ekmi message



Subject: Re: Microsoft COFEE, - Alternatively a True Brute Force Attack on RFID


Funny you should be talking about this just as EFF references an 
article on BoingBoing where the "brute force attack" of choice 
against RFID is a hammer. ;->

As to the Microsoft COFEE brute forcing passwords using tools on 
a USB key, I'd guess there is a lot of FUD involved. I don't 
believe one could shoehorn a Rainbow Table of a reasonable size 
into any current USB key, so one would be reduced to either 
LANMAN attacks or wiping the SAM file of the computer itself 
running ISOLinux. This would destroy the validity of the evidence 
for courtroom evidence purposes as not being able to prove that 
the data was not tampered with.

A true brute force attack against 10 characters and a 66 (U/L 
alpha and numeric plus 4 non-alphanumeric) or so key space at 
15X10^6 keys/second - average decent dual core rate - would take 
about a year assuming that you had a terabyte of storage on a 
portable USB drive with a pre-computed table that might 
conceivably take as little as 3+ years to pre-compute at 15x10^9 
keys/second. Add one more character to the password length or 
increase the key space and pre-computing the Rainbow Table is a 
couple of hundred years or more.

So then what are you left with? You can map the files without the 
password if the disk is not encrypted and get a lot of 
information that way, but forget this if the drive(s) or the 
files are encrypted.

FCCU Linux has almost all the tools one needs and it will fit and 
run from a USB key, so who needs Microsoft?

The takeaway is encrypt the drive/files and use a password of at 
least 12 characters and a key space of U/L alpha, numeric and the 
common other keys and your computer is secure enough for the 
moment. Tomorrow? Who knows.

Allen

BTW, Thanks to "Rainbow Chain Hash Cracking Calculator" by Tom 
Sullivan for the figures on key strength. If you can't find a 
copy of this, I'll send you one.

Adam Shostack wrote:
> My understanding, based mostly on what I've read in the press, is that
> COFEE is a set of scripts that run existing tools, making it easier
> for law enforcement to do things which are already known to be
> possible.  Note the words "executing 150 separate commands," which, I
> think, would be odd if this was something other than scripts, but
> appear in a lot of the news stories.
> 
> For example, I believe that there are several freely available
> password cracking tools and some commercial ones. For example, you can
> order John the Ripper to decrypt a system password on some operating
> systems.  I have no idea if a password cracker is included.
> 
> Speaking for me.
> 
> Adam
> 
> On Wed, Apr 30, 2008 at 03:36:28PM -0400, Arshad Noor wrote:
> | It can be "ordered to decrypt system passwords"???  So, I wonder
> | what attackers can do with this...
> | 
> | Arshad Noor
> | StrongAuth, Inc.
> | 
> | "Microsoft revealed its development of a digital forensic analysis toolkit at a security conference yesterday as part of a wider discussion of how technology can be used to fight crime. The Computer Online Forensic Evidence Extractor, or COFEE for short, is a USB thumb drive that contains software capable of executing approximately 150 separate commands. Once plugged in, COFEE can be ordered to decrypt system passwords, display a history of internet activity, and search the system for evidence...."
> | 
> | http://arstechnica.com/news.ars/post/20080429-new-microsoft-law-enforcement-tool-bypasses-pc-security.html
> | 
> | ---------------------------------------------------------------------
> | The Cryptography Mailing List
> | Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
> 

