The Paris Hack

It’s been big news lately: Paris Hilton had her T-Mobile Sidekick hacked, and her address book, notes, and camera phone images are showing up all over the internet and back again. I originally suspected that it was a result of T-Mobile getting pwned by Nicolas Jacobsen over the course of a year, which was in the news recently. That article states that Jacobsen “could access information on any of the Bellevue, Washington-based company’s 16.3 million customers, including many customers’ Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with Web access to their T-Mobile e-mail accounts. He did not have access to credit card numbers.”

However, I ran into this O’Reilly article by Brian McWilliams, which states that T-Mobile.com requires users to answer a secret question in order to reset their password if they forget it. Supposedly, someone simply masqueraded as Hilton using her T-Mobile.com email account and “forgot” her password. Hilton’s question was “What is your favorite pet’s name?” Anyone who doesn’t live in a cave knows that Hilton carries around a little rat dog named Tinkerbell everywhere she goes.

I really dislike secret questions. For one, if they are lame and there’s no lockout on attempts, they can easily be brute-forced (favorite color, etc.). Second, some answers can be obtained through social engineering or public records (name of the street you grew up on, etc.). Third, I can use a fairly secure password but then have to rely on an answer to a secret question as essentially my backup password. This backup password, in my case, will be much easier to guess than my fairly secure password.
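As an added example (not code from the original post or from T-Mobile), here is a small Python reset gate that makes the lockout point concrete: with no attempt limit, a short constructed list of common pet names eventually reaches the right answer, while a limit of a few attempts locks the account before it gets there. Answers are stored salted and hashed like passwords and compared in constant time; the answer, the guess list and the `max_attempts` parameter are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple


def normalize(answer: str) -> str:
    # Case, spacing and accents should not matter ("Tinkerbell" == " tinkerbell"),
    # otherwise legitimate users lock themselves out of their own backup credential.
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Store the answer the way a password should be stored: salted, slow hash, never plaintext.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest


class SecretQuestionReset:
    """Password-reset step gated on a secret question.

    max_attempts=None reproduces the no-lockout design the post criticises;
    a small limit turns online guessing into a locked account (and an alert)
    instead of a successful reset.
    """

    def __init__(self, answer: str, max_attempts: Optional[int] = 5):
        self.salt, self.digest = hash_answer(answer)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        _, guess_digest = hash_answer(guess, self.salt)
        # Constant-time comparison so response timing reveals nothing about the answer.
        if hmac.compare_digest(guess_digest, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True  # a real deployment would also notify the account owner
        return False
```

Lockout only narrows the window for the first weakness the post lists; an answer that is public knowledge is guessed on the first try regardless.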
