In its next part about iTunes Backups Kiel touches upon Elcomsoft Phone Password Breaker which virtually crunches backup passwords at speed of 35000 passwords per second (with AMD Radeon HD 5970) using both brute force and dictionary attacks, here are some benchmarks.

It seems the paper does not miss out on any nuance about iOS 4 and provides practical advice to either avoid or prevent from the depressing outcomes, such as loss of data. Closer to the end of the paper you will also find several sagacious tips for using the devices within organizations, including passcode management, a so called “first line of defense” which according Kiel’s view “can be matched to existing password policies”, however he inclines to use passwords instead of 4 digit passcodes.

And in conclusion the author discovers that smartphone and tablet security measurements resemble the ones of laptops, because they all belong to mobile devices.  Find out more details in the source itself: http://www.sans.org/reading_room/whitepapers/pda/security-implications-ios_33724
 

Yesterday, we recovered login and password information to Internet Explorer only, but it was yesterday… Now, Mozilla Firefox, Apple Safari, Google Chrome and Opera Web browsers are at your disposal.

Let’s plunge into some figures…

Imagine, just a couple of years ago there was no Chrome at all and now it captivates more than 19% of users and is the third most popular Web browser. Safari appeared first in 2003 under Mac OS and in 2007 under Windows, now it’s the fourth popular Web browser.

A curious scene unfolds before us, IE is constantly losing its followers to the advantage of FireFox and rapidly spreading newcomers like Chrome. However, in spite of all these browser wars, any statistical data can only be relatively true and I’m sure we all use more than one Web browser (I use three at least).

Some of them are at hand because they are default browsers like Safari on iPhones and iPads, some of them are more convenient for Web designing, and some run under Linux and Mac OS X as well.

That’s why we decided to crack other browsers as well. BTW, our CTO Andy Malyshev claims that compared to IE 8 protection all the other browsers were just “a piece of cake”.

Just if you’re curious, different Web browsers store their data (including logins and passwords to web sites) in different formats. In Apple Safari, it is Property List (plist), in versions up to 3.x (incl.), that was just a plain XML which is easy to parse. In Safari 4 and 5, it is in binary form (though organized very similar internally). Encryption is done with DPAPI.

Mozilla Firefox: up to version 3.5, they stored everything in plain text; starting with version 3.5 – in SQLite databases. Everything is encrypted there (yes, in old text files, too) using their own API called Network Security Services (NSS).

In Google Chrome SQLite is used as a storage and DPAPI for encryption.

Opera: proprietary (binary) file format whereas encryption is done with DES.

Now it’s easy to get back account information, logins, passwords and cached forms in all browsers like IE, Apple Safari, Google Chrome, Opera, and Mozilla Firefox, as well as Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail.

However, there is a trick with Mozilla Firefox…if it has a master password, your only prey will be URLs, unless you know the required master password…OR have Elcomsoft Distributed Password Recovery which deals with such passwords.

One more trick with Firefox (quite a tricky browser, isn’t it?) is that unlike the others it should be installed itself, because EINPB refers to some of its dll-files.

As we’ve seen, the tendency is to use several browsers, or better said switching from IE to other ones, which implies some problems with switching some details (such as name, address, or whatever else) cached in your previous Web browser and happily forgotten. This is a frequent scenario – I personally found myself in similar situation a couple of days ago, when I had to reach an online account (which login and password are cached) from another browser and couldn’t…but my situation was even worse because I used different computers. Anyway, this won’t bother you anymore, because EINPB can pull all data from your old browser and gather it in one file. 

So, let us not dampen our joy over browser wars as they are not finished yet and appease our hunger for new browsers (?) We also get influenced by popular opinion, so tell us your browser preferences and maybe we’ll crack them too.

In his book Kevin insists that the best way to really understand how to protect your systems and assess their security is to think from a hacker’s viewpoint, get involved, learn how systems can be attacked, find and eliminate their vulnerabilities.  It all practically amounts to being inquisitive and focusing on real problems as in contrast to blindly following common security requirements without understanding what it’s all about.

Kevin extensively writes on the questions of cracking passwords and weak encryption implementations in widely used operating systems, applications and networks. He also suggests Elcomsoft software, in particular Advanced Archive Password Recovery, Elcomsoft Distributed Password Recovery, Elcomsoft System Recovery, Proactive Password Auditor, and Elcomsoft Wireless Security Auditor, as effective tools to regularly audit system security and close detected holes.

In this guide Kevin communicates the gravity of ethical hacking in very plain and clear words and gives step –by- step instructions to follow. He easily combines theory and praxis providing valuable tips and recommendations to assess and then improve security weaknesses in your systems.

We want to thank Kevin for testing and including our software in his very “digestible” beginner guide to hacking and recommend our readers this book as a helpful tool to get all facts in order.

