1. ezrunner's Avatar
    okay so biggest lesson here


    USE A COMPLEX password

    8lAcK8eRry98!o
    09-29-11 02:40 PM
  2. sam_b77's Avatar
    A chip off extraction usually involves removing the memory chip from the processor using a tool like a hot air gun, and then using a card reader to dump the data. Cellebrite is just developing the software to decode said dump.
    Why go to all that trouble? Just put a gun to the phone owner's head and ask for their password.
    The thing is that on other platforms you dont even need to go to the trouble of getting the password. There are neat little hacks and backdoors. The password is relevant only to safeguard the phone from someone else randomly accessing the data if you leave the phone lying on a table or something.
    Last edited by sam_b77; 09-29-11 at 03:18 PM.
    09-29-11 03:07 PM
  3. hornlovah's Avatar
    If the NSA wanted to get the data on my phone they can and have the means. You will never stop law enforcement from attempting to obtain data on electronic devices where it is within the law.
    I'm not so sure I agree with that. Theoretically it's possible to brute force anything, but you can set up a passcode that can entered in a few seconds that makes a brute force attack virtually unachievable with current technology. Even at the rate of hundreds of trillions of attempts a second. Google "password haystack gibson", disconnect from the internet, and play with that tool. Whether or not a judge can compel you to divulge your passcode hasn't been firmly established by U.S. courts yet.

    What you want to prevent is drive by hackings. Law enforcement will not be able to take apart your phone at a traffic stop to obtain your information with a hot air gun.

    Nobody ever said BB was impervious, but it is really difficult to get into the phone and those who have the tools are the same people who can take your computer with a warrant and do forensic analysis.
    Yup, I said a chip off extraction was a " laborious process that involves specialized equipment." Oh, and some one said the Blackberry's "security is still 100%" in this thread.
    09-29-11 03:26 PM
  4. hornlovah's Avatar
    Why go to all that trouble? Just put a gun to the phone owner's head and ask for their password.
    The thing is that on other platforms you dont even need to go to the trouble of getting the password. There are neat little hacks and backdoors. The password is relevant only to safeguard the phone from someone else randomly accessing the data if you leave the phone lying on a table or something.
    Agreed that BlackBerry is the most secure platform. We just need to stay informed and make adjustments to any new developments when necessary.
    sam_b77 likes this.
    09-29-11 03:31 PM
  5. avt123's Avatar
    Why go to all that trouble? Just put a gun to the phone owner's head and ask for their password.
    Hmm I don't know...Maybe because putting a gun to someone head (threatening to kill them with a weapon) and stealing their data is less of a crime then...just stealing data.

    The majority of BB users will probably never get hacked... All this is pointing out is that for those who have those options enabled is that they can be hacked, not that they will be.

    For everyone getting worked up about this, calm down and just use the steps to prevent this.
    Last edited by avt123; 09-29-11 at 03:36 PM.
    09-29-11 03:32 PM
  6. This_is_a_username's Avatar
    This is a non-issue. RIM can't fix the hole, because you can't stop brute force attacks like this. As far as I know all encyrption/decryption algorithms can be bruted forced. The variable is how long it will take. For those users who have sensitive information appropriate best-practices have to be applied to the password to make render the brute force approach a non-issue.

    If you have very sensitive information and you put the password 'A' on your phone, this is not RIMs issue. They gave you the tools to be as secure or non-secure as you want. You can also forgo the use of the media card and keep this information within the device memory.

    Stop blaming RIM when this is not RIMs issue.
    Having worked in IT security for more than ten years, most of the time with a world-class (Canadian) cryptographic software vendor (not RIM ;-), I feel compelled to make a clarification on what could have been done to counter the scenario described by Elcomsoft.

    They (Elcomsoft) apparently have been able to extract the key(s) used to encrypt user data sitting on said memory card.
    OK - no problem with that, as long as that key itself remains securely encrypted as well.
    But they apparently were able to decrypt that key using a simple bruteforce attack, trying out all kinds of combinations.
    And this is where they should have failed.
    Why? - Because using a sufficiently "secure" symmetric encryption algorithm (be it AES, or 3DES or IDEA* or CAST** ... you name it) and a key length of 128 bits or more would have posed a computationally intractable problem to Elcomsoft, since trying out all possible 2^128 combinations (about 10^39, i.e. roughly equal to the number of atoms in the known universe) would have required them to literally compute beyond the end of our civilisation or such...
    To make a long story short: Where's the problem??
    It is the software architects/product managers/software testers/quality assurance people/whoever at RIM forgetting to use what is called a "salt".
    This is a (pseudo-)randomly generated number used to pad the user's passphrase in order to arrive at a lengthy string, most of which is (pseudo-)random which could then be hashed to get a 128-bit (or longer) key which would be used to encrypt those key(s) used to encrypt the user data.
    The salt values would be generated and stored on the BB, never allowed to leave it and quite securely protected by the user's passphrase.
    This, along with some extra measures, is just nothing fancy and has been among security best practices literally for ages (i.e. decades).

    It is just a quite big oversight by RIM to let this flaw get through their QA processes!
    Frankly speaking, I am a bit scared by this, as the "salting" technique is so basic that every software developed dealing with encryption and secure coding practises ought to know it and apply it even without this being explicitely specified. Now I am really left wondering about the internal processes at RIM; maybe it was just a one-time occurrence...

    Cheers,

    Henry.

    * greetings to Xuejia Lai, IDEA's co-inventor and a former colleague of mine ;-)
    ** greetings to Carlisle Adams, CAST'S co-inventor and a former colleague of mine ;-)
    Last edited by This_is_a_username; 09-29-11 at 03:44 PM.
    hornlovah and TRlPPlN like this.
    09-29-11 03:35 PM
  7. sam_b77's Avatar
    Hmm I don't know...Maybe because putting a gun to someone head (threatening to kill them with a weapon) and stealing their data is less of a crime then...just stealing data.

    The majority of BB users will probably never get hacked... All this is pointing out is that for those who have those options enabled is that they can be hacked, not that they will be.

    For everyone getting worked up about this, calm down and just use the steps to prevent this.
    The gun part was metaphorical
    09-29-11 03:47 PM
  8. avt123's Avatar
    The gun part was metaphorical
    Lol no doubt...

    Guns do bring fast results though.
    09-29-11 03:50 PM
  9. hornlovah's Avatar
    The salt values would be generated and stored on the BB, never allowed to leave it and quite securely protected by the user's passphrase.
    This, along with some extra measures, is just nothing fancy and has been among security best practices literally for ages (i.e. decades).
    Some Blackberry users share their media card with other devices. How do other vendors store salted removable media passwords so that they can be accessed by another device?
    09-29-11 04:08 PM
  10. This_is_a_username's Avatar
    Some Blackberry users share their media card with other devices. How do other vendors store salted removable media passwords so that they can be accessed by another device?
    Sharing data is a requirement completely different from protecting them

    Well, I guess other vendors rely on no security at all or having users share the passphrases used to encrypt the data without leveraging salts.

    The only practical alternative that comes to my mind is using asymmetric cryptography with keys typically embedded in digital certificates (e.g. X.509 or PGP certs).
    Unfortunately I don't know much about RIM's implementation of end-to-end email encryption and BlackBerry's functionality in this respect, but to my knowledge they use digital certificates for all of their BES users, in order to allow them to securely exchange messages. I believe at least BES users could theoretically take advantage of the mechanism I describe; I don't know about all others, though.

    Provided this assumption is correct, the keys enclosed in those certificates could technically be used to persistently encrypt data residing on flash memory, as well (bar certificate extensions potentially mandating key usage just for email encryption). The encryption keys (and only they) would have to be explicitly encrypted for each "recipient" of the data to be shared. In other words, the recipients would have to be known and those people would have to have their personal certificates (with asymmetric keys inside) distributed to the data owner (could be done through simple address book lookup leveraging the BES infrastructure) before those data could be encrypted and the card removed from the BB for distribution.
    These requirements could potentially be too cumbersome or even unfeasible in some scenarios. But security is often opposed to user friendliness...
    Last edited by This_is_a_username; 09-29-11 at 04:42 PM.
    09-29-11 04:26 PM
  11. iN8ter's Avatar
    Right so we should not sweep this under the rug and hang RIM for a vague security flaw, while the Androids you carry deserve accolades for having so many security leaks?? Your logic or lack thereof astounds me.
    I don't require top security. I can care less what the Androids have. I use mine primarily to play music and surf the web. I don't even use the SD card on it, and all of my data is in cloud storage so unless Microsoft and Google's entire cloud is vulnurable, I can assume I'm "reasonably" safe.

