REcon 2013: Breaking Apple iCloud

July 3rd, 2013 by Oleg Afonin

I’ve just returned from REcon 2013 held in Montreal, where I talked about breaking iCloud services (everyone: the slides from that presentation are available right here, and the organizers promised a video soon). I spoke about WHY breaking the iCloud, HOW we did it and WHO can use it. I can briefly stop here, and elaborate the points.

Apparently, more than half of REcon participants are using iPhones (I asked). Some of them are even making backups. And some of those who make backups do them over the iCloud. Now that’s a good reason to want to break in, isn’t it? :)

REcon2013

So then I talked a little about how we did it. We used the classic man-in-the-middle attack, intruding into the private domain of a doomed electronic device bought in the nearest iStore on a cold Russian night… Well, except for the “night” part, it was exactly like that.

And then we discussed a little about who can use our tools. “Is it legal?” I expected that question. Always asked, even at underground hackers’ meetings. Well, it’s certainly legal in Russia, and none of our US customers complained either. I mean, we have US Secret Services, the FBI, Army and Navy and multiple police departments all over the US and Canada as our valued customers, and they never suggested we’re doing something wrong, so it must be legal. Right?

Montreal

Montreal is a beautiful city. Loved it! The old town, the pier, the underground city… it’s vivid and relaxed, old and modern at the same time. It so happened they hosted a French music festival right at the doorsteps of our hotel (the 25th FrancoFolies), so I enjoyed a beautiful city during the day and relaxed to wonderful music at night. I’ll be sure to put Montreal onto a shortlist when planning my next trip!

ElcomSoft at CEIC 2013: Kindle Fire HD Hunt Succeeded

June 13th, 2013 by Olga Koksharova

The CEIC 2013 conference is over. We were happy to connect with our partners and customers at our booth during the show hours. We’d like to thank everyone who stopped by, and give our special thanks to those providing valuable feedback and suggestion on our products. (To those who wanted to see our tools settled under a single roof: we’re working on it!)

Elcomsoft booth

Ecomsoft table

IMG_1757

The Contest

At our booth, we had a Treasury Chest raffle demonstrating the concept of brute force recovery. Visitors were asked to unlock a chest by trying three keys one after another. The tricky part: a bowl with a thousand keys only had a single real thing. The chance of winning now seems pretty slim, does it not? Well, we are happy to tell that both prizes were won!

Elcomsoft contest

The first prize, Kindle Fire HD, went to Calgary, Canada. The second Kindle Fire HD went to Alabama. Congratulations to both winners!

Unknown-1

 

The Feedback

We received lots of valuable feedback from our customers and resellers. Rest assured we’ll be working hard to implement these suggestions!

See You Next Year at CEIC 2014!

Meet us next year in Las Vegas during CEIC 2014 show at booth #212! It’s too early to book a flight yet, but make sure to mark the dates: May 19-22, 2014!

Apple Two-Factor Authentication and the iCloud

May 30th, 2013 by Vladimir Katalov

Some time ago, I wrote a blog post on hacked Yahoo!, Dropbox and Battle.net accounts, and how this can start a chain reaction. Companies seem to begin recognizing the threat, and are starting to protect their customers with today’s cutting edge security: two-factor authentication.

A word on two-factor authentication. In Europe, banks and financial institutions have been doing this for decades. Clients needed to enter an extra piece of information from a trusted media in addition to their account credentials in order to authorize a transaction such as transferring money out of their account. For many years, bank used printed lists of numbered passcodes serving as Transaction Authentication Numbers (TAN). When attempting to transfer money out of your bank account, you would be asked to enter a passcode number X. If you did not come up with the right code, the transfer would not execute. There are alternatives to printed TAN’s such as single-use passwords sent via a text message to a trusted mobile number or interactive TANs generated with a trusted crypto token or a software app installed onto a trusted phone.

Online services such as Microsoft or Google implement two-factor authentication in a different manner, asking their customers to come up with a second piece of an ID when attempting to access their services from a new device. This is supposed to prevent anyone stealing your login and password information from gaining access to your account from devices other than your own, verified PC, phone or tablet.

The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage. Passwords are way too easy to compromise. Social engineering, keyloggers, trojans, password re-use and other factors contribute to the number of accounts compromised every month. An extra step in the authorization process involving a trusted device makes hackers lives extremely tough.

At this very moment, two-step authentication is being implemented by major online service companies. Facebook, Google and Microsoft already have it. Twitter is ‘rolling out two-factor authentication too.

