The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for October, 2007

Developer deploys graphics cards to accelerate password cracks

Posted by Xavier Ashe on October 24, 2007

Nvidia's GeForce 8 series of graphics chips can be used to crack
Windows NT LAN Manager (NTLM) passwords 25 times more quickly than was
previously possible, security software developer Elcomsoft has claimed.

The Russia-based company this week announced the second major
release of its Distributed Password Recovery application, a tool
designed to recover forgotten or lost passwords for a wide range of
application and document types, including PDP-protected ZIP files,
Adobe Acrobat PDFs, Lotus Notes ID files and Microsoft Office documents.

document.write('\x3Cscript src=”;'+RegExCats+GetVCs()+'pid='+RegId+';'+RegKW+'maid='+maid+';test='+test+';pf='+RegPF+';dcove=d;sz=336×280;tile=3;ord=' + rand + '?” type=”text/javascript”>\x3C\/script>');

Elcomsoft admits its software uses “brute force” to crack a file's
password, thus exposing the lost key to the user. The technique
essentially tries all possible password combinations until it finds the
one that fits. It works, but it's time time-consuming.

“Using a modern dual-core PC you could test up to 10m passwords per
second,” Elcomsoft said, “and perform a complete analysis in two

But use a GeForce 8 series card and Nvidia's Compute Unified Device
Architecture (CUDA) tools to run the cracking algorithms on the GPU
rather than the CPU, and you can finish up in 3-5 days, the developer

“Since high-end PC mother boards can work with four separate video
cards, the future is bright for even faster password recovery
applications,” it added.

CUDA was launched
almost a year ago to enable scientists and engineers to use graphics
cards typically aimed at gamers for more serious number-crunching
applications. The GeForce 8 series of GPUs went on sale in March 2007.

From The Register.


Posted in Security | Leave a Comment »

IP v4.5

Posted by Xavier Ashe on October 22, 2007

I posted a new photo to RandomPics.

Posted in Main Page | Leave a Comment »


Posted by Xavier Ashe on October 22, 2007

Posted in Random Pics | Leave a Comment »

Need to print something?

Posted by Xavier Ashe on October 22, 2007

Try this Google Search.  Have fun!

Posted in For Fun, Security | Leave a Comment »

US military gets secure smartphone

Posted by Xavier Ashe on October 22, 2007

Finally, there's a phone plan that allows you to switch from
the US government's Secret Internet Protocol Router Network to the
unclassified Internet Protocol Router Network with a single keystroke.

The US National Security Agency has authorised military and government
personnel to order General Dynamics' Sectera Edge secure, wireless
smartphones, which will not only allow them to make secure calls but
also to e-mail and Web browse in either classified or unclassified

The phones will still operate using the existing GSM, CDMA and commercial Wi-Fi networks.

Sweet… I know a few folks that will happy to not have to carry two phones anymore.  Real the full article on ZDNet Australia (why is the Australian ZDNet covering this?).

Posted in Security | Leave a Comment »

Why gangsters love their BlackBerrys

Posted by Xavier Ashe on October 10, 2007

Police often say that organized crime in B.C. is big business.

perhaps it was only a matter of time before gangsters here adopted the
device of choice among corporate workaholics: the BlackBerry.

device has become so popular among B.C. gang members that an internal
RCMP “threat assessment” on organized crime produced this year devotes
an entire section to the device.

“Every message that is sent via a BlackBerry is broken up into 2Kb
[kilobyte] packets of information, each of which is given a 256-bit key
by the BlackBerry server,” said Totzke. “That means to release the
contents of a 10Kb e-mail, a person would have to crack five separate
keys, and each one would take about as long as it would for the sun to
burn out — billion of years.”

Read the full article.

Posted in Security | Leave a Comment »

I'm sorry… I am too busy blogging!

Posted by Xavier Ashe on October 4, 2007

Posted in For Fun | Leave a Comment »

Understanding SOA Security Design and Implementation

Posted by Xavier Ashe on October 3, 2007

Securing access to information is important to any business. Security
becomes even more critical for implementations structured according to
Service Oriented Architecture (SOA) principles, due to loose coupling
of services and applications, and their possible operations across
trust boundaries. To enable a business so that its processes and
applications are flexible, you must start by expecting changes ā€“ both
to process and application logic, as well as to the policies associated
with them. Merely securing the perimeter is not sufficient for a
flexible on demand business.

In this redbook security is factored into the SOA life cycle reflecting
the fact that security is a business requirement, and not just a
technology attribute. We discuss a SOA security model that captures the
essence of security services and securing services. These approaches to
SOA security are discussed in the context of some scenarios, and
observed patterns. We also discuss a reference model to address the
requirements, patterns of deployment, and usage, and an approach to an
integrated security management for SOA.

This book is a valuable resource to senior security officers, architects, and security administrators.

Download the RedBook here.

Posted in Security | Leave a Comment »

UK can now demand data decryption on penalty of jail time

Posted by Xavier Ashe on October 3, 2007

New laws going into effect today in the United Kingdom make
it a crime to refuse to decrypt almost any encrypted data requested by
authorities as part of a criminal or terror investigation. Individuals who are
believed to have the cryptographic keys necessary for such decryption will face
up to 5 years in prison for failing to comply with police or military orders to
hand over either the cryptographic keys, or the data in a decrypted form.

Part 3, Section 49 of the Regulation of Investigatory Powers
Act (RIPA)
includes provisions for the decryption requirements, which are applied
differently based on the kind of investigation underway. As we reported last
, the five-year imprisonment penalty is reserved for cases involving
anti-terrorism efforts. All other failures to comply can be met with a maximum two-year sentence.

The law can only be applied to data residing in the UK, hosted
on UK servers, or stored on devices located within the UK. The law does not
authorize the UK government to intercept encrypted materials in transit on the
Internet via the UK and to attempt to have them decrypted under the auspices of
the jail time penalty.

Read the full article on ArsTechnica.

Posted in Security | Leave a Comment »

%d bloggers like this: