BitCracker: Password-cracking software designed to break Windows' BitLocker - The Daily Swig
Posted: 20 Nov 2019 04:08 AM PST

Open source tool leverages graphics processing to decrypt BitLocker-protected units
Researchers have outlined their progress in further developing BitCracker, a GPU-powered password-cracking tool built specifically to break BitLocker, the full disk encryption built into Microsoft Windows.

A white paper (PDF) recently published by Elena Agostini, software engineer at Nvidia, and Massimo Bernaschi, director of technology at the National Research Council of Italy (CNR), describes BitCracker as a solution designed to "attempt the decryption, by means of a dictionary attack, of memory units encrypted by BitLocker".

BitCracker was first released in December 2015 and has been continually developed since.

Dictionary attack

BitLocker is Microsoft's implementation of full-disk encryption, first released as an upgrade to Windows Vista in 2007. BitLocker is compatible with Trusted Platform Modules (TPMs) and encrypts data stored on disk to prevent unauthorized access in cases of device theft or software-based attacks. BitLocker To Go works in the same manner for external devices, such as USB drives.

The technology uses 128-bit AES encryption by default, but this can be configured to 256 bits for a heightened level of security.

Because BitLocker uses strong AES encryption, BitCracker relies on high-performance graphics processing units (GPUs) to make a dictionary attack viable. The software is available to the open source community and accessible via GitHub. An OpenCL implementation of BitCracker was integrated into the popular, open source password-cracking tool John the Ripper, version Bleeding-Jumbo, released last year.

"BitLocker decryption process requires the execution of a very large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPU, for both of them," the researchers explain.

BitCracker has been tested with three Nvidia GPU architectures: Kepler, Maxwell, and Pascal.
Bits and pieces

BitLocker uses two different modes of authentication: a user password or recovery mode. A user either types in a password to encrypt or decrypt a drive, or uses a 48-digit recovery key generated by BitLocker to access their content.

During encryption, each volume sector is encrypted individually using a Full-Volume Encryption Key (FVEK) and a Volume Master Key (VMK), the latter of which is also encrypted and stored in the volume. If a drive has been encrypted using the user password method, for example, in the volume metadata you will find two encrypted VMKs: one encrypted with the user password and one encrypted with the recovery password.

During decryption, BitLocker begins by decrypting the VMK, then the FVEK, and then the disk itself.

The BitCracker tool focuses on decrypting the VMK, exposing a password capable of decrypting a device. A dictionary attack is performed, leveraging GPU performance and power.

The SHA-256 standard expands each message block into what is known as "W blocks" before hashing it, and so to speed things up the team created a precomputation facility for some sets of W words, reducing the number of required arithmetic operations by creating a rainbow lookup table. This cannot be applied to other SHA-256 setups, however.

To further increase the speed of potential attacks, Agostini and Bernaschi were also able to remove MAC computation and comparison.

BitCracker's performance was benchmarked against another popular password cracker, Hashcat, using a Pascal GPU. The team acknowledges that the comparison is not entirely fair, as Hashcat does not use BitCracker's W-block functions or MAC computation. However, Hashcat was capable of 3,290 million hashes per second (MH/s), a result the researchers say is "comparable to BitCracker's best performance on the same GPU."
BitLocker's complex encryption process means that there is a limit to the number of passwords that can be tested at one time. However, the research paper suggests that with a single high-end GPU it is theoretically possible to attempt over 122 million passwords in only 24 hours.

"The results show that BitCracker may compete with a state-of-the-art password cracker in terms of raw performance on the basic computational kernels whilst it is the only one providing specific shortcuts to speed up the BitLocker decryption procedure," the researchers explain.

Future developments

There are limitations to BitCracker. The tool is currently only able to evaluate passwords of between eight and 27 characters, and users must supply their own input dictionary.

In addition, BitLocker is often used in conjunction with a TPM in enterprise settings rather than relying solely on a user password, so attacks may be limited to consumer setups, or perhaps to individuals in particular organizations rather than company-wide deployments.

As noted by Reddit user and GitHub contributor Rarecoil, the tool is also several years old, and both dictionaries and optimized rulesets have now advanced beyond BitCracker's scope of attack.

Agostini and Bernaschi have also proposed methods to improve BitCracker in the future, including adding a mask mode attack or assigning smart probabilities to input dictionaries to speed up the process.

Microsoft declined to comment on the academics' work. The Daily Swig has reached out to the authors of the paper but had not heard back at the time of publication.
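The TPM point above is the one a defender can act on: a BitLocker volume whose only unlock secret is a typed password is the configuration a dictionary tool aims at, while TPM-bound volumes are not. The PowerShell below is an added example (not from the article or the BitCracker project) that uses Windows' built-in BitLocker module to list each volume's AES mode and key protectors and flag password-only volumes; the function name and the set of protector types treated as hardware- or key-bound are this example's own assumptions.

```powershell
# Added example, not from the article or the BitCracker project: inventory the
# BitLocker volumes on a Windows host and flag those that rely on a typed
# password alone. Assumes the built-in BitLocker module (Get-BitLockerVolume)
# is present and the shell is elevated.

# Protector types (assumed list) that bind unlock to the TPM or to an external
# key file rather than to a password a person types.
$hardwareOrKeyProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey')

function Get-BitLockerPasswordOnlyVolumes {
    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names attached to this volume (may be empty
        # for an unencrypted volume).
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasStrongProtector = @($types | Where-Object { $hardwareOrKeyProtectors -contains $_ }).Count -gt 0
        $hasPassword        = $types -contains 'Password'

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod   # AES mode, e.g. 128- vs 256-bit
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # A volume is exposed to offline guessing only if a typed password
            # unlocks it and no TPM/key-file protector is required.
            PasswordOnly     = ($hasPassword -and -not $hasStrongProtector)
        }
    }
}

# Report, password-only volumes first. Those are the candidates for adding a
# TPM-based protector or moving to a stronger passphrase; the rest need the TPM
# or a key file to release the VMK.
Get-BitLockerPasswordOnlyVolumes |
    Sort-Object PasswordOnly -Descending |
    Format-Table MountPoint, VolumeType, EncryptionMethod, ProtectionStatus, Protectors, PasswordOnly -AutoSize
```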
17 Top Cybersecurity Tools To Know - Built In
Posted: 19 Nov 2019 10:34 AM PST

Cybersecurity spending grows each year — it reached $114 billion in 2018 and is forecast to hit $170 billion by 2022 — but "losses due to data exfiltration, stolen IP, and ransomware are accelerating," Steve Nicol, vice president of sales and marketing for Cigent, told Built In. In other words, increased security spending doesn't always make information more secure.

What accounts for this gap? Well, cybersecurity is complicated. Effective security systems have multiple layers, like an onion. Each layer mitigates a different type of threat and fits with the others to form an intricate barrier between hackers and sensitive data. This barrier is so intricate, though, that it can even bamboozle system administrators, preventing them from making the most of their security arsenal.

Top Cybersecurity Tools
Built In recently spoke with three cybersecurity professionals who demystified the tools of their trade. Besides Nicol, and with the help of Women in Cybersecurity, two other experts — Rachel Busch, Cigent's director of sales; and Deveeshree Nayak, an information security lecturer at the University of Washington at Tacoma — offered insights about the six key security layers as well as the field's top hardware and software.

Network firewalls

A firewall, Nayak said, is like a house door: an outer layer of security that determines what can enter your system. Her eminently sensible advice: "You want to keep your door closed. It protects you from danger."

Firewall software, which comes preloaded on most Macs and PCs, shields individual devices from malware, viruses and other inappropriate content. Preset firewalls are typically pretty generic, though, so enterprises regularly use hardware firewalls as well. Comprising a $6 billion industry, the latter can often prevent inappropriate communications from coming and going by taking a holistic view of your network, Nicol said.

Fortinet's FortiGate
Company location: Sunnyvale, Calif.

This constantly updated hardware firewall excels at what software firewalls do: blocking sketchy websites and malware downloads, and scanning even encrypted data for threats. (Some firewalls can't scan encrypted data, even though it constitutes up to 90 percent of all the data devices receive.) FortiGate has technological capabilities far beyond that, too. Its AI-enabled software constantly monitors all the network's active users and applications for threats, and it can recognize and block cutting-edge malware, even when it has never encountered it before.

Palo Alto Networks' Next-Generation Firewalls
Company location: Santa Clara, Calif.

This company makes an eclectic array of network firewalls. Its hardware ranges from an enterprise-scale solution for large offices to a "ruggedized" device for harsh climates.
To complement these, the company also offers virtual firewalls for cloud-based environments. (Secure as hardware firewalls are, they can't protect remote servers.) These virtualized firewall processors slip threat prevention into cloud-based development and deployment pipelines, so that DevOps engineers can deploy quickly and frequently without compromising security.

Cisco's Firepower-Equipped Next-Generation Firewalls
Company location: San Jose, Calif.

Cisco's intrusion prevention software, Firepower, is integrated into its next-generation firewalls. Once activated, the software updates automatically every three to five minutes, staying abreast of the latest threats. Take WannaCry, the 2017 ransomware attack that locked more than 200,000 people out of their computers until they paid a ransom. Cisco engineers had created defenses against WannaCry months before it made national news. Firepower also comes in handy when an attack sneaks onto a network, by helping enterprises scope and contain the impact.

Antivirus software

For individuals, firewalls and antivirus software constitute the bare minimum of security. At an enterprise level, though, two security layers aren't always enough. "Our clients have had those and still have been hacked," Busch said. If a firewall is the door to your house, Nayak said, antivirus software might be the door to your bedroom: it protects you against threats already in your system by scanning existing files. "They look for certain signatures of files to identify malware attacks," Nicol said.

Symantec's Norton Antivirus Plus
Company location: Mountain View, Calif.

The Norton family of antivirus software has more than 50 million users globally, many of them PC users. Though it has some Mac functionality, this antivirus works best in PC environments, where its machine learning algorithms autonomously identify and neutralize malware and misbehaving apps.
Using an emulation protocol, the software even test-opens files on a virtual computer before opening them on users' actual devices, which unearths hidden bugs. This sounds like it could slow operating systems, but the tests finish in milliseconds.

McAfee AntiVirus
Company location: Santa Clara, Calif.

McAfee has been a household name since the 1990s thanks to its popular antivirus software and its colorful founder. But while the man and his company have parted ways, the latter continues to offer innovative protection (for PC devices) against ransomware, spyware and other threats. McAfee also bundles its antivirus software into multi-layer security packages for enterprises, which feature tools like endpoint detection and response software.

Bitdefender's Antivirus Plus
Company location: Bucharest, Romania

Bitdefender's premium antivirus software offers a grab bag of security features in one antivirus product. Besides protecting against ransomware and other malware (in Autopilot Mode, it can handle these threats without user input), it also offers features like a password wallet, a designated ultra-secure browser for online banking, and phishing protection. This premium antivirus also comes with 200 MB of daily VPN access, which lets users connect securely to even the most dubious public WiFi networks.

Endpoint Detection and Response (EDR) software

This souped-up software checks file signatures for signs of malignancy, but also monitors behavior. "A good EDR system can detect suspicious activity running on an endpoint," said Nicol — whether that endpoint is a PC, a Mac or a server. EDR is especially important, Busch explained, when a hacker has entered a system. For the hack to have serious impact, the hacker must be able to siphon information out of your network. But EDR software can essentially quarantine compromised devices, so no new intel can be sent or received. That cuts off hacks at the knees.
Even in less serious situations, EDR monitoring makes unusual activity visible to system administrators. That can be essential to flagging moles and much more. It's pricey, though, so EDR is typically only used by major companies.

Carbon Black's CB Defense
Company location: Waltham, Mass.

This EDR tool continuously scans enterprise networks, even tracking the activity of devices (or endpoints) while they're offline. When its predictive models sense early signs of a threat, it tracks the problem to its source and highlights all the potentially affected endpoints along the way. The software also allows administrators to isolate issues in various ways: by sequestering specific computers, for instance, or by banning a problem app from the network. CB Defense comes with built-in antivirus, too, which means it can jump on attacks from hackers and malware alike.

CrowdStrike's Falcon Insight EDR
Company location: Sunnyvale, Calif.

This company's Falcon Insight EDR monitors network activity in real time, all the time. It stores activity data, too; within five seconds, administrators can use powerful search functionality to review the activity that occurred in a specific five-second window or over the course of an entire year. Administrators rarely need to run manual searches, though; this SaaS tool flags threats on its own and suggests targeted response solutions that contain and shut down intrusions. It's also not prone to what CrowdStrike terms "silent failure," which occurs when attackers lurk on a network for multiple days.

SentinelOne's ActiveEDR
Company location: Mountain View, Calif.

Some EDR software prioritizes visibility (displaying all the threats across a network to centralized system administrators), but this software prioritizes speed. When it confronts a threat, it doesn't merely upload data on the threat's exact dimensions to the cloud and wait for a human to respond. Instead, it equips each individual device with decision-making AI.
The trained algorithms investigate, document and ultimately neutralize threats. They then send rigorously contextualized incident reports to a central repository for human review. This outsourcing of threat-hunting to AI frees up security personnel to focus on outlier threats and macro-level patterns.

Anti-phishing tools

Phishing is all about persuading people to click on malicious links by promising that those links are benign — even important. It happens primarily through messaging platforms like email and chat apps, whose built-in spam filters block most generic phishing attempts from generous Nigerian princes and the like. Targeted phishing attempts, though, can be harder to block. Generic spam is often sent out to thousands of people at once, while a targeted phishing email might be sent only to one user from an author posing as a trusted friend or institution.

"Some [cyberattacks] are so targeted, and they look so real," Busch said. For instance: "We see hackers now… go on your Facebook page and see this weekend you were at a children's hospital event. They'll buy a domain similar to that and say, hey, thank you so much for coming this weekend. Here's a link to your receipt or pictures from the event or please sign up." Neutralizing that type of scam, which can trick even tech-savvy CEOs, requires special anti-phishing tools.

Vircom's modusCloud
Company location: Montréal, Quebec, Canada

This cloud-based, enterprise-level spam filter is a SaaS offering, which means no hardware and no update installation. Users simply sign up online for an array of email protection services, including domain-level email encryption and a backup inbox to use during server outages. One essential feature is an anti-phishing layer that's designed to prevent personalized attacks. It scans emails for domain spoofing and checks link safety in real time.
TrustedSec's Ethical Phishing
Company location: Strongsville, Ohio

This information security consulting team assesses enterprise-level cybersecurity by running targeted phishing campaigns. Sort of. Rather than actually stealing or corrupting sensitive information, they track which employees click on risky links and attachments and assess the workforce's overall security savvy. (In addition to email phishing, they also attempt network break-ins via phone call, SMS and personal encounters.) The company's work helps clients check the effectiveness of their cybersecurity training and the robustness of their breach response protocols.

Encryption tools

Encryption essentially encodes data, making it harder for outsiders to access. You've probably heard the term "plaintext" — that's unencrypted data. Once encrypted, it becomes "ciphertext," and users need a key to decode it. Typically a password, the key could also be a physical key or a fingerprint.

As Nicol explained, there are two main types of encryption: software encryption and hardware encryption. Software encryption is more selective, encrypting individual files and folders. Hardware encryption involves encrypting an entire device. As more and more enterprises move to the cloud, however, hardware encryption has become less practical. The downside is that while software encryption is certainly better than nothing, according to Nicol, "hardware [encryption] is far more difficult to hack."

NewSoftwares.net's Folder Lock
Company location: Beaverton, Ore.

Folder Lock software can encrypt files, but it can also "lock" them. Doing so hides files from the Windows operating system so users need a password to access and open them. On its own, the lock feature functions as snoop protection; it's even stronger paired with encryption. On Folder Lock, users can encrypt and/or lock files, folders and entire drives; the software also allows for encrypted cloud storage.
In a way, its "shredding" feature functions as irreversible encryption. A kind of hyper-deleting tool, it keeps even forensics software from piecing a deleted file back together.

Apple's latest MacBooks
Company location: Cupertino, Calif.

A prominent example of hardware encryption is Touch ID-enabled MacBooks and MacBook Minis. First released in 2018, they contain hard drives that are encrypted by default and can be decrypted only via the owner's fingerprint. At setup, Apple's Touch ID technology encrypts and stores users' identifying biodata (read: fingerprint) in a T2 security chip (read: in designated security hardware). The chip is physically separated from the hard drive, which makes it virtually immune to malware. It's even more secure when paired with encrypted hardware.

Cigent's Bare Metal
Company location: Fort Myers, Fla.

Bare Metal was designed for the core paradox of encryption: people encrypt essential information rather than just deleting it because they need to refer to it later. But when they refer to it, they have to decrypt it, leaving it vulnerable. Bare Metal essentially functions as a lookout in these situations. If a threat is sensed, it locks down the important decrypted file and stashes it in the computer's firmware. Once that happens, even discovering the sensitive file's existence requires authentication.

Penetration testing software

Penetration testing software essentially tests all the security tools above. Does your security system have enough layers? Do those layers actually work? Penetration testing is often handled by human experts rather than software. But Nayak said some software also plays a key role in penetration testing, and can even run certain tests autonomously.
PortSwigger's Burp Suite
Company location: Knutsford, Cheshire, United Kingdom

Burp Suite's vulnerability scanner autonomously crawls enterprise web presences in search of 100 common security holes — things like volatile content, cross-site scripting and SQL injection. The software relies on a mix of static and dynamic techniques for its tests, which means it peruses underlying JavaScript and observes the application in action. Administrators can schedule recurring Burp Suite scans, each of which culminates in detailed visual maps of an application's strengths and weaknesses.

Rapid7's Metasploit
Company location: Boston, Mass.

Rapid7's Metasploit does the tech equivalent of turning dirt into gold by transforming hacks into cybersecurity improvements. The software connects to a constantly updated database of "exploits," or successful real-world hacks. Users can run automated simulations of any of these on their enterprise networks to see how their defenses respond to realistic threats that evade antivirus programs and spread aggressively. For IT teams, it's good practice in containing breaches. It also helps them identify and prioritize network vulnerabilities.

Open Web Application Security Project's ZAP
Company location: Bel Air, Md.

This free and open-source software scans web applications both passively and actively. The passive scanner monitors every request and response that's sent to an app, in the process flagging suspicious messages. The active scanner conducts automated penetration testing, which attacks the app to test its reaction. That can be a complex process; users can, for instance, use a "fuzzing" feature to identify vulnerabilities too nuanced for an autonomous scan. But don't be intimidated — the hundreds of volunteers who created ZAP designed it to work for cybersecurity newbies, too.