The sad case of Ms. Paris Hilton’s personal information, stored in her mobile, being made publicly available by some cracker (yes, I believe he is using it with a profit motive) is known to all. We will look at the lessons to be learnt from this fiasco.

It was not only an embarrassment for her but also a cause for concern for everyone who had confided their personal information to her. The situation is hard to contain, but it could have been worse, much worse. She could have had her financial information stored in her mobile.

The basic idea of storing personal information in a mobile is not wrong. Nor is the idea of making it accessible through a web site run by T-Mobile. The problem lies elsewhere.

Weak Single-Layered Authentication

First, they used a weak single-layered authentication system to give access to the account, which may potentially contain very crucial information.

Normally, in any web-based application, when a password-reset request is made and the secret question is correctly answered, the actual password or a reset password is sent via email to the registered email address. AFAIK it wasn’t the case in this web application! Web site access was provided immediately.

The Problem with Secret-Question-Based Authentication

Secondly, they used the now-standard format of providing an answer to a secret question to reset the password. Now, if someone tries to guess my pet’s name, unless he is my neighbor or a close relative, it would be almost impossible to guess. Not so in the case of Ms. Hilton. She is a well-known celebrity, and her personal details are fairly well known to enthusiasts. That makes such a scheme much easier to break. Thanks to the paparazzi press (in the name of press freedom and the spurious right of the public to know), the personal lives of so-called celebrities are very much exposed. It is another issue whether the press should have such access. Personally, I think it is a heinous activity to forcefully delve into one’s personal space without explicit permission. Being a celebrity doesn’t change the equation. However, at the core the issue is how secure such a scheme is when faced with an attacker with inside information. The reality is that it is not secure at all!

Paris Hilton T-Mobile: Lessons Learnt

There are a few interesting lessons to be learnt by any web application provider from this fiasco.

  • Do not provide simple single-layered protection for access to sensitive accounts. It is ok to be over-protective, even at the expense of being a pain sometimes.
  • Allow users to choose their secret questions, and require at least two of them. Ensure they are different. Tell them the consequences of choosing a well-known question.
  • Use the registered email address only for communication, such as sending a link to reset the password to their email. However, never send the actual password in the email.
  • Do not give the user any details when an authentication attempt fails; for example, don’t tell them whether the login or the password is wrong. Give them a generic message.
  • Think about locking access to the account after a specified number of attempts. Locking could be soft, as in restoring access to the account after a pre-defined time period, or hard, as in requiring a phone call or fax to restore access. Choose based on the sensitivity of the data.
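As an added illustration of the lessons above (example code written for this post, not code from the original article or from T-Mobile): a minimal password-reset service that requires two distinct secret questions, answers every request with the same generic message, soft-locks the account after repeated failures, and emails a one-time link rather than the password. A hard lock would instead require an out-of-band step such as the phone call or fax mentioned above. All usernames, answers, the email address and the URL are constructed for the example.

```python
import hashlib
import hmac
import secrets

GENERIC_MSG = "If an account matches, a reset link has been sent to its registered email."
MAX_ATTEMPTS = 5         # failed reset attempts before the account is soft-locked
SOFT_LOCK_SECONDS = 900  # soft lock: access returns by itself after 15 minutes

def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise case/whitespace and salt-hash the answer; only the hash is stored."""
    return hashlib.sha256(salt + answer.strip().lower().encode()).digest()

class ResetService:
    def __init__(self):
        self.accounts = {}  # username -> record (constructed in-memory store)
        self.outbox = []    # (email, body) pairs a real mail server would deliver

    def register(self, username, email, qa):
        """qa: (question, answer) pairs; at least two, and the questions must differ."""
        questions = [q for q, _ in qa]
        if len(qa) < 2 or len(set(questions)) != len(questions):
            raise ValueError("choose at least two different secret questions")
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "email": email, "salt": salt,
            "answers": {q: _hash_answer(a, salt) for q, a in qa},
            "failures": 0, "locked_until": 0.0,
        }

    def request_reset(self, username, given, now):
        """Same generic reply for an unknown user, a wrong answer or a locked account.
        `now` is the current time in seconds, e.g. time.time()."""
        rec = self.accounts.get(username)
        if rec is None or now < rec["locked_until"]:
            return GENERIC_MSG
        ok = len(given) == len(rec["answers"]) and all(
            q in rec["answers"]
            and hmac.compare_digest(rec["answers"][q], _hash_answer(a, rec["salt"]))
            for q, a in given.items())
        if not ok:
            rec["failures"] += 1
            if rec["failures"] >= MAX_ATTEMPTS:
                rec["locked_until"], rec["failures"] = now + SOFT_LOCK_SECONDS, 0
            return GENERIC_MSG
        rec["failures"] = 0
        token = secrets.token_urlsafe(32)  # one-time token goes in the link; the password never does
        rec["reset_token"] = hashlib.sha256(token.encode()).digest()
        self.outbox.append((rec["email"], f"https://example.invalid/reset?token={token}"))
        return GENERIC_MSG
```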

Insider Job

The lesson for any corporation in general is to realize the importance of securing not only from outside but also from inside. Insider hacking can be much more serious than any outside attempt. In this case the cracker was, strangely, an insider, because he knew personal details of Ms. Hilton. Unfortunately for movie stars, half the world are their insiders! Corporations are lucky in this respect, if only they would put some basic security in place. The old army paradigm of information access on a need-to-know basis is equally applicable to insiders.

Questions to ask

At this point you may be thinking that your corporation is well protected from inside. Can you answer the following questions?

  • Who in your company has access to your source code management system?
  • Can a programmer access source code not belonging to his project?
  • Can QA/Marketing/Contractors/Temps view or modify source code? What are their levels of access?
  • Where do you store your customer information? Who manages the access control policies for such sensitive files? Is it centrally managed?
  • Is access to corporate information switched off (immediately) before an employee is notified about termination of employment?
  • Can a terminated employee forward his emails to an outside account before leaving? Is the process supervised?
  • Are your hardware resources centrally managed? Do you restrict access to CD-RW and floppy drives?
  • Is internet access monitored?

If you are unsure about any of the questions above, seriously think about doing a security audit as soon as possible. Damage control is very hard after an extensive insider breach. You may not even know until it’s too late what information has been compromised. You can also think about intrusion testing from reliable sources.