
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


How the secret service decodes encrypted evidence



I was emailed by Sean Hull to let me know about a link on Slashdot that talks about how the U.S. Secret Service cracks very strongly encrypted data held on criminals' seized computers. The link on Slashdot is http://hardware.slashdot.org/article.pl?sid=05/03/28/2026226&tid=172&tid=198&tid=103 but this points to and summarizes an article on the Washington Post website titled "DNA Key to Decoding Human Factor - Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence". This is a very interesting article describing the issues law enforcement officers have decrypting data held on criminals' computers that has been encrypted with strong / long encryption keys. The normal problem is that the sun would burn out before any computer on the planet could brute force the keys. The U.S. Secret Service is instead using clever techniques, taking lessons from the search for E.T. They are tying together all staff desktop computers to crack passwords, but with a special technique of creating custom dictionaries to use in the cracking effort. The system (DNA) searches the criminal's hard drive and gets all plain text words and phrases from all clear text files, and also from web sites that the cache and browser logs know about.

The technique works because people are sloppy and do not choose strong alphanumeric passwords but instead choose weak ones based on existing knowledge. Quite often a suspect's password consists of words based on their interests, and those same words can be found on the special interest sites they have visited.

This is an excellent article that describes the U.S. Secret Service's efforts. I suppose the lesson to be drawn from this is to choose very strong alphanumeric passwords and use the strongest encryption that is practical for the purpose it is being used for. Do not use words from hobbies or interests, or words you may repeat in other documents or emails. This is not just a lesson for criminals but also for businesses that use encryption. If you want to use encryption successfully, then use strong passwords. If you are not a criminal then the U.S. Secret Service is not going to be cracking your encryption keys anyway, but competitors might, hackers might, or even curious employees might. They might not have access to a network of PCs like the one in this article though.
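
The advice above can be turned into a check at the point where a password is chosen: reject any candidate built around words that already appear in the user's own documents. The following is an added example, not code from this post or from the Washington Post article; the function names, the substitution table, the 12-character minimum and the sample text are all assumptions made for illustration.

```python
import re

# Common character substitutions undone before matching (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample text standing in for a user's own files and browsing history.
SAMPLE_DOCUMENTS = [
    "Weekend trip report: spotted a kestrel and two ospreys near the reservoir.",
    "Forum post about restoring my Triumph motorcycle carburettor.",
]

def build_vocabulary(texts, min_len=4):
    """Collect lower-cased words of at least min_len letters from the user's own text."""
    vocab = set()
    for text in texts:
        for word in re.findall(r"[A-Za-z]+", text):
            if len(word) >= min_len:
                vocab.add(word.lower())
    return vocab

def normalise(password):
    """Lower-case, undo common substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))

def personal_words_in(password, vocab):
    """Return the vocabulary words found inside the password, longest first."""
    # Match against two forms: substitutions undone, and digits/symbols simply dropped.
    forms = {normalise(password), re.sub(r"[^a-z]", "", password.lower())}
    hits = {word for word in vocab for form in forms if word in form}
    return sorted(hits, key=lambda w: (-len(w), w))

def is_acceptable(password, vocab, min_length=12):
    """Reject short passwords and any password built around a personal word."""
    return len(password) >= min_length and not personal_words_in(password, vocab)

if __name__ == "__main__":
    vocab = build_vocabulary(SAMPLE_DOCUMENTS)
    for candidate in ("K3strel2005!", "tr!umph-motorcycle-99", "vQ9#xL2m!Tz7pR4c"):
        print(candidate, is_acceptable(candidate, vocab), personal_words_in(candidate, vocab))
```

Appending digits or swapping letters for symbols does not get a hobby word past the check, which is the same weakness the custom-dictionary approach relies on.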