From developer's point of view NVIDIA has always been superior. Ease of use, quality of SDK and drivers, thorough documentation. Apparently, they have invested a lot in developing, promoting and supporting CUDA.

Developing software for ATI cards is (okay — was) a nightmare. In 2009 ATI quietly introduced two changes in their drivers which made previously perfectly functional and compatible applications to crash (if you are curious: with Catalyst 9.2 or 9.3 they've changed names of supporting DLLs bundled with drivers; with Catalyst 9.9 or 9.10 they've probably changed format of underlying binary so that anything compiled and linked in with earlier versions caused a driver to crash). And there was almost no documentation with 1.x ATI SDKs.

But when it comes to pure mathematical performance (that is, not counting memory transactions) ATI cards are faster than NVIDIA counterparts, usually by far. Sometimes by very far. That's why we've been supporting them for more than a year already.

Next week we're going to update two of our applications — Elcomsoft Wireless Security Auditor and Elcomsoft iPhone Password Breaker. Among other things, they will support the use of both NVIDIA and ATI cards at the same time. Although I don't think this is a very common scenario, we've had some questions regarding possibility of such configurations.

Well, the answer is — it works! To verify this we've put GeForce GTX 295 and Radeon HD5970 into the same PC and tried to make this configuration work. This is how it looks before connecting power cables:

And this is how it looks after:

With Windows 7, there were no problems installing drivers for both cards, everything went smooth. We have used Catalyst 10.2 and Forceware 196.75 (it has been removed from website due to problems with fan control; I believe 196.21 will also work just fine).

If you will try to do this yourself, beware of one catch. After you have installed drivers you will see both ATI and NVIDIA cards in Windows Device Manager, but EWSA or EPPB will show only cards from one vendor. To overcome this you'll need to connect monitors to both cards and extend your Windows Desktop onto both of them. If you'll do this, our programs will be able to recognize all cards and you end up with something like this:

In fact, you can use both cards even with Windows XP! This is, however, not so smooth as with Windows 7. Performance for ATI cards is worse in XP, too. The funny thing is that XP seems to be unable to boot with two display drivers installed, so you have to uninstall one driver first, reboot, and then install it again (do not reboot!). Connect second monitor, and our programs will recognize cards from both vendors. If you will try to reboot, you will end up with BSoD and will need to boot in Safe Mode, uninstall one of drivers, and start over. Here's screenshot of EWSA running under XP x64:

NVIDIA will launch their new GPU generation codenamed Fermi on 26th of March. So far, we have no idea what performance we can expect from it — NVIDIA is not disclosing anything. Another issue with Fermi is that it will not be backward-compatible with previous GeForce generations at binary level. This means that many applications (including ours) will not work with Fermi-based GPUs until developers rebuild them for new architecture, test, optimize and verify code. So please do not expect EDPR or EWSA with Fermi support before at least late April.

Your organization probably has a written password policy. Accordingly you also have different technical implementations of that policy across your various systems. Most of the implementations does not match the exact requirements or guidelines given in the written policy, because they cannot be technically implemented.

Requirements that cannot be implemented can be anything from minimum/maximum length and complexity settings to non-measurable requirements such as "never use the same password at work as you use at home" or "do not use any word from any existing language today as whole or part of your password".

In almost any case, there will be differences between the written policy, and the technical implementation of the policy, in any system. Obviously, this really doesn't aid end users in choosing and maintaining good passwords, as there will be various settings forcing them to have different passwords and different change frequencies from system to system.

Most auditors will conduct random samples to verify if the technical implementation equals the written policy. Unfortunately they will usually accept most deviations based on technical issues, as explained by system maintainers. Some auditors may check random accounts for "password last set" and "last logon" information, in order to get a quick impression of the overall account maintenance status, eventually mixing that with at list of ex-employees to verify if their accounts has been disabled and/or removed.

What they won't do is any type of password cracking to sample the compliance of passwords against the technical or the written password policy. From my point of view the results from the audit performed will be pretty close to worthless. You really will have no idea about the real risk level you are facing.

Consider this: If the written and/or technical implementation of a password policy gets changed, it may take months, years and even decades before all accounts has their passwords changed in accordance to the new policy. This is especially true for environments where software for complete account management are not in use. (This is true for most environments i have ever audited through 13+ years).

This is a major reason for why you should do proactive password audits. Doing password audits on your own systems will effectively help you with verifying password compliance against the written password policy. This is the best way of finding the weak spots, such as accounts where the password equals the username (a very common finding everywhere actually). You are simply blind to the risk of bad passwords as long as you don't audit them properly.

In fact, i would say that any auditor that is not capable of performing such an audit upon request is simply not good enough. Their audit will not provide the necessary input needed for you to make real-life risk assessments and perform the necessary steps to reduce the risk accordingly.

