Developing software for ATI cards is (okay — was) a nightmare. In 2009 ATI quietly introduced two changes in their drivers which made previously perfectly functional and compatible applications to crash (if you are curious: with Catalyst 9.2 or 9.3 they’ve changed names of supporting DLLs bundled with drivers; with Catalyst 9.9 or 9.10 they’ve probably changed format of underlying binary so that anything compiled and linked in with earlier versions caused a driver to crash).

Well, with the release of Catalyst 10.4 drivers ATI is again at it. This time problem only affects users who have display adapters from different vendors in their computer. Applications utilizing ATI Stream will work on such configurations just fine with Catalyst 10.3, but once you upgrade to 10.4, applications will crash with faulting module being aticaldd.dll, a part of ATI Display driver. Kinda embarrassing, I would say. Regression testing is really something one with millions of users should consider.

Users of our software relying on ATI hardware accelerations (as well as any other ATI Stream enabled applications) should not update to 10.4 if ATI Readeon is not the only card in their computer.

The brute-force attack consists of two parts:

1. Trying digits and latin letters
2. Trying national characters depending on code page set in Windows.

Before this time these parts were hardcoded in the program. The new version of Advanced Office Password Recovery has an option to customize the preliminary brute-force attack. 

Look to the directory where AOPR is installed. There is "attacks.xml" file inside. The first section of this file is the language map:

The codes are Windows language identifiers. You can link any LID to your custom name.

The next section contains predefined charsets:

All charsets are in unicode so you can define any national characters here.

And the final section is "documents". All parts of this section has comments about document types. You can define the "common" charsets and charsets that are related to system language. Each "attack" record defines password length and charset.

In this XML file you can simply change the standard preliminary attack and define the custom charsets for your language. I hope this will help to recover your Office passwords faster.

Well, that reminded me of a very funny stupid CAPSoff Campaign…

In brief, here is the "problem": for years (I think starting from Windows 3.0 released almost 20 years ago), the passwords are being masked as you type them (in most programs what have any kind of password protection, and an operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone who stands behind you.

An implementation is really simple: all you have to do is set the ES_PASSWORD style for the given Edit control.

Does that feature add some security? Yes, I think so. Though it does not protect from keyloggers. Besides, the content of the masked edit control (i.e. the password) can be easily read by other software: e.g. look at Behind asterisks feature available in Proactive System Password Recovery – with it, you can "unmask" all controls in all programs currently running, and even enable disabled (grayed out) buttons and menu items.

However, Nielsen says that password masking causes more errors, and second, even reduces the security. I can see the first point: yes, if you don’t see what you type, it is easier to make a typo. But all well-designed programs (like PGP) have an option to [un]mask the password field, or at least ask you to enter the password twice (I doubt you can make exactly the same typo two times).

The second point is much harder to understand:

"The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security."

True? Yes, definitely. But no connection to password masking. I don’t feel uncertain when entering something into the masked box, really. And most users select short/simple passwords anyway, and/or write them down – regardless the usability issues discussed here

I see another problem, though – related to non-US keyboards. You may have the keyboard layout switched to other (than default) language… Or the CapsLock switched on. However, well-designed systems will bring your attention about layout and CapsLock (e.g.: Windows logon prompt).

And finally… Most (if not all) email clients and instant messengers have an option to "remember" the passwords (and yes, it is convenient – you don’t have to enter it every time when you connect). And if the password is saved, you can see the asterisks only (in program options, or in ‘connection’ window), so you feel secure – someone who get the physical access to your computer will be able to get your mail and connect to your IM account, but cannot get your password. Right? Wrong. Unfortunately, most programs save the plaintext passwords, or use ‘snake-oil’ encryption, and so can be easily extracted by programs like Advanced Mailbox Password Recovery and Advanced IM Password Recovery. The only (good) exceptions are ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype – they save not the password itself, but its hash (which is really hard – and sometimes impossible – to recover the plaintext from). This (stroring the passwords) IS the real security problem. Password masking is NOT.

