Slashdot Mirror

← Back to Stories (view on slashdot.org)

How the Secret Service Cracks Encrypted Evidence

Posted by timothy on from the throw-at-wall-see-what-sticks dept.

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."

17 of 658 comments (clear)

  1. Still won't work. by khasim · · Score: 2, Informative
    The average person has a vocabulary of only about 25,000 words.

    Even allowing for a 10 character word length and 4 randomizations per word (letters, numbers, spaces) that's still under a million variations.

    From the article:
    Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.
    So that's less than 25,000 seconds to crack your password.

    416 minutes

    approximately 7 hours

    People just cannot memorize enough randomness to defeat that kind of attack.
  2. Re:In other words.. by Homology · · Score: 2, Informative
    If your password is something you've ever written on your computer, its likely they'll crack it? Interesting.... moral of the story: dont use words found in the dictionary as your password. Inject spaces or numbers or punctuation into the word if you do.

    You can use dictinary words to generate strong passphrases that are fairly easy to remember. Check out How long should my passphrase be for a comparions of length of passphrase with physcial security.

  3. How To Make Easy Random Passwords by cliffjumper222 · · Score: 4, Informative

    This might not be new to some, but it's quite easy to create random passwords that you can remember, although, I suppose you could argue that they are not completely random. Anyway, here goes:

    1. Think of a sentence that you can remember, e.g., "My two lovely kids Spike and Mary eat noodles every day!"
    2. Take the first letter of each word and use some common substitutions: "M2lkS&Mened!" - Bingo, not only is it a pretty random collection of letters but it includes numbers, upper case and lower case mixed and even punctuation. All lovely stuff to blunt brute force password attacks.
    3. When you type it in, say the sentence to yourself in your head. It's really quite easy to remember that way. Also, you can even just about get away with writing it down (in an office environment) and not many people will understand it. Of course, I don't recommend this but people are people.
    4. Don't forget to dump the sentence every few months or so and make up a new one. It's no big deal, they're easy to remember.

    Hope that helps some.

  4. Re:Do you have to give up passwords? by MoTec · · Score: 2, Informative

    Now, IANAL or anything... But from what I understand, a Judge can basically subpoena your password from you. If you refuse to disclose it you can be found in contempt of court and jailed.

    Of course you can claim to have forgotten it, what with the trauma of the arrest and all.

  5. Re:if the govt can crack, so can terrorists by Anonymous Coward · · Score: 1, Informative

    You realize that the internal number matrices used in AES were chosen by the NSA. Wonder why that is? :)

    Still think AES is so secure??

  6. Re:Isn't the effectiveness now compromised? by X0563511 · · Score: 4, Informative

    Yes, you can mandate that users can only choose strong passwords.

    Windows 2000 and up, go into the Local Security Policy (in mmc). Look for "Require Strong Password" (or similar, its been a while).

    Why nobody uses it, I don't know.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. Re:256-bit encryption? by Rolan · · Score: 2, Informative

    Remember that P-3 that landed in chicom airspace back in 2000/2001, supposedly hammers were used to beat the interior of that bird all to hell when the pilot realized they weren't going to make it to a safe landing area.

    No supposedly, it was. Aircraft with sensitive data or equipment on them always have one of two pieces of simple hardware nearby. Either a sledge hammer, or a regular hammer (for smaller craft). Sometimes several of them. In case of landing somewhere unfriendly, swing repeatedly. On aircraft, where applicable, there's typically an easy way to erase/ruin any data, magnetic storage medium, film, etc.

    Ground locations that might be "taken over" and have classified data/equipment have at least: 1 55 gal drum, some liquid that burns well, and a lighter. The above can be replaced with an easy to access incinerator (sometimes both are present). There is a very specific burn procedure that people that work there tend to have to memorize. They start with the most sensitive and keep burning until the lunch order is gone or they're disabled and can't.

    --
    - AMW
  8. Also available under MacOS X by Anonymous Coward · · Score: 1, Informative

    It's called FileVault. Your home directory is an encrypted (AES, I think) sparse disk image that is transparently mounted at ~ upon login. Nifty, since they can't even get your browser cache, etc. without knowing your login password (or your emergency systemwide backdoor password that you can set). Plus it's so easy to use, you don't even look "suspicious" doing so. I think the NSA securing your Mac OS X box guide even recommends it.

  9. Re:OMG! by temojen · · Score: 2, Informative

    Or lock the pages. UID 0 processes can do this in Linux; I assume it works in windows too (with a different API).

  10. Re:Acronym passwords are a good compromise by John-D · · Score: 4, Informative

    No, those are all horrible. If it is based on a real word, it will be tried first.

    Any good cracking program will substitute $ for S, 4 for A, 3 for E, 7 for L, so on and so on.
    This problem is even easier if (like most places, hopefully not microsoft) your IT dept still uses NTLM passwords for window auth. The password algorithm breaks your character into 2 7-char halves and generates a hash via DES. So your great 12 char password is really one 7 character and one 5. The 5 character part will be broken in under 1 hour ( I broke the NP4UL! portion of your password as I typed this; 7minutes, 27 seconds). Even worse are "policies" that enforce 8 character passwords under Windows. Guess how long it takes to 'break' a 1 character password. Those passwords halves are also non-salted and only DES. DES is made to be fast. look up some of the magic you can do with the MMX registers to make DES really fast in certain circumstances - where you are breaking about 60 or more password halves at once.
    So if you have a list you are in luck because you can now compare the hash of the half you just broke with all the other halves in the list. Then you may save it off into a database to look up next time you are cracking passwords. Pre-calculation and other methods (so-called Rainbow tables) make cracking these passwords even easier.

