Author Topic: Legitimate app breaks popular encryption - EFS, BitLocker, TrueCrypt ... (Read 23481 times)

Carol Haynes · « **on:** February 06, 2013, 07:37 PM »

In the current Windows Secrets newsletter EFDD can crack popular encryption, even with tough random passwords:

Conventional wisdom has been that files protected with good encryption can’t be cracked.

But a new, $300, wizard-driven app can unlock BitLocker-, PGP-, and TrueCrypt-encrypted files, folders, and drives — no matter how strong a password you’re using.

It’s the sort of story that could keep you up at night. Last month, Elcomsoft released the Elcomsoft Forensic Disk Decryptor (EFDD; more info), a program that opens encrypted files without trying to guess your password or attack it with brute force (Wikipedia info). In fact, the actual password is effectively irrelevant. A long, random string such as bS2f#[voIT+?@=Uq3a,.B provides no better protection against EFDD than would "password" or "12345."

See http://windowssecret...tion-systems/#story1 for the full story.

ewemoa · « **Reply #1 on:** February 07, 2013, 04:18 AM »

Thanks for the link.

Thought the following bit was worth quoting.

From the article:

Cracking passwords is the most common way to unlock encrypted files, but it isn't the only way. The keys to decrypting your darkest secrets might be floating around in RAM from the last time you opened an encrypted file. Or perhaps, if Windows ran out of physical RAM, they're sitting in your swap file. They could also be hiding in your hibernation file — assuming that you hibernate your PC.

EFDD (or a similar app) searches those areas for possible keys. It then tries any keys it finds on your encrypted files. Sometimes it works; sometimes it doesn't.

Renegade · « **Reply #2 on:** February 07, 2013, 05:00 AM »

@ewemoa - Thanks for posting that quickly... My heart sunk a bit and my stomach dropped when I first read the description. It sounded like they'd effectively gotten around the encryption entirely. Glad to hear that it's still password-based... Phew!

f0dder · « **Reply #3 on:** February 07, 2013, 06:36 AM »

Yeah, nothing to see here, really.

This has been doable for quite a while, and even outside Sekrit Forensikz, there's freely available tools to do it. The Elcomsoft program just makes it a bit more convenient (even the Firewire-DMA attack that can be used on a computer that has been locked isn't new).

Also note that this doesn't recover your passphrase - it recovers the raw encryption key. That is obviously enough to get at your data, but in no way leads to disclosure of the passphrase itself

40hz · « **Reply #4 on:** February 07, 2013, 06:51 AM »

Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or Paypal accounts being $300 lighter if they don't do their homework before reaching for their plastic.

f0dder · « **Reply #5 on:** February 07, 2013, 06:56 AM »

Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or Paypal accounts being $300 lighter if they don't do their homework before reaching for their plastic.

-40hz (February 07, 2013, 06:51 AM)

To be fair, the product is probably more targeted at government agencies - those tend to like high pricetags and support and all that kinda stuff

Stoic Joker · « **Reply #6 on:** February 07, 2013, 06:59 AM »

Sory guys, I'm actually smiling about this. Encryption has long been spun as a magic bullet replacement for physical security to 'appologise' for people that can't keep track of their shit.

Oh deer... I left my laptop at the ___. What ever shall we do... Not to worry! It's [cue the super hero background music] Encryptified! Yeah!!!

Gag.

Perhaps this (is a good thing) will get people to start thinking seriously about the equally important other layers of security.

f0dder · « **Reply #7 on:** February 07, 2013, 07:03 AM »

Oh deer... I left my laptop at the ___. What ever shall we do... Not to worry! It's [cue the super hero background music] Encryptified! Yeah!!!
-Stoic Joker (February 07, 2013, 06:59 AM)

Well, as long as you either don't use hibernation, or you use full-disk/system-partition encryption (and don't have firewire ports), you're safe. (OK, I'm not 100% sure about pagefile, but the key should be kept in unpagable memory).

40hz · « **Reply #8 on:** February 07, 2013, 07:07 AM »

Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or Paypal accounts being $300 lighter if they don't do their homework before reaching for their plastic.

-40hz (February 07, 2013, 06:51 AM)
To be fair, the product is probably more targeted at government agencies - those tend to like high pricetags and support and all that kinda stuff

-f0dder (February 07, 2013, 06:56 AM)

Like I said: wannabe hackboys.

40hz · « **Reply #9 on:** February 07, 2013, 07:09 AM »

Perhaps this (is a good thing) will get people to start thinking seriously about the equally important other layers of security.
-Stoic Joker (February 07, 2013, 06:59 AM)

Systems people...they're so cute when they tell you their dreams...

