Mobile Password Protection

Steve Jones (SSC Guru, Administrators)
Comments posted to this topic are about the item Mobile Password Protection

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Eric M Russell (SSCrazy Eights, General Forum Members)
Does the password encrypt the critical data files on the iPhone, or is it just a means to prevent someone from accessing the folders via the operating system?
If the data isn't encrypted, it seems a law enforcement agency with a warrant should be able to have one of their tech guys pop open the phone and stick the flash card (memory chip or whatever) into an external reader without having to turn to a 3rd party company for assistance.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
Nadrek (SSCommitted, General Forum Members)
This is simply a specific instance of the generalized case of offsite remote access/offsite data storage, combined with what are often some of the least useful "security" measures ever kludged together.

As always, evaluate what threat resources you must mitigate, what threats you wish to mitigate, and which threats you are not mitigating.

Evaluate what laws and regulations you must follow, and what best practices you wish to follow.

No Insider vs. One Insider vs. Multiple Insider
Single top end machine ($2500, outfitted optimally) vs ten ($25k) vs. a thousand ($2.5m) vs. a first world government
Realtime online attacks vs. offline attacks.
Unskilled vs. moderately skilled vs. expertly skilled
Vandalism vs. data theft vs. data theft plus vandalism

Note that your average teenage cracker is going to fall into Single top end machine, both realtime and offline attacks, moderately to expertly skilled, and whatever they feel like. At least one may well find it amusing to devote several weeks of computer power to it... and they may have friends who feel like joining them. Late teen/early twenties crackers may have access to scores of machines; we call them college computer labs, and at night, it's not difficult to get around 100 machines trying to crack a specific piece of data. 30 or more may have serious graphics cards, as well.

Then stop thinking in terms of what you'd like the threat to do or not do, and what you hope they might do or not do, and instead think in terms of what the threat can do.

As far as mobile devices with a 4 digit password, we will generously assume the following:
No Insider, Less than a single machine, offline attacks, moderately skilled.

A) Take the battery out of your phone - no remote wipe.
B) Take it out of contact range; perhaps a basement or inside a sheet metal shed - no more remote wipe even with a battery in.
C) If the data's on any standard storage, make an offline copy first (which lets them bypass any password lockout and ignore any remote or auto-wipe with multiple bad passwords you might have).
D) If your password isn't an encryption password... they _already_ have all your data.
E) If your password is an encryption password, even trying _by hand_ at a try every 2 seconds, with 12 characters possible for each of 4 places with replacement, it's less than 12 hours.
E1) With a computer trying, the time will likely be near zero. Note that step C means the attempts will be made offline; no delay the phone itself puts in will be active (or, if computational, significant on the more powerful processor).

Yes, remote wipe is valuable; but only if you do so before an attacker gets the phone and removes the battery/wraps it in aluminum foil inside a ziplock bag inside a metal cookie tin.

Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?
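As an added illustration of the arithmetic in E) and E1) above (this is not part of the original post): a small calculator for the worst-case time to exhaust a passcode keyspace under the thread's threat model, showing that a device-side lockout only helps against guessing on the live device and is bypassed once an offline copy exists (step C). The lockout parameters and the 10^6 guesses/s offline rate are assumptions.

```python
import math

# Parameters quoted in the post above (constructed to match it): 12 symbols
# per place, 4 places, one guess every 2 seconds when entered by hand.
HAND_GUESSES_PER_SECOND = 0.5


def keyspace(symbols: int, places: int) -> int:
    """Distinct passcodes when every place may reuse any symbol (with replacement)."""
    return symbols ** places


def offline_seconds(symbols: int, places: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace against an offline copy of the data (step C):
    no device-enforced delay applies, only the attacker's own guess rate."""
    return keyspace(symbols, places) / guesses_per_second


def online_seconds(symbols: int, places: int, guesses_per_second: float,
                   attempts_per_lockout: int, lockout_seconds: float) -> float:
    """Time to exhaust the keyspace against the live device, where a lockout
    delay is imposed after every `attempts_per_lockout` wrong guesses.
    This is the only case in which the lockout buys the defender anything."""
    n = keyspace(symbols, places)
    delays = math.ceil(n / attempts_per_lockout) - 1  # delays between batches
    return n / guesses_per_second + delays * lockout_seconds


def hours(seconds: float) -> float:
    return seconds / 3600.0


def policy_report(symbols: int, places: int, attempts_per_lockout: int = 5,
                  lockout_seconds: float = 60.0,
                  offline_rate: float = 1_000_000.0) -> dict:
    """Summarise exposure of one passcode policy under the thread's threat model:
    hand entry on the device (with lockout), hand entry against an offline copy,
    and a computer guessing against an offline copy (assumed 10^6 guesses/s)."""
    return {
        "keyspace": keyspace(symbols, places),
        "hand_online_hours": hours(online_seconds(symbols, places, HAND_GUESSES_PER_SECOND,
                                                  attempts_per_lockout, lockout_seconds)),
        "hand_offline_hours": hours(offline_seconds(symbols, places, HAND_GUESSES_PER_SECOND)),
        "computer_offline_seconds": offline_seconds(symbols, places, offline_rate),
    }


if __name__ == "__main__":
    for symbols, places in ((12, 4), (10, 6), (62, 8)):
        print(symbols, places, policy_report(symbols, places))
```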
Steve Jones (SSC Guru, Administrators)
Nadrek (5/7/2012)

Seriously: how many people are going to ask for, much less get, a wipe absolutely as soon as they realize the phone's missing? Instead of turning around to try and find where they left it, or looking around for it for a couple hours, or being embarrassed about it and not reporting it quickly, etc.?


Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.

Nadrek (SSCommitted, General Forum Members)
Steve Jones - SSC Editor (5/7/2012)


Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.


I assume that's at most an hour or so after you've both realized and reported you've lost control?
Eric M Russell (SSCrazy Eights, General Forum Members)
If a thief gained access to someone's smart phone, I'm sure they would be more than just a little curious about what kind of junk would be stored on it. Maybe screw around with it for a few days before flipping it at a pawn shop or 3rd party crook. They could send an email to everyone on the victim's contact book with a crazy story about being detained in a Mexican jail on bogus drug charges and ask them to pleeez wire some money ASAP. Imagine the possibilities...
LadyRuna (Ten Centuries, General Forum Members)
From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )
Eric M Russell (SSCrazy Eights, General Forum Members)
LadyRuna (5/7/2012)
From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )

Similar in concept to a lock on a filing cabinet; it's enough to block casual snoopers from screwing around with your phone, if you leave it lying around somewhere at work or at the pool. When my daughter was six years old, she got hold of my wife's iPhone and downloaded several Justin Bieber music tracks for $1.99 a pop. I think she started out wanting to play some video game, but then started clicking on advertisement links.
Nadrek (SSCommitted, General Forum Members)
LadyRuna (5/7/2012)
From examining several phones belonging to various people, I have determined that the "fingerswipe password" is essentially useless as security. It can perhaps prevent someone from accidentally opening your phone by just picking it up, but anyone who really wants to use it can find your password pattern quickly because the smears on the screen will reveal the pattern (look carefully at your phone if you use the fingerswipe password - you will "see" your pattern on the screen ... especially if you're the type of person who has never bothered to clean the phone screen.. (ewwwwwwwwwwwww) )


All serious key entry password systems use randomized keypads; the old way used red 7 segment LCD displays under each button, and the new way uses the regular device touchscreen, like the Datalocker portable USB drive does. Thus, even seeing the very latest fingerprint pattern shouldn't* help determine either what numbers were in which place at the time it was done, or help figure out where they'll be next time.

*Unless someone uses a poor random number generator or seed.
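To make the randomized-keypad point concrete, here is an added example (not from the post above or from any vendor's product) that shuffles the digit layout with the OS CSPRNG and shows why recovered touch positions stop mapping to a PIN once the layout changes between unlocks; the layouts and position indices are constructed values, and the keypad is modelled as ten positions numbered 0..9.

```python
import secrets

DIGITS = "0123456789"


def random_layout() -> list:
    """Return a fresh permutation of the ten digits, one per key position,
    drawn from the OS CSPRNG (secrets.SystemRandom), not a seedable PRNG,
    which is the footnote's caveat. Call it on every unlock prompt."""
    rng = secrets.SystemRandom()
    keys = list(DIGITS)
    rng.shuffle(keys)
    return keys


def is_valid_layout(layout) -> bool:
    """Every digit must appear exactly once; anything else is a broken keypad."""
    return sorted(layout) == list(DIGITS)


def pin_from_positions(layout, positions) -> str:
    """The PIN an observer would reconstruct from the touched key positions
    (0..9, e.g. inferred from screen smudges) if they also knew this layout."""
    return "".join(layout[p] for p in positions)


def positions_leak_pin(layout_then, layout_now, positions) -> bool:
    """Do positions touched under the previous layout spell the same PIN under
    the current one? With a fixed layout this is always True; with per-unlock
    shuffling it holds only when both layouts agree on those positions."""
    return pin_from_positions(layout_then, positions) == pin_from_positions(layout_now, positions)


FIXED_LAYOUT = list(DIGITS)  # a conventional, never-shuffled keypad (constructed)


if __name__ == "__main__":
    touched = [1, 2, 3, 4]  # constructed: positions recovered from smudges
    print("fixed keypad leaks:", positions_leak_pin(FIXED_LAYOUT, FIXED_LAYOUT, touched))
    print("shuffled keypad leaks:", positions_leak_pin(FIXED_LAYOUT, random_layout(), touched))
```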
Steve Jones (SSC Guru, Administrators)
Nadrek (5/7/2012)
Steve Jones - SSC Editor (5/7/2012)


Few, though some companies will do it in a relatively short time. An hour or so if you've lost control.


I assume that's at most an hour or so after you've both realized and reported you've lost control?


Yes, though in practice, I think most people that use their phones heavily know they've lost them quickly. Your scenario definitely means that a targeted attack will likely succeed, but in most cases, losses occur from random thievery or chance.

I've had more than a few friends realize their phone is gone inside minutes, and they spend tens of minutes (usually 30-40) looking for it before calling it in. Remote wipes occur relatively quickly, but it's a help desk ticket. It processes, and if it ever connects to the network, it's wiped.

Not perfect, but then most crimes aren't perfect either, and with a little protection, the casual problems are mostly handled.