Lessons from the KPN Hack

The Guardian recently published an interesting edited extract from Huib Modderkolk’s book There’s a War Going On But No One Can See It.

It tells the story of Edwin Robbe, the 17-year old responsible for hacking one of the largest Dutch telecommunications companies.

Key Lessons

Defence

• Patch your assets: KPN were using a vulnerable version of HP Data Protector which led to the breach.
• Understand and manage information security risks at a high-level: A company of KPN’s size should have had a CISO or similar. They didn’t, and appointed a Chief Security Officer soon after.
• Build a Security Operations Centre (SOC): A large telecommunications provider like KPN should have had a SOC with the goal of actively detecting intrusions into their networks and systems. They only discovered the hack through sheer luck - the hacker boasted to others online and ultimately one person told KPN.

Offense

• Keep quiet: Had the attacker not boasted online (understandably difficult to do for a teenager), KPN may never have found out or would have taken considerably longer. As they say, “the quieter you become the more you are able to hear”.
• Use kill switches: The article claims that the attacker would usually enter KPN’s network via a Russian VPN server, but made the mistake on one occasion of directly connecting from his home network.
• Don’t re-use identifiers: KPN’s initial investigations appear to have traced the inbound connection to the VPN server coming from another server with an admin email of teqnology@live.com. This same email was used in correspondence 2 years earlier when KPN had temporarily blocked the IP address of the attacker. Re-using nicknames/handles has caught out other attackers in the past too.

Final thoughts

None of this should take away from the human side of the story. Edwin was ultimately a troubled teenager who — seemingly missing the right mentors — channelled his passion, energy and skills in the wrong direction. The criminal justice system came down hard on him (some would say too hard) and instead of reforming him, put out an even more troubled individual who sadly got involved with drugs, became further estranged from his adoptive parents and ultimately committed suicide soon after. KPN also appears to have been fined €364k for inadequately securing its systems.