Topic: Legitimate app breaks popular encryption - EFS, BitLocker, TrueCrypt ...

Carol Haynes

In the current Windows Secrets newsletter EFDD can crack popular encryption, even with tough random passwords:

Conventional wisdom has been that files protected with good encryption can’t be cracked.

But a new, $300, wizard-driven app can unlock BitLocker-, PGP-, and TrueCrypt-encrypted files, folders, and drives — no matter how strong a password you’re using.

It’s the sort of story that could keep you up at night. Last month, Elcomsoft released the Elcomsoft Forensic Disk Decryptor (EFDD), a program that opens encrypted files without trying to guess your password or attack it with brute force. In fact, the actual password is effectively irrelevant. A long, random string such as bS2f#[voIT+?@=Uq3a,.B provides no better protection against EFDD than would "password" or "12345."

See http://windowssecret...tion-systems/#story1 for the full story.

ewemoa

Thanks for the link.

Thought the following bit was worth quoting.

From the article:
Cracking passwords is the most common way to unlock encrypted files, but it isn't the only way. The keys to decrypting your darkest secrets might be floating around in RAM from the last time you opened an encrypted file. Or perhaps, if Windows ran out of physical RAM, they're sitting in your swap file. They could also be hiding in your hibernation file — assuming that you hibernate your PC.

EFDD (or a similar app) searches those areas for possible keys. It then tries any keys it finds on your encrypted files.
Sometimes it works; sometimes it doesn't.

Renegade

@ewemoa - Thanks for posting that quickly... My heart sank a bit and my stomach dropped when I first read the description. It sounded like they'd effectively gotten around the encryption entirely. Glad to hear that it's still password-based... Phew!
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

f0dder

Yeah, nothing to see here, really.

This has been doable for quite a while, and even outside Sekrit Forensikz, there's freely available tools to do it. The Elcomsoft program just makes it a bit more convenient (even the Firewire-DMA attack that can be used on a computer that has been locked isn't new).

Also note that this doesn't recover your passphrase - it recovers the raw encryption key. That is obviously enough to get at your data, but in no way leads to disclosure of the passphrase itself :)
- carpe noctem

40hz

Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or PayPal accounts being $300 lighter if they don't do their homework before reaching for their plastic.
 8)

f0dder

Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or PayPal accounts being $300 lighter if they don't do their homework before reaching for their plastic.
 8)
To be fair, the product is probably more targeted at government agencies - those tend to like high pricetags and support and all that kinda stuff :)
- carpe noctem

Stoic Joker

Sorry guys, I'm actually smiling about this. Encryption has long been spun as a magic bullet replacement for physical security to 'apologise' for people that can't keep track of their shit.

Oh deer... I left my laptop at the ___. What ever shall we do... Not to worry! It's [cue the super hero background music] Encryptified! Yeah!!!

Gag.

Perhaps this (is a good thing) will get people to start thinking seriously about the equally important other layers of security.

f0dder

Oh deer... I left my laptop at the ___. What ever shall we do... Not to worry! It's [cue the super hero background music] Encryptified! Yeah!!!
Well, as long as you either don't use hibernation, or you use full-disk/system-partition encryption (and don't have FireWire ports), you're safe. (OK, I'm not 100% sure about pagefile, but the key should be kept in unpageable memory).
- carpe noctem
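
One way to check a Windows machine for the conditions discussed in this thread (hibernation, page file, system-volume encryption, FireWire), as an added example that is not part of any poster's message. The helper `Get-RegValue` and the output property names are made up for illustration; the script assumes BitLocker is the encryption in use and an elevated PowerShell session.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session:
# Get-BitLockerVolume needs administrator rights.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$sysDrive = $env:SystemDrive
$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'

# Hibernation writes a copy of RAM (keys included) to hiberfil.sys on the system drive.
# 1 = enabled, 0 = disabled, $null = value not set (treated below as "assume enabled").
$hib = Get-RegValue "$ctl\Power" 'HibernateEnabled'

# Page file: location(s), and whether Windows wipes it at shutdown.
$clearPf = Get-RegValue "$ctl\Session Manager\Memory Management" 'ClearPageFileAtShutdown'
$pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)

# System volume: only BitLocker is visible here. Assumption: a TrueCrypt or PGP
# system-encrypted volume reports as not encrypted and must be checked by hand.
$blv = Get-BitLockerVolume -MountPoint $sysDrive -ErrorAction SilentlyContinue
$sysEncrypted = ($null -ne $blv) -and ($blv.ProtectionStatus -eq 'On') -and
    ($blv.VolumeStatus -eq 'FullyEncrypted')

# FireWire (IEEE 1394) host controllers: the DMA route mentioned in the thread.
$fireWire = @(Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'OK' })

# Page files that do not sit on the (possibly encrypted) system drive.
$pfElsewhere = @($pageFiles | Where-Object {
    -not $_.StartsWith($sysDrive, [System.StringComparison]::OrdinalIgnoreCase) })

[pscustomobject]@{
    HibernateEnabled        = $hib
    ClearPageFileAtShutdown = ($clearPf -eq 1)
    PageFiles               = $pageFiles -join ', '
    SystemVolumeEncrypted   = $sysEncrypted
    FireWireControllers     = $fireWire.Count
    # Plaintext RAM image on disk: hibernation not ruled out, system volume not encrypted.
    HiberfileOnPlainDisk    = ($hib -ne 0) -and (-not $sysEncrypted)
    # Page file readable after a clean shutdown: not wiped, and on a plain or other volume.
    PageFileOnPlainDisk     = ($pageFiles.Count -gt 0) -and ($clearPf -ne 1) -and
                              ((-not $sysEncrypted) -or ($pfElsewhere.Count -gt 0))
}
```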

40hz

Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or PayPal accounts being $300 lighter if they don't do their homework before reaching for their plastic.
 8)
To be fair, the product is probably more targeted at government agencies - those tend to like high pricetags and support and all that kinda stuff :)


Like I said: wannabe hackboys. ;D

40hz

Perhaps this (is a good thing) will get people to start thinking seriously about the equally important other layers of security.

Systems people...they're so cute when they tell you their dreams... ;D

---------
P.S. I agree. :Thmbsup:

Tinman57

Yeah, nothing to see here, really.

This has been doable for quite a while, and even outside Sekrit Forensikz, there's freely available tools to do it. The Elcomsoft program just makes it a bit more convenient (even the Firewire-DMA attack that can be used on a computer that has been locked isn't new).

  I remember something similar to this back in the Amiga days.

bit

« Last Edit: November 08, 2015, 01:28 PM by bit »

4wd

You could always throw a few Alt Codes into the password.

↑↓→←↔  :)

bit

« Last Edit: November 08, 2015, 01:27 PM by bit »

4wd

That's way cool. I immediately searched the web for "Alt Codes for Japanese characters", which led me to http://forum.wl.igg....thread.php?tid=58061, which led me to this. But although others are saying there "It works", it's not working for me so far. Am I missing some sort of character set download?

I think it's more like the person who wrote it has missed explaining some intermediate step. None of that works for me, as soon as I release the Alt key the character corresponding to Alt+0253 (ý) or Alt+0254 (þ) is drawn.

It seems like there needs to be a "sticky" setting so that when you've typed the Alt Code it waits for the next keypress before displaying the character.

Found this here but it doesn't work either:
2952_600.jpg

bit

« Last Edit: November 08, 2015, 01:25 PM by bit »

pilgrim

I had a look at the second link and tried ALT+02531 which resulted in this:

What the hell that is I have no idea but the font is showing as Shona Bangla?

I found the font but I'm damned if I can find that character.
I spent 25 years training to be an eccentric then I woke up one morning and realised that I'd cracked it.
I've not had to try since.

I wonder what happens if I click on thi

bit

« Last Edit: November 08, 2015, 01:25 PM by bit »

Edvard

I had a look at the second link and tried ALT+02531 which resulted in this:

Looks like a dust bunny with crab claws... Awesome!

f0dder

I wonder why all the funky-characters stuff ended up in this thread?

While it'll screw up dictionary-based attacks, FYI it will do nothing to mitigate against the attack originally posted about.
- carpe noctem

40hz

I wonder why all the funky-characters stuff ended up in this thread?

While it'll screw up dictionary-based attacks, FYI it will do nothing to mitigate against the attack originally posted about.

+1. Every time I see a trick like that I keep thinking back to that famous XKCD strip that points out how most of what gets suggested to make passwords "more secure" does little other than make them difficult for humans to use and remember. Computers have no problem dealing with them however.

password_strength.png
8)

pilgrim

Anyone ever come across THIS?
I spent 25 years training to be an eccentric then I woke up one morning and realised that I'd cracked it.
I've not had to try since.

I wonder what happens if I click on thi

f0dder

Anyone ever come across THIS?
Not an all bad idea, but see 40Hz' post above - the xkcd post is somewhat controversial, but I agree with the gist of it.

Also, you can rule out a whole bunch of the symbols on the card, since (even when including non-alphanumeric characters) you don't want passwords that are too short.
- carpe noctem

CWuestefeld

that I keep thinking back to that famous XKCD strip that points out how most of what gets suggested to make passwords "more secure" does little other than make them difficult for humans to use and remember.

I'm following this approach now. To generate the pass phrases, see http://passphra.se/

In using this, I've been stunned at how many web sites (a) don't allow spaces in passwords, or (b) enforce silly maximum lengths on passwords.

Tinman57


I use a nifty app called PINs that generates passwords either with built-in templates, including military grade, or your own templates. You can also manually set how many characters to use. It then saves it into a database that's also encrypted and will copy/paste your login sequence with a keyboard combination. I've been using it for years and years, and they still keep it updated. It has all kinds of bells and whistles too.....