The sad case of Ms. Paris Hilton’s personal information, stored in her mobile phone, being made publicly available by a cracker (yes, I believe he is using it for profit) is known to all. We will look at the lessons to be learnt from this fiasco.

It was not only an embarrassment for her but also a cause for concern for everyone who had confided their personal information to her. The situation is hard to contain, but it could have been worse, much worse. She could have had her financial information stored in her mobile.

The basic idea of storing personal information in a mobile is not wrong. Nor is T-Mobile's idea of making it accessible through a web site. The problem lies elsewhere.

Weak Single-Layered Authentication

First, they used a weak, single-layered authentication system to give access to the account, which may potentially contain very crucial information.

Normally, in any web-based application, when a password-reset request is made and the secret question is correctly answered, the actual password or a reset password is sent via email to the registered email address. AFAIK it wasn’t the case in this web application! Web site access was provided immediately.

The Problem with Secret-Question-Based Authentication

Secondly, they used the now-standard format of answering a secret question to reset the password. Now, if someone tries to guess my pet’s name, unless he is my neighbor or a close relative, it would be almost impossible to guess. Not so in the case of Ms. Hilton. She is a well-known celebrity, and her personal details are fairly well known to enthusiasts. That makes such a scheme much easier to defeat. Thanks to the paparazzi press (in the name of press freedom and the spurious right of the public to know), the personal lives of so-called celebrities are very much exposed. Whether the press should have such access is another issue. Personally, I think it is a heinous activity to forcefully delve into one's personal space without explicit permission. Being a celebrity doesn’t change the equation. However, at the core the issue is how secure such a scheme is when faced with an attacker who has inside information. The reality is that it is not secure at all!

Paris Hilton / T-Mobile: Lessons Learnt

There are a few interesting lessons to be learnt by any web application provider from this fiasco.

  • Do not provide simple, single-layered protection for access to sensitive accounts. It is OK to be over-protective, even at the expense of being a pain sometimes.
  • Allow users to choose their secret questions, and require at least two of them. Ensure they are different. Tell them the consequences of choosing a well-known question.
  • Use the registered email address only for communication, such as sending a link to reset the password. However, never send the actual password in the email.
  • Do not give the user any details when an authentication attempt fails; for example, don’t tell them whether the login or the password was wrong. Give them a generic message.
  • Think about locking access to the account after a specified number of attempts. Locking could be soft, as in restoring access to the account after a pre-defined time period, or hard, as in requiring a phone call or fax to restore access. Choose based on the sensitivity of the data.
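As an added illustration (not T-Mobile's code, nor the author's), here is a minimal Python password-reset flow that applies the lessons above: two distinct secret questions checked together, the same generic reply whatever the cause of failure, a time-based soft lock after repeated failures, and a single-use reset link emailed instead of the password. The mail sender, clock, account store, lockout numbers and URL are assumptions for the example.

```python
import hashlib, hmac, secrets, time

GENERIC_MSG = "If the account exists, reset instructions have been emailed."
MAX_FAILURES, SOFT_LOCK_SECONDS, TOKEN_TTL_SECONDS = 5, 15 * 60, 30 * 60  # assumed policy

def _answer_hash(answer: str) -> bytes:
    # Normalise ("Rex " == "rex") and hash, so plaintext answers are never stored or compared.
    return hashlib.sha256(answer.strip().lower().encode()).digest()

class ResetService:
    def __init__(self, send_mail, now=time.time):
        self.send_mail, self.now = send_mail, now  # injected so the flow is testable offline
        self.accounts = {}  # username -> {email, answers{q: hash}, failures, lock_until}
        self.tokens = {}    # sha256(token) -> (username, expiry)

    def register(self, username, email, answers):
        if len(answers) < 2:  # at least two *different* secret questions
            raise ValueError("choose at least two distinct secret questions")
        self.accounts[username] = {"email": email, "failures": 0, "lock_until": 0.0,
                                   "answers": {q: _answer_hash(a) for q, a in answers.items()}}

    def request_reset(self, username, given):
        acct = self.accounts.get(username)
        # Unknown user, soft-locked account and wrong answers all get the same generic reply.
        if acct is None or self.now() < acct["lock_until"]:
            return GENERIC_MSG
        ok = all(q in given and hmac.compare_digest(h, _answer_hash(given[q]))
                 for q, h in acct["answers"].items())  # every registered question must match
        if not ok:
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILURES:  # soft lock: access returns after a fixed delay
                acct["failures"], acct["lock_until"] = 0, self.now() + SOFT_LOCK_SECONDS
            return GENERIC_MSG
        acct["failures"] = 0
        token = secrets.token_urlsafe(32)  # single-use, time-limited; only its hash is kept
        self.tokens[hashlib.sha256(token.encode()).digest()] = (username, self.now() + TOKEN_TTL_SECONDS)
        # The email carries a reset link, never the password and never direct site access.
        self.send_mail(acct["email"], f"https://example.invalid/reset?token={token}")
        return GENERIC_MSG

    def complete_reset(self, token, new_password):
        entry = self.tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # consumes the token
        if entry is None or self.now() > entry[1]:
            return False
        salt = secrets.token_bytes(16)
        self.accounts[entry[0]]["password"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return True
```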

Insider Job

The lesson for any corporation in general is to realize the importance of securing not only against the outside but also against the inside. Insider hacking can be much more serious than any outside attempt. In this case the cracker was, strangely, an insider, because he knew Ms. Hilton's personal details. Unfortunately for movie stars, half the world are their insiders! Corporations are lucky in this respect, if only they would put some basic security in place. The old army paradigm of information access on a need-to-know basis is equally applicable to insiders.

Questions to ask

At this point you may be thinking that your corporation is well protected from the inside. Can you answer the following questions?

  • Who in your company has access to your source code management system?
  • Can a programmer access source code not belonging to his project?
  • Can QA, marketing, contractors or temps view or modify source code? What are their levels of access?
  • Where do you store your customer information? Who manages the access control policies for such sensitive files? Are they centrally managed?
  • Is access to corporate information switched off (immediately) before an employee is notified of termination of employment?
  • Can a terminated employee forward his emails to an outside account before leaving? Is the process supervised?
  • Are your hardware resources centrally managed? Do you restrict access to CD-RW and floppy drives?
  • Is internet access monitored?

If you are unsure about any of the questions above, seriously think about doing a security audit as soon as possible. Damage control is very hard after an extensive insider breach. You may not even know what information has been compromised until it is too late. You can also think about intrusion testing from reliable sources.