Tinkerbell, Social Engineering & Fred Durst

Now, Fred Durst of Limp Bizkit has had his T-Mobile account hacked. Someone claiming to be the T-Mobile Terrorist ripped a 3-minute hardcore porn-style video/audio clip of Durst having sex with an unidentified female.

Update: Nope. Didn’t have anything to do with T-Mobile. Fred claims that someone grabbed the clip from his hard drive when he took his busted PC in for service. Gotta appreciate his optimism — he hopes that the whole experience will raise awareness of security-related issues.

OK. Whatever. I have no doubt that the female will be identified, will likely do a stint on Howard Stern’s show or the like, and will rake in some serious $$s for being in the right place at the right time or the wrong place/wrong time, depending on your culturethink. For those looking for the actual video, Gawker has the goods.

The interesting bit is that the site with the video claims: “The previous information was obtained using social engineering tactics.”

It wouldn’t surprise me if the social engineering tactics involved the “forgot my password” feature. T-Mobile, like many e-commerce sites, has a question/answer challenge if you lose your password. That is, if you don’t remember your password, your phone number plus the answer to any one of five questions is enough to get into your account.

The questions are:

  • What is your mother’s maiden name?
  • What is your favorite pet’s name?
  • On what street did you grow up?
  • In what city did you grow up?
  • What is your favourite movie?

In other words, T-Mobile is relying entirely upon security through obscurity to protect its users’ accounts: the only thing standing between an attacker and the account is the assumption that nobody else knows a handful of biographical facts.
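To make that concrete, here is an added example in Python. It is not T-Mobile’s code, and the phone number, the subscriber’s answers and the “press clippings” an attacker works from are all constructed for the example. It models the recovery flow described above (phone number plus any one correct answer, unlimited tries), an attacker who simply feeds it publicly known facts, and a hardened flow in which every question must match, failures lock the account, and a success only produces a one-time token assumed to be delivered out of band.

```python
import hashlib
import hmac
import itertools
import secrets

# The five recovery questions the post lists.
QUESTIONS = (
    "mother's maiden name",
    "favorite pet's name",
    "street you grew up on",
    "city you grew up in",
    "favorite movie",
)


def normalize(answer: str) -> str:
    """Case- and whitespace-fold an answer so legitimate users can still
    log in; note this also shrinks the space an attacker has to guess."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 10_000)


class Account:
    """One subscriber record: phone number plus salted hashes of the answers."""

    def __init__(self, phone: str, answers: dict):
        self.phone = phone
        self.salt = secrets.token_bytes(16)
        self.answer_hashes = {q: hash_answer(a, self.salt) for q, a in answers.items()}
        self.failed_attempts = 0
        self.locked = False

    def check(self, question: str, guess: str) -> bool:
        return hmac.compare_digest(self.answer_hashes[question], hash_answer(guess, self.salt))


def weak_reset(acct: Account, phone: str, question: str, guess: str) -> bool:
    """The flow as the post describes it: phone number plus ONE correct answer,
    the caller picks the question, and nothing counts the attempts."""
    return phone == acct.phone and acct.check(question, guess)


def hardened_reset(acct: Account, phone: str, guesses: dict, max_attempts: int = 5):
    """All questions must match, failures are counted per account and lock it,
    and success yields only a one-time token, assumed to be sent out of band
    (to the handset, not to whoever is typing)."""
    if acct.locked or phone != acct.phone:
        return None
    # Evaluate every question (no short-circuit) so timing does not reveal which one failed.
    matched = sum(acct.check(q, guesses.get(q, "")) for q in QUESTIONS)
    if matched != len(QUESTIONS):
        acct.failed_attempts += 1
        if acct.failed_attempts >= max_attempts:
            acct.locked = True
        return None
    return secrets.token_urlsafe(16)


# Constructed "press clippings": candidate answers lifted from interviews.
# The values are made up for this example.
PUBLIC_PROFILE = {
    "favorite pet's name": ["tinkerbell", "bambi"],
    "city you grew up in": ["los angeles", "new york", "miami"],
    "favorite movie": ["clueless", "grease"],
}


def attack_weak(acct: Account, phone: str, profile: dict):
    """Try each public candidate against the weak flow.
    Returns (question, answer, attempts) on success, None otherwise."""
    attempts = 0
    for question, candidates in profile.items():
        for candidate in candidates:
            attempts += 1
            if weak_reset(acct, phone, question, candidate):
                return question, candidate, attempts
    return None


def attack_hardened(acct: Account, phone: str, profile: dict):
    """Same public facts against the hardened flow. The attacker has nothing
    for two of the five questions, so every combination fails and the
    account locks long before the candidate list is exhausted."""
    order = list(profile)
    for combo in itertools.product(*(profile[q] for q in order)):
        token = hardened_reset(acct, phone, dict(zip(order, combo)))
        if token is not None:
            return token
        if acct.locked:
            break
    return None


def demo():
    phone = "555-0100"  # constructed
    answers = {  # constructed subscriber answers
        "mother's maiden name": "Smith",
        "favorite pet's name": "Tinkerbell",
        "street you grew up on": "Elm Street",
        "city you grew up in": "Los Angeles",
        "favorite movie": "Grease",
    }
    weak = attack_weak(Account(phone, answers), phone, PUBLIC_PROFILE)
    hard_acct = Account(phone, answers)
    hard = attack_hardened(hard_acct, phone, PUBLIC_PROFILE)
    return {"weak": weak, "hardened": hard,
            "hardened_locked": hard_acct.locked,
            "hardened_attempts": hard_acct.failed_attempts}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak flow falling on the very first guess (the pet’s name, exactly the case the post goes on to describe), while the hardened flow locks the account after five failures and never hands out a token. The point is not that hashing the answers is the fix; it is that answers the whole world knows cannot be the only gate, so the design has to cap guesses and push the real credential out of band.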

And, of course, what is the one thing every famous person completely lacks (unless their career has already circled the bowl and left the building)?

Obscurity.

I would bet that a handful of Google searches would turn up answers to most of those questions for just about any pop star, given that the sanitized interviews that show up on MTV and through other media channels focus on nothing but trivialities.

All it takes is for someone to get hold of just one phone number of a non-obscure person. Once that account is compromised, its contact list will most likely reveal the phone numbers of other vulnerable accounts. Given the ‘star bling’ power of the SideKick, it is likely that at least some of those numbers will lead to T-Mobile accounts with even more information.

Tinkerbell?

As a matter of fact, it would not surprise me at all to learn that Paris Hilton’s question/answer pair was What is your favorite pet’s name? and Tinkerbell. Tinkerbell & Ms. Hilton have been in the press frequently and it is clear that she has a bit of an attachment to the dog, given that the dog is a published “author” and all.

Security through obscurity only works for as long as the veil of obscurity is not penetrated. If you happen to be the focus of the public eye, obscurity is already gone.

In other words: If you are famous, nothing is secret. Do not trust your secrets to be protected by answers to questions that are common knowledge!

