Russian Elcomsoft Finds Backdoor in Quicken Passwords

Outsmart Malicious Hackers


Elcomsoft is quite a well known firm when it comes to password ‘recovery’, I have used their products in the past when I was in a fix and I needed a password that had been, you know…lost.

They rose to fame in 2001 after cracking Adobe’s eBook format.

Recently they announced a fairly serious backdoor in Quicken product for accounting.

A Russian firm that provides password-recovery services says it has found a backdoor in the encryption mechanism that Quicken uses to secure password-protected files, a feature that makes millions of users of the personal finance program more vulnerable to government spooks or other highly determined snoops.

Elcomsoft, which made waves in 2001 after it circulated software that circumvented digital rights management protections in Adobe’s eBooks, said the latest version of its Advanced Intuit Password Recovery product allows users to remove password protection from Quicken files.

It’s a pretty serious case seen as though a lot of small and medium enterprises hold all of their accounting and payroll data in Quicken databases. It could lead to some serious theft, if Elcomsoft can work out the backdoor I’m sure the bad guys can too.

According to a statement issued by Elcomsoft, Intuit since 2003 has secured password-protected Quicken files using “strong encryption” that for practical purposes makes brute-force attacks impossible. But Elcomsoft said the strong encryption is accompanied by a backdoor that lets Intuit unlock encrypted files using a 512-bit RSA key that until recently was known only to Intuit. The key enabled Intuit to deliver retrieval service for customers who could no longer remember their password.

“It is very unlikely that a casual hacker could have broken into Quicken’s password protection regimen,” Vladimir Katalov, Elcomsoft’s CEO, said in a statement. “Elcomsoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit’s undocumented and well-hidden back door, and to successfully perform a factorization of their 512-bit RSA key.”

The skeptics would indeed say the escrow or backdoor is there to allow Quicken to make more money from password recovery, the conspiracy theorists would say it’s there for FBI/CIA/Homeland access to people’s account.

I’m undecided personally.

Source: The Reg

Posted in: Hacking News, Password Cracking

,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


10 Responses to Russian Elcomsoft Finds Backdoor in Quicken Passwords

  1. Cyanide August 14, 2007 at 12:41 pm #

    Meh..to tell you the truth I would lean more towards Quicken just wanting to make more money with the recovery of their customers files.

  2. Zanith August 14, 2007 at 2:45 pm #

    I agree, they probably count on the fact that a certain percentage of their customers will loose their passwords at some point.

  3. TheRealDonQuixote August 14, 2007 at 3:49 pm #

    Its a good thing I don’t have any money to keep track of!! ;)

    Coding in a “backdoor” as a precaution for retard customers is always a bad idea. The whole notion of it is passe, you might as well be watching the movie “Hackers”. Anyway, I prefer to use OpenOffice Spreadsheet and my brain to manage what little cash I got. If I ever really need a program specifically to keep track of my funds then I’ll hire an accountant or an accounting firm.

    Remember kids, trusting other people’s code with your money/accounts/investments is like trusting a politician to tell the truth.

  4. Steve August 14, 2007 at 5:07 pm #

    Well based on the fact that ppl will legitamately loose their passwords, this is helpful. But what about those that will loose this maliciously.

    I guess it maybe too much work to put some type of 2 factor authentication into some applications, in the event that your password is cracked, you make need a file that’s physically on the machine to open the file, and it should be a file that you chose as “key file”.

  5. CK76 August 14, 2007 at 5:10 pm #

    Yeah, this sucks. While it may not matter to people in lower tax brackets (me), it sucks for all those small and medium sized businesses whose accounting departments rely on this software to manage payroll, accounts receivable, etc.

  6. Alfred Farrington August 15, 2007 at 2:11 pm #

    Hmmm, I would like to think that accountants and people running payroll could actually think instead of letting a program think for them. This is what happens when you let a company decide how to “think” for you. You are at their mercy. I am waiting to hear government hacks company to find out true earnings for the company. Put I’m just paranoid :P

    I agree with the other people in the commentary this is a way to make money. You forget your password you have to call support. Guess what? Support = Dollars. To Quicken dollars makes sense. :)

  7. Alfred Farrington August 15, 2007 at 2:14 pm #

    I agree with the other people in the commentary this is a way to make money. You forget your password you have to call support. Guess what? Support = Dollars. To Quicken dollars makes sense. :)

  8. Sandeep Nain August 16, 2007 at 12:55 am #

    Yes

  9. Alfred Farrington August 17, 2007 at 2:25 pm #

    Ah Sandeep is a thinker a company or the government has any use for you ;P

  10. Sandeep Nain August 31, 2007 at 2:36 am #

    Thanks Alfred

    I’ll take that as compliment… I can probably help out government in implementing new technologies in a better way…