T-Mobile responds to Paris Hilton Sidekick hacking [via Venture Chronicles by Jeff Nolan]
This incident is an interesting one to
follow as there is a little more to it than the purported T-Mobile
stance: "..Paris may have given out her password..".
I have written about database and data access security matters on numerous occasions, and my underlying message has always been that there are many dimensions to security vulnerability that aren't catered for when the distinct functional domains of data access and data storage intersect. I am almost certain that the infrastructure at the bottom of this controversy comprises at least one or more of the following: data access drivers (free, closed- or open-source), a relational database engine (closed- or open-source), and a web application scripting language (closed- or open-source).
Here is a hypothetical situation relating to this matter. Let's assume that Paris did inadvertently give away her password. Would it be too much for her to assume that T-Mobile's data access infrastructure should be capable of controlling access to her data using her password in combination with any of the following:
- Data access device
- Data access device host operating system
- Network IP or MAC address
- Data access application
If even a very simple combination of the elements above formed part of T-Mobile's authentication and data access security matrix, we would be looking at a much clearer picture of the vulnerability scenarios for this hack, which would be confined to the following:
- She inadvertently gives out her password and also hands over her Sidekick device to the hacker.
- She inadvertently gives out her password and the hacker then successfully logs on to her Sidekick (it does have a web browser and email, implying a TCP/IP stack etc.).
But I would expect Paris to be within her rights to assume that some basic firewalling would be in place by default.
T-Mobile should have a data access security infrastructure with a rule that, by default, restricts Sidekick accounts from direct remote access to address book data, for instance. Account owners should be allowed to enable this feature themselves, but only after receiving clear notification of the security implications.
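To make the "security matrix" above concrete, here is an added example (my own illustration, not T-Mobile's or the Sidekick service's code) of an access decision that treats the password as necessary but never sufficient. A request is granted outright only when the password is paired with an enrolled handset, its native operating system and client, and a source address on the carrier's network; from any other context, address book data stays closed until the owner has acknowledged the warning and opted in. The carrier address range 10.0.0.0/8, the OS name "DangerOS", the client name "sidekick-client", the device ID "IMEI-0001" and the resource names are all constructed for the demo.

```python
"""Context-aware access decision for a hypothetical Sidekick-style account.

Added example, not T-Mobile's or the Sidekick service's own code. The account
record, device identifiers, network ranges and resource names are constructed.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed: address range the carrier assigns to handsets. Any other source
# address (a desktop browser on the public internet, say) counts as remote.
CARRIER_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: resources a password alone must never unlock from a remote
# location unless the owner has explicitly opted in.
PROTECTED_BY_DEFAULT = {"addressbook"}


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes                                  # sha256(salt + password)
    enrolled_devices: set = field(default_factory=set)    # device IDs the owner registered
    remote_enabled: set = field(default_factory=set)      # resources opened up for remote access


@dataclass
class AccessRequest:
    username: str
    password: str
    device_id: str        # handset identifier presented by the client
    host_os: str          # client operating system
    source_ip: str        # network address the request arrives from
    application: str      # client application name
    resource: str         # e.g. "addressbook", "email"


def make_account(username, password, devices):
    """Create an account with a salted password hash and a set of enrolled devices."""
    salt = hashlib.sha256(b"demo-salt:" + username.encode()).digest()[:16]  # constructed salt
    digest = hashlib.sha256(salt + password.encode()).digest()
    return Account(username, salt, digest, set(devices))


def password_ok(account, password):
    digest = hashlib.sha256(account.salt + password.encode()).digest()
    return hmac.compare_digest(digest, account.password_hash)


def is_remote(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in CARRIER_NETWORKS)


def enable_remote_access(account, resource, acknowledged_warning):
    """Owner opt-in: only takes effect once the security warning was acknowledged."""
    if not acknowledged_warning:
        return False
    account.remote_enabled.add(resource)
    return True


def decide(account, req):
    """Return (allowed, reason). The password is necessary but never sufficient on its own."""
    if req.username != account.username or not password_ok(account, req.password):
        return False, "password check failed"
    # Full matrix match: enrolled handset, its native OS and client, on the carrier network.
    on_own_handset = (req.device_id in account.enrolled_devices
                      and req.host_os == "DangerOS"               # constructed OS name
                      and req.application == "sidekick-client"    # constructed client name
                      and not is_remote(req.source_ip))
    if on_own_handset:
        return True, "password plus enrolled handset on carrier network"
    # Any other context is remote/unknown: protected resources stay closed by default.
    if req.resource in PROTECTED_BY_DEFAULT:
        if req.resource not in account.remote_enabled:
            return False, f"remote access to {req.resource} is disabled by default"
        return True, "password plus owner-enabled remote access"
    return True, "password only (resource not protected by default)"


if __name__ == "__main__":
    acct = make_account("paris", "sidekick-pass", {"IMEI-0001"})
    leaked = AccessRequest("paris", "sidekick-pass", "PC-LAPTOP", "Windows XP",
                           "203.0.113.7", "web-browser", "addressbook")
    print(decide(acct, leaked))                       # denied: default rule
    enable_remote_access(acct, "addressbook", acknowledged_warning=True)
    print(decide(acct, leaked))                       # allowed: owner opted in
```

The second scenario from the post (the hacker logs on from her own Sidekick with the password) is still allowed by this policy; that is the residual risk the post accepts, and it is a much smaller exposure than a password being enough from any browser on the internet.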