Russian Software Company Says Its App Can Crack BlackBerry Security
AZA43 leaps into the ranks of accepted submitters, writing "Russian security software vendor Elcomsoft has released an app that it claims can determine BlackBerry handheld passwords. The software supposedly hacks the BlackBerry password via an advanced handheld security setting that's meant to encrypt data stored on a user's memory card. And a hacker doesn't even need to have the BlackBerry to determine a password, just the media card."
Re:someone cracks blackberry security (Score:5, Informative)
news at 11...big freaking deal...
You act like this is either unimportant or not news. I'm not sure which.
Fact is while there's a lot of FUD floating around regarding things like RIM "caving in" and dropping BIS servers in questionable countries, there haven't actually been very many actual real-life exploits for the phones or their communications. Blackberry phones remain the only ones on the market that encrypt all data traffic by default and that encryption can't be disabled. If you're on BIS or if you're on BES, your unencrypted web traffic, e-mail traffic (even POP3) is encrypted at the device. That's still worlds ahead of the other devices.
There's reports that one exploit exists that can decrypt Password Keeper data from a phone backup on a PC. There's this report that discusses recovery of phone unlock passwords. There's the widely discussed and misunderstood reports about RIM dropping BIS MDS servers in unfriendly countries and what that allows (hint: it has zero to do with Blackberries not in those countries).
RIM's stuff is by and large still very, very secure by any comparison and their phones are unique in that regard. So the way I see it, this is both news (being a genuine security hack) and relevant (these phones being the best on the market).
So stuff your ignorant sarcasm.
Re: (Score:1)
quote you:
So stuff your ignorant sarcasm.
quote end...
Yep...stuff me, that will solve all issues right there.
unlike you, I actually know something about it, but then again, would you even care?
You write...RIM's stuff is by and large, very secure...etc... yep.. you do live in a cubicle of security beliefs don't you? Do I really care? Nope...not really..just trying to inform the likes of ya. Take the information any way you like it. I get my burger edgeways.
Re: (Score:2)
would you even care?
Yes.
just trying to inform the likes of ya.
Inform away. So far you've got zero information content in either of your posts. Mine summarizes the known exploits and security topics. Yours don't. Feel free to drop the newsburger edgestuff at 11 nonsense and communicate with us. Drop down to the lesser language of English and educate me.
Re: (Score:2)
Pics. Or it didn't happen.
Slapping your epenis around with ol Psycho isn't terribly entertaining. You know something? Tell us.
Re:someone cracks blackberry security (Score:4, Interesting)
RIM stuff is largely security by obscurity at this point however, very few people have seemingly tried to pull their stuff apart, and the few that have didn't find good things, see the pwn2own contest from this year for one such example.
Android, iPhone and even Windows Mobile devices are much easier to target because they are largely based on existing systems which are well understood... RIM are using a totally obscure black box that requires significant investment of time to reverse engineer. This doesn't mean it's secure, it just means that hackers will need to spend more time to find holes in it. On the other hand, it means that whitehats will also require more time to reverse engineer the system, whereas it's highly possible that blackhats have already stolen the source code.
Most devices provide the option to run a VPN between the handset and a server under your control, only RIM require that there be a server under their control sitting in between.
Most devices (RIM included) can also boot up and start talking to the network without requiring any user input, therefore the keys used for this encryption must be stored on the device somewhere, just waiting for someone appropriately skilled and motivated to work out how to extract them...
Re: (Score:2)
RIM's stuff is by and large still very, very secure by any comparison and their phones are unique in that regard. So the way I see it, this is both news (being a genuine security hack) and relevant (these phones being the best on the market).
This seems to be misunderstood as either a crack or a break in the security of the BB. It is neither. Elcomsoft is using a crib that they have found to attempt dictionary and/or brute force attacks, nothing more. See this blog post [crackpassword.com] for the specific details about the file they are using. Unless there is something else that they haven't mentioned, this is a garden variety known plaintext attack.
In Soviet Russia... (Score:2)
Do Russians contribute anything useful? (Score:3, Insightful)
Re: (Score:1)
They provide entertaining plane/sub/ etc disasters. Oh, and Putin does stuff like lying about finding ancient vases etc when he goes swimming. He's like that bearded Iranian twat. But without the beard.
Re: (Score:1)
Have you seen that picture of him riding the shark though? A guy who could harness a wild shark and ride it around the sea, is probably badass enough to happen upon an ancient vase. Even more likely to do so because he would be traveling at shark speed through the water, rather than human speed.
I wonder what would happen (Score:2)
if Putin crossed paths with Chuck Norris
Mod parent up. (Score:2)
Kaspersky?
Talk about getting pwned.
Re:Do Russians contribute anything useful? (Score:4, Funny)
Are there any Russians that contribute something positive to the world of software?
Tetris alone puts them way ahead of most countries.
Re: (Score:2)
they have pinouts for everything!
http://pinouts.ru/ [pinouts.ru]
Re: (Score:3, Insightful)
One might view the testing and breaking of security as a valuable contribution. How else will companies like RIM learn?
Re: (Score:1)
Unfortunately, RIM has two CEOs, and it appears it takes them twice as long as everybody else to learn things.
Re:Do Russians contribute anything useful? (Score:5, Funny)
Re: (Score:1)
I am former Soviet, Israeli, Canadian, currently in Europe building and selling/deploying software systems that analyze and integrate retail operations within store chain (integrate stores into a chain) and between stores and suppliers/manufacturers. It's hard business to compete with Oracle, SAP, MS in this field as well as with a number of smaller providers, including Russian 1C (1S), which is supported by Russian government, even their owner is a 'comptroller general' for a very large part of Russian Fed
Re: (Score:2)
It seems like the only time I read about anything Russians do with computer tech, it involves botnets, stealing passwords, and ripping off people's bank accounts. Are there any Russians that contribute something positive to the world of software?
No, of course not, you stupid retard. All Russians are criminals, right?
How are you not ashamed of publicly admitting that you don't read anything is beyond me, though.
Re: (Score:2)
They do. There are a lot of Russian programmers working here in the US contributing quite heavily and positively to "the world of software". It's just that good news aren't as exciting.
Engineer is really a third rate profession in an oil and gas rich country like Russia. Everyone wants to be a boss of some kind and to sit just a wee bit closer to the pipe. A few companies that manage to pull together good talent generally either work for the local market (because US is impossible to get into if you're not a
Re: (Score:3)
Racist? Errrm...okay, I give up, how does casting aspersions on Russians constitute racism?
The GP though should give the Russians a break. First the Tsars, then Stalin, and now Putin. Russkies do have a knack for finding the least capable people to run the country. Having a government which is the moral equivalent of La Cosa Nostra isn't a recipe for success. The Russkies should be hailed for still trying to succeed in spite of their leaders.
Re: (Score:2)
Yeah good points. I'll add Nginx to the list. Jeez - that webserver software has been killing it in terms of capabilities (and market growth) for about 4 years. All thanks to a solid Russian OSS developer named Igor Sysoev.
And if you want to dig a little deeper, the GiST index system for Postgres which enables GIS, spherical projections (for astronomy) and all kinds of other amazing solutions in Postgres - thanks to two great (and amazingly smart) guys also in Russia. http://www.sai.msu.su/~megera/postgres/ [sai.msu.su]
Sergey Brin? (Score:3)
http://en.wikipedia.org/wiki/Sergey_Brin [wikipedia.org]
Re: (Score:1)
rarlabs, akella, http://l10n.gnome.org/languages/ru/ [gnome.org]
Re: (Score:2)
If they disclose the vulnerability instead of just exploiting it then it's useful. Also, Russians are very good at IT in general, [wikipedia.org] you just only hear about the hackers as they are the ones to make the news.
Re: (Score:1)
Isaac Asimov's Three Laws of Robotics. Initially, I found the simplistic algorithm to be strangely fascinating; in hindsight, I realized the exposure was my first experience with the idea of programming--something I still find strangely fascinating.
From: ...Are there any Russians that contribute something positive to the world of software?
--
"God, please stop me before I code again."
Not reliable... (Score:5, Interesting)
Re: (Score:1)
I don't think so. The Troubador password may have 5,748,511,570,879,116,626,495 possible requirements if brute forced, but it does not require pure brute forcing. A modified dictionary attack would quickly crack a one word password like that because people use certain patterns. For example, the capital letter usually only appears at the first position and numbers and symbols are appended to the end of the word. Additionally, "troubador" is likely to appear on some expanded word lists (in fact the comic
Re: (Score:1)
The real question, however, is will any such attack against Blackberries be successful before RIM is out of business? Hmmm, come to think of it this is sort of like TKIP but on a macro level.
I wonder how they managed that... (Score:1)
Isn't this the sort of thing that hashing is supposed to solve?
Re: (Score:3, Informative)
The password is not stored in any form, of course. But if there's encrypted data on the card, and that data can be decrypted using only the password, then you can just try every possible password until you find one that doesn't result in gibberish. This is called a known-plaintext attack [wikipedia.org].
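Added example, not part of the thread: a sketch of why data encrypted under a password-derived key works as an offline check for guesses, why the 5,748,511,570,879,116,626,495 figure quoted earlier (every string of 1 to 11 printable-ASCII characters) overstates the work when a password follows the word-plus-suffix pattern, and how the key-derivation iteration count scales the cost per guess. Assumptions: an HMAC over a constructed header stands in for the encrypted file, PBKDF2-HMAC-SHA256 is an illustrative KDF rather than the one BlackBerry uses, and the symbol set, the 100,000-word list size and the rate of 10^9 PRF calls per second are made-up parameters.

```python
import hashlib, hmac, re

HEADER = b"CONSTRUCTED-KNOWN-HEADER"  # constructed stand-in for predictable plaintext
SYMBOLS = "!@#$%&*?"                   # assumed symbol set for the suffix pattern

def verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """Stand-in for data encrypted under a password-derived key: whoever
    holds this value and the salt can test guesses offline, without the
    device and without the password being stored anywhere."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(key, HEADER, hashlib.sha256).digest()

def guess_matches(guess: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    return hmac.compare_digest(verifier(guess, salt, iterations), stored)

def brute_force_space(max_len: int, alphabet: int = 95) -> int:
    """All strings of length 1..max_len over printable ASCII."""
    return sum(alphabet ** k for k in range(1, max_len + 1))

def pattern_space(n_words: int) -> int:
    """word (lower-case or Capitalised) + 0-2 digits + optional symbol."""
    return n_words * 2 * (1 + 10 + 100) * (1 + len(SYMBOLS))

def fits_pattern(password: str, words: set) -> bool:
    """Policy check: would the pattern above generate this password?"""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,2})([" + re.escape(SYMBOLS) + r"]?)", password)
    if not m:
        return False
    word = m.group(1)
    return word.lower() in words and word in (word.lower(), word.capitalize())

def days_to_exhaust(space: int, iterations: int, prf_per_sec: float) -> float:
    """Worst-case days to try every candidate when each guess costs
    `iterations` PRF calls and the guesser performs `prf_per_sec` of them."""
    return space * iterations / prf_per_sec / 86400

if __name__ == "__main__":
    salt = bytes(16)  # constructed; a real salt is random per card
    stored = verifier("Troubador7!", salt, 1000)
    print("correct guess verifies offline:", guess_matches("Troubador7!", salt, 1000, stored))
    print("brute force:", brute_force_space(11), "pattern:", pattern_space(100_000))
    print("policy flags Troubador7!:", fits_pattern("Troubador7!", {"troubador"}))
    for it in (1, 100_000):  # assumed rate of 1e9 PRF calls per second
        print(it, "iterations ->", days_to_exhaust(pattern_space(100_000), it, 1e9), "days")
```

The pattern check is a password-policy aid: a password it flags sits in a candidate space roughly thirteen orders of magnitude smaller than the brute-force figure, so only the iteration count stands between the card and a quick recovery.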
Puzzling (Score:1)
Re: (Score:2)
Dunno. Here in South Africa, everybody has a BB. In an average week I probably see 3 people posting their new BBM number on facebook. Just because the US all went iPhone doesn't mean the rest of the world particularly agrees.
In other news (Score:5, Funny)
In other news "Other Russians Say They Cracked BlackBerry Years Ago" but kept mum about, for "financial and business reasons". ;)
Same key? (Score:2, Interesting)
Pure speculation here:
Since this only works with media encryption enabled, I'm guessing this is an alternative cipher attack. They can't directly obtain the Blackberry device password, but they can break the media encryption (perhaps because it is a much weaker cipher). The media encryption key is likely the same as or derived from the device password, allowing an expedited attack on that.
Moral of the story: If you derive a key for a weak cipher from a key used for a strong one, make sure you use an irrev
Blast to the past: Dmitry Sklyarov (Score:4, Informative)
Let's try not posting this as an Anonymous Coward by mistake.
This is the same company that employed Dmitry Sklyarov, one of the first people to be arrested under the DMCA for breaking the encryption on Adobe's eBook format.
http://en.wikipedia.org/wiki/Dmitry_Sklyarov [wikipedia.org]
Nothing to see here... (Score:3)