The Onion News Network has a news webcast about Facebook program and its use in acquiring information during federal investigations and how greatly this project can save federal expenses:

CIA's 'Facebook' Program Dramatically Cut Agency's Costs

Joking aside, although Facebook was not presupposed to carry out any federal mission like this, the fact is that Feds can very well use Facebook to gather more details of people they are looking for. The question is: how can they do this (if, of course, that’s not the ‘special project’ itself)? One of possible ways to get necessary data would be to set an account and make friends with the suspect, however there are some hidden rocks in it. First, the suspect might not like to make friends with “camouflaged” feds; second, even if you managed to get friends, your access to suspects’ details can be restricted.  Obviously, this is not an easy way to chase a criminal, on the other hand it provides an opportunity to establish and initiate personal contact with the suspect if that’s required.

What else can be done? Well, getting access to suspects’ computer is not a bad idea and most probably this would be point number one. There are many ways to seize and arrest suspects’ computers and as soon as it is accessible computer specialists start scrutinizing its content in search of any evidence. Here all ElcomSoft password recovery tools come into action and now also Facebook Password Extractor designed exclusively for Facebook accounts. 

The new utility gets Facebook account passwords saved in Web browsers on the local computer.  Pleasant thing is that ElcomSoft decided to help saving federal costs as well and made the software free of charge: “This is our duty!”, says unnamed ElcomSoft representative. The main Facebook Passwords Extractor features:

• The utility is absolutely free
• Easy exploitation – you simply start the program and it takes over the rest of work
• Supports all popular Web browsers and their versions: Internet Explorer till v. 9, Mozilla Firefox till v. 4, Opera till v. 11.10, Google Chrome till v. 11, Apple Safari till v. 5
• Works almost instantly
• Finds unlimited (i.e. all) number of logins and passwords stored in Web browsers on local computer.
• Does not matter how long and complex the passwords are and what languages they're in

N.B. Passwords stored in Mozilla Firefox and Opera protected with master password, cannot be recovered with this tool. For the first one (Firefox), however, we do have the solution: Elcomsoft Distributed Password Recovery. Let us know if you're interested in Opera master password recovery, too!

Working with it is quite simple. Right after you start Facebook Password Extractor, it searches Web browsers installed in the system and analyses data stored in every of the installed browsers, local databases, and cache. This allows finding all account information (login – password) that has ever been saved in Web browsers as autocomplete and/or authentication data. All found passwords to Facebook accounts are being decrypted and displayed in convenient form.

There is one “problem” with Facebook Password Extractor, though. It works with Facebook only  . If you need to reveal passwords to other social networks, get the Elcomsoft Internet Password Breaker instead. It is not free, but you always get what you paid for – not just [saved] passwords to social networks, but also the contents of ‘autocomplete’ fields (an extremely good source of information, including passwords), Windows Live Mail credentials and more.

• “I don't have Outlook, so I can't do it [synchronization] automatically, but I really need you guys' help.”
• “Unfortunately I had to wipe out the device completely after applying the latest OS update which screwed up my contacts and calendar.”
• “The latest verson of the software (bundle 1656) INSTANTLY caused my contacts on my BB to be wiped out and replaced with 657 blank entries.”
• “Is there any way I can export my address book to oulook or windows contacts or whatever so i can put them on my friends iphone?”
• “How can I get my 20,000+ contacts from my Curve 8530 to a CSV or exported somewhere online? It seems like there is no way without syncing software crashing because of the time a transfer takes…”

It looks like currently the main problem with BB’s usability is absence of proper synchronization.  Well, to tell the truth it WAS a problem, which is now at least partly solved. With our new tool (EBBE) you can export all contacts saved in BB backup into the single CSV file, as the most universal format supported by all email clients (including web-based email services), and then do whatever you need – import these contacts into your favorite client (regardless an operating system – Windows, Mac OS, Lunix etc), merge with the contacts stored in the other smartphone, open in Excel etc. How that? Just using Elcomsoft Blackberry Backup Explorer.  With this simple though nice and effective utility you can extract, display, print or export BlackBerry backup information. A whole array of all sorts of data can be at hand in a matter of minutes: pictures, messages, URLs, contacts, certificates, call logs, etc.  – literally everything is at your disposal anytime and in any convenient format, be it PDF, HTML, DOC, RTF (which btw include a hyperlinked Table of Contents)or other preferable file formats like CHM, HLP, TXT, MDB, XLS, TIFF, DCX, VCF (vCard), VCS (vCalendar) and even more.   I’m sure most of business people using BlackBerry might have encountered an urgent necessity to restore some correspondence to read it on PC/Mac, print it out, or forward to a partner, I suppose it’s a frequent situation. Now, you don’t have to be bound by Outlook to process your BB emails. It becomes a 3 step procedure with Elcomsoft Blackberry Backup Explorer. First, you start on the tool and open your BB backup. Second, you choose “messages” and filter them by contact (using familiar fields To and From), subject, date (see, you can sort them just as you like) and even manage their sequence. And finally – drum roll – save the correspondence in any convenient file format. That’s it. In fact, Elcomsoft Blackberry Backup Explorer is a perfect tool for forensics experts to get BlackBerry backup content in a perfectly structured and readable form. As said “no more secrets, no more lies, see right through your alibis…”, © Papa Roach. And even though experts may require a password to the encrypted backup, it’s not a problem when you have Elcomsoft Phone Password Breaker, unless you know the password some other way