A recent story about a journalist’s Google, Twitter and Apple accounts compromised and abused seems to have Apple started on pushing its own implementation of two-factor authentication.

Two-Factor Authentication: The Apple Way

Apple’s way of doing things is… different. Let’s look at their implementation of two-factor authentication.

Read the rest of this entry »


iCloud backups inside out

February 25th, 2013 by Vladimir Katalov

It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly from users without any experience in using iOS devices and so have no idea what iCloud backups actually are, I guess), saying that there is nothing really new or interesting there, because anyone with Apple ID and password can access the data stored in iCloud backup anyway.

Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular) you will find some useful tips for future interaction with iCloud, or even if you don’t have an iOS device (you loser! just kidding :)) please go ahead and learn how iCloud can be helpful and dangerous at the same time. Read the rest of this entry »


iCloud: Making Users Spy on Themselves

February 21st, 2013 by Vladimir Katalov

Apple iCloud is a popular service providing Apple users the much needed backup storage space. Using the iCloud is so simple and unobtrusive that more than 190 million customers (as of November, 2012) are using the service on regular basis.

Little do they know. The service opens governments a back door for spying on iOS users without them even knowing. ElcomSoft researchers discovered that information stored in the iCloud can be retrieved by anyone without having access to a physical device, provided that the original Apple ID and password are known. The company even built the technology for accessing this information in one of its mobile forensic products, Elcomsoft Phone Password Breaker, allowing investigators accessing backup copies of the phone’s content via iCloud services.

Read the rest of this entry »


Yahoo!, Dropbox and Battle.net Hacked: Stopping the Chain Reaction

February 14th, 2013 by Vladimir Katalov

Major security breaches occur in quick succession one after another. Is it a chain reaction? How do we stop it?

  • January 2012: Zappos hacked, 24 million accounts accessed
  • June 2012: 6.5 Million encrypted LinkedIn passwords leaked online
  • July 2012: 420,000 Formspring passwords compromised in security breach
  • July 2012: Yahoo! Mail hacked
  • August 2012: Dropbox hacked, user accounts database leaked.
  • August 2012: Blizzard Battle.net hacked, user accounts leaked.
  • September 2012: Private BitTorrent tracker hacked, passwords leaked by Afghani hackers
  • September 2012: Over 30,000 usernames and passwords leaked from private torrent tracker RevolutionTT
  • September 2012: IEEE admits password leak, says problem fixed
  • November 2012: Adobe Connect Security Breach Exposes Personal Data of 150K Users
  • November 2012: Security breach hits Amazon.co.uk , 628 user id and password leaked
  • November 2012: Anonymous claims they hacked PayPal’s servers, leaks thousands of passwords online
  • December 2012: 100 million usernames and passwords compromised in a massive hack of multiple popular Chinese Web sites
  • January 2013: Yahoo! Mail hacked (again).
  • February 2013: Twitter breach leaks emails, passwords of 250,000 users
Read the rest of this entry »

Norwegian Teenagers Hacking iCloud Accounts

February 7th, 2013 by Olga Koksharova

A few days ago, we received the following communication from an obsessed password researcher and our long-standing friend (quoted with his permission):

There are reports in some of the largest newspapers here in Norway of teenagers (or young male adults) hacking Apple accounts of teenage girls through the “lost password” function by correctly answering the reset questions such as the victims’ names and  birthdates. I’ve found at least one who is using Elcomsoft Phone Password Breaker to illegally download and extract images & videos of teenage girls like this, and then offering them for sale online.

Due to laws and regulations, it is hard for the police to investigate these cases (logs that connect people to IP addresses are only stored for 21 days at ISPs here).

Relevant news stories (in Norwegian, use google translate):

http://www.aftenposten.no/okonomi/Stjeler-bilder-av-unge-jenter-fra-Apples-nettsky-7109783.html

http://www.aftenposten.no/okonomi/Sporet-nettkriminell-til-liten-nytte-7110318.html

Example forum where this is being discussed:

www.anonib.com/nor/res/14621.html
<…>

Perhaps I could get a statement from you/Elcomsoft on this, and that you/I will offer our assistance to the Norwegian police if needed?

 

This news is disturbing. We’re always concerned when our products end up in the wrong hands. Elcomsoft works in IT security for more than 15 years already and it has always been our aim to explain users hidden rocks, and we are always assist law enforcement in their workflow both with our tools and our advice.

