Soon after releasing the updated version of iOS Forensic Toolkit we started receiving questions about the new product. Did we really break iPhone 5? Does it truly work? Are there limitations, and what can you do about them? We decided to assemble all these questions into a small FAQ. If you’d rather read the full, more technical version of this FAQ, visit the following page instead: Elcomsoft iOS Forensic Toolkit FAQ. Those with non-technical background please read along.
|July 17th, 2013 by Vladimir Katalov|
|July 3rd, 2013 by Oleg Afonin|
I’ve just returned from REcon 2013 held in Montreal, where I talked about breaking iCloud services (everyone: the slides from that presentation are available right here, and the organizers promised a video soon). I spoke about WHY breaking the iCloud, HOW we did it and WHO can use it. I can briefly stop here, and elaborate the points.
Apparently, more than half of REcon participants are using iPhones (I asked). Some of them are even making backups. And some of those who make backups do them over the iCloud. Now that’s a good reason to want to break in, isn’t it?
So then I talked a little about how we did it. We used the classic man-in-the-middle attack, intruding into the private domain of a doomed electronic device bought in the nearest iStore on a cold Russian night… Well, except for the “night” part, it was exactly like that.
And then we discussed a little about who can use our tools. “Is it legal?” I expected that question. Always asked, even at underground hackers’ meetings. Well, it’s certainly legal in Russia, and none of our US customers complained either. I mean, we have US Secret Services, the FBI, Army and Navy and multiple police departments all over the US and Canada as our valued customers, and they never suggested we’re doing something wrong, so it must be legal. Right?
Montreal is a beautiful city. Loved it! The old town, the pier, the underground city… it’s vivid and relaxed, old and modern at the same time. It so happened they hosted a French music festival right at the doorsteps of our hotel (the 25th FrancoFolies), so I enjoyed a beautiful city during the day and relaxed to wonderful music at night. I’ll be sure to put Montreal onto a shortlist when planning my next trip!
|June 13th, 2013 by Olga Koksharova|
The CEIC 2013 conference is over. We were happy to connect with our partners and customers at our booth during the show hours. We’d like to thank everyone who stopped by, and give our special thanks to those providing valuable feedback and suggestion on our products. (To those who wanted to see our tools settled under a single roof: we’re working on it!)
At our booth, we had a Treasury Chest raffle demonstrating the concept of brute force recovery. Visitors were asked to unlock a chest by trying three keys one after another. The tricky part: a bowl with a thousand keys only had a single real thing. The chance of winning now seems pretty slim, does it not? Well, we are happy to tell that both prizes were won!
The first prize, Kindle Fire HD, went to Calgary, Canada. The second Kindle Fire HD went to Alabama. Congratulations to both winners!
We received lots of valuable feedback from our customers and resellers. Rest assured we’ll be working hard to implement these suggestions!
See You Next Year at CEIC 2014!
Meet us next year in Las Vegas during CEIC 2014 show at booth #212! It’s too early to book a flight yet, but make sure to mark the dates: May 19-22, 2014!
|May 30th, 2013 by Vladimir Katalov|
Some time ago, I wrote a blog post on hacked Yahoo!, Dropbox and Battle.net accounts, and how this can start a chain reaction. Companies seem to begin recognizing the threat, and are starting to protect their customers with today’s cutting edge security: two-factor authentication.
A word on two-factor authentication. In Europe, banks and financial institutions have been doing this for decades. Clients needed to enter an extra piece of information from a trusted media in addition to their account credentials in order to authorize a transaction such as transferring money out of their account. For many years, bank used printed lists of numbered passcodes serving as Transaction Authentication Numbers (TAN). When attempting to transfer money out of your bank account, you would be asked to enter a passcode number X. If you did not come up with the right code, the transfer would not execute. There are alternatives to printed TAN’s such as single-use passwords sent via a text message to a trusted mobile number or interactive TANs generated with a trusted crypto token or a software app installed onto a trusted phone.
Online services such as Microsoft or Google implement two-factor authentication in a different manner, asking their customers to come up with a second piece of an ID when attempting to access their services from a new device. This is supposed to prevent anyone stealing your login and password information from gaining access to your account from devices other than your own, verified PC, phone or tablet.
The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage. Passwords are way too easy to compromise. Social engineering, keyloggers, trojans, password re-use and other factors contribute to the number of accounts compromised every month. An extra step in the authorization process involving a trusted device makes hackers lives extremely tough.
