back to article Russian trouble makers find Quicken backdoor

A Russian firm that provides password-recovery services says it has found a backdoor in the encryption mechanism that Quicken uses to secure password-protected files, a feature that makes millions of users of the personal finance program more vulnerable to government spooks or other highly determined snoops. Elcomsoft, which …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I'm not surprised.

    I used to work tech support for a company that makes tax preparation software for professional accountants. The managers had a program for cracking passwords on our tax return files, which we occasionally used for customers who couldn't access a return. I'd wager it's fairly common in the industry.

  2. David Eddleman

    Trouble makers?

    Are you bloody insane? These people aren't troublemakers, they've found a backdoor and have notified people of it, rather than exploit it for their own use.

    The culprits here are Intuit, who put the backdoors in there in first place. Administrative-placed backdoors are nothing but bad.

  3. Chris

    Not too shocking

    This isn't too shocking. Given the computing power of equipment of the last few years or so, and the ease and cost of building your own cluster (or, for non-ethical companies, renting a botnet to act as a cluster) and running a distributed program to run the factorization necessary to crack a password, it was only a matter of time.

    This is one of the reasons I'm completely against biometrics used as passwords. Typed passwords can (and often are in enterprise settings) changed frequently. Knowing this month's password doesn't help you next month or next year. Biometrics, on the other hand, never change. You cannot change your fingerprint. So you will be using the same password forever. Isn't that exactly what security professionals explicitly tell us NOT to do? In other words, biometrics will make our data LESS secure.

    One other thing to consider about biometrics is that they act exactly the same as passwords do now, except the "password" is a number based on the biometric data instead of text you typed in. From that point, it's exactly the same -- the input mechanism sends the password to the program, and the program stores it or compares it against the stored hash. So in order to crack a biometric, all someone needs to do is get a copy of the password hash and run the same exact factorizations they currently do. Once they have the correct number, they just need a way to input it into the system (bypassing the biometric reader).

    Having said all that, do I have an answer or even a suggestion? Unfortunately, no, I do not. And while I know it's appropriate to come to the table with answers instead of just negative opinions, I have no idea what can be done. It seems that we will always be playing catch-up in the persistent-password arena. The only thing I can see, and it certainly is not a good workaround, it to use ridiculously long hashes (RSA-16834, anyone)? But even those will eventually be cracked by more powerful computers or clusters. Perhaps the answer is something like SecurID, a token which changes every minute or so. The problems with that are: A) cost, B) receiving the signal, and C) dependence on one company.

  4. Steven Knox

    Generalities are ALWAYS wrong.

    "Administrative-placed backdoors are nothing but bad." Tell that to the fella who has his past 10 years' financial data in Quicken, has forgotten his password, and is now being audited. Data management is always a compromise between convenience and security. I think Intuit did a pretty good job; the only failure I see is that they underestimated the speed with which cracking technology has advanced. But it also looks as if they're willing to admit that and work to improve their products.

    "...biometrics will make our data LESS secure." Certainly biometrics-only solutions will; but several solutions I've seen allow you require the biometric AND a password. I don't know a lot about the internal workings, but I'd guess that an ideal would be to encrypt the biometric data with a long secure hash based on the password, so that everytime you change your password the biometric data is re-encrypted, making old copies useless.

  5. Alan Donaly

    There isn't any way to secure.

    I don't know how many times this has to be

    proven to people there is no way to safeguard

    data on computer the only way to make it safe is

    to store it somewhere else. If you need it and

    you can't get it it's useless so password recovery

    is essential people complain about this are missing

    the point again, permanently locked up data is

    not secure it's lost the fact you can blame the user

    still doesn't make it secure it's still lost. You wouldn't

    call a program that crashed and burned taking your

    data with it secure would you so why this specious

    pretense that you should have no way to recover

    lost passwords it's the same.

  6. Paul van der Lingen

    Careful with that 'backdoor' reference

    headlines like this may offend Otto Stern - we know how easily offended he is..

  7. Anonymous Coward
    Anonymous Coward

    Backdoors

    There was a little website (that has now disappeared) that listed backdoors and weaknesses to well known encryption programs.

    Those ranged from ridiculous (from 4 character passwords to encryption key padding)

    It took my safe company a whole day of really hard work (I watched) to open my safe, when I forgot the password that I set. It would have been much easier to enter a backdoor password, but that would defeat the whole point of having a secure safe. If the backdoor password would be known to the engineers of the company, 100% that it would be known to the criminal element. They (the criminals) have access to all the codes, it would seem – I have seen with my own eyes a disk containing the software to program car keys for all the major car manufacturers.

    I am sure, however, that the safe company –does- have as backdoor password for the safe, but only the top level engenders would know it (and, obviously the security services)

    P.S. as an interesting side note, my clients are often horrified at the ease with which I get into computers (a guy is on lunch, but I need to do something on his PC, so outcomes a CD, and within a couple of minutes, I know his Windows Password) – Office and application passwords are even easier – it is amassing what “secrets” are held in internet explorer, for example ;-)

  8. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    Where's the problem?

    I don't see where the problem is with this.

    So a backdoor exists - so what? It sounds like it was well engineered, and non-trivial to access.

    Ultimately no password on a file should be considered secure, if you don't want people to look at your data then make sure they can't get at it! This is a *file* password backdoor, not a *system* backdoor, so it's useless if you haven't got the file. And if someone who shouldn't has got a file, you've already failed.

    Just because some people are incapable of physically and electronically securing their systems, or leave disks, tapes and laptops lying around is no reason to have data consigned to a black hole.

    It's far worse to lose access to data you have a legitimate reason (and legal necessity) to get into due to loss of a password (not just forgotten; death, dismissal, sabotage etc. can all be reasons), so a secondary way into the data is always worth having. After all, the IRS or HMRC aren't going to let you off because you've 'forgotten the password'...

  10. Dillon Pyron

    Respectable?

    They have a product that will "recover" the password. Which they are apparently selling. So getting in is now easy. But somehow they are "respectable".

  11. Gene Cash Silver badge

    Don't forget your passwords

    > Tell that to the fella who has his past 10 years' financial data in Quicken, has forgotten his password

    Uhm, how about "don't forget your password"?

    "You don't convince family members to remember passwords. Repeated, tragic data loss convinces family members to remember passwords. Same as everyone else."

    The people that expect software companies to instantly restore their forgotten passwords are the people to blame for poor password/encrpytion security, not the NSA.

  12. Richard Kay

    No such thing as perfect security

    It's always a trade off between security and usability. The news that a 512 bit RSA key has been factorised doesn't surprise me as we have been advised to increase these keylengths to 1024 or better 2048 for some time now. It also isn't a given that a 1024 bit key will be crackable any time soon, though rapid advances in quantum computing might render RSA obsolete at any feasible keylength. The fact is that people are not very good at remembering good enough password entropy to defeat distributed key cracking. Few people who have accounts at 20 websites will be using different credentials at all of them, unless they have most of these written down which is another problem. It is also likely that biometrics will gradually become more acceptable for an increasing range of applications simply because this allows a better set of trade offs between the cost, the convenience and the security level, and the problem of how to deal with it when it goes wrong.

    Whatever security humanity has the wit to make he also has the intelligence or forgetfulness to break, so any security system is either useless or it works against the customer if it is without human backup when the system fails e.g. the day it took some skilled engineers working for a safe company to get into a customer safe with a lost key. Generally RSA cryptography is strong enough so that attackers have to find other methods to beat a system, though any standard crypto algorithm will be weak in the DRM case where the keys have to be distributed together with the lock for the system to work in the first place.

This topic is closed for new posts.