Archive for the ‘Security’ category

Today we are pleased to unveil the first public beta of our new product, Elcomsoft iPhone Password Breaker, a tool for recovering the passwords of password-protected iPhone and iPod Touch backups made with iTunes.

About a month ago, a SQL injection flaw was found in the database of RockYou.com, a website dealing with social networking applications. The Tech Herald reports that 32.6 million passwords were exposed and posted online because of the flaw. A complete examination of the passwords in the list showed that they are not only short (RockYou.com allows 5-character passwords) but also alphanumeric only.

It’s a well-known fact that WPA-PSK networks are vulnerable to dictionary attacks, though one cannot but admit that running a respectably sized dictionary against a WPA network handshake can take days or weeks.

One of our customers sent me two Excel XLA add-ins. When I tried to open one of them in the VBA Editor, the "Project is locked" message appeared. The add-in had already been unlocked by our VBA password recovery tool. According to a Microsoft article, this message may appear in two cases: when the macro is protected by a password or when it is digitally signed. I analysed the macro password record and found that the password is empty. MS Excel also showed me that the macro has no digital signature. Then I looked at the protection record more closely and, for example, found that:

We are waiting for the release of the new Microsoft Office suite, Office 2010. Right now Microsoft has only a technical preview of the new Office; this preview has leaked from Microsoft and anyone can download it with the help of torrent trackers. We’ve got a copy of Office 2010 and analysed its (new) password protection.

In brief, here is the "problem": for years (I think since Windows 3.0, released almost 20 years ago), passwords have been masked as you type them (in most programs that have any kind of password protection, and in the operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone standing behind you.

New statistics* show that disaster recovery (DR) is getting more attention, and more upper-level executives are becoming involved with DR issues. Ideally, each company should have an emergency plan in case of power or system failure, loss of access, outside attack, sabotage or other incidents; such a plan is called a DRP (disaster recovery plan) or even a DRRP (disaster response and recovery plan). A DRP is only one part of the risk management practices that ensure emergency preparedness and risk reduction; these practices include such initiatives as regular data backups, stocking recovery software, archiving, etc., and are reflected in PMI and NIST standards.

In my previous post I suggested several variants of computer security as defined by different laws. Now I’d like to get to ciphers, again as viewed by law.

Most laws define security obligations as "reasonable", "appropriate", "suitable", "necessary", "adequate", etc., without giving more precise directives to follow. Is this good or bad? And what should one know about these standards?

In the city of Bozeman (in the US) it is… pardon, was "acceptable" to require the credentials for your personal mailboxes and other social networking accounts when applying for a job. What for? For "a thorough background check".