    I'm not going to add encryption overhead to my device just so I can stop someone from getting my music files and umm... One picture I use as an avatar in my IM clients.

    Most of the applications I use on my phone store data kept on the phone encrypted (at least 128-bit), so that isn't an issue.

    I don't think I have to worry about someone hacking my WP7 device storage just yet, and I don't even use the HD2 much these days, if at all.

    Why are you so bitter?

    Don't answer that...
    Last edited by N8ter; 09-29-11 at 04:42 PM.
    09-29-11 04:37 PM
  12. samab's Avatar
    09-29-11 05:01 PM
  13. sam_b77's Avatar
    I don't require top security. I can care less what the Androids have. I use mine primarily to play music and surf the web. I don't even use the SD card on it, and all of my data is in cloud storage so unless Microsoft and Google's entire cloud is vulnurable, I can assume I'm "reasonably" safe.

    I'm not going to add encryption overhead to my device just so I can stop someone from getting my music files and umm... One picture I use as an avatar in my IM clients.

    Most of the applications I use on my phone store data kept on the phone encrypted (at least 128-bit), so that isn't an issue.

    I don't think I have to worry about someone hacking my WP7 device storage just yet, and I don't even use the HD2 much these days, if at all.

    Why are you so bitter?

    Don't answer that...
    If its all the same to you, I will answer that.
    So you don't need security. Great. Neither do I. I don't work for any intelligence network that I should need it. I can have my frnds use my phone and I'm not worried about the data on the device.
    But aren't you even a little concerned that an Android can be remotely hacked and information like credit card data etc can be taken away? A lot of people keep their passwords, PINs, credit card numbers on their phones. While it may be seem stupid to some, most people are unaware that phones pose a security risk and store the data on the phone. If this was brought to their notice, would they still keep the data on the phone? And if they were told about a platform that has not been hacked remotely,would they not choose that over Angry Birds?
    I'm interested in your answer to the extent that I'm curious how people would choose something which has a known and major security flaw and then convince themselves that its not important?
    And no I'm not bitter.I have the best phone in the market for me.
    09-29-11 10:35 PM
  14. katiepea's Avatar
    yeah it's easy to assume security is probably last on the list for a vast majority of smartphone users, me included, i'm not worried about it, i'm well aware of the risks, they seem minimal. i've had my credit card information stolen at a gas station by someone swiping the card through a reader, credit card fraud is rampant and there's no use in taking extreme precautions against it, if someone uses your information, you get your money back, you file a claim, it's not even that much of a hassle, it's happened to me several times, never from electronic means. i'd guess this is how most people feel, because the freedom of doing what you want out weighs security.

    android allows a lot of freedom, this comes at a security risk, it's pretty well documented, people know android is less safe, and it has twice the marketshare as it's closest competitor. i just don't think people care, or have that much reason to, you're talking about populations which put all of their information up willingly for the public to see anyway, facebook has 800 million users and is widely considered to be the biggest breach of privacy ever mounted.
    Last edited by katiepea; 09-29-11 at 10:53 PM.
    09-29-11 10:48 PM
  15. i7guy's Avatar
    In my case the freedom of doing what i want goes hand in hand with security. Just like I lock my doors when I leave the house and don't leave the keys or keyless fob in the car, in this digital age I protect myself to the best I can without impeding me freedom to do what i want when I need to do it.
    09-29-11 10:53 PM
  16. katiepea's Avatar
    pretty good point, the biggest security risk there is is leaving your phone somewhere or losing it, and there's nothing a company can do for you there, other than offer remote wipe, which everyone has built in now i think.
    09-29-11 11:19 PM
  17. phonejunky's Avatar
    Wow is all I can say after reading this article. Technology is catching up.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-30-11 12:41 AM
  18. Laura Knotek's Avatar
    The reason I don't encrypt my media card, is because I would like to back it up on my computer by plugging it in directly. There is nothing there, other than some embarrasing pictures of me with my thumbs in my ears, that I care about anyone else seeing. lol
    Same here. I wouldn't consider encrypting the media card anyway. I like to be able to use it with my PC card reader. I mostly have music on my card, not pictures, anyway. All of my pictures would be safe for viewing on "family- oriented" sites.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-30-11 12:50 AM
  19. qbnkelt's Avatar
    Anyone using poorly chosen passwords should really expect to have vulnerabilities. Same as using the same password for all your credit cards or bank accounts. Being lazy can cause all kinds of trouble.
    Simply don't choose Device Password as the option. Simple enough.

