DNA - Distributed Networking Attack - and Encryption
posted by: Alison Gardner Biggs // 11:48 PM // March 28, 2005 // Digital Identity Management
The U.S. Secret Service is employing a new technique to break encryption on seized hardware. "DNA" links together 4,000 computers which are configured to try different password combinations against a series of encryption keys. Critical to their success is the "human factor" - that most users do not follow recommended advice to pick a strong, alphanumeric or random password. By combining this distributed computing technique with information gathered on suspects, investigators find encryption much simpler to break.
Of interest in the story also is just how easy your passwords may be to break: between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.
The full story can be found here.
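To make the two points of the story concrete (how fast a 4,000-node cluster exhausts a small keyspace, and how a password built from a user's own bookmarked content falls to a derived wordlist), here is an added password-policy check written for this post; it is not code from the article or the agency. The page text, the per-node guess rate and the one-year threshold are constructed assumptions; only the 4,000-machine count comes from the story.

```python
import re
import string

# Constructed sample, standing in for a page found in a suspect's bookmarks.
SAMPLE_PAGE_TEXT = "Welcome to the Falcons fan club! Go Falcons, 2005 season tickets and roster."

# Assumed per-node guess rate (placeholder); the node count is the 4,000 machines
# the article describes.
ASSUMED_GUESSES_PER_SEC_PER_NODE = 1_000_000
NODES = 4_000
ONE_YEAR_SECONDS = 365 * 24 * 3600


def words_from_text(text: str, min_len: int = 4) -> set[str]:
    """Lower-cased alphabetic tokens of at least min_len characters found in the text."""
    return {t.lower() for t in re.findall(r"[A-Za-z]+", text) if len(t) >= min_len}


def derived_from_content(password: str, words: set[str]) -> bool:
    """True if the password is a content word, optionally with digits appended (e.g. a year)."""
    base = re.sub(r"\d+$", "", password).lower()
    return base in words


def keyspace(password: str) -> int:
    """Number of strings of the same length drawn from the character classes the password uses."""
    classes = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def expected_crack_seconds(password: str,
                           guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC_PER_NODE * NODES) -> float:
    """Expected time for an exhaustive search, which on average succeeds halfway through."""
    return keyspace(password) / 2 / guesses_per_sec


def assess(password: str, content: str) -> str:
    """Policy verdict: reject content-derived or small-keyspace passwords, accept the rest."""
    if derived_from_content(password, words_from_text(content)):
        return "reject: derivable from personal content"
    if expected_crack_seconds(password) < ONE_YEAR_SECONDS:
        return "reject: keyspace too small"
    return "accept"


if __name__ == "__main__":
    for pw in ("1234", "Falcons2005", "kQ7mZp2xV9"):
        print(f"{pw!r}: keyspace={keyspace(pw)}, verdict={assess(pw, SAMPLE_PAGE_TEXT)}")
```

At the assumed rate the four-digit PIN and the bookmark-derived password are rejected, while a ten-character mixed-case alphanumeric password (62^10 candidates) survives the one-year threshold.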
I am glad that the named agency has the best encryption-cracking software; I'm also convinced of the importance of not utilizing the software in an unconstitutional manner.
I have long been appalled that having a very weak password is requisite to getting a library card at some, perhaps most, of our public libraries. When password selections are limited to four numerals, there are only 10,000 possible passwords.
But what about the library card account numbers? When the account numbers run consecutively, the ambitious cracker could take one account number, even his own, and move in either direction by addition or subtraction. Account information sometimes doesn't get cleared from library computers. Some paper items given at the circulation desk or mailed state a complete account number.
What personal information could possibly end up in the wrong hands? Items include name, address, and contact information; possibly information concerning family members; materials checked out and their due dates; requested materials. Due dates and dates requested materials are ready for pick-up are likely dates of visits to a particular library campus. Reading choices might fuel the emotions of the encroacher.
I doubt that the large public library system in this metropolitan Atlanta county is unique in its safety, security, and privacy vulnerabilities. This type of disclosure can be resented, but the vulnerabilities won't be addressed without attention.
Posted by: tenode at July 2, 2006 08:41 PM
I have learned some relevant information pertinent to my comment above. If there is a rule against augmenting a comment with a second comment, you may direct these remarks to those of your team who might be interested.
I've learned that the library information technology corporation DRA was acquired by SIRSI. DRA restricted PIN code passwords to four numerals, here at least. SIRSI, according to the public library web site, permits up to ten characters. Unfortunately, library account users were not informed by mail that the corporate acquisition had occurred, that old accounts were subsequently purged, or that strong passwords (PINs) up to ten characters in length could be created. It is the preference of the library system, as told to me this morning by Customer Service, to limit a PIN to four numeric characters. Most applicants comply, I am sure. After all, who knows of any problem with such a PIN?
The requirement to log in by entering one's account number and PIN when one wishes to search the library catalog, aside from being an intellectual freedom issue, results in weak PIN code passwords being typed and transmitted far more often.
The Brian Krebs article explains very well that somewhat sophisticated criminals err by not following common password-creation advice. Sadly, we public library users are instructed by librarians and library administrators to forego strong PIN code passwords. Unsophisticated encroachers can begin with simple methods, such as trying street address number and birth date. If manual trial and error seems too slow, there is reportedly blunt force software available.
Posted by: tenode at July 5, 2006 10:13 AM