Archive for the ‘Industry News’ Category

ElcomSoft Opens a Password Store to Sell Passwords Balancing Strength and Memorability

Friday, April 1st, 2011

Great news, ElcomSoft starts Elcomsoft Password Store, an online service to supply customers with guaranteed secure passwords. The new Password Store provides customers a variety of selections, and complies with all industrial and government requirements regarding the length and complexity of passwords being sold. As a value-added service, the company offers near-instant recovery of all passwords sold through its Password Store for a nominal fee.

The many different security policies and government regulations make standard practices of choosing passwords inadequate (passwords are too easy to break) or unfeasible (passwords are impossible to memorize, get written on yellow stickers, and get easily hijacked).  To facilitate the needs of its customers, ElcomSoft Co. Ltd. employed its extensive expertise in the areas of information security and password recovery, and offers a service to provide the perfect balance between password strength and memorability. After breaking millions of passwords, the company has inside information on what’s strong, what’s weak, and what’s adequate for every task.

Offering three strength levels and several additional options, ElcomSoft offers an economical way to create passwords perfect for the type of information they protect. Customers can choose passwords that are short and strong, long and extremely strong, or very long and guaranteed unbreakable. For a small extra fee, Password Store customers can choose passwords that are easy to pronounce or quick to memorize, without sacrificing a single bit of security. In addition, ElcomSoft offer a “gift-wrap” option that accompanies every password with a digital authenticity certificate.

As a value-added service, ElcomSoft offers exclusive password recovery service to all customers of its Password Store. For a nominal fee, forgotten passwords can be recovered in an instant. Under no circumstances will the company sell passwords to any third-parties or upload the lists to the three-letter agencies, government or law enforcement officials unless they become our clients and buy their own passwords.

More info at http://www.elcomsoft.com/password_store.html

Firefox, Safari, Opera, and Chrome Passwords Cracked

Thursday, November 11th, 2010

What is a Web browser for you? It’s virtually a whole world, all together: web sites, blogging, photo and video sharing, social networks, instant messaging, shopping… did I forget anything? Oh yes, logins and passwords. :)  Set an account here, sign in there, register here and sing up there – everywhere you need logins and passwords to confirm your identity.

Yesterday, we recovered login and password information to Internet Explorer only, but it was yesterday… Now, Mozilla Firefox, Apple Safari, Google Chrome and Opera Web browsers are at your disposal.

Let’s plunge into some figures…

(more…)

‘Casual and Secure’ Friday Post

Friday, May 14th, 2010

German law has always been strict about any possible security breaches. This week German court ordered that anyone using wireless networks should protect them with a password so the third party could not download data illegally.  

However, there is no order that users have to change their Wi-Fi passwords regularly, the only requirement being to set up a password on the initial stage of wireless access installation and configuration.

I’ve conducted a mini-research here in Russia. There are 5 wireless networks in range that my computer finds when at home. Although all of the networks have rather bizarre names, they are all WPA- or WPA2-protected. My guess is that people do not install wireless access at home by themselves or browse the Internet for instructions and find some on protection and passwords. At the same time, I often come across unprotected networks in Moscow and I do use them to check my Twitter account. It is obvious that to make any conclusions, one has to dive into this topic much more deeply.

What I learnt working for ElcomSoft – the company that recovers passwords and does it very well – is the following: sometimes a password is not enough. You need a good password to make sure your data is protected. WPA requires using passwords that are at least 8 characters long. Such length guarantees quite good protection. The problem as usual is the human factor. We still use admin123 and the like to protect our networks.

Fortunately, there are tools that can help you check how strong your WPA/WPA2-password is. One of such tools is Wireless Security Auditor. It makes use of various hardware for password recovery acceleration and a set of customizable dictionary attacks. The idea is simple: if this monster does not find your WPA/WPA2-password, then it is secure :)

Nice weekend to all.

New password-cracking hardware

Friday, February 19th, 2010

Some time ago we wrote about the smallest password cracking device. Not suitable for you? No problem, here is another one: not as small, but definitely more powerfull: Audi. Yes, it's a car. No, we're not kidding. Just read NVIDIA and Audi Marry Silicon Valley Technology with German Engineering press release from NVIDIA. Or if you need more information, The New MMI Generation from Audi might be also helpful. In brief: Audi A8 luxury sedan is equipped with an entertainment system that uses two GPUs from NVIDIA. We have no idea what are these chips (may be Fermi?) and is it technically possible to load our own code to them, but still funny, isn't it? :)

123 Out Goes… Your Password

Friday, January 22nd, 2010

About a month ago, a SQL Injection flaw was found in the database of RockYou.com, a website dealing with social networking applications. The Tech Herald reports that 32.6 million passwords were exposed and posted online due to the flaw. The complete examination of the passwords from the list showed that the passwords in question are not only short as RockYou.com allows creating 5-character-passwords but also alphanumeric only.