At this very moment, two-step authentication is being implemented by major online service companies. Facebook, Google and Microsoft already have it. Twitter is ‘rolling out two-factor authentication too.
A recent story about a journalist’s Google, Twitter and Apple accounts compromised and abused seems to have Apple started on pushing its own implementation of two-factor authentication.
Two-Factor Authentication: The Apple Way
Apple’s way of doing things is… different. Let’s look at their implementation of two-factor authentication.
|February 25th, 2013 by Vladimir Katalov|
It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly from users without any experience in using iOS devices and so have no idea what iCloud backups actually are, I guess), saying that there is nothing really new or interesting there, because anyone with Apple ID and password can access the data stored in iCloud backup anyway.
Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular) you will find some useful tips for future interaction with iCloud, or even if you don’t have an iOS device (you loser! just kidding :)) please go ahead and learn how iCloud can be helpful and dangerous at the same time. Read the rest of this entry »
|February 21st, 2013 by Vladimir Katalov|
Apple iCloud is a popular service providing Apple users the much needed backup storage space. Using the iCloud is so simple and unobtrusive that more than 190 million customers (as of November, 2012) are using the service on regular basis.
Little do they know. The service opens governments a back door for spying on iOS users without them even knowing. ElcomSoft researchers discovered that information stored in the iCloud can be retrieved by anyone without having access to a physical device, provided that the original Apple ID and password are known. The company even built the technology for accessing this information in one of its mobile forensic products, Elcomsoft Phone Password Breaker, allowing investigators accessing backup copies of the phone’s content via iCloud services.
|February 14th, 2013 by Vladimir Katalov|
Major security breaches occur in quick succession one after another. Is it a chain reaction? How do we stop it?
- January 2012: Zappos hacked, 24 million accounts accessed
- June 2012: 6.5 Million encrypted LinkedIn passwords leaked online
- July 2012: 420,000 Formspring passwords compromised in security breach
- July 2012: Yahoo! Mail hacked
- August 2012: Dropbox hacked, user accounts database leaked.
- August 2012: Blizzard Battle.net hacked, user accounts leaked.
- September 2012: Private BitTorrent tracker hacked, passwords leaked by Afghani hackers
- September 2012: Over 30,000 usernames and passwords leaked from private torrent tracker RevolutionTT
- September 2012: IEEE admits password leak, says problem fixed
- November 2012: Adobe Connect Security Breach Exposes Personal Data of 150K Users
- November 2012: Security breach hits Amazon.co.uk , 628 user id and password leaked
- November 2012: Anonymous claims they hacked PayPal’s servers, leaks thousands of passwords online
- December 2012: 100 million usernames and passwords compromised in a massive hack of multiple popular Chinese Web sites
- January 2013: Yahoo! Mail hacked (again).
- February 2013: Twitter breach leaks emails, passwords of 250,000 users
|February 7th, 2013 by Olga Koksharova|
A few days ago, we received the following communication from an obsessed password researcher and our long-standing friend (quoted with his permission):
There are reports in some of the largest newspapers here in Norway of teenagers (or young male adults) hacking Apple accounts of teenage girls through the “lost password” function by correctly answering the reset questions such as the victims’ names and birthdates. I’ve found at least one who is using Elcomsoft Phone Password Breaker to illegally download and extract images & videos of teenage girls like this, and then offering them for sale online.
Due to laws and regulations, it is hard for the police to investigate these cases (logs that connect people to IP addresses are only stored for 21 days at ISPs here).
Relevant news stories (in Norwegian, use google translate):
Example forum where this is being discussed:
Perhaps I could get a statement from you/Elcomsoft on this, and that you/I will offer our assistance to the Norwegian police if needed?
This news is disturbing. We’re always concerned when our products end up in the wrong hands. Elcomsoft works in IT security for more than 15 years already and it has always been our aim to explain users hidden rocks, and we are always assist law enforcement in their workflow both with our tools and our advice.
However, the bad guys can also take advantage of available tools – including tools made by our company. We have to admit that that once you let the genie out of the bottle there’s no way back.
We are concerned and very disappointed with what has happened in this very case. If only we could, we’d be happy to help users safeguard their iCloud accounts against this type of attack. Unfortunately, Apple has an inherent problem at the level of data authentication, so there’s actually very little that can be done except not using the iCloud at all or faking registration details with Apple.
iCloud stores huge amounts of information. Access to this information is provided to either iOS devices linked to the account, or to anyone who uses a Web browser and supplies the correct Apple ID and password. Of course there is also transport layer security (via the use of HTTPS communication protocol), and only three attempts to enter a password are allowed before the account is locked. But this is nothing more than anyone does. Here at ElcomSoft, we strongly believe that outsourcing the storage of personal information to a cloud bears significant risks. It is essential for the consumer to understand exactly the risks involved. Many corporations with concise security policies already ban cloud storages such as Apple iCloud from their networks (e.g. IBM).
