Some time ago we wrote about the smallest password cracking device. Not suitable for you? No problem, here is another one: not as small, but definitely more powerfull: Audi. Yes, it's a car. No, we're not kidding. Just read NVIDIA and Audi Marry Silicon Valley Technology with German Engineering press release from NVIDIA. Or if you need more information, The New MMI Generation from Audi might be also helpful. In brief: Audi A8 luxury sedan is equipped with an entertainment system that uses two GPUs from NVIDIA. We have no idea what are these chips (may be Fermi?) and is it technically possible to load our own code to them, but still funny, isn't it? 🙂
Archive for the ‘Industry News’ Category
About a month ago, a SQL Injection flaw was found in the database of RockYou.com, a website dealing with social networking applications. The Tech Herald reports that 32.6 million passwords were exposed and posted online due to the flaw. The complete examination of the passwords from the list showed that the passwords in question are not only short as RockYou.com allows creating 5-character-passwords but also alphanumeric only.
A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456”, followed by “12345”, “123456789”, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567”, “12345678”, and “abc123” to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.
Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.
As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.
The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.
Related articles and publications:
It’s a well-know fact that WPA-PSK networks are vulnerable to dictionary attacks, though one cannot but admit that running a respectable-sized dictionary over a WPA network handshake can take days or weeks.
A low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary has been recently unveiled. The so-called WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in about 20 minutes. Want to pay less, do it for $17 and wait 40 minutes to see the results.
Another notable feature is the use of the dictionary that has been set up specifically for cracking Wi-Fi Protected Access passwords. While Windows, UNIX and other systems allow short passwords, WPA pass codes must contain a minimum of eight characters. Its entries use a variety of words, common phrases and "elite speak" that have been compiled with WPA networks in mind.
WPA Cracker is used by capturing a wireless network's handshake locally and then uploading it, along with the network name. The service then compares the PBKDF2, or Password-Based Key Derivation Function, against the dictionary. The approach makes sense, considering each handshake is salted using the network's ESSID, a technique that makes rainbow tables only so useful.
Everything seems to be perfect, but for the fact that there exists another alternative to crack WPA passwords which allows to reach the same speed. Just instead of installing a 400-CPU cluster, it’s possible to set 4 top Radeons or about two Teslas and try Elcomsoft Wireless Security Auditor.
Tom’s Hardware is a really good source we can definitely trust, so if you need more details on Radeon HD 5000-series cards (specifications and prices) that are coming soon, just read:
Update (Sep 16th): GT300 could outperform the Radeon HD5870
Update (Sep 22nd): ATI Radeon HD 5870 pricing and specs list revealed
Update (Sep 23rd): ATI Radeon HD 5870: DirectX 11, Eyefinity, And Serious Speed
ATI is going to release Radeon HD 5000 cards (5850, 5870, 5870 X2) in October — well, hopefully. The top one (HD 5870X2: single-PCB, dual-GPU) will retail for $599.
As for NVIDIA’s new GT300, the specifications were revealed in April. In brief, it groups processing cores in sets of 32 (up from 24 in GT200) — up to 512 cores total for the high-end part. If the clocks remain the same as on GT200, that will double the overall performance. And there are other improvements as well: e.g. GT300 cores rely on MIMD-similar functions. Some fresh information about GT300 availability:
- Where is the nVidia GT300?
- nVidia plans GT300 demos for late September
- NVIDIA GeForce Drivers Include Details on GT300 GPU Series
You may ask — what about Intel? Well, new Core i5 and i7 (codename Lynnfield) now available. Nothing revolutionary new, just Intel P55 Express Chipset support: integrating both a 16-lane PCI Express 2 graphics port and two-channel memory controller on a single chip (previous chipsets required separate northbridge and southbridge), as well as several minor improvements. More information and some benchmarks at Intel Lynnfield; Core i5 750 and Core i7 870 Evaluation and New Intel Core i5, i7 Processors Product Matrix.
And still [almost] noting about Intel Larrabee, mostly just rumors:
Finally, funny article: NVIDIA to Intel: Your Days Are Numbered 🙂
According to NordicHardware, Sapphire Or Zotac Might Launch Larrabee. No further information on Larrabee yet, though; as we already wrote, the Larrabee lauch date is set to 2010. The only news from Intel so far is about i3, i5, i7 CPU naming system: Lynnfield, Clarksfield, Arrandale, Clarkdale; besides, Intel plans shipments of 32nm ‘Clarkdale’ in Q4.
The world is waiting for the specifications of currently most powerful processor – AMD Phenom II 42 TWKR Black Edition aka Formula 1. They say it has an unlocked clock multiplier for ease of overclocking, though consumes 200W and thus requires good cooling. One of the pictures on the website of Maingear PC founder and CEO (Wallace Santos) has a not-for-sale-note which caused a gossip that the new processor is not meant for retail, but probably for direct selling from AMD to “extreme enthusiasts”.
We wrote about the new iPhone last week, but these we only rumors. And now it is officially announced (on WWDC); the sales will start on June 17th (in the U.S.). Additional information is available at Apple web site: general and about iPhone 3.0 software update. But unfortunately, still no tech specs of its GPU; according to the above article, Maybe there is some truth to the rumors that Apple is using OpenCL. If that’s true, there will be (technical) ability to crack passwords on it, and the speed should not be disappointing.
News from the other side: Intel could Atomise handsets in two years. An era of portable password crackers is coming 😉
Password management has got government support and the status of the national initiative in Australia. The National E-security Awareness Week is held from 5-12 June this year. A series of events and workshops take place across Australia to raise awareness of e-security risks.
In the interview to ABC radio, Australian Communications Minister Stephen Conroy urged to use stronger passwords and update them regularly. He recommended passwords that are 8 or more characters long, including lower- and upper-case characters, one digit and one special symbol. Passwords should be updated at least twice a year.
We welcome the Australian initiative to raise awareness of secure passwords. In the recent years we at ElcomSoft have been trying to draw attention to the fact that both individuals and businesses have to rethink passwords they use. Password recovery techniques have developed much thanks to growing potential of parallel computations and supporting architectures, cheaper graphic adaptors’ prices and constant cryptographic research.
We recommend changing your password every 3 months. Do not forget that for applications with 40-bit encryption (e.g.MS Office 97/2000) 8-character passwords are not enough. Never use any personal data or dictionary words for your password. Read our white papers to learn more about password strength.