    Regular crypt passwords under Linux are almost as bad, except the salt makes them much more resistent to pre-calculation.
    MD5 passwords under Linux are much more robust if you choose a moderately hard password; as all of the characters in your password count towards the hash, and MD5 is SLOW compared to DES.

    My advice is to generate a random password and use that. Include non-printables (alt + numpad). Avoid real words. Write it down and keep it on you until you remember it; 3-4 uses for me usually does the trick. Play with John The Ripper - it does ntlm passwords now.

    PS If you use samba, its passwords are also stored in NTLM format; so you should use a different password than your standard MD5 Linux login.

  11. Re:Acronym passwords are a good compromise by provolt · · Score: 2, Informative

    I don't really think that 'leeticizing' a dictionary word is a very good scheme. Most of the good password cracking tools check for that. Most of them will check for common things like changing 's' to '$' or changing 'a' to '@'. It's really just another substitution (like going through the various capitalization schemes). It may slow down the programs, but not in a significant way.

    I agree that it is better to do this than to not do it, but using dictionary words (or simple substitutions based on dictionary words) is just a bad idea.

  12. Re:Isn't the effectiveness now compromised? by ikkonoishi · · Score: 2, Informative

    I write my passwords down in a custom cryptogram system. It takes me a while to decode them, but after doing it a few times, I tend to remember them better.

  13. Re:It's like social engineering, without the perso by anthony_dipierro · · Score: 2, Informative

    Unless it's from a self-employment activity!

    Illegal income, such as money from dealing illegal drugs, must be included in your income on Form 1040, line 21, or on Schedule C or Schedule C-EZ (Form 1040) if from your self-employment activity.

    http://www.irs.gov/publications/p17/ch13.html

  14. Re:Passwords?! by hazem · · Score: 2, Informative

    Not in America. As the parent pointed out, you're no longer permitted to lock your baggage when you check it.

  15. Other sources of IRS income... by grafikdude · · Score: 2, Informative
    Other sources of income according to the IRS From the IRS website at= http://www.irs.gov/publications/p17/ch13.html
    Other income sources (this is for real)
    • Bribes If you receive a bribe, include it in your income.
    • Kickbacks You must include kickbacks, side commissions, push money, or similar payments you receive in your income on Form 1040, line 21, or on Schedule C or Schedule C-EZ (Form 1040), if from your self-employment activity.
    Example
    You sell cars and help arrange car insurance for buyers. Insurance brokers pay back part of their commissions to you for referring customers to them. You must include the kickbacks in your income.
    • Illegal income Illegal income, such as money from dealing illegal drugs, must be included in your income on Form 1040, line 21, or on Schedule C or Schedule C-EZ (Form 1040) if from your self-employment activity.
    • Pulitzer, Nobel, and similar prizes. If you were awarded a prize in recognition of accomplishments in religious, charitable, scientific, artistic, educational, literary, or civic fields, you generally must include the value of the prize in your income. However, you do not include this prize in your income if you meet all of the following requirements.
      • You were selected without any action on your part to enter the contest or proceeding.
      • You are not required to perform substantial future services as a condition to receiving the prize or award.
      • The prize or award is transferred by the payer directly to a governmental unit or tax-exempt charitable organization as designated by you.
      • See Publication 525 for more information about the conditions that apply to the transfer.
    • Stolen property. If you steal property, you must report its fair market value in your income in the year you steal it unless in the same year, you return it to its rightful owner.
    --
    This is not here.
  16. Re:Passwords?! by Captain_Chaos · · Score: 2, Informative

    ... asterix ...

    Must ... resist ... urge ... to .. correct ... joke ...

    Oh what the hell... It's asteriSK! Asterix is the hero of a famous belgian comic book...

  17. TSA-approved locks by swb · · Score: 3, Informative

    They now have TSA-approved locks which have some kind of TSA symbol on them that identify them as "OK". There's a master key for the key locks and the combination locks.

    Prior to this I used tie wraps (the good ones with the metal in the latching end) through the lock holes on the zippers. I stashed an ancient wire cutters in an outer pocket for opening at my destination.

    I don't know 'secure' these really are, but I suppose it makes it just hard enough that the crackheads working in baggage will choose someone else's luggage to rifle. I'm sure the master key component of the TSA-approved locks is trivial as well.

    But as someone said above, if someone wants it, they'll just rip the fscking thing open. But it should be good enough. People have long complained about pilfering from luggage, but the complaints REALLY went up when the TSA banned luggage locking. IMHO most of the luggage pilfered was unlocked to begin with, and once everyone's was, it was open season for luggage handlers to steal, so a trivial amount of locking ought to deny them the easy opportunities.