Thursday, March 03, 2005
Things to learn from the T-Mobile security breaches
The mainstream media haven't been very helpful in explaining what went wrong at T-Mobile to cause the security breach which had the tragic result of giving more publicity to Paris Hilton.
One problem was largely her fault. She set up one of those "secret questions" to use in case she forgot her password. You need to pick those carefully because anyone can start the procedure for a forgotten password. She picked something like "What is your pet's name?" If you're Jane Average, that question will keep out anyone except nosy co-workers, ex-husbands, ex-husbands' lawyers, and stalkers. If you're a celebrity it won't keep out anybody.
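To make the "anyone can start the forgotten-password procedure" point concrete, here is an added example (mine, not the author's, and not T-Mobile's software) contrasting a reset flow gated only by a secret question with a hardened one. All names (`weak_reset`, `hardened_reset_start`, `MAX_ATTEMPTS`, the candidate-answer list) are constructed for the illustration; the lockout limit of five is an assumption.

```python
"""Constructed example: a password-reset flow gated only by a secret question,
beside a hardened version with attempt lockout and an out-of-band reset token."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

MAX_ATTEMPTS = 5  # assumption: lock the reset flow after this many wrong answers


def _digest(text: str) -> str:
    """Normalise (trim, lower-case) and hash a secret for storage and comparison."""
    return hashlib.sha256(text.strip().lower().encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    answer_hash: str  # hashed answer to "What is your pet's name?"
    failed_attempts: int = 0
    locked: bool = False
    reset_token: Optional[str] = None


def weak_reset(account: Account, answer: str, new_password: str) -> bool:
    """Vulnerable flow: a correct answer alone sets a new password, with no limit on tries."""
    if hmac.compare_digest(account.answer_hash, _digest(answer)):
        account.password_hash = _digest(new_password)
        return True
    return False


def hardened_reset_start(account: Account, answer: str) -> Optional[str]:
    """Hardened flow, step 1: a correct answer only mints a random token that is
    delivered out of band (e.g. to the verified e-mail address on file); wrong
    answers count towards a lockout."""
    if account.locked:
        return None
    if hmac.compare_digest(account.answer_hash, _digest(answer)):
        account.failed_attempts = 0
        account.reset_token = secrets.token_urlsafe(32)
        return account.reset_token  # sent out of band, never shown on the web page
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
    return None


def hardened_reset_finish(account: Account, token: str, new_password: str) -> bool:
    """Hardened flow, step 2: only the holder of the out-of-band token changes the password."""
    if account.reset_token is None or not hmac.compare_digest(account.reset_token, token):
        return False
    account.password_hash = _digest(new_password)
    account.reset_token = None
    return True


# Constructed list standing in for "facts anyone could look up about a celebrity".
CANDIDATE_ANSWERS: List[str] = ["Max", "Buddy", "Bella", "Tinkerbell", "Rocky", "Daisy"]


def guesses_needed_weak(account: Account, candidates: List[str]) -> Optional[int]:
    """How many tries the weak flow allows before a guessable answer resets the password."""
    for n, guess in enumerate(candidates, start=1):
        if weak_reset(account, guess, "attacker-chosen"):
            return n
    return None


def guesses_needed_hardened(account: Account, candidates: List[str]) -> Optional[int]:
    """Same candidate list against the hardened flow: lockout stops it, and even a
    correct answer changes nothing without the out-of-band token."""
    for n, guess in enumerate(candidates, start=1):
        token = hardened_reset_start(account, guess)
        if token is not None:
            # The guesser never receives the real token, so any value they supply fails.
            if hardened_reset_finish(account, "not-the-real-token", "attacker-chosen"):
                return n
            return None
        if account.locked:
            return None
    return None


if __name__ == "__main__":
    celeb = Account("celebrity_user", _digest("old-pw"), _digest("Tinkerbell"))
    print("weak flow falls on guess", guesses_needed_weak(celeb, CANDIDATE_ANSWERS))
    celeb = Account("celebrity_user", _digest("old-pw"), _digest("Tinkerbell"))
    print("hardened flow result:", guesses_needed_hardened(celeb, CANDIDATE_ANSWERS))
```

The design point is that the secret answer is never the thing that authorises the change: it only unlocks delivery of a random token to a channel the account owner already controls, and a handful of wrong answers locks the flow, so a public fact about the account holder buys an outsider nothing on its own.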
The other problem was T-Mobile's fault, though some blame should stick to their software supplier. T-Mobile's web-based management software has had one security bug after another for years. In 2003 it let you upload and download files from the server without a password. A later bug let anyone with web access run some administrative commands without a password. T-Mobile could have installed a patch to fix that but didn't. An intruder had the run of T-Mobile's network for months as a result and even read the email of Secret Service agents who were investigating him. At least that's one theory: they have so many security bugs it's hard to say for sure which one got used. Details for your technical friends on the T-Mobile compromise.
So how can you protect yourself? It's not like you can audit every piece of software your phone company uses. The closest thing to an answer is not to store anything with a third party unless you're willing to see it in the newspaper.