Thursday, September 4, 2014

Analysis Of Kate Upton Photos Shows Hackers May Have A Backup Of Her Entire iPhone



ricky l • a second ago
Mobile app security in the public cloud seems to be quite lacking, as opposed to laptop, notebook or PC access.

I wonder whether mobile apps for smartphones employ security similar to client devices like notebooks, laptops or PCs, such as:

(1) BYOD (Bring Your Own Device) security posture assessment - to check the client security posture, like client firewall, OS version and anti-virus software.

(2) AAA authentication services like RADIUS or TACACS with a Directory Service - using authentication protocols like IEEE 802.1X port security with EAP (Extensible Authentication Protocol) - PEAP, TLS etc.

(3) Public Key Infrastructure (PKI) with a Certificate Authority issuing Digital Certificates for the exchange of the public key and private key through a key file and cert file - to encrypt the password.

(4) Password change (not static) - with age-out.

(5) Limit the account retries before lockout.

(6) 2-Factor Authentication through OTP (One-Time Password) using a different network like Telco SMS, a soft-token or a hard-token.

(7) Backend infrastructure security like SAN storage employing FDE (Full Disk Encryption), and Backup & Data Recovery encryption.

(8) Using VDI (Virtual Desktop Infrastructure) to download a VM (Virtual Machine) clone to access the Cloud resources.

ricky l • a second ago
Also, to address the statement:
"If a hacker can obtain a user's iCloud username and password with iBrute, he or she can log in to the victim's iCloud.com account to steal photos."

Typically, to access the cloud services a user ID and password need to be provided.
User credentials such as the user ID and password hashes are controlled and stored in a Directory Service database with AAA (Authorisation, Authentication, Accounting) services - usually a RADIUS service; turning on the RADIUS service will make use of an authentication protocol such as EAP with MS-CHAP for the authentication challenges.

The AAA service will authenticate the user supplying the correct username and password against the Directory Service and the Directory database (using, say, Kerberos authentication), and only when the right credentials match (with a password hash or a password encrypted using DES) will it allow the user to access the cloud resources that this user is authorised to access.

However, if the Directory Service (DS) restricts the number of login attempts to, say, 3 or 5 tries, the hackers will not be able to do a brute-force or dictionary attack on the user ID and password, because if they exceed the number of retries on the password the user account will be locked, the DS administrator and the real user will notice the account lock-out, and the DS administrator will be able to check the access log and notice the attempted hacking.

To do a brute-force or dictionary attack successfully, the hackers must have stolen (or copied out) a replica of the Directory Service schema and database, with all the user password hashes, from the storage system to a hacker server without the cloud administrator's knowledge.

The brute-force or dictionary attack can then be run offline from the cloud service, on the hacker's server, to break the password hashes or the passwords encrypted with DES.

I think a safer method will be to use:
(1) PKI using a Digital Certificate with a Certificate Authority (CA). The Digital Cert will be used to store the key file and the cert file to be signed by the CA, to establish the correct identity of the user with the DS server. A public key and private key will be required to encrypt and decrypt the password.

(2) Passwords with age-out, rather than static passwords.

(3) 2-factor authentication (2FA) - i.e. in addition to supplying the user ID and password, another passcode (OTP - One-Time Password) supplied by the cloud service provider through another network, such as through a mobile phone, soft-token or hard-token, will need to be keyed in before the user is allowed to access their data in the cloud service.

2FA is the safest method, because even if the hackers manage to do a brute-force or dictionary attack on the password, they still will not be able to access the user's cloud resources, because the hackers will not have possession of the 2FA code that comes in through another network.
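The argument in the comment above (online guessing stopped by a lockout counter, offline cracking of a copied hash store, and a second factor blocking a cracked password), as an added worked example. This is example code written for this page; it is not from the comment thread and not Apple's or any directory product's code. The `AuthService` class, the account `alice`, the wordlist, the audit-log format and the PBKDF2 round count are all invented for the demonstration; the OTP is a straightforward RFC 4226 HOTP.

```python
"""Added example (not from the thread, not Apple's code): an in-memory login
service modelling the argument above. A lockout counter stops online guessing,
a copied hash store can still be cracked offline, and an enrolled HOTP second
factor (RFC 4226) blocks the cracked password. Names and data are invented."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed attacker wordlist; the victim's password is the sixth entry.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou",
            "sunshine", "monkey", "dragon"]
PBKDF2_ROUNDS = 1000  # deliberately low so the demo is instant

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 counter-based one-time password (the out-of-band code)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    otp_secret: Optional[bytes] = None  # None: no second factor enrolled
    otp_counter: int = 0
    failures: int = 0
    locked: bool = False

class AuthService:
    """Directory-style user store; max_attempts=None is the weak configuration."""
    def __init__(self, max_attempts: Optional[int]):
        self.max_attempts = max_attempts
        self.accounts = {}
        self.audit = []   # what the DS administrator would see in the access log

    def add_user(self, user, password, otp_secret=None):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), otp_secret)

    def login(self, user, password, otp=None) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            self.audit.append(f"DENY user={user} reason=unknown_or_locked")
            return False
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures += 1
            if self.max_attempts is not None and acct.failures >= self.max_attempts:
                acct.locked = True
                self.audit.append(f"LOCK user={user} after={acct.failures}")
            else:
                self.audit.append(f"FAIL user={user} failures={acct.failures}")
            return False
        if acct.otp_secret is not None:
            if otp != hotp(acct.otp_secret, acct.otp_counter):
                self.audit.append(f"DENY user={user} reason=bad_otp")
                return False
            acct.otp_counter += 1  # each code is accepted once
        acct.failures = 0
        self.audit.append(f"OK user={user}")
        return True

def online_dictionary_attack(service, user, wordlist):
    """Guess against the live login; returns (password_found, attempts_made)."""
    for i, guess in enumerate(wordlist, 1):
        if service.accounts[user].locked:
            return None, i - 1
        if service.login(user, guess):
            return guess, i
    return None, len(wordlist)

def offline_dictionary_attack(stolen: Account, wordlist):
    """Same guesses against a copied record: no lockout, nothing in the log."""
    for guess in wordlist:
        if hash_password(guess, stolen.salt) == stolen.pw_hash:
            return guess
    return None

def demo() -> dict:
    weak, hardened, twofa = AuthService(None), AuthService(5), AuthService(5)
    weak.add_user("alice", "sunshine")
    hardened.add_user("alice", "sunshine")
    twofa.add_user("alice", "sunshine", otp_secret=os.urandom(20))
    # The attacker copied the hardened service's records (e.g. its VM image).
    cracked = offline_dictionary_attack(hardened.accounts["alice"], WORDLIST)
    acct = twofa.accounts["alice"]
    return {
        "online_no_lockout": online_dictionary_attack(weak, "alice", WORDLIST),
        "online_lockout": online_dictionary_attack(hardened, "alice", WORDLIST),
        "lock_logged": any(e.startswith("LOCK user=alice") for e in hardened.audit),
        "offline_cracked": cracked,
        "cracked_pw_without_otp": twofa.login("alice", cracked),
        "cracked_pw_with_otp": twofa.login(
            "alice", cracked, otp=hotp(acct.otp_secret, acct.otp_counter)),
    }
```

Running `demo()` shows the three outcomes side by side: with no lockout the sixth guess logs in; with a threshold of 5 the account locks after five failures, the attack stops with nothing found and a `LOCK` line sits in the audit list; the same wordlist run against the copied record recovers the password with no trace in that log; and the recovered password is refused by the OTP-enrolled account until the current HOTP code is supplied.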
ricky l • a second ago
Then where does the DS database reside?
In a cloud service, it will likely be stored in a SAN storage system, because a cloud service will have to use server virtualisation and network virtualisation to harness the full potential of shared server and network resources, by virtualising all the computing resources.

Then let us examine the structure of the SAN storage.

SAN storage will comprise the following components:

(1) SAN switches - which will have FC (Fibre Channel) interfaces - with servers connecting through an FC HBA (host bus adapter) NIC to the SAN switches and on to the SAN storage system.

Note: iSCSI or NAS will instead use Ethernet switches running TCP/IP.

If using FCoE (Fibre Channel over Ethernet), then Cisco Nexus LAN switches with FCoE ports connected to Fabric Interconnects and Fabric Extenders, with UCS blade servers using FCoE interface cards and FCoE drivers, can connect to NetApp SAN storage.

(2) SAN Storage System - comprising a SAN Storage Manager that manages the Storage Subsystem, made up of various Enclosures controlled by 1 controller or 2 (for redundancy).

Disk arrays comprising FC (Fibre Channel) disks, FDE (full disk encryption) disks, SAS disks, SATA disks or SSDs can be provisioned for each Enclosure.

Grouping of the disk arrays can be done by configuring RAID - such as RAID 0 (striping), RAID 1 (mirroring), RAID 5 (1 parity disk), RAID 6 (2 parity disks) or RAID 10 (striping and mirroring) - to cater for different types of application.
For a database and the Directory Service schema and database, RAID 5 or RAID 6 will be the appropriate RAID configuration.

The Directory Service will be using, say, AD on a Windows Server OS residing in a VM (Virtual Machine) hosted in the Cloud for authentication. Kerberos authentication will be used for the authentication challenge in user ID and password authentication.

A RADIUS service for AAA, working with the AD Directory Service, may be enabled for user authentication.

The VM, which is stored as a vmdk file, will be stored in one of the disk arrays configured with, say, RAID 5 or RAID 6 using SAS disks.

The host (AD on Windows Server, using the Microsoft OS) will be logically mapped to a logical drive of, say, LUN (Logical Unit Number) 1 with a specified disk capacity of, say, 100 GB, stored in the disk array of RAID 5 or 6 using SAS disks.

If hackers are able to hack the user ID and password of the storage manager, they can copy out the entire VM or a replica of the DS from the storage subsystem and then attack the passwords on the hacker's server.
ricky l • a second ago
Oops, forgot that this is the Apple iPhone - it doesn't use AD with Kerberos authentication.

It should be using LDAP with X.500 certs with RADIUS authentication.

Hubert • 18 minutes ago
The iPhone is designed to be hacked by anyone who reads on the internet. And now they tell everyone how and with what programs.

  • ricky l • a second ago
    Now this article has told us quite a lot about iCloud security.

    A lot of best security practices and security designs are not built into the iCloud infrastructure, and thus allow iBrute and EPPB, or Elcomsoft Phone Password Breaker, to compromise the user account security to access the user files stored in the Cloud storage and backup system.
    ricky l • a second ago
    If iBrute can do a frontal brute-force attack to steal the user ID and password from the Cloud directory service without being detected by the cloud administrator or the intrusion detection or prevention system of the Cloud IaaS, then really the Public Cloud's underlying security design comes into question.
    ricky l • a second ago
    The host IDS should have detected the iBrute attack.
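What "the IDS should have detected it" looks like in practice, as an added example that is not part of the comment thread and not the logic of any real IDS product: a sliding-window detector over failed authentications, run on constructed log lines. It raises one alert when a single source keeps failing against one account (the brute-force pattern the comments describe) and a second when one source fails against many different accounts in a short window (password spraying, the variant that stays under a per-account lockout). The log line format, the addresses, the user names and the thresholds are all invented for the demonstration.

```python
"""Added example (not from the thread): a minimal brute-force / password-spray
detector of the kind a host or network IDS rule implements, run over constructed
authentication log lines. The log format, addresses and thresholds are invented."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed log: one source hammering a single account, a legitimate user with
# two typos, and one source trying a single guess against many accounts.
SAMPLE_LOG = """\
2014-09-01T10:00:00 auth FAIL user=kate src=203.0.113.7
2014-09-01T10:00:02 auth FAIL user=kate src=203.0.113.7
2014-09-01T10:00:04 auth FAIL user=kate src=203.0.113.7
2014-09-01T10:00:06 auth FAIL user=kate src=203.0.113.7
2014-09-01T10:00:08 auth FAIL user=kate src=203.0.113.7
2014-09-01T10:00:10 auth FAIL user=kate src=203.0.113.7
2014-09-01T10:00:12 auth OK user=kate src=203.0.113.7
2014-09-01T10:05:00 auth FAIL user=bob src=192.0.2.44
2014-09-01T10:09:30 auth FAIL user=bob src=192.0.2.44
2014-09-01T10:09:45 auth OK user=bob src=192.0.2.44
2014-09-01T11:00:00 auth FAIL user=alice src=198.51.100.9
2014-09-01T11:00:03 auth FAIL user=bob src=198.51.100.9
2014-09-01T11:00:06 auth FAIL user=carol src=198.51.100.9
2014-09-01T11:00:09 auth FAIL user=dave src=198.51.100.9
2014-09-01T11:00:12 auth FAIL user=erin src=198.51.100.9
2014-09-01T11:00:15 auth FAIL user=frank src=198.51.100.9
"""

def parse_line(line: str):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

class BruteForceDetector:
    """Sliding-window counters over failed logins with two rules:
    - brute_force: >= account_threshold failures for one (user, src) in the window
    - password_spray: failures from one src against >= spray_threshold users"""

    def __init__(self, window_s=60, account_threshold=5, spray_threshold=5):
        self.window_s = window_s
        self.account_threshold = account_threshold
        self.spray_threshold = spray_threshold
        self.by_account = defaultdict(deque)  # (user, src) -> failure timestamps
        self.by_src = defaultdict(deque)      # src -> (timestamp, user) failures
        self.alerted = set()                  # alert once per key, not per event
        self.alerts = []

    def _expire(self, dq, now, ts_of=lambda x: x):
        while dq and (now - ts_of(dq[0])).total_seconds() > self.window_s:
            dq.popleft()

    def feed(self, ev):
        if ev["result"] != "FAIL":
            return
        now, user, src = ev["ts"], ev["user"], ev["src"]
        dq = self.by_account[(user, src)]
        dq.append(now)
        self._expire(dq, now)
        key = ("brute_force", user, src)
        if len(dq) >= self.account_threshold and key not in self.alerted:
            self.alerted.add(key)
            self.alerts.append(
                f"brute_force user={user} src={src} failures={len(dq)} within={self.window_s}s")
        sq = self.by_src[src]
        sq.append((now, user))
        self._expire(sq, now, ts_of=lambda x: x[0])
        users = {u for _, u in sq}
        key = ("password_spray", src)
        if len(users) >= self.spray_threshold and key not in self.alerted:
            self.alerted.add(key)
            self.alerts.append(
                f"password_spray src={src} accounts={len(users)} within={self.window_s}s")

def run_detector(log_text: str, **thresholds) -> list:
    det = BruteForceDetector(**thresholds)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            det.feed(ev)
    return det.alerts

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector emits exactly two alerts: the brute-force alert fires on kate's fifth failure from 203.0.113.7, and the spray alert fires when 198.51.100.9 has failed against five distinct accounts; bob's two mistyped passwords, 270 seconds apart, never accumulate inside the 60-second window and produce nothing. Raising `account_threshold` above the number of failures seen removes the first alert but not the second, which is why both rules are needed.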