New statistics* shows disaster recovery (DR) is getting more attention, and more upper level execs become involved with DR issues. Ideally, each company should have an emergency plan in case of power/system failure, loss of access, outside attack, sabotage or else – called DRP (disaster recovery plan) or even DRRP (disaster response and recovery plan). DRP is only a part of risk management practices which ensure emergency preparedness and risk reduction and include such initiatives as regular data backups, stocking recovery software, archiving, etc. – these activities are reflected in PMI and NIST standards.

Contrary to risk management DRP is meant for providing clear-cut instructions in case of emergency, indicating activities required to recover the critical data or services and optionally people responsible for these activities (if not mentioned in other directives) , and thus should be clear and concise, take a look at the DRP diagram. There are two main recovery objectives.

First is the recovery time objective meaning how long a business can continue to function without the critical data or services. And the survey results* show the recovery time objectives are currently reduced to 4 hours.

Second one is the recovery point objective which stands for from what time can an organization recover damaged or lost data, which practically means how often an organization should back up their data and how much info they are prepared to lose. In this respect Symantec survey* demonstrates that more than a third of virtual environments do not back up their data on a regular basis, explaining this by absence of good automation.

In a disaster recovery situation a formula “time is money” gets its critical point, as you have limited time not only to restore and get in order your data, but also to find necessary means for this. Hopefully, the DRP specifies all necessary contacts and services to help you avoid taking unwise steps in a rush.

Another time-dependent problem appears to be testing and absence of necessary resources for regular tests. According to the report results the most popular reason why companies are unwilling to do testing is because of a lack of resources in terms of people’s time (48 % respondents)*.

Relying on their previous studies Symantec claims lack of resources is a general problem throughout many years. I agree with them that introducing tools for easy regular audit and recovery minimizes human involvement and reduces the need to turn to third party services. What I’m also driving at is that our tools are good both for regular password audit and urgent data recovery, e.g. Elcomsoft System Recovery or Advanced EFS Data Recovery.

*Symantec’s fifth annual IT Disaster Recovery survey

** The IT disaster recovery plan

I bet it was more than once that you had to fill out a sort of name-company-position-email-telephone-whatever form when registering or subscribing to something. Do you think about preserving privacy of your information when leaving such data on someone’s website? It is a common experience which gradually became an axiom that anything you leave in the Internet sooner or later becomes public. Hopefully you do not try your fortune and do not use your registration data anywhere in your passwords. Besides, when registering please be careful about your “secret questions” and your secret answers, because most of your answers (like mother’s maiden name, favorite football team…) can be guessed in different ways. 

The term phishing must be familiar to you as it became sort of buzz word, but still the meaning is that fake websites (usually copies of some popular existing ones) are being created to gather personal data like names, telephone numbers, e-mail addresses and sensitive information like passwords or credit card numbers. But they are not necessarily site-duplicates; it can be an absolutely new and original website which gathers users’ info under color of download resource or any service opportunity. 

There is no such term as overcautiousness regarding user authentication. A password like GxOxD#P$@$w0rD may be good enough for a PDF file with 128-bit encryption, but bad for an online account for several reasons: first, an online account password can be tried for any other your accounts and/or protected files (what if you used the same one?); second, you can easily forget such a difficult password yourself, while there is no need to make it so complex because there are no programs for online passwords’ recovery (provided they are not captured by the turned-on AutoComplete of your web browser, in this case our AIEPR easily finds it). Thus, a normal password for an online account could be like PisO’Kake!

What’s worth remembering is that in particular Internet systems (fortunately, their number seems to decrease, but still they are) your password is being sent through the Internet totally unprotected, which means it is not a problem to capture it. In such cases passwords’ managers like KeePass (keepass.info) can help – they keep passwords in an encrypted file, which opens only if you know master password and this one (contrary to online passwords) must be highly secure. 