However, the bad guys can also take advantage of available tools – including tools made by our company. We have to admit that that once you let the genie out of the bottle there’s no way back.

We are concerned and very disappointed with what has happened in this very case. If only we could, we’d be happy to help users safeguard their iCloud accounts against this type of attack. Unfortunately, Apple has an inherent problem at the level of data authentication, so there’s actually very little that can be done except not using the iCloud at all or faking registration details with Apple.

iCloud stores huge amounts of information. Access to this information is provided to either iOS devices linked to the account, or to anyone who uses a Web browser and supplies the correct Apple ID and password. Of course there is also transport layer security (via the use of HTTPS communication protocol), and only three attempts to enter a password are allowed before the account is locked. But this is nothing more than anyone does. Here at ElcomSoft, we strongly believe that outsourcing the storage of personal information to a cloud bears significant risks. It is essential for the consumer to understand exactly the risks involved. Many corporations with concise security policies already ban cloud storages such as Apple iCloud from their networks (e.g. IBM).

As for Elcomsoft Phone Password Breaker, the tool is most definitely not intended to commit crime. The use of the tool requires the correct user credentials (Apple ID and password) and/or the device itself in order to get access to the data. Unfortunately, it is difficult to stop intruders from exploiting all the tools available to forensic and law enforcement customers to extract as much data as they can.

In this particular case, what seems to be happening is teenage hackers are using their classmates’ names, dates of birth and answers to “secret” questions to “recover” (or, actually, reset) their iCloud passwords. This type of attack is called “social engineering”, and it does not take much for teenagers to guess (or know) the answer to teenage girls’ “security” questions.

Due to what’s been done, the usual advice of “choosing a long, complex password” and “not sharing it with strangers” will not work, as the vulnerability targeted here lies in the way Apple authenticates account holders.

Our recommendations here could be as follows. iPhone and iPad users should be doing the following from the very beginning:

  1. Avoid using iCloud services to back up information from the phone. As ElcomSoft demonstrated multiple times, information stored in the iCloud is NOT secure, and is prone to eavesdropping and spying upon without the user even knowing.
  2. Choose secure verification questions *and* provide unexpected or illogical answers. This will make it difficult for anyone to “recover” your password by guessing the right answer.
  3. Choose a secure device password, a long and complex one, which is NOT a 4 digit passcode which can be cracked within half an hour, the longer password the better – train your memory if you want to keep your privacy! Brute forcing the device password is very slow which makes a real problem for the intruder, if it’s long.
  4. Choose a secure Apple ID password, long and complex. Never key in your Apple ID on laptops and computers you don’t trust and even if you do so, make sure the computer is totally under your control which practically means never leaving it unprotected or unattended.
  5. Choose login names that aren’t obvious, which is not your name and surname in all their variations. This will make it harder to guess.
  6. Never use the same password as one protecting your email account!
  7. Link your Apple ID account only to an e-mail account also protected with a secure password and control questions with unexpected answers.
  8. Never re-use passwords, this is extremely dangerous thing today, when new databases with passwords are made public after every new hack.
  9. Do not jailbreak your iPhone unless you clearly understand all consequences. Why should you willingly unsecure it?
  10. Finally, do not use iCloud.

We regularly hear most people care about security only when it touches their financial side of life. However, today in the age of information technologies losing one’s identity may lead to a number of sequential mischiefs, as a lot of information is interconnected and its threads are running to numerous endpoints that are not always securely protected. Unfortunately, security and convenience don’t walk together, so you have to balance between security and convenience.

ElcomSoft Breaks Passwords Faster with NVIDIA Tesla K20 Acceleration

February 5th, 2013 by Olga Koksharova

We have just updated Advanced Office Password Recovery and Distributed Password Recovery with NVIDIA Tesla K20 support, enabling world’s fastest password recovery with NVIDIA’s latest supercomputing platform. Elcomsoft Advanced Office Password Recovery removes document restrictions and recovers passwords protecting Microsoft Office documents, while Elcomsoft Distributed Password Recovery can quickly break a wide range of passwords on multiple workstations with near zero scalability overhead.

GPU-accelerated password recovery dramatically reduces the time required to break long and complex passwords, offering more than 20-fold performance gain over CPU-only operations (compared to a quad-core Intel i7 CPU). NVIDIA’s latest Tesla K20 platform further increases the performance, delivering a nearly 1.5x performance increase compared to the use of a dual-core NVIDIA GeForce GTX 690 board.

