T-Mobile responds to Paris Hilton Sidekick hacking

[via Venture Chronicles by Jeff Nolan]

This incident is an interesting one to follow as there is a little more to it than the purported T-Mobile stance: "..Paris may have given out her password..".

I have written about database and data access security matters on numerous occasions, and my underlying message has always been that there are many dimensions to security vulnerability that aren't catered for when the distinct functional domains of data access and data storage intersect. I am almost certain that the infrastructure at the bottom of this controversy will comprise at least one or more of the following: data access drivers (free and closed- or open-source), a relational database engine (closed- or open-source), and a web application scripting language (closed- or open-source).

Here is a hypothetical situation relating to this matter. Let's assume that Paris did inadvertently give away her password; would it be too much for her to assume that T-Mobile's data access infrastructure should be capable of controlling access to her data using any combination of her password and the following:

  1. Data Access Device
  2. Data Access Device host operating system
  3. Network IP or MAC Address
  4. Data Access Application

If a very simple combination of the elements above formed part of the T-Mobile authentication and data access security matrix, we would be looking at a much clearer picture of the vulnerability scenarios for this hack, which would be confined to the following:

  1. She inadvertently gives out her password and also hands over her Sidekick device to the hacker
  2. She inadvertently gives out her password and then the hacker successfully logs on to her Sidekick (it does have a web browser and email, implying a TCP/IP stack etc.). But I would expect Paris to be within her rights to assume some basic firewalling would be in place by default

T-Mobile should have a data access security infrastructure with a rule that restricts Sidekick accounts (by default) from direct remote access to address book data, for instance. Account owners should be allowed to enable this feature after receiving clear notification about the security implications.
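To make the two ideas above concrete (the four-element access matrix checked alongside the password, and the default rule that keeps address book data off limits to remote callers until the owner opts in), here is an added Python sketch of such a policy check. It is illustrative code written for this post, not T-Mobile's or Danger's software; the account profile, device identifiers, network ranges and application names are constructed sample values, and the password hashing is simplified.

```python
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def pw_hash(password: str) -> str:
    # Simplified for the example; a real service would use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountProfile:
    """Hypothetical enrolled profile for one Sidekick account (constructed sample)."""
    password_hash: str
    device_id: str                      # 1. data access device
    device_os: str                      # 2. device host operating system
    handset_networks: tuple             # 3. CIDR ranges the handset itself connects from
    allowed_apps: frozenset             # 4. data access applications
    remote_address_book: bool = False   # off by default; the owner must opt in


@dataclass
class AccessRequest:
    password: str
    device_id: str
    device_os: str
    source_ip: str
    app: str
    resource: str                       # e.g. "address_book" or "email"


def evaluate(profile: AccountProfile, req: AccessRequest):
    """Return (allowed, reasons). The password alone never grants access."""
    if pw_hash(req.password) != profile.password_hash:
        return False, ["bad password"]
    reasons = []
    if req.device_id != profile.device_id:
        reasons.append("unenrolled device")
    if req.device_os != profile.device_os:
        reasons.append("unexpected device OS")
    if req.app not in profile.allowed_apps:
        reasons.append("unapproved application")
    # A request not coming from the handset's own network counts as remote.
    from_handset = any(ip_address(req.source_ip) in ip_network(n) for n in profile.handset_networks)
    if req.resource == "address_book" and not from_handset and not profile.remote_address_book:
        reasons.append("remote address book access is disabled by default")
    return (not reasons), reasons


def enable_remote_address_book(profile: AccountProfile, acknowledged_notice: bool) -> bool:
    """Owner opt-in; only takes effect once the security notice has been acknowledged."""
    if acknowledged_notice:
        profile.remote_address_book = True
    return profile.remote_address_book
```

With this policy, a leaked password from an unknown PC on the open internet fails on three counts, and address book data stays unreachable remotely until the owner has acknowledged the notice and turned the feature on.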