Companies being hacked is hardly news any more. It happens every day and most cases do not even make the newspapers. It is different when it happens to a digital security company like RSA or Internet certificate company Diginotar, the Dutch Top 2000 voters’ database, Visa losing 4.3 million customers’ data and now telecoms and Internet incumbent KPN. Are there lessons to be learned?
There are several reasons why hacks take place. Hacking as a sport is one, criminal intent another, industrial espionage is a possibility, and writers like Richard Clarke even proclaim that it is done to prepare for cyber warfare. I won’t go into these options here. They speak for themselves.
Whatever the intent behind hacking, all of them make use of vulnerabilities. Whether in the software or in human mistakes, weakness or gullibility, the fact is that hacks are a fact of life. However, the more dependent our modern life has become on all things Internet, the less security has kept pace with this dependency. More like the opposite. Security is the dead-end street of industry: the street that is passed by and only costs money to keep up. Speak to any abuse desk operator at an ISP and you’ll find out how frustrating a job this is. Security comes straight out of the profits, so the less spent the better for shareholders and profit in general.
Cyber security and responsibility
It is as if losing privacy-sensitive data is of no consequence. No one gets punished or goes to jail over it. As long as there is no consequence, e.g. steep fines, it is also no one’s real responsibility to prevent it. This attitude also needs to change. I’m not saying that no one was held accountable after a hack of a company, but that is probably the same person who could not really speak up before the hack.
Regulation is debated in The Netherlands. We will have to see whether this changes the attitude towards the subject.
Investment in security
At the same time security is on the agenda of many a major company. Initiatives like the National Cyber Security Council and Centre have been set up in The Netherlands, and ISACs are in place, in which industry fully participates. Despite these efforts, in both time and resources, I see vulnerabilities exploited quite often, leading to panic and overheated reactions. So it appears that there is still a major discrepancy between external and internal security. Critics may say the external efforts are just window dressing, but that remains to be determined over time. Initiatives are only starting.
My personal interest
All this goes against my interests as a private person. Where may my privacy-sensitive data have been lost this past year? That I know about? My credit card company? LinkedIn, KPN, WordPress? Even my gas station was skimmed. But who tells me that my bank was safe, my cable or cell phone operator, my retailer, my municipality, the national transport chip card? My ???? In other words, nothing is safe. Thinking it is, is an illusion. Still, we live on and continue boldly on the Internet. There is no other option. It is not as if I leave KPN because of the hack that was disclosed this week. (What could happen to me through data loss in general is another topic.)
Hiring a hacker
As it is usually not an easy option to leave a service (and it’s not as if security would be given much higher priority elsewhere), it is time to discuss what could be done in the short run. I’d say that if these “kids” who hacked KPN in January are able to do so, why can’t people working for KPN? Or the NCSC? To learn of vulnerabilities up front, it is time that companies invited and paid hackers to “attack” them and expose their vulnerabilities, instead of waiting for doomsday and bad publicity. There are people out there who love doing this. Make use of their expertise and give them a living and a purpose.
I am very much convinced that this saves a tremendous amount of money, as panic is prevented. After all, a hack directed under controlled circumstances shows the flaw, instead of unleashing a purge of all systems because the hacked company does not know where to start. These searches would become a continuous process. Lessons are learned all the time, and these lessons prevent other flaws and errors, including through internal protocol changes. Win-win, I’d say, and explainable to every shareholder.
Software flaws and human errors are a fact of life. Let’s deal with them and make sure they’re noticed before the real bad guys notice them and actually start that doomsday scenario that presenters love showing at cyber security meetings. Let’s beat them to it. Now that would save money and time!
What to do with the hackers?
As the hackers only announced themselves after the publication of the facts, it leaves them in a weak spot. What about 240 hours of community service? As hackers, of course, serving the community that way. Thinking that KPN is the only company out there with this form of vulnerability is pure wishful thinking. It’s time to act. It may be a smart move to hire them afterwards.
If these hackers did what they claimed to do, they brought something to light before harm was done. And I hope that KPN is testing whether someone has been at this back door before and was a whole lot quieter about it. It may be the chance to find some malware or spyware in their systems.
P.S. 11 February 2012
KPN took its complete mail service offline during the day of 10 February, after stolen privacy-sensitive data of 537 customers was published online. Apparently in contradiction of KPN’s claim that no data was lost. It’s unclear whether the data was placed online by the hackers who sought media contact before, the so-called “kids”. My conclusion that there’s no telling what was taken before the hack of 20 January seems justified.
KPN advises all customers to change their passwords as soon as possible. On the 11th, mail can be sent again but not received. So KPN cannot reach out directly to its customers.
P.S. 2, 13 February 2012
Another day, more news. Here’s a link that more or less connects all the steps of the past days. KPN’s e-mail service is back online. The data published on Friday 10 February was not from KPN’s servers, but from an earlier hack of the webshop “Babydump” (what’s in a name?). With today’s news of the loss of 133.000+ customer records of beer brewer Bavaria through a hack, the bandwagon rolls on.
Wout de Natris, De Natris Consult
Leiderdorp, 10 February 2012