KPN: The stolen data that wasn’t and the 8 year-old that was to blame.

On Wednesday, February 8th, the giant Dutch ISP KPN announced that its network had been breached. KPN first became aware of the breach around January 27th of this year and since that date has worked with the National Cyber Security Centre, the regulator OPTA, the Data Protection Agency, the Ministry of Economic Affairs, Agriculture & Innovation, the Ministry of Justice and Safety and the Public Prosecutor in an effort to contain and trace the intruder(s).
 
A conscious decision was made in January not to make a public announcement regarding the intrusion. This decision was apparently made for two reasons: to increase the chances of success of the investigation, and to mitigate the possibility that the hacker would do some kind of damage if they knew they had been discovered.
 
In the initial announcement, KPN recognised that some customer data may have been affected but stated that servers containing credit card data or passwords were not compromised.
 
One day after this announcement, a list of 537 KPN user accounts (name, address, email address and password in clear text) was posted on pastebin. There was no direct context given for the data or where it came from; the title of the post was simply “KPN HACK PROOF, KPN houdt vol: geen klantgegevens gestolen”, which translates as “KPN insists: no customer data stolen”, so the insinuation was clearly that the two events were linked.
 
As a result of this data leakage KPN immediately shut down access to all of its 2 million consumer email accounts (as a precautionary measure). It took fully 25 hours before KPN were able to restore outbound email service to their customers on Friday night, and it wasn’t until Saturday that inbound email services were restored in a phased approach. At the same time KPN invested in extra bandwidth and services to enable all their customers to go through an online password reset procedure. Business services remained unaffected, although business users were also strongly advised to change their passwords. By midday Sunday, more than 100,000 customers had already done so.
 
In an article published this weekend, it became clear that the 537 user accounts were in fact not associated with this attack at all. Instead the user accounts were a subset of a much larger list stolen earlier in the year from the online store babydump.nl. The information published is at least a year out of date although several of the victims on the list were unaware that their information had been stolen or leaked at all.
 
According to KPN’s ongoing analysis, which agrees with the information given by the self-confessed attacker, the underlying reason for the successful intrusion was the use of outdated software. According to the hacker, the first system breached was running SunOS 5.8 with patch 108528-29, a version that dates back to 2004. SunOS 5.8 is due to be end-of-support next month. In addition, the hacker claims to have downloaded at least 16GB of data, which they have subsequently destroyed, and to have breached the systems to the point where they were able to individually control a customer’s Internet access.
 
KPN appear in large part to agree with the assertions of the hacker. Their statement from today says, “Several experts in their analysis around the digital break-in suggested that KPN were using seriously outdated systems, and that they also failed to regularly update them.” Joost Farwerck, Director of KPN Netherlands, said, “Granted, developments in our sector are of course very fast. That said, by research in recent weeks we have seen that the maintenance of Internet IT systems has not always been optimal. We are drawing lessons from this to make the service for our customers better and safer.”
 
As if the Sony debacle were not enough, here is yet another salutary lesson that vulnerable and outdated systems should not be Internet-facing if they are not adequately protected. It is a relatively simple matter to discover the versions of operating systems and applications running on a given server, and an even simpler task to uncover the disclosed vulnerabilities.
 
While it may be unrealistic to expect an enterprise to install each and every patch as it becomes available, exposing to the Internet an inadequately protected system with an eight-year-old operating system and application stack is inexcusable. Even in an internal environment, enterprises should be shielding known vulnerabilities with effective host-intrusion protection software until patches are deployed, and the patches themselves should be deployed in as timely a manner as possible. Don’t be the next KPN.
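The judgement the post argues for (outdated, Internet-facing and unshielded is the inexcusable combination; outdated but shielded or internal is a patching backlog) can be applied mechanically to an asset inventory. The script below is an added example, not KPN’s or the author’s code; the end-of-support dates, the one-year patch-age policy, the patch release day and the inventory are all constructed for illustration, with only the SunOS 5.8 version, the 108528-29 patch id and its 2004 date taken from the post.

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support table. The SunOS 5.8 date is inferred from the post's
# "end-of-support next month" (written February 2012); ExampleOS is fictional.
END_OF_SUPPORT = {"SunOS 5.8": date(2012, 3, 31), "ExampleOS 2.0": date(2015, 12, 31)}
MAX_PATCH_AGE_YEARS = 1.0  # assumed policy: patch levels older than this count as outdated
ASSESSMENT_DATE = date(2012, 2, 13)   # roughly when the post was written
POST_EOL_DATE = date(2012, 4, 1)      # a date after SunOS 5.8 leaves support

@dataclass
class Host:
    name: str
    os: str
    patch_id: str
    patch_date: date        # release date of the installed patch level
    internet_facing: bool
    hips_enabled: bool      # compensating host-intrusion protection in place

def is_outdated(host: Host, today: date) -> bool:
    """Outdated if the OS is past end-of-support or the patch level is too old."""
    eol = END_OF_SUPPORT.get(host.os)
    past_eol = eol is not None and today > eol
    too_old = (today - host.patch_date).days / 365.25 > MAX_PATCH_AGE_YEARS
    return past_eol or too_old

def assess(host: Host, today: date) -> str:
    """'critical': outdated, exposed and unshielded (the KPN pattern);
    'mitigated': outdated but internal or shielded by HIPS; 'ok': current."""
    if not is_outdated(host, today):
        return "ok"
    if host.internet_facing and not host.hips_enabled:
        return "critical"
    return "mitigated"

def report(hosts, today: date) -> dict:
    return {h.name: assess(h, today) for h in hosts}

# Constructed sample inventory; gw-01 mirrors the patch level the post quotes
# (the exact day in 2004 is made up, the post only gives the year).
INVENTORY = [
    Host("gw-01", "SunOS 5.8", "108528-29", date(2004, 6, 1), True, False),
    Host("db-02", "SunOS 5.8", "108528-29", date(2004, 6, 1), False, True),
    Host("web-03", "ExampleOS 2.0", "placeholder-patch", date(2011, 11, 1), True, False),
    Host("app-04", "SunOS 5.8", "placeholder-patch", date(2012, 1, 15), True, True),
]

if __name__ == "__main__":
    for name, verdict in report(INVENTORY, ASSESSMENT_DATE).items():
        print(f"{name}: {verdict}")
```

Re-running the same inventory with `POST_EOL_DATE` shows a freshly patched but end-of-support host moving from "ok" to "mitigated", which is the point at which the post says the patch schedule, not the HIPS shield, becomes the control to fix.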
 
If you believe that your account may have been affected by this intrusion, the password reset service is here, although it appears to be suffering under heavy load right now and I could not get a response. You would also be advised to check out the password advice I posted earlier and avoid reusing one password across multiple web sites.
 