Developing software for ATI cards is (okay — was) a nightmare. In 2009 ATI quietly introduced two changes in their drivers which made previously perfectly functional and compatible applications to crash (if you are curious: with Catalyst 9.2 or 9.3 they’ve changed names of supporting DLLs bundled with drivers; with Catalyst 9.9 or 9.10 they’ve probably changed format of underlying binary so that anything compiled and linked in with earlier versions caused a driver to crash).

Well, with the release of Catalyst 10.4 drivers ATI is again at it. This time problem only affects users who have display adapters from different vendors in their computer. Applications utilizing ATI Stream will work on such configurations just fine with Catalyst 10.3, but once you upgrade to 10.4, applications will crash with faulting module being aticaldd.dll, a part of ATI Display driver. Kinda embarrassing, I would say. Regression testing is really something one with millions of users should consider.

Users of our software relying on ATI hardware accelerations (as well as any other ATI Stream enabled applications) should not update to 10.4 if ATI Readeon is not the only card in their computer.

The brute-force attack consists of two parts:

1. Trying digits and latin letters
2. Trying national characters depending on code page set in Windows.

Before this time these parts were hardcoded in the program. The new version of Advanced Office Password Recovery has an option to customize the preliminary brute-force attack. 

Look to the directory where AOPR is installed. There is "attacks.xml" file inside. The first section of this file is the language map:

The codes are Windows language identifiers. You can link any LID to your custom name.

The next section contains predefined charsets:

All charsets are in unicode so you can define any national characters here.

And the final section is "documents". All parts of this section has comments about document types. You can define the "common" charsets and charsets that are related to system language. Each "attack" record defines password length and charset.

In this XML file you can simply change the standard preliminary attack and define the custom charsets for your language. I hope this will help to recover your Office passwords faster.

Well, that reminded me of a very funny stupid CAPSoff Campaign…

In brief, here is the "problem": for years (I think starting from Windows 3.0 released almost 20 years ago), the passwords are being masked as you type them (in most programs what have any kind of password protection, and an operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone who stands behind you.

An implementation is really simple: all you have to do is set the ES_PASSWORD style for the given Edit control.

Does that feature add some security? Yes, I think so. Though it does not protect from keyloggers. Besides, the content of the masked edit control (i.e. the password) can be easily read by other software: e.g. look at Behind asterisks feature available in Proactive System Password Recovery – with it, you can "unmask" all controls in all programs currently running, and even enable disabled (grayed out) buttons and menu items.

However, Nielsen says that password masking causes more errors, and second, even reduces the security. I can see the first point: yes, if you don’t see what you type, it is easier to make a typo. But all well-designed programs (like PGP) have an option to [un]mask the password field, or at least ask you to enter the password twice (I doubt you can make exactly the same typo two times).

The second point is much harder to understand:

"The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security."

True? Yes, definitely. But no connection to password masking. I don’t feel uncertain when entering something into the masked box, really. And most users select short/simple passwords anyway, and/or write them down – regardless the usability issues discussed here

I see another problem, though – related to non-US keyboards. You may have the keyboard layout switched to other (than default) language… Or the CapsLock switched on. However, well-designed systems will bring your attention about layout and CapsLock (e.g.: Windows logon prompt).

And finally… Most (if not all) email clients and instant messengers have an option to "remember" the passwords (and yes, it is convenient – you don’t have to enter it every time when you connect). And if the password is saved, you can see the asterisks only (in program options, or in ‘connection’ window), so you feel secure – someone who get the physical access to your computer will be able to get your mail and connect to your IM account, but cannot get your password. Right? Wrong. Unfortunately, most programs save the plaintext passwords, or use ‘snake-oil’ encryption, and so can be easily extracted by programs like Advanced Mailbox Password Recovery and Advanced IM Password Recovery. The only (good) exceptions are ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype – they save not the password itself, but its hash (which is really hard – and sometimes impossible – to recover the plaintext from). This (stroring the passwords) IS the real security problem. Password masking is NOT.

New statistics* shows disaster recovery (DR) is getting more attention, and more upper level execs become involved with DR issues. Ideally, each company should have an emergency plan in case of power/system failure, loss of access, outside attack, sabotage or else – called DRP (disaster recovery plan) or even DRRP (disaster response and recovery plan). DRP is only a part of risk management practices which ensure emergency preparedness and risk reduction and include such initiatives as regular data backups, stocking recovery software, archiving, etc. – these activities are reflected in PMI and NIST standards.

Contrary to risk management DRP is meant for providing clear-cut instructions in case of emergency, indicating activities required to recover the critical data or services and optionally people responsible for these activities (if not mentioned in other directives) , and thus should be clear and concise, take a look at the DRP diagram. There are two main recovery objectives.

First is the recovery time objective meaning how long a business can continue to function without the critical data or services. And the survey results* show the recovery time objectives are currently reduced to 4 hours.

Second one is the recovery point objective which stands for from what time can an organization recover damaged or lost data, which practically means how often an organization should back up their data and how much info they are prepared to lose. In this respect Symantec survey* demonstrates that more than a third of virtual environments do not back up their data on a regular basis, explaining this by absence of good automation.

