Last Updated: 2012-02-11 12:17:41 UTC
by Mark Hofman (Version: 1)
KPN is a Dutch Telecommunications company which has not been having a good lately. They hit the national news a few days ago (http://nos.nl/artikel/338769-computersysteem-kpn-gehackt.html because of a breach in the organisation. The article is in Dutch, but in a nutshell it boils down to the following. on January 20 it was discovered that there had been a breach and they worked hard to fix the problem. A week later it turns out that their efforts were unsuccessful and the attackers still had access to the environment. That is when the breach was disclosed to the authorities.
It is also mentioned in the article that KPN could not confirm that customer information had been taken. A quick check on paste bin however will confirm that quite quickly. Interestingly KPN disabled over 2 million email accounts (http://www.reuters.com/article/2012/02/10/kpn-idUSL5E8DACNB20120210) as a precaution (mostly coming back online today).
Also interesting is that KPN has stopped issuing certificates after detecting a DDOS tool on their server (http://www.ehackingnews.com/2011/11/ssl-certificate-authority-kpn-stopped.html) This is managed by the division that was formerly known as Getronics (currently up for sale to Aurelius AG, http://www.kpn.com/Artikel/KPN-to-sell-Getronics-International.htm). A breach at another certificate authority Diginotar last year resulted in one less company. Not good. The new managing director (announced Feb 9) will have his work cut out to restore some faith. Are the two related? not sure, the systems may be completely separate.
There are probably a few lessons we can take away from KPN's misery. Firstly, when doing incident response, do it well. The problem was finally resolved after getting "outside specialist assistance". To me that reads along the lines of, we had a go ourselves and it didn't quite work out. Which is a shame. But it highlights an issue that we come across all the time. Do you know how to make a incident responder or digital forensics person cry? Just utter the phrase "we poked around ourselves for a bit". If you have the skills, go for it, but know when to ask for help and know when to stop. Having an incident response plan that clearly states what to do and what not to do helps a lot.
On the positive they did discover the issue in the first place.
If you are a KPN client. you'll want to change your passwords and if your password is used anywhere else you'll want to change those as well.
If you are at all worried about a breach in your organisation have a look at the processes you have in place the deploy, secure and maintain your infrastructure. How would you detect and if discovered deal with a breach? Have you basic security strategy in place. Not a sexy message, or even ground breaking, yet many of us still live in straw houses, or at least our servers do.