A workstation equipped with an NVIDIA Tesla K20 unit can crunch as many as 27500 Office 2007 passwords per second, or 13500 passwords per second in the case of Microsoft Office 2010. In comparison, the next-best solution, a dual-core GeForce GTX 690 board, can try some 19000 Office 2007 or 9000 Office 2010 passwords per second.

The updated Elcomsoft Advanced Office Password Recovery and Elcomsoft Distributed Password Recovery now fully support the latest NVIDIA supercomputing hardware, enabling users to gain unrestricted access to many types of documents in far less time.

Déjà vu

December 24th, 2012 by Vladimir Katalov

The story about PGP becomes really funny.

Three and a half years ago (in April 2009) our company took part in InfoSecurity Europe in London. I should confess that London is one of my favourite cities; besides, I love events on security — so that I was really enjoying that trip (with my colleagues). But something happened.

Read the rest of this entry »


ElcomSoft Decrypts BitLocker, PGP and TrueCrypt Containers

December 20th, 2012 by Vladimir Katalov

BitLocker, PGP and TrueCrypt set industry standard in the area of whole-disk and partition encryption. All three tools provide strong, reliable protection, and offer a perfect implementation of strong crypto.

Normally, information stored in any of these containers is impossible to retrieve without knowing the original plain-text password protecting the encrypted volume. The very nature of these crypto containers suggests that their target audience is likely to select long, complex passwords that won’t be easy to guess or brute-force. And this is exactly the weakness we’ve targeted in our new product: Elcomsoft Forensic Disk Decryptor.

The Weakness of Crypto Containers

The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool. Such as Elcomsoft Forensic Disk Decryptor.

Retrieving Decryption Keys

In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack. If the computer is off, Elcomsoft Forensic Disk Decryptor can retrieve decryption keys from a hibernation file. It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.

“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”

It is essential to note that Elcomsoft Forensic Disk Decryptor extracts all the keys from a memory dump at once, so if there is more than one crypto container in the system, there is no need to re-process the memory dump.

Using forensic software for taking snapshots of computers’ memory is nothing new. The FireWire attack method existed for many years, but for some reason it’s not widely known. This method is described in detail in many sources such as http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation

The FireWire attack method is based on a known security issue that impacts FireWire / i.LINK / IEEE 1394 links. One can take direct control of a PC or laptop operating memory (RAM) by connecting through a FireWire. After that, grabbing a full memory dump takes only a few minutes. What made it possible is a feature of the original FireWide/IEEE 1394 specification allowing unrestricted access to PC’s physical memory for external FireWire devices. Direct Memory Access (DMA) is used to provide that access. As this is DMA, the exploit is going to work regardless of whether the target PC is locked or even logged on. There’s no way to protect a PC against this threat except explicitly disabling FireWire drivers. The vulnerability exists for as long as the system is running. There are many free tools available to carry on this attack, so Elcomsoft Forensic Disk Decryptor does not include a module to perform one.

If the computer is turned off, there are still chances that the decryption keys can be retrieved from the computer’s hibernation file. Elcomsoft Forensic Disk Decryptor comes with a module analyzing hibernation files and retrieving decryption keys to protected volumes.

Complete Decryption and On-the-Fly Access

With decryption keys handy, Elcomsoft Forensic Disk Decryptor can go ahead and unlock the protected disks. There are two different modes available. In complete decryption mode, the product will decrypt everything stored in the container, including any hidden volumes. This mode is useful for collecting the most evidence, time permitting.

In real-time access mode, Elcomsoft Forensic Disk Decryptor mounts encrypted containers as drive letters, enabling quick random access to encrypted data. In this mode files are decrypted on-the-fly at the time they are read from the disk. Real-time access comes handy when investigators are short on time (which is almost always the case).

We are also adding True Crypt and Bitlocker To Go plugins to Elcomsoft Distributed Password Recovery, enabling the product to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.

Unique Features

The unique feature of Elcomsoft Forensic Disk Decryptor is the ability to mount encrypted disks as a drive letter, using any and all forensic tools to quickly access the data. This may not seem secure, and may not be allowed by some policies, but sometimes the speed and convenience is everything. When you don’t have the time to spend hours decrypting the entire crypto container, simply mount the disk and run your analysis tools for quick results!

More Information

More information about Elcomsoft Forensic Disk Decryptor is available on the official product page at http://www.elcomsoft.com/efdd.html

RSS for posts
RSS for comments
Subscribe
ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter
    follow me on Twitter