Hacking and security: lessons to learn and save money too

Companies being hacked is hardly news any more. It happens every day and most cases do not even make the newspapers. It is different when it happens to a digital security company like RSA, an Internet certificate company like DigiNotar, the Dutch Top 2000 voters’ database, Visa losing 4.3 million customers’ data, and now telecoms and Internet incumbent KPN. Are there lessons to be learned?

Why hacks?
There are several reasons why hacks take place. Hacking as a sport is one, criminal intent another, industrial espionage a third, and even preparation for cyber warfare, as proclaimed by writers like Richard Clarke. I won’t go into these options here. They speak for themselves.

Exploiting vulnerabilities
Whatever the intent behind hacking, all of it makes use of vulnerabilities, whether in software or in human mistakes, weakness or gullibility. Hacks are a fact of life. However, the more dependent our modern life has become on all things Internet, security has not kept pace with this dependency. More like the opposite. Security is the dead-end street of industry: the street that is rather passed by and only costs money to maintain. Speak to any abuse desk operator at an ISP and you’ll find out how frustrating a job that is. Security comes straight out of profits, so the less spent the better for shareholders and profit in general.

Cyber security and responsibility
It is as if losing privacy-sensitive data is of no consequence. No one gets punished or goes to jail over it. As long as there is no consequence, e.g. steep fines, it is also no one’s real responsibility to prevent it. It is this attitude that needs to change as well. I’m not saying that no one was held accountable after a company was hacked, but that is probably the same person who could not really speak up before the hack.

Regulation is debated in The Netherlands. We will have to see whether this changes the attitude towards the subject.

Investment in security
At the same time security is on the agenda of many a major company. Initiatives like the National Cyber Security Council and Centre have been set up in The Netherlands, and ISACs are in place, in which industry fully participates. Despite these efforts, in both time and resources, I see vulnerabilities exploited quite often, leading to panic and overheated reactions. So it appears that there is still a major discrepancy between external and internal security. Critics may say the external efforts are just window dressing, but that remains to be determined over time. The initiatives are only starting.

My personal interest
All this goes against my interests as a private person. Where may my privacy-sensitive data have been lost this past year? That I know about? My credit card company? LinkedIn, KPN, WordPress? Even my gas station was skimmed. But who tells me that my bank was safe, my cable or cell phone operator, my retailer, my municipality, the national transport chip card? My ???? In other words, nothing is safe. Thinking it is, is an illusion. Still, we live on and continue boldly on the Internet. There is no other option. It is not as if I leave KPN because of the hack that was disclosed this week. (What could happen to me through data loss in general is another topic.)

Hiring a hacker
As it is usually not an easy option to leave a service (and it’s not as if security would be much more of a priority elsewhere), it is time to discuss what could be done in the short run. I’d say that if these “kids” that hacked KPN in January were able to do so, why can’t people working for KPN? Or the NCSC? To learn of vulnerabilities upfront, it is time that companies invite and pay hackers to “attack” them and expose their vulnerabilities, instead of waiting for doomsday and bad publicity. There are people out there who love doing this. Make use of their expertise and give them a living and a purpose.

Saving money
I am very much convinced that this saves a tremendous amount of money, as panic is prevented. After all, a hack directed under controlled circumstances shows the flaw and doesn’t unleash a purge of all systems by a hacked company that does not know where to start. These searches would become a continuous process. Lessons are learned all the time, and other flaws and errors are prevented through those lessons, including through changes to internal protocols. Win-win, I’d say, and explainable to every shareholder.

Prevent Doomsday
Software flaws and human errors are a fact of life. Let’s deal with them and make sure they’re noticed before the real bad guys notice them and actually start the doomsday scenario that presenters love showing at cyber security meetings. Let’s beat them to it. Now that would save money and time!

What to do with the hackers?
As the hackers only announced themselves after the facts were published, it leaves them in a weak spot. What about 240 hours of community service? As hackers, of course, serving the community that way. Thinking that KPN is the only company out there with this kind of vulnerability is pure wishful thinking. It’s time to act. It may be a smart move to hire them afterwards.

If these hackers did what they claim to have done, they brought something to light before harm was done. And I hope that KPN is testing whether someone else has been at this back door before and was a whole lot quieter about it. It may be the chance to find some malware or spyware in their systems.

P.S. 11 February 2012

KPN took its complete mail service offline during the day of 10 February, after stolen privacy-sensitive data of 537 customers was published online, apparently in defiance of KPN’s claim that no data was lost. It’s unclear whether the data was placed online by the hackers who sought media contact before, the so-called “kids”. My conclusion that there’s no telling what was taken before the hack of 20 January seems justified.

KPN advises all customers to change their passwords as soon as possible. On the 11th mail can be sent again, but not received. So KPN cannot reach out directly to its customers.

P.S. 2, 13 February 2012
Another day, more news. Here’s a link that more or less connects all the steps of the past days. KPN’s e-mail service is back online. The data published on Friday 10 February was not from KPN’s servers, but from an earlier hack of the webshop “Babydump” (what’s in a name?). With today’s news of the loss of 133.000+ customer records of beer brewer Bavaria through a hack, the bandwagon rolls on.

Wout de Natris, De Natris Consult

Leiderdorp, 10 February 2012


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where Internet safety and the fight against cyber crime are concerned. This makes me a bridge builder, hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the relationships mentioned. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.