    For those who don't care about security....interesting to see the comments when you find that your hard credit rating is compromised because information on your device was stolen.

    Want to go blithely through life not caring about security, fine. There are those of us who care more about our data than we care about games and having super specs. Not having an over muscled device does not compromise my credit rating. Having a device with well publicised and easily available hacks does.
    09-30-11 04:03 AM
  20. Rootbrian's Avatar
    Is this the same story from the beginning of the month?

    http://forums.crackberry.com/news-ru...kberry-644431/
    Right on, duplicate thread, same news, just additional information. All the software does is attack the backups, not the device itself.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-30-11 05:10 AM
  21. T�nis's Avatar
    I've always used the Device Password mode of encryption because I've wanted the option of being able to view my encrypted files in other BlackBerry devices. In light of this information, I've changed my BlackBerry's encryption mode to Device Password & Device Key. Sure, if the device wipes or goes potty in the bed the encrypted media files on my micro sd card will be useless, but that's what computer backups are for. I'll just reload them to my blackberry/micro sd card from my computer. Also, I use Strongest as my encryption setting, and my password is at least 21 characters long.
    09-30-11 06:32 AM
  22. T�nis's Avatar
    If you have device locked by password and media card encrypted using 'Device Password' options, then your password CAN be recovered in a short time.

    There is impossible to fix that vulnerability. RIM need to remove this option (encrypt using device password) from list.
    Although in light of this news, I've switched my BlackBerry device's encryption mode to Device Password & Device Key, it's not a good idea for RIM to remove the Device Password option for two reasons:

    1. The Device Password option provides an option for the average user to use encryption while not losing his media card files when his device fails; and (more importantly)

    2. The Device Password option allows advanced users (like myself) to have the option of temporarily selecting this option when it becomes necessary or desireable to move the media card to a different BlackBerry.

    Here's what I mean. Though I'm currently using the Device Password and Device Key mode which will not permit me to view encrypted media card files in another BlackBerry, if I want to move the card to another BlackBerry I can temporarily select Device Password, move the card to the other device, and once the card and all its encrypted files are accessible in the other BlackBerry (upon entering the card's password), I can then reapply the Device Password & Device Key setting making the card (again) impervious to Elcomsoft's media card attack. The Device Password encryption mode is still an important option, and it should not be removed by RIM!
    Buzz_Dengue and i7guy like this.
    09-30-11 11:31 AM
  23. i7guy's Avatar
    This is why a solid operating system is important. As said previously Android o/s seems to have daily reports of security breaches.

    Hackers using QR codes to push Android malware | ZDNet

    Regardless of whether your opinion is Blackberry phones are hard to hack because the o/s is solid, or nobody cares to hack them, I don't want to have to worry even the most innocuous of actions could get a trojan installed on my phone in a drive by fashion.

    edit: even though this appears to be a nuisance hack that could cost some money if you have prem. sms enabled, what is to stop someone from installing a worse type of malware.
    Last edited by i7guy; 09-30-11 at 02:00 PM.
    09-30-11 01:57 PM
  24. katiepea's Avatar
    What's to stop someone? Well not being an ***** mostly. I've never had malware on my phone, and never had a virus on my pc, 95% of malware is user ignorance, and malware exists on all platforms

    Posted from my CrackBerry at wapforums.crackberry.com
    09-30-11 03:39 PM
  25. Foreverup's Avatar
    09-30-11 03:53 PM
107 1234 ...
LINK TO POST COPIED TO CLIPBOARD