passwords no longer safe... thoughts?

T4x series specific matters only
o1001010
Sophomore Member
Posts: 165
Joined: Sat Nov 05, 2005 3:38 am

#1 Post by o1001010 » Sun Sep 24, 2006 5:27 pm

Thinkpad T60 2613-HDU
1.66 Core 2 2gb x1400-128 Fujitsu 60 14" sxga Chicony TP a/b/g BT

Thinkpad T42 2373-N1U
1.8 p-m 2gb 9600-64 Fujitsu 80 LG 15" Flexview Chicony TP a/b/g BT

christopher_wolf
Special Member
Posts: 5741
Joined: Sat Oct 08, 2005 1:24 pm
Location: UC Berkeley, California

#2 Post by christopher_wolf » Sun Sep 24, 2006 5:33 pm

People have been able to do that for awhile now. The thing is, it requires additional hardware and in-depth technical knowledge of the system.

There are quite a few guides out on the net as to how you can dump, read, then enter the codes for a Supervisor password ; these are mostly specialized for the older IBM Thinkpads and Toshibas given that they had fairly complex setups at the time. :)

Passwords don't really make anything 100% secure, they just make it such that someone that doesn't have enough patience and dilligence won't crack them in a certain timeframe until the password is changed again, hopefully if one is following good security practices, to something just as, if not even moreso, secure. :)
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c

~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"

vinny77
Posts: 44
Joined: Tue May 23, 2006 11:11 pm
Location: Bronx, NY

#3 Post by vinny77 » Sun Sep 24, 2006 5:41 pm

I could get through that quite easily.


Nothing new, could have done the same thing 8 years ago.

#4 Post by christopher_wolf » Sun Sep 24, 2006 5:49 pm

vinny77 wrote:
> I could get through that quite easily.
>
> Nothing new, could have done the same thing 8 years ago.

Really? :lol:

It is quite difficult even for experienced electrical engineers and, even for the 600 Series, requires clipping up to the Thinkpad in question, hooking that up to another computer, doing a dump of the code from a readout of the Atmel EEPROM (merely finding the right connections on the board is difficult enough), interpreting those codes, using a little-known program (starts with an R then some numbers, jog the good old memory? ;) :) ) and then using IBMPa..oohhh, gee I think I forget the name of the program, with the *correct* scancode and the right address to extract the passphrase, then entering that and *safely* uncoupling the two systems from each other (not to mention the correct power you would have to supply when they were coupled). Even the easiest ways of which I have seen require a minimal setup which is easiest on a breadboard. Should one make a mistake, then one is in danger of frying the EEPROM. There are also many methods out there that, whilst working 8 years ago, would not work on latest Thinkpads.

So no, not an "easy" feat by any stretch of the imagination. :D

#5 Post by o1001010 » Sun Sep 24, 2006 6:37 pm

[censored], why do they have to have that cracking technique on a T42? my machine.
i didn't know it existed until i saw it today. and it was a shocker to me. frankly i should have expected something.

there is still one form of security that is uncrackable. if you have a copy of the old PGP before it got bought, that thing has proven no backdoors. so if you enter a long string of passwords, i am talking about more than 20 characters, it will take hundreds of centuries to crack using brute force because the encryption contains no known weakness. and the calculation is from using 2 trillion guesses per second.

(26 characters + 26 capital letters and 10 numbers)^20 / 60 seconds / 60 minutes / 24 hours / 366 days.


i will post a thread for all your infophobias later

#6 Post by christopher_wolf » Sun Sep 24, 2006 6:46 pm

Mathematically proven unbreakable? There is a difference between that and "no backdoors" which implies software bugs (which *no* complex application is free of).

The only encryption system that can be mathematically proven to be unbreakable is an OTP, or One Time Pad, provided the following conditions are met:

1.) Perfect random numbers are used all the time and, if using a computer to aid in generation, their bit space must be at or larger than the data you are trying to encode. 2^32 can only cover, with no repeats, for 2^32 elements of data.

2.) The pads are used *once and only once* and are known only to the sender and the receiver.

3.) They have to be generated and securely stored for each transaction/individual pair.

In theory, it can be proven unbreakable; in practice, however, it proves it can be otherwise as can *any* other cryptographical method, including PGP. Remember it stands for "Pretty Good Privacy" and not "Absolutely Unbreakable Privacy." ;) :)

Although the EEPROM dump procedure is slightly more complicated for the T4X Series; you can still use the same programs as they are optimized for Atmel EEPROMs which, what would one guess, are still in Thinkpads. Although other things that are important to the procedure have changed. :)
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c

~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
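
Added example, not part of the thread: a minimal Python sketch of the one-time pad conditions listed in post #6. It shows why a single-use random pad leaves every same-length plaintext equally possible, and what leaks as soon as condition 2 is broken and a pad is reused. All function names and both messages are constructed for this illustration.

```python
# Added illustration; the messages below are constructed sample data.
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the matching pad byte."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `candidate`.

    One exists for every candidate of the same length, so a ciphertext
    made with a truly random, single-use pad favours no plaintext.
    """
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match the ciphertext length")
    return otp_xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts made with the SAME pad.

    The pad cancels out, leaving plaintext1 XOR plaintext2.
    """
    return bytes(a ^ b for a, b in zip(c1, c2))


def second_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known, pad reuse discloses the other."""
    return otp_xor(reuse_leak(c1, c2), known_p1)


if __name__ == "__main__":
    m1 = b"meet at the dock"   # constructed sample message
    m2 = b"pay 500 to alice"   # constructed, same length as m1
    pad = secrets.token_bytes(len(m1))

    c1 = otp_xor(m1, pad)
    assert otp_xor(c1, pad) == m1
    # Single use: c1 is just as consistent with m2 as with m1.
    assert otp_xor(c1, pad_explaining(c1, m2)) == m2

    c2 = otp_xor(m2, pad)      # condition 2 violated: pad used twice
    assert second_message(c1, c2, m1) == m2
    print("pad reuse disclosed:", second_message(c1, c2, m1))
```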

mrpaulin
Posts: 44
Joined: Sun Dec 18, 2005 2:24 am
Location: Vancouver WA

#7 Post by mrpaulin » Tue Sep 26, 2006 9:14 pm

I can understand how getting (or setting) the BIOS supervisor password could allow an attacker to clear the security chip, thereby mounting a denial-of-service attack. Ugly, and unrecoverable.
On the other hand, is the passphrase information stored in the security chip itself at risk? That is to say, could an attacker use a technique like this to gain access to a person's CSS-secured Windows login account and/or encrypted data?

#8 Post by christopher_wolf » Tue Sep 26, 2006 9:34 pm

mrpaulin wrote:
> I can understand how getting (or setting) the BIOS supervisor password could allow an attacker to clear the security chip, thereby mounting a denial-of-service attack. Ugly, and unrecoverable.
> On the other hand, is the passphrase information stored in the security chip itself at risk? That is to say, could an attacker use a technique like this to gain access to a person's CSS-secured Windows login account and/or encrypted data?

No, that is different. The data for the System Supervisor Password on the BIOS is stored on an Atmel EEPROM, 24RF08 on most Thinkpads through the 600 Series, and can be accessed this way. The Embedded Security Subsystem as well as the TPM module has a completely separate way to store and retrieve encryption parameters for hardware-based encryption and decryption. It has its own Atmel TPM (the only other maker of such certified TPM modules that I have seen is National Semiconductor). For some T23 models, before the TCPA standard that the current TPMs conform to, they had a security subchip that did data encrypted storage and communication and that was it; after that, there are two versions of the TPM. The latest version is present on *all* the T4X Series Thinkpads and follows the overall TCG spec.

That said, it is pretty difficult to crack it and, physically, it will make the mobo stop working if you mess around with the chip such as removing it. Although there is a software set that potentially has the ability to access it as well as reset the TCPA (a copy of the "Rest Security Chip" function already on Thinkpads with CSS and ESS). On the T43/p, R52 (shares the same planar as the T43 and T60/p), near as I can tell, the functions are integrated somewhat.

It is possible, but far more difficult than just getting the supervisor password for the BIOS, as if that wasn't already difficult enough. Given that the data for encrypted data is, itself, encrypted in the hardware. Which means, once you can even think of doing a dump of the EEPROM without some security mechanism breaking/corrupting everything (I have seen examples of such ROMs do this even unintentionally), you have to figure out how you will decode the stored encryption data which you will need to *then* decrypt the data that was encrypted by the chip in the first place. This is one of the biggest obstacles to it and simply because they added another layer of encryption, based on hardware. :)

So it is possible, but far more difficult to do on the later Thinkpad (T4X Series, T6X Series, R5X Series, R6X Series, X6X Series) than it would be on a Thinkpad with the older forms of the security subsystem/chip that only gained trusted boot abilities nearing the more modern Thinkpads, which indicates a close tie with the BIOS. :)

Although this can't be done remotely, it requires some tools and physical handling of the Thinkpad; so it rules out any internet based attacks, unless the user was *really* gullible and followed many instructions. :lol:

That includes the security subsystem as, without hardware and software mods, there is no way you are getting to that data. So as long as the Thinkpad is in the protection of the operator, it is extremely safe if all the safeguards are put up. Just like an OTP encryption system where both pads must be kept safe, protect your Thinkpad and it will protect you and your sensitive information. :D

#9 Post by o1001010 » Wed Sep 27, 2006 12:28 am

it's funny how that forum has both supervisor and hd password cracker.

i am still going to make a mega security post, well, about how i protect my system, right after i pass my security+ certification.

and chris, you know a lot about passwords and stuff, how did you come by it?
:D

egibbs
Senior Member
Posts: 896
Joined: Tue Apr 27, 2004 6:05 am
Location: New Jersey

#10 Post by egibbs » Wed Sep 27, 2006 6:03 am

As "reasonably" secure as the security chips are, if you parse the original subject line it is correct. Passwords are no longer secure, and have not been for a while. Dictionary attacks, rainbow tables, and social engineering have reduced passwords to the status of the little lock on your bathroom door - it keeps people from just walking in but can be easily defeated by someone willing to expend even minimal effort.

The later TP models all have the ability to set passphrases, which can be secure if chosen carefully. But I wonder what percentage of users really use a 24 or more character high entropy passphrase?

Ed Gibbs

carbon_unit
Moderator Emeritus
Posts: 2988
Joined: Sat Apr 24, 2004 9:10 pm
Location: South Central Iowa, USA

#11 Post by carbon_unit » Wed Sep 27, 2006 6:09 am

They don't really have a HD password cracker. The only way they can get the HD password is if it is the same as the supervisor password. Otherwise you are out of luck.
T60 2623-D7U, 3 GB Ram.
Dual boot XP and Linux Mint.
Registered linux user #160145

#12 Post by o1001010 » Wed Sep 27, 2006 12:51 pm

they use a HD dictionary attack

and both my supervisor and hd passwords are 20+ characters

the key is pass-sentence

i love my thinkpad and it's my baby

that is a decent pass-sentence, with the space

#13 Post by egibbs » Wed Sep 27, 2006 1:06 pm

But "1 love my 1st Thinkpad named jlWqut and it's my bAby" is better. :wink:

And "1 l0v3 My Th1nkp8d named jlWqut & 1t'5 m1 b8by" is better still.

But pretty soon you reach the point of ridiculosity.

Ed Gibbs

#14 Post by o1001010 » Wed Sep 27, 2006 2:00 pm

not really because that will slow down your typing speed and if someone is good at it, they can pick it up.


if you mix in numbers that will give you 62^x characters instead of 52^x. but a longer pass-sentence x will still beat numbers and the slow typing speed.

#15 Post by christopher_wolf » Wed Sep 27, 2006 2:35 pm

Well, not even typing speed can save one sometimes. Research has been done such that the investigating researchers were able to reconstruct passwords and passphrases from the sounds that the keyboard makes whilst the user is typing it in. :lol:

#16 Post by egibbs » Wed Sep 27, 2006 6:30 pm

And some people actually silently mouth the letters or numbers as they are typing in a difficult password or opening a combination lock (I've caught myself doing the latter). A lipreader can pick them up.

Ed Gibbs

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#17 Post by jdhurst » Wed Sep 27, 2006 6:47 pm

I may move this slightly off-track, but here are my thoughts on passwords:

1. On a ThinkPad, if you are concerned about security, implement a hard drive password. These are extremely secure because almost no one can reset them. IBM generally will not for example. If anyone thinks breaking a hard drive password is easy, let him / her speak up here. :)

2. On other passwords, Cain can break most passwords easily. I broke E Gibbs' first password in about 3 minutes. That needs 3 Gb of tables. The tables for special characters take about 21 Gb of disk space. You can buy the tables on DVD for relatively small dollars today.

... JD Hurst

#18 Post by christopher_wolf » Wed Sep 27, 2006 7:12 pm

Breaking a HDD password isn't easy in the slightest and is, at the very least, as difficult as cracking the BIOS passphrase.

I also find that many people seem to think that stuff like Zip, RAR, or Word passwords will protect their files; this is anything but secure. Given the surge in computing power and storage density we have seen over the years, as well as general trends in social engineering, it is really no longer viable to have even a secure password. The security of the system as a whole is only as strong as the weakest link.

I also still contend that a Thinkpad that has all its security features engaged, is a secure system if and only if the operator keeps it close, applies strong passwords with high entropy, and thinks a little more about downloading and running certain programs without caution. Just that extra 1 or 5 minutes has the potential to save one much pain later on as well as increase the security level of the system overall. :D

For the tables, you could code a little program to make up very large tables to go through; a benefit, somewhat slight though, would be that you could cause it to follow certain trends from a file and then write out a set of passwords based on that. :)

#19 Post by o1001010 » Thu Sep 28, 2006 2:19 am

the thing from security plus says that a successful windows password is not a mixed one like h@xOr, but rather a long one that is more than 14 characters long because if the password is longer than 14 characters then windows does not use the LM hash to store it. LM hashes are very easily hackable
Thinkpad T60 2613-HDU
1.66 Core 2 2gb x1400-128 Fujitsu 60 14" sxga Chicony TP a/b/g BT

Thinkpad T42 2373-N1U
1.8 p-m 2gb 9600-64 Fujitsu 80 LG 15" Flexview Chicony TP a/b/g BT
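
Added example, not part of the thread: a Python sketch of the LM preprocessing behind the 14-character rule in post #19, with the search-space arithmetic from posts #5 and #14 applied to it. LM uppercases the password, pads it to 14 bytes and hashes the two 7-byte halves independently, so each half can be searched alone. Assumptions: ASCII-only passwords, a 69-symbol LM alphabet (95 printable ASCII characters minus the 26 lowercase letters), and the thread's figure of 2 trillion guesses per second; the function names are constructed for this illustration.

```python
# Added illustration; sample passwords are taken from the thread or
# constructed. The DES step applied to each half is not reproduced here.
LM_MAX_LEN = 14
LM_ALPHABET = 95 - 26          # printable ASCII with lowercase folded away
GUESSES_PER_SECOND = 2e12      # rate quoted in post #5
SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def lm_halves(password: str):
    """Return the two 7-byte inputs LM hashes separately.

    Returns None when the password is longer than 14 characters, in
    which case no usable LM hash of it exists.
    """
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().encode("ascii").ljust(LM_MAX_LEN, b"\x00")
    return padded[:7], padded[7:]


def lm_worst_case_guesses() -> int:
    """Each half is searched alone: two searches of 1 to 7 symbols."""
    per_half = sum(LM_ALPHABET ** n for n in range(1, 8))
    return 2 * per_half


def exhaustive_guesses(alphabet: int, length: int) -> int:
    """Candidates of exactly `length` symbols hashed as a single unit."""
    return alphabet ** length


def years_to_exhaust(guesses: int) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    samples = ("h@xOr", "Passw0rd123", "i love my thinkpad and it's my baby")
    for pw in samples:
        print(repr(pw), "->", lm_halves(pw))
    lm_seconds = lm_worst_case_guesses() / GUESSES_PER_SECOND
    print("any LM-hashed password: %.1f seconds" % lm_seconds)
    print("15 chars of a-zA-Z0-9: %.2e years"
          % years_to_exhaust(exhaustive_guesses(62, 15)))
```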

#20 Post by egibbs » Thu Sep 28, 2006 6:27 am

If you are really paranoid about security (which can be a good thing, especially if you are paid to be so) then you need to remember that passwords are just one layer in a multi-layered defense.

The first layer is physical security. If someone has unfettered access to your equipment for an extended period of time - hours or days, the game is pretty much over before it began. You need to put physical systems in place that prevent unauthorized access or limit access time to less than what would be required to do any real damage.

The second layer is operational security - things like policies prohibiting one person from being in the server room by themself, password (or passphrase) aging, prohibiting shared accounts like "Administrators" or "Vendors," regular audits of logs, safeguards to prevent people taking sensitive data home to work on it, etc.

Network security is critically important, but you need to remember that there is usually more than one network. I wonder how many machines with strong, high entropy passphrases are sitting on unsecured wi-fi networks when the user brings them home or connects to that access point in the President's Club while they wait for their flight?

Putting strong passwords on the hardware has a place even though many can be broken - if you are doing the other things right an attacker won't have time or opportunity to get through them.

You also need to consider data security. Sensitive data should be encrypted not just while it's sitting idle, but when in use, in transit, in backup, etc. There should be controls to limit the ability of users to copy, change or delete it to only that required for their job. There should be logs of who accesses it, and what they do with it.

People (not me) can and do make a living at this stuff, and there is a lot to learn and know. The consequences of a screw-up can be huge - just ask AOL, or the VA, or Ernst & Young, or Accenture, or General Electric, or Equifax, etc., etc.