The many different security policies and government regulations make standard practices of choosing passwords inadequate (passwords are too easy to break) or unfeasible (passwords are impossible to memorize, get written on yellow stickers, and get easily hijacked).  To facilitate the needs of its customers, ElcomSoft Co. Ltd. employed its extensive expertise in the areas of information security and password recovery, and offers a service to provide the perfect balance between password strength and memorability. After breaking millions of passwords, the company has inside information on what’s strong, what’s weak, and what’s adequate for every task.

Offering three strength levels and several additional options, ElcomSoft offers an economical way to create passwords perfect for the type of information they protect. Customers can choose passwords that are short and strong, long and extremely strong, or very long and guaranteed unbreakable. For a small extra fee, Password Store customers can choose passwords that are easy to pronounce or quick to memorize, without sacrificing a single bit of security. In addition, ElcomSoft offer a “gift-wrap” option that accompanies every password with a digital authenticity certificate.

As a value-added service, ElcomSoft offers exclusive password recovery service to all customers of its Password Store. For a nominal fee, forgotten passwords can be recovered in an instant. Under no circumstances will the company sell passwords to any third-parties or upload the lists to the three-letter agencies, government or law enforcement officials unless they become our clients and buy their own passwords.

More info at http://www.elcomsoft.com/password_store.html

Yesterday, we recovered login and password information to Internet Explorer only, but it was yesterday… Now, Mozilla Firefox, Apple Safari, Google Chrome and Opera Web browsers are at your disposal.

Let’s plunge into some figures…

Imagine, just a couple of years ago there was no Chrome at all and now it captivates more than 19% of users and is the third most popular Web browser. Safari appeared first in 2003 under Mac OS and in 2007 under Windows, now it’s the fourth popular Web browser.

A curious scene unfolds before us, IE is constantly losing its followers to the advantage of FireFox and rapidly spreading newcomers like Chrome. However, in spite of all these browser wars, any statistical data can only be relatively true and I’m sure we all use more than one Web browser (I use three at least).

Some of them are at hand because they are default browsers like Safari on iPhones and iPads, some of them are more convenient for Web designing, and some run under Linux and Mac OS X as well.

That’s why we decided to crack other browsers as well. BTW, our CTO Andy Malyshev claims that compared to IE 8 protection all the other browsers were just “a piece of cake”.

Just if you’re curious, different Web browsers store their data (including logins and passwords to web sites) in different formats. In Apple Safari, it is Property List (plist), in versions up to 3.x (incl.), that was just a plain XML which is easy to parse. In Safari 4 and 5, it is in binary form (though organized very similar internally). Encryption is done with DPAPI.

Mozilla Firefox: up to version 3.5, they stored everything in plain text; starting with version 3.5 – in SQLite databases. Everything is encrypted there (yes, in old text files, too) using their own API called Network Security Services (NSS).

In Google Chrome SQLite is used as a storage and DPAPI for encryption.

Opera: proprietary (binary) file format whereas encryption is done with DES.

Now it’s easy to get back account information, logins, passwords and cached forms in all browsers like IE, Apple Safari, Google Chrome, Opera, and Mozilla Firefox, as well as Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail.

However, there is a trick with Mozilla Firefox…if it has a master password, your only prey will be URLs, unless you know the required master password…OR have Elcomsoft Distributed Password Recovery which deals with such passwords.

One more trick with Firefox (quite a tricky browser, isn’t it?) is that unlike the others it should be installed itself, because EINPB refers to some of its dll-files.

As we’ve seen, the tendency is to use several browsers, or better said switching from IE to other ones, which implies some problems with switching some details (such as name, address, or whatever else) cached in your previous Web browser and happily forgotten. This is a frequent scenario – I personally found myself in similar situation a couple of days ago, when I had to reach an online account (which login and password are cached) from another browser and couldn’t…but my situation was even worse because I used different computers. Anyway, this won’t bother you anymore, because EINPB can pull all data from your old browser and gather it in one file. 

