How the Secret Service Cracks Encrypted Evidence

tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."

It's like social engineering, without the person

[Phoenixhunter]

Sounds pretty logical to me.

Re:It's like social engineering, without the perso

[Rosyna]

Which kind of makes much hard for conspiracy theories that the FBI/NSA/Secret Service require all these back doors into encryption software and/or operating systems. What's the point when humans are still the weakest link?

I feel pretty safe under Fedora.

[cfalcon]

I use the built in crypto in Fedora (the device level encryption passed to a loopback file mounted under /enc). I doubt that, absent a key sniffer, my passwords would *ever* be discovered. I have some english words in them (most are long phrases with nonsense punctuation thrown in at several places), so I guess that could be some kind of issue. But overall, I feel pretty secure.

Of course, I'm not actually defending any data that the government would care about, so it's all moot ;)

(Unless the government has a pressing need to read my private journal about me bitching about how I can't get a date. In that case, those spooks are outta luck!)

Comment removed

[account_deleted]

Comment removed based on user account deletion

So, to interpret this article:

[reality-bytes]

The U.S. Secret Service is having success with breaking keys using dictionary-attacks.

Now, reading between the lines:

The U.S. Secret Service has just perfected a brilliant new method of brute-forcing 256-bit keys in a matter of minutes using the same processing power as a pocket calculator.

Therefore the previous dictionary-attack system can safely become public knowledge.

Private Dictionaries

[Doc+Ruby]

It's becoming increasingly clear that human language facility is mostly a giant system of cross references. Sometimes those references attach to other experiences outside the language network, like other sensations and actions. But the language itself is a highly flexible collection of weighted references. There's no intrinsic "meaning" to the words and other language elements, just our shared experiences, including our experience of language itself. These private dictionary attacks are an extremely sophisticated attack on the very human space of personal language constraints.

Re:It's like social engineering, without the perso

[Shadow+Wrought]

What's the point when humans are still the weakest link?

Especially when all they have to do is offer them chocolate before they bust them;-)

Acronym passwords are a good compromise

[Rei]

You don't have to use random passwords to be secure. Slightly modified acronym passwords tend to be almost as good as completely random passwords, and people tend not to mention the phrase that the acronym is from very often.

For example, a password 'JWfimf#aIgtVae' is about as good as random; and yet, it's simply an acronym for "Juffo-Wup fills in my fibers and I grow turgid. Violent action ensues." with a hash sign thrown in for good measure. Any Star Control II fan would have an easy time remembering it after just a couple uses.

Re:Passwords?!

[tlhIngan]

There's always 24445 as a valid combination that can be spoken as 1-2-3-4-5... (One 2, Three 4s, 5).

People always seem to stumble on that when they ask for my combination and I tell them that. Then I show them the correct combination and a light dawns on their heads...

Re:Isn't the effectiveness now compromised?

[khrtt]

A friend of mine ran crack over /etc/passwd on his physics department's unix system, successfully cracking 20% of the passwords on file. He sent the results to his sysadmin, with a note asking the sysadmin to implement crack system-wide, and was promptly reprimanded.

On VAX VMS you had to pick a password from a list of randomly generated "pronouncable" strings, if I recall correctly. On many properly-managed UNIX installations the crack program is used to check the user's passwords and will not allow you to use a crackable one. Is there as option to allow only hard passwords on Windows? I honestly don't know...

On the whole, soft password problem seems like a healthy n00b-usability-over-security type thing.

Re:Still won't work.

[Homology]

People just cannot memorize enough randomness to defeat that kind of attack.

Erh, yes they can : The Diceware Passphrase Home Page

Re:256-bit encryption?

[bofkentucky]

You've never seen the "shoot here to destroy" stickers that Uncle sam sticks on his computers, usually they are just slightly off center of the hard drive spindles, not sure how a multi-disk box gets tagged, but its probably in a similar manner.

Remember that P-3 that landed in chicom airspace back in 2000/2001, supposedly hammers were used to beat the interior of that bird all to hell when the pilot realized they weren't going to make it to a safe landing area.

Re:no shit

[pla]

And you know what happens when people use a random password? They write it down and either put it in their top desk draw or on a nice post-it note on their monitor

Not everyone does that... Personally, I open a text editor, enter well-mixed gibberish until I find a key sequence that "feels" comfortable to type, then type it over and over until my fingers remember it.

I couldn't actually tell you my passwords, and could swear to that in court without perjuring myself... "I" simply don't know them. But I can type them with no problem.


Also, another trick that I recommend everyone adopt for their own security... Memorize three "good" passwords (as in, more-or-less indistinguishable from a string of random characters). Use one for public purposes (ie, normal websites), one for normal moderate security use (normal user accounts at work and home), and reserve the last one for root/admin accounts and online financial sites.

Now, that alone will do better than nothing, but one further very easy to remember step will make each one very nearly as good as a separate random string for every single one - Pick an arbitrary character (or two) of your password, and replace them with something about the place you use it. For example, you might change the fourth and seventh characters for the last two letters in the name of the site or machine.

Combining those, you have a basically secure password that you can easily remember, and having one use of it compromised reveals absolutely nothing. Only someone that knows at least two of them has any shot at all of guessing the rest, and even then, only within one of your three classes of password.


Of course, personally, I've simply memorized how to type around two dozen "good" passwords. But for those who don't feel quite so paranoid, the above works rather well.

OMG!

[temojen]

Unlike other distributed networking programs, such as the Search for Extra Terrestrial Intelligence Project -- which graphically display their number-crunching progress when a host computer's screen saver is activated -- DNA works silently in the background, completely hidden from the user. Lewis said the Secret Service chose not to call attention to the program, concerned that employees might remove it.

"Computer users often experience system lockups that are often inexplicable, and many users will uninstall programs they don't understand," Lewis said. "As the user base becomes more educated with the program and how it functions, we certainly retain the ability to make it more visible."

Wait... Secret Service employees have administrator rights? This is just wrong. Their IS department should know better.