Passware Claims To Break FileVault 2 Encryption In 40 Minutes

CNET reported that Passware, a password recovery company, has claimed that FileVault 2 for Mac can be broken in under or around 40 minutes. In case you have never used a Mac before, FileVault 2 is similar to TrueCrypt and Windows’ BitLocker. These three popular encryption programs help computer users to securely wipe (i.e., format hard drives, partitions, external drives, etc.) and then encrypt hard drives and the like.

Encryption technology is supposed to help computer users secure their data, but it seems companies such as Passware do have ways around it after all. Nonetheless, since we now know encryption software is vulnerable, we can at least understand that relying on encryption software alone to protect our most precious data might not be enough. This way we have only ourselves to blame and be angry at when we don’t go to the extent of protecting our precious data beyond deploying encryption software.

To the best of my knowledge, I think most software designed to break encryption (i.e., encrypted data) needs access to the physical machine before it can actually decrypt the data. I wonder whether this will be the case for Passware’s claim too. If it is, then, as has always been the case, computer users best protect their precious data by physically securing their machines better. This way, hackers have to jump through more than one hoop to actually obtain your precious data.

In the end, I think security is at its best when wise computer users go to the extent of deploying whatever is necessary to protect their computer data, that is, if such data is that important to them. For now, let’s hope Apple, TrueCrypt, and Microsoft can soon come up with better encryption software so computer users know they can rely on encryption technology to protect their data better. Let’s hope Passware isn’t claiming to have the ability to decrypt data from the cloud as well, because such a scenario might be horrible for people who rely on encryption to protect their data in the cloud. So far, I don’t think this is possible yet.

Source:

Ghost in the Wires Describes Riveting Details Of A Legendary Hacker Kevin Mitnick

Kevin Mitnick was a man whose reputation preceded him in ways that he could never have imagined. His past reputation was so prolific that myths piled up around it, myths about how he had stolen software worth more than $300 million, secrets from covert agencies, and much more. In fact, he was more of a hacker who took on the challenge of hacking into various phone companies and big tech companies, and the successful penetrations of their servers and networks were most likely his greatest trophies. Instead of selling his trophies, the source code of various software he had siphoned away from well-known corporations, he kept them as proof of how he had hacked into what were thought to be digital fortresses.

Even after Kevin Mitnick walked out of prison, he was forbidden by law from using any communication technology. According to Wikipedia, and I quote, “Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet.” (Source: http://en.wikipedia.org/wiki/Kevin_Mitnick.) Now Kevin Mitnick is living a lifestyle which in a way is far better than how he lived before, and he can still go on hacking without getting into trouble with the law or getting jailed for it. How? He is making more money by consulting for various companies on computer security and ethically hacking into the companies that hire him for his knowledge. He currently runs Mitnick Security Consulting LLC, a computer security consultancy.

Kevin Mitnick has a book out in which he tells all about his past experiences of avoiding the law and being on the run while he was deep into hacking phone companies and various other tech giants. Ghost in the Wires was written by a two-man team: Kevin Mitnick teamed up with bestselling author William L. Simon to write it. In the acknowledgements section, Kevin Mitnick refers to William L. Simon as Bill Simon, if I’m not mistaken. In this book, Kevin Mitnick describes how he was able to social engineer just about anybody on the other end of the phone to gain valuable information to further his hacking activities. With quick thinking and an uncanny ability to remember long phone numbers, Kevin Mitnick had no trouble combining his social engineering and computing skills to successfully hack into well-known phone companies and tech giants. In fact, Kevin Mitnick was so successful at social engineering and computer hacking that he was able to manufacture his own fake identities. The book goes on to describe how Kevin Mitnick had to hack the Social Security Administration, the Department of Motor Vehicles, and others so he could manufacture those fake identities. Even fake birth certificates were within Kevin Mitnick’s reach.

Ghost in the Wires has some funny moments that show how naughty Kevin could be with his hacking skills. I don’t want to spoil such funny moments for you, so it’s best that you read the whole book on your own and laugh at how naughty Kevin Mitnick was with his social engineering and hacking skills. Besides the few hilarious moments, I have to admit Ghost in the Wires shows us that determined hackers can accomplish digital magic, tricks which we like to think cannot be done. Fortunately for the entities Kevin Mitnick hacked into while he was living the life of a fugitive, he wasn’t out to sell their secrets and make big profits for himself. Nonetheless, can we say the same for some hackers of today? Of course, there might be a few hackers who have the same spirit as the old and the new Kevin Mitnick, but I think there might be more crackers than hackers.

In summary, Ghost in the Wires was a great read for me. The writing style was down to earth. I had moments of laughter at how Kevin Mitnick coyly tricked his adversaries through his social engineering and computer hacking skills. The book was written with everyday people in mind, so even readers who cannot follow the technical details might not miss much. In fact, reading Ghost in the Wires, I thought I was reading a thriller novel or watching a thriller film. Honestly, it was great to finally read what Kevin Mitnick had to say for himself in his very own book. I found his details riveting, especially how he described his encounters with law enforcement. Hard-to-forget moments were how law enforcement officials convinced the judge that Kevin Mitnick could start a nuclear war by whistling into a pay phone, and how Kevin Mitnick himself thought the judge at one point believed he could connect to the Internet in prison through a laptop that had no connection to the Internet (she did not allow Kevin Mitnick the use of a laptop to review the evidence pertaining to his case with a lawyer).

With The Release Of Reaver, Now Anyone Can Exploit Wi-Fi Protected Setup Flaw Freely; Reaver Releases As Open Source Software

Just recently, I touched on how easy it is for hackers to exploit routers that have the Wi-Fi Protected Setup feature enabled and acquire their PINs (Wi-Fi Protected Setup PIN Method Has Flaw, Allowing Hackers To Deploy Brute Force Attack For Valid PIN Number In Lesser Time Than Before), because there has always been a flaw associated with this particular feature, which allows hackers to deploy brute force attacks and correctly guess PINs in less time than ever before. It’s not a surprise to see that someone already has a tool that can hack a router for its Wi-Fi Protected Setup PIN. In fact, someone is already releasing such a tool to the public. So, in a way, we can say that once exploits are known, smart hackers who write their own code can usually come up with new tools to penetrate the flaws of most computer systems. This case is no different, because the folks at Tactical Network Solutions have had such a tool, known as Reaver, which they probably use for penetration tests on their own networks and their clients’ networks, as a way to stay ahead of the curve and prevent those networks from being hacked.

Since the Wi-Fi Protected Setup exploit has been discussed publicly, the folks at Tactical Network Solutions are now releasing Reaver to the open source community, which means anyone can download it and start using it. Of course, like any tool, bad people can use it to break into other people’s networks, and good people can use it to run penetration tests on their own networks so they know how resilient those networks are against certain attacks. The folks at Tactical Network Solutions are also releasing a commercial version of Reaver, which they claim is even more feature rich than the open source version.

Basically, once Reaver lets hackers obtain the correct Wi-Fi Protected Setup PIN, they can further use Reaver to recover the WPA/WPA2 passphrase in the range of 4 to 10 hours. As long as the owners of the routers/networks haven’t disabled the Wi-Fi Protected Setup feature, no matter what the owners change their WPA/WPA2 passphrase to, hackers will always be able to recover it using Reaver. This is quite serious, because Reaver is a tool that anyone can download and use freely. So, if the manufacturers of most routers aren’t going to patch the flaw, then it’s really up to the users of such routers to disable the Wi-Fi Protected Setup feature.

It seems to me that the folks at Tactical Network Solutions suggest that once hackers guess the Wi-Fi Protected Setup PIN correctly, they can take control of the router. Worse, I think hackers can also insert themselves into the middle of the compromised network to listen, sniff, and record, and consequently read the network traffic for plain text data. Of course, they can read encrypted data only in its encrypted form, but hackers who have the will to decrypt it might also have tools that allow them to decrypt it in time.

In summary, if your router still has the Wi-Fi Protected Setup feature enabled, it’s currently an easy target for just about anyone who has the will to download Reaver and use it to hack your router. Usually, if someone hacks your router, they might have an even more insidious intention than just stealing your bandwidth. Perhaps they might use your bandwidth to do some serious hacking against some big corporations, and you would be the one to take the blame. After all, once the hackers are done with what they had to do, they could always clean up their trails and leave almost no trace behind. The authorities would have a hard time believing your “It wasn’t me” story. So, I recommend you turn off the Wi-Fi Protected Setup feature at all costs and wait until the manufacturer of your router comes up with a patch that addresses this particular exploit.
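After turning Wi-Fi Protected Setup off, it is worth confirming that your own access points have actually stopped advertising it. The following is an added example, not part of the original post or of Reaver: it assumes scan text in the layout printed by the Linux `iw` tool (`iw dev <interface> scan`), and the function name, BSSIDs and SSIDs are made up for illustration.

```python
import re

# Constructed sample in the layout of `iw dev wlan0 scan` output; all
# BSSIDs and SSIDs are made up for this example.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tfreq: 2437
\tSSID: home-ap
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
BSS 02:00:00:aa:bb:02(on wlan0)
\tfreq: 2462
\tSSID: home-ap-upstairs
\tRSN:\t * Version: 1
BSS 02:00:00:aa:bb:03(on wlan0)
\tfreq: 2412
\tSSID: garage-ap
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})", re.M)

def wps_status(scan_text, own_bssids):
    """Map each of your own BSSIDs to 'not-advertised', 'enabled',
    'enabled-locked' or 'not-seen', judged from the scan text."""
    wanted = {b.lower() for b in own_bssids}
    result = {b: "not-seen" for b in wanted}
    # re.split with one capture group yields [prefix, bssid, body, bssid, body, ...]
    parts = BSS_RE.split(scan_text)
    for bssid, body in zip(parts[1::2], parts[2::2]):
        bssid = bssid.lower()
        if bssid not in wanted:
            continue  # only report on access points you administer
        if not re.search(r"^\s*WPS:", body, re.M):
            result[bssid] = "not-advertised"  # no WPS element in the beacon
        elif re.search(r"AP setup locked:\s*0x01", body):
            result[bssid] = "enabled-locked"  # WPS on, AP reports setup locked
        else:
            result[bssid] = "enabled"  # WPS still on: the setting did not take
    return result

if __name__ == "__main__":
    mine = ["02:00:00:aa:bb:01", "02:00:00:aa:bb:02", "02:00:00:aa:bb:03"]
    for bssid, state in sorted(wps_status(SAMPLE_SCAN, mine).items()):
        print(bssid, state)
```

Any result other than `not-advertised` for a router where the feature was switched off means the setting did not take effect and the router should be rechecked.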

Sources:  https://threatpost.com/en_us/blogs/attack-tool-released-wps-pin-vulnerability-122911,
http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html,
http://code.google.com/p/reaver-wps/