Please be careful with your online passwords and make them different from those that you use for protecting your files. Again, remember everything you leave in the Internet is no longer yours, at least not only yours, this is the sad truth. 

To sum up, I’ve outlined some basic tips for online passwords: 

• They do not have to be as strong as offline passwords 
• They should not coincide with any other your passwords used in the Internet or elsewhere
• They should not be guessable after gathering info about you:
  1. never equal your personal info (name, birthday, car number, postal address…)
  2. never equal any general info about you (your likes/dislikes, haves/have nots…)

According to Finnish security company F-Secure, patching 48.9% of all targeted attacks conducted this year involved a malicious PDF file attached to a legitimate-looking e-mail, a huge change from 2008, when PDFs made up just 28.6% of targeted attacks.

But security model of PDF encryption/protection is not going to change, [un]fortunately. It is still very easy to remove restrictions (from printing, copying etc) from PDF files. Moreover, Advanced PDF Password Recovery can clean PDF files from Form elements, digital signatures and JavaScript code (the last item is the most important, because the scripts inside PDFs may contain malicious code). The open password is harder to break: only if 40-bit encryption is used (obsolete, but still popular due to compatibility reasons), such protection can be removed almost instantly, thanks to Thunder Tables.

Better/improved encryption (128-bit RC4) has been introduced in Acrobat 5 a long time ago; in next version, AES encryption has been added — so only brute-force and dictionary attacks were applicable, and recovery speed was low. However, we have found that Adobe Acrobat 9 Is a Hundred Times Less Secure compared to version 8). Moreover, GPU acceleration is now possible, so achieving even better recovery speed.

Surprisingly, Adobe has responded in their blog: see Acrobat 9 and password encryption. Here is what they said:

The current specification for password-based 256-bit AES encryption in PDF provides greater performance than the previous 128-bit AES implementation.

First, that’s not true (if you don’t trust me, make some bench. Second, the encryption (of the file’s data) is not related to password verification routine. You can use the strongest zillion-bit algorithm, but simple and fast password checking function, and so passwords can be effectively cracked (well, recovered ) in a reasonable time.

Last but not least (also from Adobe’s blog):

256-bit AES encryption is widely known to be stronger than 128-bit AES.

Of course it is. But first, it’s a pure marketing issue: 128 bit is more than enough (well, for next dozen years). Second, the password is still the weakest link.

And so, the crucial difference between Advanced Office Password Recovery (AOPR) and Advanced Office Password Breaker (AOPB) lies in TIME needed for getting your data back.

The two programs have opposite approaches for decrypting the document contents. So, how do they work? Microsoft Office converts each password to its own encryption key. And so we can either search for the correct password itself or find the document encryption key. Accordingly, AOPR tries all possible passwords (using brute force/mask/dictionary attacks) to find the right one, whereas AOPB takes the document encryption key that you can use to decrypt the document and get your data back.

Since ElcomSoft developed special technology that uses precomputed tables for Word and Excel (Thunder Tables ™) with 40-bit encryption keys, it takes seconds to find Word and Excel encryption keys.

Find program differences reflected in the table:

You see, it’s all about time. If you have time, you can use AOPR to recover lost password. If you have no time, use AOPB and attack the encryption key and decrypt your document instantly.

Chief technology officer in D-link says: "We are excited to be the first in the market to implement captcha into our routers, providing yet another layer of security to our customers".

No doubt, captcha is a wonderful spam filter for mails and a reliable obstacle to unauthorized access in the web, but is it as good for routers as for the web? Dan Goodin from the Register says that SourceSec Security Research bloggers easily found a way to change router settings, even avoiding the necessity to pass the captcha test. The new feature still allows gaining password’s salted MD5 hash and captcha image’s input from the GetRequest. The Register (we too) suggest using strong passwords instead. And of course, you should take care about the strength of your WPA/WPA2 password as well; Elcomsoft Wireless Security Auditor will help.