AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

iPhone Worm Password Cracked By Data Security Company

You've probably heard the news by now that there is an iPhone worm making its way out of Australia.  Initially, it started out as a prank.  However, many security professionals pointed out that this code can be modified to do some real harm.

Now, those fears have come true, with a second iPhone worm out in the wild.  This one will also affect only those iPhones that have SSH installed and that have neglected to change the root password, "alpine."  This new worm behaves like a real bot, regularly checking back with its master for additional commands and updates.  It sounds like someone took the original code and just made updates to it.

What does this have to do with data encryption?  Absolutely nothing...and yet, maybe everything.  It certainly could be construed as an example of why password-protection is not as good as encryption, and why some effort should be put into creating passwords.

Password for Second (Modified) iPhone Worm - New Password Is "ohsh**t"

One of the things the new worm does is change the root password, from "alpine" to something else.  Why would the hackers do this?  So you won't be able to remove the virus.  However, Paul Ducklin, over at Sophos, has found the new password to be "ohshit."

It looks like Mr. Ducklin used a hex editor to do some sleuthing, and then used a password cracker to find the password via brute force.

I often point out how password-protection is worthless when it comes to protecting your sensitive files.  Hex editors can be used to reveal the passwords, depending on the situation: for example, passwords protecting Microsoft Word files can be viewed using a hex editor.  In those instances where a password to a file cannot be seen (something other than Word), it could be modified using the hex editor, also allowing easy access.  In this iPhone worm instance, it allowed the analysis of how the new worm operates.

Using A Password Cracker

The new password for accessing the root account is quite...prosaic.  I would imagine that it took less than a couple of hours to figure out the password using a dictionary attack.  If the people behind this worm had really been serious, they would have made that password a little more complicated.

I mean, no numbers?  No capitalized letters? At least?  Password-wise, these iPhone botnet-masters are wannabes.

This, though, actually highlights another weakness when it comes to password-protection.  Generally, when it comes to password-protection, there is no limit on how many times the wrong password can be entered.  Hence, a brute-force attack can be carried out: all possible combinations are tried until something "clicks."

Granted, depending on the password, it may take forever to figure it out.  However, most people, including our hackers above, don't give password security much thought.  How does this compare with encryption?  After all, encryption software also uses passwords for access.

The difference lies in the implementation.  With a solution like full disk encryption, typing the correct password reveals, if you will, the encryption key and allows the information to be decrypted.  It's this encryption key that's really protecting your data.  Hence, one can set a limit on how many wrong guesses of the password are allowed, after which the encryption key is not revealed, ever.

At that point, anyone who really, really wants to read your data would have to guess at the encryption key, which would take centuries to figure out with current state-of-the-art technology.  You, however, as owner of the data, would just need to present the string of characters forming the encryption key to decrypt the information.  So, under encryption, the password is there for mere convenience; it's not there to protect anything, unlike password-protection, where the password is the protection (maybe).
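
The difference described above, as an added sketch that is not from the original post or from AlertBoot's product: a random data key is wrapped under a password-derived key, and the wrapped copy is wiped after too many wrong guesses. `KeySlot`, `MAX_ATTEMPTS`, the PBKDF2 settings and the XOR-plus-HMAC wrap (a standard-library stand-in for a real key-wrap cipher) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5          # assumed policy value, not taken from the article
PBKDF2_ROUNDS = 100_000   # assumed work factor


def _kek(password: str, salt: bytes) -> bytes:
    """Derive 64 bytes from the password: 32 to mask the data key, 32 to authenticate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=64)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeySlot:
    """A random data key wrapped under a password, with a wrong-guess limit."""

    def __init__(self, password: str):
        data_key = secrets.token_bytes(32)   # this key, not the password, protects the data
        self.salt = secrets.token_bytes(16)
        k = _kek(password, self.salt)
        self.wrapped = _xor(data_key, k[:32])
        self.tag = hmac.new(k[32:], self.wrapped, hashlib.sha256).digest()
        self.failures = 0

    def unlock(self, password: str) -> bytes:
        """Return the data key, or count the failure and wipe the slot at the limit."""
        if self.wrapped is None:
            raise PermissionError("slot wiped: only the raw data key decrypts now")
        k = _kek(password, self.salt)
        expected = hmac.new(k[32:], self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.wrapped = self.tag = None   # the password can no longer reveal the key
            raise ValueError("wrong password")
        self.failures = 0
        return _xor(self.wrapped, k[:32])
```

The limit only holds where the counter and the wrapped key live somewhere an attacker cannot copy and retry against offline, such as a hardware security chip or a management server.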


Related Articles and Sites:
http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.