A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456″, followed by “12345″, “123456789″, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567″, “12345678″, and “abc123″ to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.

As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm Daniel V. Klein, ”Foiling the Cracker”: A Survey of, and Improvements to, Password Security,” 1990.

New sweeping WPA Cracker & its alternatives

Tuesday, December 8th, 2009

It’s a well-know fact that WPA-PSK networks are vulnerable to dictionary attacks, though one cannot but admit that running a respectable-sized dictionary over a WPA network handshake can take days or weeks.

A low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary has been recently unveiled. The so-called WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in about 20 minutes. Want to pay less, do it for $17 and wait 40 minutes to see the results.

Another notable feature is the use of the dictionary that has been set up specifically for cracking Wi-Fi Protected Access passwords. While Windows, UNIX and other systems allow short passwords, WPA pass codes must contain a minimum of eight characters. Its entries use a variety of words, common phrases and "elite speak" that have been compiled with WPA networks in mind.

WPA Cracker is used by capturing a wireless network's handshake locally and then uploading it, along with the network name. The service then compares the PBKDF2, or Password-Based Key Derivation Function, against the dictionary. The approach makes sense, considering each handshake is salted using the network's ESSID, a technique that makes rainbow tables only so useful.

Everything seems to be perfect, but for the fact that there exists another alternative to crack WPA passwords which allows to reach the same speed. Just instead of installing a 400-CPU cluster, it’s possible to set 4 top Radeons or about two Teslas and try Elcomsoft Wireless Security Auditor.

Elcomsoft Wireless Security Auditor: WPA-PSK Password Audit

More on Radeon HD 5000

Thursday, September 10th, 2009

Tom’s Hardware is a really good source we can definitely trust, so if you need more details on Radeon HD 5000-series cards (specifications and prices) that are coming soon, just read:

Best Graphics Cards For The Money: September ’09

Update (Sep 16th): GT300 could outperform the Radeon HD5870

Update (Sep 22nd): ATI Radeon HD 5870 pricing and specs list revealed

Update (Sep 23rd): ATI Radeon HD 5870: DirectX 11, Eyefinity, And Serious Speed

AMD vs NVIDIA, next round

Wednesday, September 9th, 2009

Looking for new password cracking hardware (to take advantage of GPU acceleration)? Wait just a little bit more: new ATI and NVIDIA cards (with DirectX 11) will be available soon.

ATI is going to release Radeon HD 5000 cards (5850, 5870, 5870 X2) in October — well, hopefully. The top one (HD 5870X2: single-PCB, dual-GPU) will retail for $599.

As for NVIDIA’s new GT300, the specifications were revealed in April. In brief, it groups processing cores in sets of 32 (up from 24 in GT200) — up to 512 cores total for the high-end part. If the clocks remain the same as on GT200, that will double the overall performance. And there are other improvements as well: e.g. GT300 cores rely on MIMD-similar functions. Some fresh information about GT300 availability:

You may ask — what about Intel? Well, new Core i5 and i7 (codename Lynnfield) now available. Nothing revolutionary new, just Intel P55 Express Chipset support: integrating both a 16-lane PCI Express 2 graphics port and two-channel memory controller on a single chip (previous chipsets required separate northbridge and southbridge), as well as several minor improvements. More information and some benchmarks at Intel Lynnfield; Core i5 750 and Core i7 870 Evaluation and New Intel Core i5, i7 Processors Product Matrix.

And still [almost] noting about Intel Larrabee, mostly just rumors:

Finally, funny article: NVIDIA to Intel: Your Days Are Numbered :)
 

Intel Larrabee, AMD Llano: when?

Tuesday, June 23rd, 2009

According to NordicHardware, Sapphire Or Zotac Might Launch Larrabee. No further information on Larrabee yet, though; as we already wrote, the Larrabee lauch date is set to 2010. The only news from Intel so far is about i3, i5, i7 CPU naming system: Lynnfield, Clarksfield, Arrandale, Clarkdale; besides, Intel plans shipments of 32nm ‘Clarkdale’ in Q4.

What about ATI? Nothing really new so far; but here is some info on Llano chip; also, in AMD blog, and at Tom’s Hardware: ATI Stream: Finally, CUDA Has Competition.

AMD Phenom II 42 TWKR Black Edition is the new black

Friday, June 19th, 2009

The world is waiting for the specifications of currently most powerful processor – AMD Phenom II 42 TWKR Black Edition aka Formula 1. They say it has an unlocked clock multiplier for ease of overclocking, though consumes 200W and thus requires good cooling. One of the pictures on the website of Maingear PC founder and CEO (Wallace Santos) has a not-for-sale-note which caused a gossip that the new processor is not meant for retail, but probably for direct selling from AMD to “extreme enthusiasts”.

So, let’s wait together for a detailed description. :)