Corporate lessons (On Security) by Ms. Hilton

The sad case of Ms. Paris Hilton’s personal information, stored in her mobile, made publicly available by some cracker (yes I believe he is using it with a profit motive) is known to all. We will look at the lessons to be learnt from this fiasco.

It was not only an embarrassment for her but also a cause for concern for everyone who confided their personal information to her. The situation is hard to contain but it could have been worse, much worse. She could have had her financial information stored in her mobile.

The basic idea of storing personal information in a mobile is not wrong. Nor is the idea to make it accessible through a web site by T Mobile. The problem lies elsewhere.

Weak Single Layered Authentication

First they used a weak single layered authentication system to give access to the account, which may potentially contain very crucial information.

Normally in any web-based applications when a password-reset request is made and the test question is correctly answered, the actual password or reset password is sent via email to the registered email address. AFAIK it wasn’t the case in this web application! The web site access was immediately provided.

The Problem with Secret Question based authentication

Secondly they used the now standard format of providing an answer to a secret question to reset the password. Now if someone tries to guess my pet’s name, unless he is my neighbor or close relative, it would be almost impossible to guess. Not so in the case of Ms. Hilton. She is a well-known celebrity and her personal details are fairly well known to enthusiasts. That makes such scheme much easy to decipher. Thanks to paparazzi press (in the name of press freedom and the spurious right of the need of the public to know) the personal life of so-called celebrities are very much exposed. It is another issue whether press should have such access. Personally I think it is a heinous activity to forcefully delve into ones personal space without explicit permission. Being a celebrity doesn’t change the equation. However at the core the issue is how secure such scheme is when faced with an attacker with inside information. The reality is that it is not secure at all!

Paris Hilton T-Mobile: Lessons Learnt

There are few interesting lessons to be learnt by any web application provider from this fiasco.

• Do not provide a simple single layered protection for access to sensitive accounts. It is ok to be over-protective even at the expense of being a pain sometimes.
• Allow users to choose their secret question and at least two of them. Ensure they are different. Tell them the consequences of choosing a well known question.
• Use the registered email address only for communication like send the link to reset password in their email. However never send the actual password in the email.
• Do not inform the user any details when authentication attempt fails like don’t tell them if their login or password is wrong. Give them a generic message.
• Think about locking access to the account after specified number of attempts. Locking could be soft as in restoring access to account after pre-defined time period or hard as in requiring a phone call or fax to restore the access. Choose based on sensitiveness of the data.

Insider Job

The lesson for any corporation in general is to realize the importance of not only securing from outside but also from inside. Insider hacking can be much more serious than any outside attempts. In this case the cracker was strangely an insider because he knew personal details of the Ms. Hilton. Unfortunately for movie stars half the world are their insiders! The corporations are lucky in this respect if only they would put some basic security in place. An old army paradigm of information access on a need-to-know basis is equally applicable to insiders.

Questions to ask

At this point you may be thinking that your corporation is well protected from inside. Can you answer the following questions:

• Who in your company has access to your Source Code Management System?
• Can a programmer access source code not belonging to his project?
• Can QA/Marketing/Contractors/Temps view/modify source code? What are their levels of access?
• Where do you store your customer information? Who manages access control policies to such sensitive files? Is it centrally managed?
• Are access to corporate information switched off (immediately) before an employee is notified about termination of employment?
• Can a terminated employee forward his emails to another outside account before leaving? Is the process supervised?
• Are your hardware resources centrally managed? Do you restrict access to CD-RW, Follpy Drives?
• Is internet access monitored?

If you are unsure of any of the questions above seriously think about doing a security audit as soon as possible. Damage control is very hard with an extensive insider breach. You may not even know till its too late what information have been compromised. You can also think about intrusion testing from reliable sources.