Domain: crackpassword.com
Stories and comments across the archive that link to crackpassword.com.
Comments · 6
-
Bigger scope to this solution...
The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.
Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications.
And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.
-
Re:Can't hide it
-
Re:The more a phone is Cracked
Apple can Quattruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and i firmly belive that 1234 is too complex a password for her anyways...)
And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ ?
Not my quote please note. It is well known that to avoid the complexity of 1234 most people switch to 1111. This makes PIN codes terrible for exposed data.
If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.
iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device. A six digit PIN would be nice, but would probably be birth dates too hohum.
It's typical for someone with little security experience to miss the fact that the attacker always goes for the weakest link. Having two different codes is likely to make things weaker than having one unless you are very very careful. In this particular case elcomsoft provides standard software which can use just the PIN to bypass all the other security measures. The hint that Apple got the implementation wrong is that the PIN still works after you have done a power on/off cycle. HoHumm indeed.
Samsung has come up with ideas such as facial recognition.
I thought that was cool too. But once I had fooled it with a (bad) photo of me displayed from my iPhone I decided that it was a terrible idea. I'm sure it would have problems with my habit of growing a beard and shaving it off every month or so too.
This is hardly new. The same problems apply to fingerprint readers and have been demonstrated many times. There are a number of solutions to this and it shouldn't be beyond Apple to come up with some of them. E.g. using the camera's focus make sure that the object is at the right distance for a face of its size; e.g. check for correct movement of the face and if the same movement repeats ask for a specific expression. E.g. check for three dimensionality using two separate cameras.
It would be perfectly possible to sell an RFID bracelet with the phone and unlock when within a few CM of it.
Yes, because RFID and NFC tokens can't be hacked, cloned or masqueraded as
... http://www.libnfc.org/ has a nice toolkit there.NFC is just an energy and data transfer standard. There is nothing to stop you implementing proper security behind that (e.g. even a public key challenge response crypto system).
Those are the ideas I can come up with in three seconds of thinking each of which is better than a PIN code.
And probably why you've not got a role in the IT security industry too, I'd wager?
I agree with your assertion that short PINs are a terrible idea, but biometrics are worse. However, there's a huge gap between what a user will accept and what's accepted as good practice. Users will undoubtably choose the lazy option.
Biometrics are really crap in some situations. For example on credit cards in dangerous countries where they can jus
-
Re:someone cracks blackberry security
RIM's stuff is by and large still very, very secure by any comparison and their phones are unique in that regard. So the way I see it, this is both news (being a genuine security hack) and relevant (these phones being the best on the market).
This seems to be misunderstood as either a crack or a break in the security of the BB. It is neither. Elcomsoft is using a crib that they have found to attempt dictionary and/or brute force attacks, nothing more. See this blog post for the specific details about the file they are using. Unless there is something else that they haven't mentioned, this is a garden variety known plaintext attack.
-
Re:Because it's a pain on Linux
Actually, you CAN decrypt it if you know your password and can access the system keystore. Just use this program: http://www.crackpassword.com/products/prs/mswin/e
f s/?r1=rus_eng&r2=aefsdr -
Re:PHB to the max.
And, he is aware that there are about five million products that can crack an access database in 10 seconds? Can you name your company?