---------
P.S. I agree.

Tinman57 · « **Reply #10 on:** February 07, 2013, 01:50 PM »

Yeah, nothing to see here, really.

This has been doable for quite a while, and even outside Sekrit Forensikz, there's freely available tools to do it. The Elcomsoft program just makes it a bit more convenient (even the Firewire-DMA attack that can be used on a computer that has been locked isn't new).
-f0dder (February 07, 2013, 06:36 AM)

I remember something similar to this back in the Amiga days.

bit · « **Reply #11 on:** June 06, 2013, 06:59 PM »

4wd · « **Reply #12 on:** June 06, 2013, 09:15 PM »

You could always throw a few Alt Codes into the password.

↑↓→←↔

bit · « **Reply #13 on:** June 07, 2013, 12:31 AM »

4wd · « **Reply #14 on:** June 07, 2013, 03:08 AM »

That's way cool. I immediately searched the web for "Alt Codes for Japanese characters", which led me to http://forum.wl.igg....thread.php?tid=58061, which led me to this. But although others are saying there "It works", it's not working for me so far. Am I missing some sort of character set download?
-bit (June 07, 2013, 12:31 AM)

I think it's more like the person who wrote has missed explaining some intermediate step. None of that works for me, as soon as I release the Alt key the character corresponding Alt+0253, (ý), or Alt+0254, (þ) is drawn.

It seems like there needs to be a "sticky" setting so that when you've typed the Alt Code it waits for the next keypress before displaying the character.

Found this here but it doesn't work either:

bit · « **Reply #15 on:** June 07, 2013, 07:52 AM »

pilgrim · « **Reply #16 on:** June 07, 2013, 08:17 AM »

I had a look at the second link and tried ALT+02531 which resulted in this: ৣ

What the hell that is I have no idea but the font is showing as Shona Bangla?

I found the font but I'm damned if I can find that character.

bit · « **Reply #17 on:** June 12, 2013, 05:00 PM »

Edvard · « **Reply #18 on:** June 12, 2013, 07:13 PM »

I had a look at the second link and tried ALT+02531 which resulted in this: ৣ
-pilgrim (June 07, 2013, 08:17 AM)

Looks like a dust bunny with crab claws... Awesome!

f0dder · « **Reply #19 on:** June 13, 2013, 12:14 AM »

I wonder why all the funky-characters stuff ended up in this thread?

While it'll screw up dictionary-based attacks, FYI it will do nothing to mitigate against the attack originally posted about.

40hz · « **Reply #20 on:** June 13, 2013, 06:29 AM »

I wonder why all the funky-characters stuff ended up in this thread?

While it'll screw up dictionary-based attacks, FYI it will do nothing to mitigate against the attack originally posted about.
-f0dder (June 13, 2013, 12:14 AM)

+1. Every time I see a trick like that I keep thinking back to that famous XKCD strip that points out how most of what gets suggested to make passwords "more secure" does little other than make them difficult for humans to use and remember. Computers have no problem dealing with them however.

pilgrim · « **Reply #21 on:** June 13, 2013, 06:40 AM »

Anyone ever come across THIS?

f0dder · « **Reply #22 on:** June 13, 2013, 09:34 AM »

Anyone ever come across THIS?
-pilgrim (June 13, 2013, 06:40 AM)

Not an all bad idea, but see 40Hz' post above - the xkcd post is somewhat controversial, but I agree with the gist of it.

Also, you can rule out a whole bunch of the symbols on the card, since (even when including non-alphanumeric characters) you don't wants passwords that are too short.

CWuestefeld · « **Reply #23 on:** June 13, 2013, 11:51 AM »

that I keep thinking back to that famous XKCD strip that points out how most of what gets suggested to make passwords "more secure" does little other than make them difficult for humans to use and remember.
-40hz (June 13, 2013, 06:29 AM)

I'm following this approach now. To generate the pass phrases, see http://passphra.se/

In using this, I've been stunned at how many web sites (a) don't allow spaces in passwords, or (b) enforce silly maximum lengths on passwords.

Tinman57 · « **Reply #24 on:** June 13, 2013, 04:58 PM »

I use a nifty app called PINs that generates passwords generated either with built-in templates including military grade or your own templates. You can also manually set how many characters to use. It then saves it into a database that's also encrypted and will copy/paste your login sequence with a keyboard combination. I've been using it for years and years, and they still keep it updated. It has all kinds of bells and whistles too.....