• This is simply a specific instance of the generalized case of offsite remote access/offsite data storage, combined with what are often some of the least useful "security" measures ever kludged together.

    As always, evaluate what threat resources you must mitigate, what threats you wish to mitigate, and which threats you are not mitigating.

    Evaluate what laws and regulations you must follow, and what best practices you wish to follow.

    No Insider vs. One Insider vs. Multiple Insiders

    Single top end machine ($2500, outfitted optimally) vs. ten ($25k) vs. a thousand ($2.5m) vs. a first world government

    Realtime online attacks vs. offline attacks.

    Unskilled vs. moderately skilled vs. expertly skilled

    Vandalism vs. data theft vs. data theft plus vandalism

    Note that your average teenage cracker is going to fall into Single top end machine, both realtime and offline attacks, moderately to expertly skilled, and whatever they feel like. At least one may well find it amusing to devote several weeks of computer power to it... and they may have friends who feel like joining them. Late teen/early twenties crackers may have access to scores of machines; we call them college computer labs, and at night, it's not difficult to get around 100 machines trying to crack a specific piece of data. 30 or more may have serious graphics cards, as well.

    Then stop thinking in terms of what you'd like the threat to do or not do, and what you hope they might do or not do, and instead think in terms of what the threat can do.

    As far as mobile devices with a 4 digit password, we will generously assume the following:

    No Insider, Less than a single machine, offline attacks, moderately skilled.

    A) Take the battery out of your phone - no remote wipe.

    B) Take it out of contact range; perhaps a basement or inside a sheet metal shed - no more remote wipe even with a battery in.

    C) If the data's on any standard storage, make an offline copy first (which lets them bypass any password lockout and ignore any remote or auto-wipe with multiple bad passwords you might have).

    D) If your password isn't an encryption password... they _already_ have all your data.

    E) If your password is an encryption password, even trying _by hand_ at a try every 2 seconds, with 12 characters possible for each of 4 places with replacement, it's less than 12 hours.

    E1) With a computer trying, the time will likely be near zero. Note that step C means the attempts will be made offline; no delay the phone itself puts in will be active (or, if computational, significant on the more powerful processor).

    Yes, remote wipe is valuable; but only if you do so before an attacker gets the phone and removes the battery/wraps it in aluminum foil inside a ziplock bag inside a metal cookie tin.

    Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?
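The arithmetic behind steps C through E1 above, as an added worked example that is not part of the original post: it computes the 12-symbol, 4-place keyspace, the by-hand time at one try per 2 seconds, and then the same search offline on a single machine with and without a per-guess key-derivation cost, and contrasts that with the attacker's odds when a lockout/wipe limit still applies. The machine guess rate, the KDF cost, and the 10-attempt wipe limit are assumptions chosen for illustration.

```python
"""Exhaustive-search cost model for the short-PIN argument above.

Constructed example: attacker rates, the lockout limit and the KDF cost are
assumptions chosen for illustration, not measurements of any real device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attacker:
    name: str
    guesses_per_second: float  # sustained raw guess rate on the attacker's own hardware


def keyspace(symbols: int, length: int) -> int:
    """PIN count when each of `length` positions draws from `symbols` values (with replacement)."""
    return symbols ** length


def exhaust_hours(symbols: int, length: int, attacker: Attacker,
                  kdf_seconds: float = 0.0) -> float:
    """Hours to try every PIN against an offline copy (step C: device lockouts do not apply).

    kdf_seconds models a computational delay (key derivation) that still costs the
    attacker per guess, unlike a sleep or lockout enforced only by the phone's software.
    """
    per_guess = 1.0 / attacker.guesses_per_second + kdf_seconds
    return keyspace(symbols, length) * per_guess / 3600.0


def online_success_probability(symbols: int, length: int, attempts_before_wipe: int) -> float:
    """Chance of guessing the PIN when the attacker must go through the device's own lockout."""
    return min(1.0, attempts_before_wipe / keyspace(symbols, length))


def scenarios() -> dict:
    """Compare the threat levels named in the post for a 4-place, 12-symbol PIN."""
    by_hand = Attacker("by hand, one try per 2 s", 0.5)
    machine = Attacker("single machine (assumed 1e6 guesses/s)", 1e6)  # assumption
    return {
        "keyspace": keyspace(12, 4),
        "by_hand_hours": exhaust_hours(12, 4, by_hand),
        "machine_hours": exhaust_hours(12, 4, machine),
        "machine_hours_with_kdf": exhaust_hours(12, 4, machine, kdf_seconds=0.1),  # assumed 0.1 s/guess
        "online_10_tries": online_success_probability(12, 4, 10),  # assumed 10-attempt wipe limit
    }


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key:>24}: {value:.6g}")
```

The by-hand figure comes out at 11.52 hours, matching the post's "less than 12 hours"; the offline machine figure is a fraction of a second, and even a 0.1 s per-guess KDF only stretches it to about 35 minutes.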