administrators have to perform password audits with the same regularity. There are many free and commercial auditing tools that allow you to check password security.

Source: Business Line

Nvidia Unveils 1U Server With 2 Tesla GPUs On Board

Wednesday, June 3rd, 2009

The summer has begun, and as usual at this time of the year big companies present the results of hard work to the public. With Microsoft’s Bing and Google Wave flooding the news, you might have overlooked the joint release of NVIDIA and Supermicro. At Computex 2009 in Taipei, Taiwan, Nvidia and Supermicro announced “a new class of server that combines massively parallel NVIDIA® Tesla™ GPUs with multi-core CPUs in a single 1U rack-mount server.”

According to the announcement, performance will increase 12 times compared to a traditional quad-core CPU-based 1U server. The new 1U solution combines 2 NVIDIA Tesla 1060 GPU cards with Dual Quad/Dual-Core Intel® Xeon® 5500 series processors, so you do not have to configure your machine yourself as in the case of the Nvidia S1070 featuring four Tesla GPUs. The new server is based on the Nvidia CUDA™ architecture.

It should be a very powerful solution and an expensive one too. However, we do not expect password recovery to benefit much from it. As we’ve mentioned many times before, password recovery is barely cost-effective when expensive hardware is involved in the process.

Read the press release