As for Elcomsoft Phone Password Breaker, the tool is most definitely not intended to commit crime. The use of the tool requires the correct user credentials (Apple ID and password) and/or the device itself in order to get access to the data. Unfortunately, it is difficult to stop intruders from exploiting all the tools available to forensic and law enforcement customers to extract as much data as they can.
In this particular case, what seems to be happening is teenage hackers are using their classmates’ names, dates of birth and answers to “secret” questions to “recover” (or, actually, reset) their iCloud passwords. This type of attack is called “social engineering”, and it does not take much for teenagers to guess (or know) the answer to teenage girls’ “security” questions.
Due to what’s been done, the usual advice of “choosing a long, complex password” and “not sharing it with strangers” will not work, as the vulnerability targeted here lies in the way Apple authenticates account holders.
Our recommendations here could be as follows. iPhone and iPad users should be doing the following from the very beginning:
- Avoid using iCloud services to back up information from the phone. As ElcomSoft demonstrated multiple times, information stored in the iCloud is NOT secure, and is prone to eavesdropping and spying upon without the user even knowing.
- Choose secure verification questions *and* provide unexpected or illogical answers. This will make it difficult for anyone to “recover” your password by guessing the right answer.
- Choose a secure device password, a long and complex one, which is NOT a 4 digit passcode which can be cracked within half an hour, the longer password the better – train your memory if you want to keep your privacy! Brute forcing the device password is very slow which makes a real problem for the intruder, if it’s long.
- Choose a secure Apple ID password, long and complex. Never key in your Apple ID on laptops and computers you don’t trust and even if you do so, make sure the computer is totally under your control which practically means never leaving it unprotected or unattended.
- Choose login names that aren’t obvious, which is not your name and surname in all their variations. This will make it harder to guess.
- Never use the same password as one protecting your email account!
- Link your Apple ID account only to an e-mail account also protected with a secure password and control questions with unexpected answers.
- Never re-use passwords, this is extremely dangerous thing today, when new databases with passwords are made public after every new hack.
- Do not jailbreak your iPhone unless you clearly understand all consequences. Why should you willingly unsecure it?
- Finally, do not use iCloud.
We regularly hear most people care about security only when it touches their financial side of life. However, today in the age of information technologies losing one’s identity may lead to a number of sequential mischiefs, as a lot of information is interconnected and its threads are running to numerous endpoints that are not always securely protected. Unfortunately, security and convenience don’t walk together, so you have to balance between security and convenience.
|February 5th, 2013 by Olga Koksharova|
We have just updated Advanced Office Password Recovery and Distributed Password Recovery with NVIDIA Tesla K20 support, enabling world’s fastest password recovery with NVIDIA’s latest supercomputing platform. Elcomsoft Advanced Office Password Recovery removes document restrictions and recovers passwords protecting Microsoft Office documents, while Elcomsoft Distributed Password Recovery can quickly break a wide range of passwords on multiple workstations with near zero scalability overhead.
GPU-accelerated password recovery dramatically reduces the time required to break long and complex passwords, offering more than 20-fold performance gain over CPU-only operations (compared to a quad-core Intel i7 CPU). NVIDIA’s latest Tesla K20 platform further increases the performance, delivering a nearly 1.5x performance increase compared to the use of a dual-core NVIDIA GeForce GTX 690 board.
A workstation equipped with an NVIDIA Tesla K20 unit can crunch as many as 27500 Office 2007 passwords per second, or 13500 passwords per second in the case of Microsoft Office 2010. In comparison, the next-best solution, a dual-core GeForce GTX 690 board, can try some 19000 Office 2007 or 9000 Office 2010 passwords per second.
The updated Elcomsoft Advanced Office Password Recovery and Elcomsoft Distributed Password Recovery now fully support the latest NVIDIA supercomputing hardware, enabling users to gain unrestricted access to many types of documents in far less time.
|December 24th, 2012 by Vladimir Katalov|
The story about PGP becomes really funny.
Three and a half years ago (in April 2009) our company took part in InfoSecurity Europe in London. I should confess that London is one of my favourite cities; besides, I love events on security — so that I was really enjoying that trip (with my colleagues). But something happened.