Good luck with your next password audit!

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://Twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com. Comments and questions are of course welcome!

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com.

In case you do not know, iTunes routinely makes backups of iPhones and iPods being synced to it. Such backups contain a plethora of information, essentially all user-generated data from the device in question. Contacts, calendar entries, call history, SMS, photos, emails, application data, notes and probably much more. Not surprisingly, such information manifests significant value for investigators. To make their job easier there are tools to read information out of iTunes backups, one example of such tool being Oxygen Forensic Suite (http://www.oxygen-forensic.com/). Such tools can not deal with encrypted backups, though.

Starting with iTunes 8.2 and iPhoneOS 3.0 (that is, June 2009) it became possible to protect iTunes backups with a password. After you specify protection password, no backup data leaves or enters device unencrypted. That is, contacts, emails, photos, etc. are encrypted on the device, transmitted encrypted over USB cable, and saved encrypted on hard disk. Apparently, such backups exhibit much less value for investigators.

This is where our tool comes into play. Given a password-protected backup, it can run various password recovery attacks, trying thousands passwords per second. Unquestionably, it supports multi-core CPUs, extended CPU instructions, and acceleration using GPU cards (only NVIDIA for the moment, ATI and friends coming in a month or two). Technologically, the product is pretty cool (and it’s going to become better).

However, this is an early beta and it obviously lacks some functionality. You cannot pause/resume recovery. You are limited to wordlist-based attacks only. It is no way bug-free and it will expire on March, 15 after all. Still, you are invited to give it a try. You can download it at http://www.elcomsoft.com/eppb-beta.html.

Please submit your feedback to iphone at elcomsoft.com or use "Help ➯ Send feedback…" menu command from within program itself. Bug reports are welcome, so are suggestions and feature requests. Top contributors will receive iTunes gift certificates, free software licenses and discounts.

A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456″, followed by “12345″, “123456789″, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567″, “12345678″, and “abc123″ to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.

As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm Daniel V. Klein, ”Foiling the Cracker”: A Survey of, and Improvements to, Password Security,” 1990.

Remarkably, on guys’ returning there was no need to ask them about their trip, it was clearly seen on their fresh faces they are full of new ideas which is the most intrinsic value of all.

So, here is a photo-reportage…

Andrew Belenko is making his speech on the opening day

Vladimir, Dmitry, Andrew and Yurii at Tian’anmen

Dmitry Sklyarov is lecturing… as always

Andrew, Vladimir and Sprite, cigarette-break

Guess what?

CCFC photo session

Sometimes it is like in a fairy tale

Dmitry, Vladimir and Andrew and the Great Wall of China

Would you like centipede?…

Wires again…

A low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary has been recently unveiled. The so-called WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in about 20 minutes. Want to pay less, do it for $17 and wait 40 minutes to see the results.

Another notable feature is the use of the dictionary that has been set up specifically for cracking Wi-Fi Protected Access passwords. While Windows, UNIX and other systems allow short passwords, WPA pass codes must contain a minimum of eight characters. Its entries use a variety of words, common phrases and "elite speak" that have been compiled with WPA networks in mind.

WPA Cracker is used by capturing a wireless network's handshake locally and then uploading it, along with the network name. The service then compares the PBKDF2, or Password-Based Key Derivation Function, against the dictionary. The approach makes sense, considering each handshake is salted using the network's ESSID, a technique that makes rainbow tables only so useful.

Everything seems to be perfect, but for the fact that there exists another alternative to crack WPA passwords which allows to reach the same speed. Just instead of installing a 400-CPU cluster, it’s possible to set 4 top Radeons or about two Teslas and try Elcomsoft Wireless Security Auditor.

Our team was lucky to participate in this great event organized by the Government of Russia. It was the first time that we had the opportunity to take part in this exhibition, hope not the last one I’d like to share my opinion and overall impression of this event.

Actually, from the very beginning things went on smoothly, we were supplied with everything that was ordered (pleasant surprise for this country). Though we didn’t have much space at our stand, we were supposed to organize our booth very nicely, thanks to my colleagues, of course so our booth, compared to all those enormous, two-storeyed stands, managed to attract the attention not only of gapers, but of security specialists and/or our potential clients as well. Here are some pics from the show:

Our booth. Looks nice, doesn't it?!

Alexander Shplatov (Elcom’s senior programmer ) with our collection of awards and letters of thanks:

Hard working process =)

The entire view of the exhibition:

All in all, the show was really great, including the demonstration of military high-tech special technical equipment and weapons

Thanks to everybody who took interest in our soft and visited us at INTERPOLITEX 2009!

Hope we will reap the benefits of our participation in this show in the near future!