November 29, 2010: 8:42 pm: Forensics, Password Security

I have decided I will put together some screencast video and supplement it with the blog post notes to show how I set up the AccessData DNA/EC2 rig.

I noticed something tonight as I am new to Amazon EC2. You can get a maximum of 20 on-demand instances. There is a way to request that your cap be raised, so perhaps if you are law enforcement or an established forensics firm you can get upwards of 100 nodes on demand.

However, there is another way. Spot instances are based on unused Amazon capacity that you bid for, and that limit is 100 instances. So if you bid higher than the spot price at that time to hold your instances, you could get 100 running without special permission (if the spot price later climbs above your bid, Amazon reclaims those instances). When I wrote this post the spot price for the medium-CPU Linux instance was $0.059 / hour compared to $0.17 / hour for on-demand guaranteed instances.

Keep in mind my test over the weekend gave us an average of 1,330,000 passwords per second per instance for that one test. If we assume that stays consistent, then we are looking at the options below for an hour. We are also talking about the DNA worker running on Ubuntu under Wine. I do not know how much, if at all, the average would increase if you did a Fedora instance with the native Linux DNA Worker code.

So if you are limited to 20 two-CPU instances averaging 1,330,000 passwords per second each, an hour on demand would cost you $3.40 and get you 95,760,000,000 password attempts.

If you get 100 two-CPU instances at spot pricing, it could be $5.90 for 478,800,000,000 password attempts in an hour.

For some interesting reading on EC2 and PGP cracking check out the post over at electrical alchemy.

February 5, 2010: 9:27 pm: Forensics, Programming

I have finally released my crowbarPGP Cocoa application. Included in the install DMG you can download below is a folder called Extras. I put several OS X Automator workflows in it that I have found useful or mentioned in other blog posts. You can edit them in Automator to see how they work.

I also added a new preference that lets you choose not to Growl-notify the found password while still getting a notification. Soon I will add that to the other crowbar apps. I also finally fixed the code to automatically ignore the carriage return character that comes from dictionary files originating on the Windows OS. This too I will shortly add to the other crowbar apps and release through the auto-update mechanism.

crowbarPGP is a dictionary attack tool for cracking PGP (www.pgp.com) Whole Disk Encryption and PGD virtual PGP Disk files. It requires OS X 10.5 or 10.6. One key thing: I included the PGD attack feature. However, I found a memory leak in the pgpdisk command last year. I informed PGP of it and provided them the backup material. Unfortunately my contact is no longer with PGP and the memory leak is still there in the recent v10.0 PGP for Mac OS X. So I strongly suggest you do not use that feature until they patch it. When they do I will post a blog update and likely do a small version increment to the program through the automatic updates feature.

Thanks again to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks as well to the following code and frameworks:

crowbarPGP

crowbarPGP - Download

July 19, 2009: 5:46 pm: Data Security, Forensics, Password Security

While I am working on a crowbar version for PGP Whole Disk Encryption, I took a few minutes to modify the previous script for PGP virtual disk files to hit WDE drives in case you need something right away. Keep in mind you need to determine the drive number with something like df, diskutil, etc.

When running the script you will see output like:

Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Password found!

Here is the script. Obviously you will need to change the path to your dictionary and the number after --disk to match the drive you are attacking. If you are clever, the pgpwde command is the same under Windows with PGP installed, so you could build a similar script there.

#!/bin/bash
# Change DICT to your wordlist and the number after --disk to the drive you are attacking.
DICT=/Volumes/ExternalDrive/Dictionaries/test.txt

# Read one line at a time (no word splitting on spaces), strip the trailing
# carriage return from Windows-made dictionaries and skip comment lines.
while IFS= read -r word; do
    word=${word%$'\r'}
    case $word in ''|'#'*) continue ;; esac
    # Piping the word in replaces the interactive prompt, so a wrong guess
    # errors out immediately instead of asking again.
    if echo -n "$word" | pgpwde --auth-disk --passphrase "$word" --disk 0; then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done < "$DICT"

echo "password not found :("
exit 1

June 2, 2009: 9:05 pm: Forensics

I actually took a vacation to the beach a couple of weeks ago. Relaxing as I watched the ocean waves, I decided to throw together a crowbar version to attack PGP virtual disk files. So where is it?

It did not take me long to adapt my script attack to a crowbar version. I did run into a big problem though, and this is why I have not released crowbarPGP. After running for about 10-15 minutes it will stop trying to mount the PGP virtual disk file. And in fact restarting the program won't resume the attack. You cannot get it to start over until you reboot your Mac. My conclusion is that there must be some sort of memory leak in the pgpdisk command. Hit that with a thousand attempts in rapid succession and it goes to hell.

I just don't want to release a program version when I know it's not going to be able to run to completion regardless of the dictionary file size. I'll catch the heat for what I feel is clearly a flaw in pgpdisk.

*Update June 5, 2009* PGP contacted me, I sent them the materials and a video demo. They actually said something about a thread not being released and it will be fixed. As soon as that works I'll release crowbarPGP.

February 21, 2009: 2:37 pm: Data Security, Forensics, Password Security

Today I was not up for writing any full program code. On top of that I recorded an upcoming Typical Mac User show with Victor, answering some listener questions about file encryption. One of the things we talked about was PGP for Mac. I got to wondering: what are the odds that they provide a command line option for mounting PGP-encrypted disks? Can I do yet another dictionary attack script?

Here is what I have initially found. Note we are talking about a PGP virtual disk file set up for passphrase, NOT key, authentication. You must have the commercial Mac PGP Whole Disk Encryption application installed.

There is a pgpdisk --mount command. So can we toss it in a loop like we did for DMG files? Why of course we can! Note that you need to change the dictionary path and file to the ones you want, and the same for the target .pgd file. In the example below the target is PGPTest, given as the full path minus the extension.

You will notice when you run your attack that you see some text about "Error -11998 – buffer too small". This is because normally, if the passphrase you enter is wrong, it prompts you three more times. Piping the word in with the echo at the front of the line makes that prompt fail, so the command errors out instead of waiting for the retries and the loop moves straight on to the next entry in the dictionary file.

#!/bin/bash
# Change DICT to your wordlist and TARGET to the .pgd file, full path minus the extension.
DICT=/Volumes/ExternalDrive/Dictionaries/test.txt
TARGET=/Volumes/MyBook/PGPDisks/PGPTest

# Read one line at a time (no word splitting on spaces), strip the trailing
# carriage return from Windows-made dictionaries and skip comment lines.
while IFS= read -r word; do
    word=${word%$'\r'}
    case $word in ''|'#'*) continue ;; esac
    # Piping the word in makes the retry prompt fail (the -11998 "buffer too
    # small" error), so a wrong guess moves straight on to the next word.
    if echo -n "$word" | pgpdisk --mount "$TARGET" --passphrase "$word"; then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done < "$DICT"

echo "password not found :("
exit 1
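The pgpwde script for WDE drives and the pgpdisk script here differ only in the command they run, so what follows is a generalized version of that loop as an added example; it is not code from the original post or from PGP. It takes the dictionary and the checking command as arguments, reads the wordlist one line at a time so entries containing spaces survive, strips the carriage return that Windows-made dictionaries carry, skips blank lines and lines starting with # (rather than any line containing #, so passwords with a # in them still get tried), pipes each candidate in on stdin the way the scripts above do, and counts attempts. The pgpdisk/pgpwde invocations in the comments follow the forms used on this page and assume the tools accept the passphrase as the last argument; is_passphrase and the CRLF wordlist in demo are constructed stand-ins so the loop can be tried offline.

```bash
#!/bin/bash
# Added example: a generic dictionary loop, not the original post's script.
#
# dict_attack DICTFILE CMD [ARGS...]
#   Runs "CMD ARGS... WORD" for every candidate WORD in DICTFILE and stops at
#   the first one that exits 0. CMD is whatever checks a passphrase, e.g.
#   (assumed invocation forms; confirm with --help on your own install):
#     dict_attack words.txt pgpdisk --mount /Volumes/MyBook/PGPDisks/PGPTest --passphrase
#     dict_attack words.txt pgpwde --auth-disk --disk 0 --passphrase
#   On return, ATTEMPTS holds the number of words tried and FOUND_WORD the hit.
dict_attack() {
    local dict=$1
    shift
    local cr word
    cr=$(printf '\r')            # a lone carriage return, for CRLF wordlists
    ATTEMPTS=0
    FOUND_WORD=
    # "|| [ -n "$word" ]" keeps a final line that has no trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        word=${word%"$cr"}       # drop the \r that Windows-made dictionaries carry
        case $word in
            '' | '#'*) continue ;;   # skip blank lines and leading-# comments only
        esac
        ATTEMPTS=$((ATTEMPTS + 1))
        # Feed the word on stdin as the post's scripts do: a wrong guess then
        # errors out instead of re-prompting, and the tool never reads from
        # the wordlist that the while loop is consuming on its own stdin.
        if printf '%s' "$word" | "$@" "$word" >/dev/null 2>&1; then
            FOUND_WORD=$word
            printf 'Password found after %d attempts: %s\n' "$ATTEMPTS" "$word"
            return 0
        fi
    done < "$dict"
    printf 'password not found :( after %d attempts\n' "$ATTEMPTS" >&2
    return 1
}

# Constructed stand-in for pgpdisk/pgpwde: exits 0 only for "letmein".
is_passphrase() { [ "$1" = "letmein" ]; }

# Offline demo against a constructed CRLF wordlist with a comment and a blank line.
demo() {
    local tmp
    tmp=$(mktemp)
    printf '# constructed wordlist\r\nwrong guess\r\n\r\nletmein\r\nnever reached\r\n' > "$tmp"
    dict_attack "$tmp" is_passphrase
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash script.sh demo` to see the loop find "letmein" on the second attempt. Passing the candidate on the command line, as pgpdisk and pgpwde require here, exposes it in the process list to other local users for the duration of each attempt; that is fine on a dedicated forensics workstation but worth knowing on a shared machine.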

December 8, 2008: 6:21 pm: Data Security

I recently moved over completely to a MacBook Pro at work. I had a Windows XP desktop with dual monitor support and had two external drives hooked up via FireWire. On top of that I use PGP and had full-disk encrypted both my external drives.

Shortly after completely shifting over to my MBP I found it hard crashing. I mean the hard crash that says on the laptop screen that you have to use the power button to reboot and recover from a crash. It took some basic troubleshooting, but here is what I found. I am running OS X Leopard with VMware Fusion, and I have Windows XP with PGP installed inside of it. I had to change the connection of the external drives from FireWire to USB, because VMware cannot pass FireWire devices through to the XP VM; it has to be USB. I plug in the drives while XP has focus and I get the normal prompt for the drive passphrase. I enter it and everything mounts up fine. It is not until after a good 5 minutes or more, with no specific timing, that the crash occurs. Every time. I rebooted, let the drives connect but hit cancel so they never mounted using PGP, and left the MBP running while I went to lunch. Magic, no crashes occur. Lastly, I go to decrypt the drives and find that PGP on the Mac side can mount the drives but says it cannot decrypt them because they were encrypted using PGP for Windows. So I had to hook them back up to my old desktop and decrypt them. Fortunately I had saved uninstalling PGP from the desktop as my last step and had not done it yet.

I have to make some decisions about the type of data on the external drives, maybe just encrypting some of it as a PGP disk file instead of full-disk encryption. Mixing PGP FDE inside VMware is definitely a quick way to crash your Mac repeatedly. I had even posted this on Twitter and got a response back from VMware. They agree it's an issue, something about hardware, drivers, etc. Of course, no solution. Likely that is something for PGP to work out.

April 19, 2007: 8:04 pm: Data Security

I put together some guidelines for our IT groups at work. Here is the central part of what I wrote. Keep in mind we just do manufacturing and distribution and currently have minimal processes in place, so I wanted something to start with to get everyone heading the same direction. Of course, if we ever need major efforts rather than just a process to cover occasional wiping, we can just send our stuff over to Data Killers.

Recommended Sanitization Tools

1. Software Wiping Tools

Choose a wiping solution and develop a local process document.

2. Drive Carriers

Obtain USB drive carriers to house hard drives for wiping.

Process of Sanitization

All storage media to be disposed of, given to a non-Company entity, or returned to a vendor after use within the Company must be securely wiped. The number of overwrite passes depends on the user or function of the storage device.

  • One Pass Overwrite Required: Any storage used for regular production department use, floor workstations etc.
  • Three Pass Overwrite Required: Any storage that has handled employee personal, financial or medical information. HR, Payroll and Finance would be examples.
  • Three Pass Overwrite Required: Any storage belonging to security, information technology, senior management.
  • Three Pass Overwrite Required: Any storage contained within a digital copier/fax machine.

At minimum, one PC in each IT department should be designated as a wiping station.

In the case of media that is unreadable in full or in part, one attempt to format and wipe the media with the tools must be made. If the storage met the requirements for a three-pass overwrite, the media must then be physically destroyed, because an overwrite on media with a physical error may not be 100% complete.

Example: PGP Free Space Overwrite

A laptop being used by HR is to be reassigned to another user.
1. Perform a factory reset of the laptop storage.
2. Load any desired software. These first two steps overwrite a large portion of the storage drive.
3. Remove the storage drive from the laptop.
4. Place the drive in a USB carrier.
5. Attach it to a PC with PGP installed.
6. Perform a free space wipe of the drive.
7. Replace the sanitized drive in the laptop and re-issue it.
