Mobile Password Protection
Posted Sunday, May 06, 2012 10:31 PM


SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item Mobile Password Protection






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1295768
Posted Monday, May 07, 2012 7:21 AM


UDP Broadcaster
Group: General Forum Members
Does the password encrypt the critical data files on the iPhone, or is it just a means to prevent someone from accessing the folders via the operating system?
If the data isn't encrypted, it seems a law enforcement agency with a warrant should be able to have one of their tech guys pop open the phone and stick the flash card (memory chip or whatever) into an external reader without having to turn to a 3rd party company for assistance.



"Winter Is Coming" - April 6, 2014
Post #1295906
Posted Monday, May 07, 2012 8:47 AM
SSC Eights!
Group: General Forum Members
This is simply a specific instance of the generalized case of offsite remote access/offsite data storage, combined with what are often some of the least useful "security" measures ever kludged together.

As always, evaluate what threat resources you must mitigate, what threats you wish to mitigate, and which threats you are not mitigating.

Evaluate what laws and regulations you must follow, and what best practices you wish to follow.

No Insider vs. One Insider vs. Multiple Insider
Single top end machine ($2500, outfitted optimally) vs ten ($25k) vs. a thousand ($2.5m) vs. a first world government
Realtime online attacks vs. offline attacks.
Unskilled vs. moderately skilled vs. expertly skilled
Vandalism vs. data theft vs. data theft plus vandalism

Note that your average teenage cracker is going to fall into Single top end machine, both realtime and offline attacks, moderately to expertly skilled, and whatever they feel like. At least one may well find it amusing to devote several weeks of computer power to it... and they may have friends who feel like joining them. Late teen/early twenties crackers may have access to scores of machines; we call them college computer labs, and at night, it's not difficult to get around 100 machines trying to crack a specific piece of data. 30 or more may have serious graphics cards, as well.

Then stop thinking in terms of what you'd like the threat to do or not do, and what you hope they might do or not do, and instead think in terms of what the threat can do.

As far as mobile devices with a 4 digit password, we will generously assume the following:
No Insider, Less than a single machine, offline attacks, moderately skilled.

A) Take the battery out of your phone - no remote wipe.
B) Take it out of contact range; perhaps a basement or inside a sheet metal shed - no more remote wipe even with a battery in.
C) If the data's on any standard storage, make an offline copy first (which lets them bypass any password lockout and ignore any remote or auto-wipe with multiple bad passwords you might have).
D) If your password isn't an encryption password... they _already_ have all your data.
E) If your password is an encryption password, even trying _by hand_ at a try every 2 seconds, with 12 characters possible for each of 4 places with replacement, it's less than 12 hours.
E1) With a computer trying, the time will likely be near zero. Note that step C means the attempts will be made offline; no delay the phone itself puts in will be active (or, if computational, significant on the more powerful processor).

Yes, remote wipe is valuable; but only if you do so before an attacker gets the phone and removes the battery/wraps it in aluminum foil inside a ziplock bag inside a metal cookie tin.

Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?


Post #1295939
Posted Monday, May 07, 2012 8:51 AM


SSC-Dedicated
Group: Administrators
Nadrek (5/7/2012)

Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?


Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.
Post #1295943
Posted Monday, May 07, 2012 8:53 AM
SSC Eights!
Group: General Forum Members
Steve Jones - SSC Editor (5/7/2012)


Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.


I assume that's at most an hour or so after you've both realized and reported you've lost control?
Post #1295944
Posted Monday, May 07, 2012 9:22 AM


UDP Broadcaster
Group: General Forum Members
If a thief gained access to someone's smart phone, I'm sure they would be more than just a little curious about what kind of junk would be stored on it. Maybe screw around with it for a few days before flipping it at a pawn shop or 3rd party crook. They could send an email to everyone on the victim's contact book with a crazy story about being detained in a Mexican jail on bogus drug charges and ask them to pleeez wire some money ASAP. Imagine the possibilities...
Post #1295961
Posted Monday, May 07, 2012 9:29 AM


Ten Centuries
Group: General Forum Members
From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )
Post #1295965
Posted Monday, May 07, 2012 9:49 AM


UDP Broadcaster
Group: General Forum Members
LadyRuna (5/7/2012)
From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )

Similar in concept to a lock on a filing cabinet; it's enough to block casual snoopers from screwing around with your phone, if you leave it lying around somewhere at work or at the pool. When my daughter was six years old, she got hold of my wife's iPhone and downloaded several Justin Bieber music tracks for $1.99 a pop. I think she started out wanting to play some video game, but then started clicking on advertisement links.
Post #1295974
Posted Monday, May 07, 2012 11:51 AM
SSC Eights!
Group: General Forum Members
LadyRuna (5/7/2012)
From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )


All serious key entry password systems use randomized keypads; the old way used red 7 segment LCD displays under each button, and the new way uses the regular device touchscreen, like the Datalocker portable USB drive does. Thus, even seeing the very latest fingerprint pattern shouldn't* help determine either what numbers were in which place at the time it was done, nor help figure out where they'll be next time.

*Unless someone uses a poor random number generator or seed.
Post #1296020
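The randomized-keypad idea in the post above, as an added illustration that is not part of anyone's reply here: a ten-digit pad is reshuffled per unlock from the OS CSPRNG, and a poorly seeded PRNG (the footnote's caveat) is shown beside it. The pad size, the sample layouts and the PIN used are assumptions for the demonstration.

```python
import random
import secrets

# The ten digits of a numeric lock-screen keypad (assumed pad size)
KEYS = "0123456789"


def secure_keypad_layout() -> str:
    """Fresh random permutation of the keys, drawn from the OS CSPRNG.

    A new layout per unlock attempt is what makes screen smudges uninformative:
    the same physical positions map to different digits every time.
    """
    digits = list(KEYS)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def poorly_seeded_layout(seed: int) -> str:
    """The footnote's failure mode: a deterministic PRNG seeded from a
    low-entropy value (a counter, the minute of the day, ...). Anyone who
    can guess the seed reproduces the layout exactly, so it is as good as fixed."""
    digits = list(KEYS)
    random.Random(seed).shuffle(digits)
    return "".join(digits)


def is_permutation(layout: str) -> bool:
    """Sanity check on a generated layout: every key present exactly once."""
    return sorted(layout) == sorted(KEYS)


def positions_pressed(layout: str, pin: str) -> list[int]:
    """Physical key positions (0-9 on the pad) a PIN touches under a layout.
    This is the only information a smudge pattern leaks."""
    return [layout.index(ch) for ch in pin]


def digits_at(layout: str, positions: list[int]) -> str:
    """Digits that the same physical positions mean under another layout."""
    return "".join(layout[p] for p in positions)


def smudges_reveal_pin(layout_then: str, layout_now: str, pin: str) -> bool:
    """Would replaying last unlock's smudge positions enter the PIN on the
    current layout? Always true for a fixed pad; rarely for a reshuffled one."""
    return digits_at(layout_now, positions_pressed(layout_then, pin)) == pin
```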
Posted Monday, May 07, 2012 12:31 PM


SSC-Dedicated
Group: Administrators
Nadrek (5/7/2012)
Steve Jones - SSC Editor (5/7/2012)


Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.


I assume that's at most an hour or so after you've both realized and reported you've lost control?


Yes, though in practice, I think most people that use their phones heavily know they've lost them quickly. Your scenario definitely means that a targeted attack will likely succeed, but in most cases, losses occur from random thievery or chance.

I've had more than a few friends realize their phone is gone inside minutes, and they spend tens of minutes (usually 30-40) looking for it before calling it in. Remote wipes occur relatively quickly, but it's a help desk ticket. It processes, and if it ever connects to the network, it's wiped.

Not perfect, but then most crimes aren't perfect either, and with a little protection, the casual problems are mostly handled.
Post #1296032