So, let us not dampen our joy over browser wars as they are not finished yet and appease our hunger for new browsers (?) We also get influenced by popular opinion, so tell us your browser preferences and maybe we’ll crack them too.

However, there is no order that users have to change their Wi-Fi passwords regularly, the only requirement being to set up a password on the initial stage of wireless access installation and configuration.

I’ve conducted a mini-research here in Russia. There are 5 wireless networks in range that my computer finds when at home. Although all of the networks have rather bizarre names, they are all WPA- or WPA2-protected. My guess is that people do not install wireless access at home by themselves or browse the Internet for instructions and find some on protection and passwords. At the same time, I often come across unprotected networks in Moscow and I do use them to check my Twitter account. It is obvious that to make any conclusions, one has to dive into this topic much more deeply.

What I learnt working for ElcomSoft – the company that recovers passwords and does it very well – is the following: sometimes a password is not enough. You need a good password to make sure your data is protected. WPA requires using passwords that are at least 8 characters long. Such length guarantees quite good protection. The problem as usual is the human factor. We still use admin123 and the like to protect our networks.

Fortunately, there are tools that can help you check how strong your WPA/WPA2-password is. One of such tools is Wireless Security Auditor. It makes use of various hardware for password recovery acceleration and a set of customizable dictionary attacks. The idea is simple: if this monster does not find your WPA/WPA2-password, then it is secure 

Nice weekend to all.

A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456″, followed by “12345″, “123456789″, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567″, “12345678″, and “abc123″ to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.

As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm Daniel V. Klein, ”Foiling the Cracker”: A Survey of, and Improvements to, Password Security,” 1990.

A low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary has been recently unveiled. The so-called WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in about 20 minutes. Want to pay less, do it for $17 and wait 40 minutes to see the results.

Another notable feature is the use of the dictionary that has been set up specifically for cracking Wi-Fi Protected Access passwords. While Windows, UNIX and other systems allow short passwords, WPA pass codes must contain a minimum of eight characters. Its entries use a variety of words, common phrases and "elite speak" that have been compiled with WPA networks in mind.

WPA Cracker is used by capturing a wireless network's handshake locally and then uploading it, along with the network name. The service then compares the PBKDF2, or Password-Based Key Derivation Function, against the dictionary. The approach makes sense, considering each handshake is salted using the network's ESSID, a technique that makes rainbow tables only so useful.

Everything seems to be perfect, but for the fact that there exists another alternative to crack WPA passwords which allows to reach the same speed. Just instead of installing a 400-CPU cluster, it’s possible to set 4 top Radeons or about two Teslas and try Elcomsoft Wireless Security Auditor.

Best Graphics Cards For The Money: September ’09

Update (Sep 16th): GT300 could outperform the Radeon HD5870

Update (Sep 22nd): ATI Radeon HD 5870 pricing and specs list revealed

Update (Sep 23rd): ATI Radeon HD 5870: DirectX 11, Eyefinity, And Serious Speed

ATI is going to release Radeon HD 5000 cards (5850, 5870, 5870 X2) in October — well, hopefully. The top one (HD 5870X2: single-PCB, dual-GPU) will retail for $599.

As for NVIDIA’s new GT300, the specifications were revealed in April. In brief, it groups processing cores in sets of 32 (up from 24 in GT200) — up to 512 cores total for the high-end part. If the clocks remain the same as on GT200, that will double the overall performance. And there are other improvements as well: e.g. GT300 cores rely on MIMD-similar functions. Some fresh information about GT300 availability:

• Where is the nVidia GT300?
• nVidia plans GT300 demos for late September
• NVIDIA GeForce Drivers Include Details on GT300 GPU Series

You may ask — what about Intel? Well, new Core i5 and i7 (codename Lynnfield) now available. Nothing revolutionary new, just Intel P55 Express Chipset support: integrating both a 16-lane PCI Express 2 graphics port and two-channel memory controller on a single chip (previous chipsets required separate northbridge and southbridge), as well as several minor improvements. More information and some benchmarks at Intel Lynnfield; Core i5 750 and Core i7 870 Evaluation and New Intel Core i5, i7 Processors Product Matrix.

And still [almost] noting about Intel Larrabee, mostly just rumors:

• Intel says Larrabee is still 1st Gen
• Intel Larrabee Based Graphics Card Coming in 2010 Still

Finally, funny article: NVIDIA to Intel: Your Days Are Numbered :)