Friday, May 15, 2015

Brute-Force Attacks Explained: How All Encryption is Vulnerable

Brute-Force Basics

Brute-force attacks are simple to understand. An attacker has an encrypted file — say, your LastPass or KeePass password database. They know that this file contains data they want to see, and they know that there’s an encryption key that unlocks it. To decrypt it, they can begin to try every single possible password and see if that results in a decrypted file.
They do this automatically with a computer program, so the speed at which someone can brute-force encryption increases as available computer hardware becomes faster and faster, capable of doing more calculations per second. The brute-force attack would likely start at one-digit passwords before moving to two-digit passwords and so on, trying all possible combinations until one works.
A “dictionary attack” is similar and tries words in a dictionary — or a list of common passwords — instead of all possible passwords. This can be very effective, as many people use such weak and common passwords.

Why Attackers Can’t Brute-Force Web Services

There’s a difference between online and offline brute-force attacks. For example, if an attacker wants to brute-force their way into your Gmail account, they can begin to try every single possible password — but Google will quickly cut them off. Services that provide access to such accounts will throttle access attempts and ban IP addresses that attempt to log in too many times. Thus, an attack against an online service wouldn’t work too well because very few attempts can be made before the attack would be halted.
For example, after a few failed login attempts, Gmail will show you a CAPTCHA image to verify you aren’t a computer automatically trying passwords. They’ll likely stop your login attempts completely if you managed to continue for long enough.
On the other hand, let’s say an attacker snagged an encrypted file from your computer or managed to compromise an online service and download such encrypted files. The attacker now has the encrypted data on their own hardware and can try as many passwords as they want at their leisure. If they have access to the encrypted data, there’s no way to prevent them from trying a large number of passwords in a short period of time. Even if you’re using strong encryption, it’s to your benefit to keep your data safe and ensure others can’t access it.
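The throttling this section describes for online services can be sketched as a small per-source limiter. This is an added example, not code from the original article or from any named service; the thresholds, class name and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy: failures tolerated per window
WINDOW_SECONDS = 300   # assumed sliding window
LOCKOUT_SECONDS = 900  # assumed block duration once the limit is hit


class LoginThrottle:
    """Tracks failed logins per source and blocks sources that guess too fast."""

    def __init__(self):
        self.failures = defaultdict(deque)  # source -> times of recent failures
        self.blocked_until = {}             # source -> time the block expires

    def allowed(self, source, now):
        """Call before checking the password; False means reject unchecked."""
        return now >= self.blocked_until.get(source, 0)

    def record(self, source, success, now):
        """Call after the password check with its outcome."""
        recent = self.failures[source]
        if success:
            recent.clear()
            return
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[source] = now + LOCKOUT_SECONDS
            recent.clear()


def replay(events):
    """Run (time, source, password_ok) events; return the decision for each."""
    throttle, decisions = LoginThrottle(), []
    for now, source, password_ok in events:
        if not throttle.allowed(source, now):
            decisions.append("blocked")
            continue
        throttle.record(source, password_ok, now)
        decisions.append("ok" if password_ok else "failed")
    return decisions


# Constructed sample: one source guessing once a second, one user with one typo.
SAMPLE = [(t, "203.0.113.7", False) for t in range(8)] + [
    (3, "198.51.100.20", False), (40, "198.51.100.20", True),
    (1000, "203.0.113.7", False),
]
```

Keying on the source address alone misses guesses spread across many addresses, so limiters of this kind usually also count failures per account.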

Hashing

Strong hashing algorithms can slow down brute-force attacks. Essentially, hashing algorithms perform additional mathematical work on a password before storing a value derived from the password on disk. If a slower hashing algorithm is used, it will require thousands of times as much mathematical work to try each password and dramatically slow down brute-force attacks. However, the more work required, the more work a server or other computer has to do each time a user logs in with their password. Software must balance resilience against brute-force attacks with resource usage.
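The trade-off above can be measured directly. The following added example (not from the original article) uses PBKDF2-HMAC-SHA256 from Python's standard library as one slow hashing scheme; the iteration count, the sample password and the 26-letter, six-character keyspace are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def keyspace(alphabet_size, max_len):
    """Candidates an exhaustive search tries: lengths 1..max_len, shortest first."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive the value stored on disk: a per-user salt plus a stretched hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and cost; compare in constant time."""
    _, _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def seconds_per_guess(iterations, trials=3):
    """Measure the wall-clock cost of one guess (or one login) on this machine."""
    salt = b"\x00" * 16  # constructed fixed salt, used for timing only
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, iterations)
    return (time.perf_counter() - start) / trials


def days_to_exhaust(candidates, seconds_each, parallel_workers=1):
    """Worst-case search time if every candidate costs seconds_each."""
    return candidates * seconds_each / parallel_workers / 86_400


if __name__ == "__main__":
    salt, cost, stored = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, cost, stored))
    space = keyspace(26, 6)  # lowercase letters, lengths 1 to 6
    for iters in (1, ITERATIONS):
        days = days_to_exhaust(space, seconds_per_guess(iters))
        print(f"{iters:>7,} iterations: {days:,.2f} days for {space:,} candidates")
```

The same per-guess cost is paid by the server on every legitimate login, which is the resource balance the paragraph describes.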

Brute-Force Speed

Speed all depends on hardware. Intelligence agencies may build specialized hardware just for brute-force attacks, just as Bitcoin miners build their own specialized hardware optimized for Bitcoin mining. When it comes to consumer hardware, the most effective type of hardware for brute-force attacks is a graphics card (GPU). As it’s easy to try many different encryption keys at once, many graphics cards running in parallel are ideal.
At the end of 2012, Ars Technica reported that a 25-GPU cluster could crack every Windows password under 8 characters in less than six hours. The NTLM algorithm Microsoft used just wasn’t resilient enough. However, when NTLM was created, it would have taken much longer to try all these passwords. This wasn’t considered enough of a threat for Microsoft to make the encryption stronger.
Speed is increasing, and in a few decades we may discover that even the strongest cryptographic algorithms and encryption keys we use today can be quickly cracked by quantum computers or whatever other hardware we’re using in the future.

Protecting Your Data From Brute-Force Attacks

There’s no way to protect yourself completely. It’s impossible to say just how fast computer hardware will get and whether any of the encryption algorithms we use today have weaknesses that will be discovered and exploited in the future. However, here are the basics:
  • Keep your encrypted data safe where attackers can’t get access to it. Once they have your data copied to their hardware, they can try brute-force attacks against it at their leisure.
  • If you run any service that accepts logins over the Internet, ensure that it limits login attempts and blocks people who attempt to log in with many different passwords in a short period of time. Server software is generally set to do this out of the box, as it’s a good security practice.
  • Use strong encryption algorithms, such as SHA-512. Ensure you’re not using old encryption algorithms with known weaknesses that are easy to crack.
  • Use long, secure passwords. All the encryption technology in the world isn’t going to help if you’re using “password” or the ever-popular “hunter2”.

Brute-force attacks are something to be concerned about when protecting your data, choosing encryption algorithms, and selecting passwords. They’re also a reason to keep developing stronger cryptographic algorithms — encryption has to keep up with how fast it’s being rendered ineffective by new hardware.

What to Do When Your iPhone or iPad Won’t Turn On

iPhones and iPads are supposed to “Just work,” but no technology is perfect. If you’ve pressed the Power button and the screen won’t turn on or you see an error message, don’t worry. You can probably make it boot again.
The instructions here will make any iPhone or iPad boot up and work properly. If they don’t, your device has a hardware problem preventing it from booting.

Plug It In, Let It Charge — And Wait

An iPhone, iPad, or iPod Touch may fail to turn on if its battery is completely dead. Generally, you’ll see some sort of “low battery” indicator when you try to turn an iOS device on and it doesn’t have enough battery power. But, when the battery is completely dead, it won’t respond and you’ll just see the black screen.
Connect your iPhone or iPad to a wall charger and let it charge for a little while — give it fifteen minutes, perhaps. If the battery is completely dead, you can’t just plug it in and expect it to respond immediately. Give it a few minutes to charge and it should turn itself on. This will fix your device if its battery was just completely drained.
Make sure your charger is working if this doesn’t work. A broken charger or charging cable may prevent it from charging. Try another charger and cable if you have them available.

Hold Power + Home to Perform a Hard Reset

iPhones and iPads can freeze completely, just like other computers. If they do, the Power and Home buttons will do nothing. Perform a “hard reset” to fix this. This was traditionally performed by removing a device’s battery and reinserting it or pulling the power cable on devices without batteries, which is why it’s also known as performing a “power cycle.” However, iPhones and iPads don’t have a removable battery. Instead, there’s a button combination you can use to forcibly restart your phone or tablet.
To do this, press both the Power and Home buttons and hold them down. Keep holding both buttons down until you see the Apple logo appear on the screen. The logo should appear between ten and twenty seconds after you start holding the buttons. After the Apple logo appears, your iPhone or iPad will boot back up normally. (The Power button is also known as the Sleep/Wake button — it’s the button that normally turns your device’s screen on and off.)
If this button combination doesn’t work, your iPhone or iPad may need to be charged for a while first. Charge it for a while before attempting the Power+Home button hard reset.

Bloatware Banished: Windows 10 Eliminates the Need to Ever Reinstall Windows on New PCs

Windows 10’s New Recovery System

This news was revealed in a Microsoft blog post titled “How Windows 10 achieves its compact footprint.” Windows 10 has a new recovery system that works in an entirely different way. Most people focused on the storage improvements and missed the implications for manufacturer-installed junkware.

While Windows 8 used a recovery image that manufacturers could customize, Windows 10 uses a more intelligent system that rebuilds Windows in-place without the need for a separate recovery image. The system is cleaned up and the latest files are kept — this means you also won’t have to install Windows Updates after refreshing or resetting your PC. Here’s how Microsoft explained it:
“We are also redesigning Windows’ Refresh and Reset functionalities to no longer use a separate recovery image (often preinstalled by manufacturers today) in order to bring Windows devices back to a pristine state.”

Manufacturers Can Still Add Pre-installed Software, But…

Rather than restoring Windows to a previous point in time using the refresh image, the refresh and reset functionalities will “bring Windows devices back to a pristine state” by restoring them to a known-good state with only built-in Windows software installed.
PC manufacturers will still be able to customize the computer’s state after the refresh or reset — for example, adding their own hardware drivers and any other software they want, including junkware like Superfish. For the average computer user doing a typical refresh or reset, the experience will likely be similar to today.
However, Windows will restore the system to a known-good state before installing the manufacturer-provided software and configuration changes. These changes will be stored separately in a different package. You’ll be able to delete this manufacturer-provided package of software and changes from a Windows 10 PC and then run a refresh or reset. This will restore your computer to a fresh state with only Microsoft’s own Windows software installed and no manufacturer-provided junkware installed.

This doesn’t actually solve the “crapware” problem for everyone. Less knowledgeable users will likely still end up with PCs filled with bloatware after performing a normal refresh or reset. But geeks will at least be able to get a fresh system much more quickly. And average users will be able to find these instructions, make a quick change, and refresh their PCs to get a fresh system — it’s easier than a full reinstall.
We don’t have all the final details — Windows 10 isn’t even finished yet! But the change to the way the refresh and reset image works is a big step in the right direction from Microsoft. If only Windows asked whether you wanted to install the manufacturer-provided software — and which bits of that software — when you refreshed or reset it.

Study reveals We are being tracked by Our Smartphones – Every 3 Minutes



It is a widely known fact that smartphone apps regularly collect huge amounts of data. The data usually includes users’ location information. But startling new facts on this data collection spree have been revealed by researchers at Carnegie Mellon University in their study.
According to the study findings, our smartphones can collect location data very frequently, that is, every 3 minutes.
The Wall Street Journal reports:

    “Even apps that provided useful location-based services often requested the device’s location far more frequently than would be necessary to provide that service, the researchers said. The Weather Channel, for example, which provides local weather reports, requested device location an average 2,000 times, or every 10 minutes, during the study period. Groupon, which necessarily gathers location data to offer local deals, requested one participant’s coordinates 1,062 times in two weeks.”
A few of the apps are already installed on a majority of smartphones and cannot be deleted easily. Researchers also investigated whether users can in any way benefit from these “nudges” imposed by the software or appreciate the fact that sensitive data is being collected by the installed apps.
They found that after learning about the location data collection aspect, many users changed their mobile’s settings.

How to use Google Search to locate your lost Android Smartphone or Tablet


All you need to do is search for your Android device, a mobile phone or tablet, on Google. The search engine will instantly track the device’s location and upload its map.

Smartphones or any such electronic device can be misplaced or lost anytime and anywhere. We all have faced this issue at one point or another at home, office or in the car.

Usually we search for our lost mobile phone everywhere in order to track it down. However, now we can use a much easier and quicker method for finding our lost Android smartphone or even tablet, that is, Google search.


On Wednesday, a new feature was unveiled by Google that allows searching for your lost Android cell phone or tablet through Google search. However, the search engine requires you to meet certain criteria to perform the search. Here is the entire process to be followed for tracking a lost device:

  • Firstly, make sure that you have logged in to the same Google account from your computer’s browser that you have been using on your lost phone/tablet.
  • Also, make sure that the latest version of the Google app is already installed on your phone.
  • When these criteria are met, type “find my phone” into the Google search bar from your computer.
  • Google will produce a map pinpointing the exact location where your device currently is.
  • After a few seconds, you will be able to see an accurate location on the map along with the exact distance. For instance, the map will tell you that the device can be tracked at a distance of 46 feet.

You might be wondering what happens if you have lost your phone somewhere inside your home. Unfortunately, Google cannot tell you the specific room in which you can find it. However, it will ring the lost device so that you are able to track it down manually.

In order to locate your device simply click on the Ring icon or link on the displayed map. Immediately your lost device will start ringing at full volume. The ring will continue for up to 5 minutes. When you have found your device, turn off the ringer by turning the power button off.

In case your Android tablet is lost, you can use this feature too. The same process will be followed.

There is another feature to locate lost Android devices. It is called Android Device Manager. It will also track and ring your lost device. If you believe that your device isn’t lost but stolen, you can easily lock it remotely and reset the password. You may even delete the data present on your device.