When more security results in less security…

I read an article that famed cryptographers at Elcomsoft have discovered a method to brute force RIM BlackBerry device passwords.  Usually a BlackBerry will only allow 10 failed password attempts before wiping the device.  Elcomsoft discovered that if a user enables media card encryption, an unlimited offline password attack can be performed against the media card, bypassing the 10-guess restriction.

Scary stuff…  I’m a user with Media Card Encryption enabled.  Do I disable encryption OR permanently solder the media card in place so it can’t be removed?

From Computer World:

“A Russian security company upgraded a phone-password cracking suite with the ability to figure out the master device password for Research in Motion’s BlackBerry devices. Elcomsoft said September 29 that before it developed the product, it was believed there was no way to figure out a device password on a BlackBerry smartphone or PlayBook tablet. BlackBerry smartphones are configured to wipe all data on the phone if a password is typed incorrectly 10 times in a row, the company said. Elcomsoft said it figured a way around the problem using a BlackBerry’s removable media card, but only if a user has configured their smartphone in a certain way. For the software to be successful, a user must have enabled the feature to encrypt data on the media card. The feature is disabled by default, but Elcomsoft said about 30 percent of BlackBerry users have it enabled for extra security. The company’s software can then analyze the encrypted media card and use a brute-force method to figure out a password. Elcomsoft said it can recover a seven-character password in less than an hour if the password is all lower-case or all capital letters. The software does not need access to the actual BlackBerry device but just the encrypted media card. The new feature is wrapped into Elcomsoft’s Phone Password Breaker. The software can also recover plain-text passwords used to access encrypted backup files for Apple’s iPhone, iPad, and iPod Touch devices. To crack those passwords, a user does need to have the Apple device in hand.”

Read the full article here at Computer World.

How Big is Your Haystack?

I’m not the world’s biggest fan of Steve Gibson and his Security Now! podcast.  Recently someone notified me of a neat website that Mr. Gibson created.  The website, which he calls Haystack, is a ‘brute force search space calculator’.

So what IS the “Search Space Calculator”?

This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths. The calculator then puts the resulting large numbers (with lots of digits or large powers of ten) into a real world context of the time that would be required (assuming differing search speeds) to exhaustively search every password up through that length, assuming the use of the chosen alphabet.
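The arithmetic behind such a calculator, as an added Python example (not code from the Haystack site or from Elcomsoft), contrasting what a 10-guess wipe limit allows with an uncapped offline search. The 94-character printable-ASCII alphabet, the 2,500,000 guesses-per-second rate and the sample passwords are assumptions made for illustration, and the model assumes the search covers exactly the character classes the password uses.

```python
import string

# Character classes modelled here: printable ASCII without space (assumption).
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}

def alphabet_size(password):
    """Size of the union of the character classes the password draws from."""
    used = set()
    for ch in password:
        name = next((n for n, chars in CLASSES.items() if ch in chars), None)
        if name is None:
            raise ValueError(f"{ch!r} is outside the modelled alphabet")
        used.add(name)
    return sum(len(CLASSES[n]) for n in used)

def search_space(alphabet, length):
    """Number of passwords of every length from 1 up through `length`."""
    return sum(alphabet ** k for k in range(1, length + 1))

def seconds_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time for an exhaustive offline search at a fixed rate."""
    return search_space(alphabet, length) / guesses_per_second

def chance_within_attempts(alphabet, length, attempts):
    """Odds of a hit when a lockout or wipe counter caps the guesses."""
    return min(1.0, attempts / search_space(alphabet, length))

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    OFFLINE_RATE = 2_500_000  # guesses/second, assumed for illustration
    WIPE_LIMIT = 10           # failed attempts before the device wipes
    for pw in ("qwertyu", "Qw3rty!uiop#"):  # constructed sample passwords
        n, length = alphabet_size(pw), len(pw)
        print(f"{length} chars over {n} symbols: "
              f"{search_space(n, length):.3e} candidates, "
              f"{chance_within_attempts(n, length, WIPE_LIMIT):.1e} odds in "
              f"{WIPE_LIMIT} guesses, "
              f"{humanize(seconds_to_exhaust(n, length, OFFLINE_RATE))} offline")
```

At the assumed rate, the seven-character lower-case case is exhausted in under an hour, while the same attacker held to 10 guesses has roughly a one-in-a-billion chance.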

 

The Power of GPUs

There’s been a lot of talk recently about using graphics processing units (GPUs) to crack passwords.  This was due to a recent paper published by researchers from the Georgia Tech Research Institute.  Long story short: make sure your passwords are now a minimum of 12 characters in length.  Optimally, you should choose passwords from a universe of 4 character sets (Uppercase, lowercase, numbers, spec!al ch@racters).

One of the GTRI researchers who authored the paper was interviewed on the Cyber Jungle SU Root #164. The audio file is 25 minutes long.

On another note, the alternative uses of GPUs won’t be going away anytime soon but could be renamed.  Both large chip makers, AMD and Intel, are working on or have already released hybrid CPU/GPU chips.  Read more here.

 

TrueCrypt 7.0 Released

TrueCrypt 7.0 has been released.  One of the interesting new features is that it takes advantage of Intel’s hardware-accelerated AES.  The new Intel i5 and i7 cores include additional x86 instructions for hardware-based AES block ciphering and key generation.  If you take advantage of this there should be no performance disadvantage to running full disk encryption.  I don’t think software encryption is as big a performance hit anymore unless you’re running antiquated hardware, in which case you probably can’t afford the new Intel cores anyways.

There are some other cool new features, including Favorites and support for new large sector disks (waiting for these to come down in price).  You can read the full TrueCrypt change log here.