Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A Cuckoo's egg"] [Next entry: "NCipher have made product updates"]

How the secret service decodes encrypted evidence



I was emailed by Sean Hull to let me know about a link on slashdot that talks about how the US secret service cracks very strongly encrypted data held on criminals seized computers. The link on slashdot is http://hardware.slashdot.org/article.pl?sid=05/03/28/2026226&tid=172&tid=198&tid=103 but this points to and summarizes an article on the Washington Post website titled "DNA Key to Decoding Human Factor - Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence". This is a very interesting article describing the issues law enforcement officers have decrypting data held on criminal computers that has been encrypted with strong / long encryption keys. The normal problem is that the sun would burn out before any computer on the planet could try and brute force the keys. The U.S. Secret service instead is using clever techniques taking lessons from the search for E.T. They are tying together all staffs desktop computers to crack passwords but are using a special technique of creating custom dictionaries to use in the cracking effort. The system (DNA) searches the criminals hard drive and gets all plain text words and phrases from all clear text files and also from web sites that the cache and browser logs know about.

The technique works because people are sloppy and do not choose strong alpha numeric passwords but instead choose weak ones based on existing knowledge. Quite often a suspect’s password can consist of words based on their interests and coincidentally these words can be found on special interest sites they have visited.

This is an excellent article that describes the U.S. Secret Services efforts. I suppose the lesson to be drawn from this is to choose very strong alphanumeric passwords and use the strongest encryption that is practical for the purpose it is being used for. Do not use words from hobbies, interests or from words you may repeat in other documents or emails. This is not just a lesson for criminals but also for businesses that use encryption. If you want to use encryption successfully they use strong passwords. If you are not a criminal then the U.S. Secret Service is not going to be cracking your encryption keys anyway but competitors might, hackers might or even curious employees might. They might not have access to a network of PC's like this article though.