In a disaster recovery situation a formula “time is money” gets its critical point, as you have limited time not only to restore and get in order your data, but also to find necessary means for this. Hopefully, the DRP specifies all necessary contacts and services to help you avoid taking unwise steps in a rush.

Another time-dependent problem appears to be testing and absence of necessary resources for regular tests. According to the report results the most popular reason why companies are unwilling to do testing is because of a lack of resources in terms of people’s time (48 % respondents)*.

Relying on their previous studies Symantec claims lack of resources is a general problem throughout many years. I agree with them that introducing tools for easy regular audit and recovery minimizes human involvement and reduces the need to turn to third party services. What I’m also driving at is that our tools are good both for regular password audit and urgent data recovery, e.g. Elcomsoft System Recovery or Advanced EFS Data Recovery.

*Symantec’s fifth annual IT Disaster Recovery survey

** The IT disaster recovery plan

I bet it was more than once that you had to fill out a sort of name-company-position-email-telephone-whatever form when registering or subscribing to something. Do you think about preserving privacy of your information when leaving such data on someone’s website? It is a common experience which gradually became an axiom that anything you leave in the Internet sooner or later becomes public. Hopefully you do not try your fortune and do not use your registration data anywhere in your passwords. Besides, when registering please be careful about your “secret questions” and your secret answers, because most of your answers (like mother’s maiden name, favorite football team…) can be guessed in different ways. 

The term phishing must be familiar to you as it became sort of buzz word, but still the meaning is that fake websites (usually copies of some popular existing ones) are being created to gather personal data like names, telephone numbers, e-mail addresses and sensitive information like passwords or credit card numbers. But they are not necessarily site-duplicates; it can be an absolutely new and original website which gathers users’ info under color of download resource or any service opportunity. 

There is no such term as overcautiousness regarding user authentication. A password like GxOxD#P$@$w0rD may be good enough for a PDF file with 128-bit encryption, but bad for an online account for several reasons: first, an online account password can be tried for any other your accounts and/or protected files (what if you used the same one?); second, you can easily forget such a difficult password yourself, while there is no need to make it so complex because there are no programs for online passwords’ recovery (provided they are not captured by the turned-on AutoComplete of your web browser, in this case our AIEPR easily finds it). Thus, a normal password for an online account could be like PisO’Kake!

What’s worth remembering is that in particular Internet systems (fortunately, their number seems to decrease, but still they are) your password is being sent through the Internet totally unprotected, which means it is not a problem to capture it. In such cases passwords’ managers like KeePass (keepass.info) can help – they keep passwords in an encrypted file, which opens only if you know master password and this one (contrary to online passwords) must be highly secure. 

Please be careful with your online passwords and make them different from those that you use for protecting your files. Again, remember everything you leave in the Internet is no longer yours, at least not only yours, this is the sad truth. 

To sum up, I’ve outlined some basic tips for online passwords: 

• They do not have to be as strong as offline passwords 
• They should not coincide with any other your passwords used in the Internet or elsewhere
• They should not be guessable after gathering info about you:
  1. never equal your personal info (name, birthday, car number, postal address…)
  2. never equal any general info about you (your likes/dislikes, haves/have nots…)

According to Finnish security company F-Secure, patching 48.9% of all targeted attacks conducted this year involved a malicious PDF file attached to a legitimate-looking e-mail, a huge change from 2008, when PDFs made up just 28.6% of targeted attacks.

But security model of PDF encryption/protection is not going to change, [un]fortunately. It is still very easy to remove restrictions (from printing, copying etc) from PDF files. Moreover, Advanced PDF Password Recovery can clean PDF files from Form elements, digital signatures and JavaScript code (the last item is the most important, because the scripts inside PDFs may contain malicious code). The open password is harder to break: only if 40-bit encryption is used (obsolete, but still popular due to compatibility reasons), such protection can be removed almost instantly, thanks to Thunder Tables.

Better/improved encryption (128-bit RC4) has been introduced in Acrobat 5 a long time ago; in next version, AES encryption has been added — so only brute-force and dictionary attacks were applicable, and recovery speed was low. However, we have found that Adobe Acrobat 9 Is a Hundred Times Less Secure compared to version 8). Moreover, GPU acceleration is now possible, so achieving even better recovery speed.

Surprisingly, Adobe has responded in their blog: see Acrobat 9 and password encryption. Here is what they said:

The current specification for password-based 256-bit AES encryption in PDF provides greater performance than the previous 128-bit AES implementation.

First, that’s not true (if you don’t trust me, make some bench. Second, the encryption (of the file’s data) is not related to password verification routine. You can use the strongest zillion-bit algorithm, but simple and fast password checking function, and so passwords can be effectively cracked (well, recovered ) in a reasonable time.

Last but not least (also from Adobe’s blog):

256-bit AES encryption is widely known to be stronger than 128-bit AES.

Of course it is. But first, it’s a pure marketing issue: 128 bit is more than enough (well, for next dozen years). Second, the password is still the weakest link.