KPN (Dutch Telecommunications company) Hack
Last Updated: 2012-02-11 12:17:41 UTC
by Mark Hofman (Version: 1)
KPN is a Dutch telecommunications company which has not been having a good time lately. They hit the national news a few days ago (http://nos.nl/artikel/338769-computersysteem-kpn-gehackt.html) because of a breach in the organisation. The article is in Dutch, but in a nutshell it boils down to the following. On January 20 it was discovered that there had been a breach, and they worked hard to fix the problem. A week later it turned out that their efforts had been unsuccessful and the attackers still had access to the environment. That is when the breach was disclosed to the authorities.
It is also mentioned in the article that KPN could not confirm that customer information had been taken. A quick check on Pastebin, however, will confirm that quite quickly. Interestingly, KPN disabled over 2 million email accounts (http://www.reuters.com/article/2012/02/10/kpn-idUSL5E8DACNB20120210) as a precaution (mostly coming back online today).
Also interesting is that KPN has stopped issuing certificates after detecting a DDoS tool on their server (http://www.ehackingnews.com/2011/11/ssl-certificate-authority-kpn-stopped.html). This is managed by the division that was formerly known as Getronics (currently up for sale to Aurelius AG, http://www.kpn.com/Artikel/KPN-to-sell-Getronics-International.htm). A breach at another certificate authority, DigiNotar, last year resulted in one less company. Not good. The new managing director (announced Feb 9) will have his work cut out to restore some faith. Are the two related? Not sure; the systems may be completely separate.
There are probably a few lessons we can take away from KPN's misery. Firstly, when doing incident response, do it well. The problem was finally resolved after getting "outside specialist assistance". To me that reads along the lines of: we had a go ourselves and it didn't quite work out. Which is a shame. But it highlights an issue that we come across all the time. Do you know how to make an incident responder or digital forensics person cry? Just utter the phrase "we poked around ourselves for a bit". If you have the skills, go for it, but know when to ask for help and know when to stop. Having an incident response plan that clearly states what to do and what not to do helps a lot.
On the positive side, they did discover the issue in the first place.
If you are a KPN client, you'll want to change your passwords, and if your password is used anywhere else you'll want to change those as well.
If you are at all worried about a breach in your organisation, have a look at the processes you have in place to deploy, secure and maintain your infrastructure. How would you detect a breach, and if one were discovered, how would you deal with it? Do you have a basic security strategy in place? Not a sexy message, or even groundbreaking, yet many of us still live in straw houses, or at least our servers do.
The shutdown of 2 million accounts was an overreaction to a fake leak. Someone had hacked a website in second-hand baby clothing, filtered out all the kpn email addresses and published those, so that it looked as if KPN had been hacked.
Because of recent security issues KPN decided to shut down all email accounts. That's 2 million, which is quite a lot in a country of 16 million people.
It has been suggested that the leak of the baby website is related to our national leaktober month last year, which was organized by webwereld.nl (IDG).
Feb 13th 2012