An interesting piece of information security news came out yesterday. It was revealed that T-Mobile's computer systems were cracked by a 21-year-old named Nicolas Jacobsen. This in itself isn't terribly unique; large companies' computer systems and networks are attacked or probed every day. (The network I protect here at Alpine Access is probed at least 4-5 times a day, and we're pretty small.) What makes this unique is the interesting dilemmas that must have come up through this, the dangers of quickly embracing new technologies, the implications for customers of ANY large company, and the implications for information security folks like myself when the lines between corporate security and national security become blurred. The latter is something I expect to see more and more as time goes on.
You see, this incident didn't happen this past week, or even last month...Jacobsen attacked T-Mobile's systems and had access to them for several months, apparently beginning in late 2003. He wasn't even arrested until this past October, and even then, it was all very quiet (for reasons we'll get to shortly). If you read the story linked above, you'll see that there were no suspicions regarding Jacobsen's activities inside T-Mobile's network until March of 2004. There is a large and indeterminate amount of time during which Jacobsen "owned" (to use the current cracker term) T-Mobile's systems, and apparently, no one at T-Mobile even realized this. For a company of this size, harboring the types of data it harbors regarding its customers, as well as the infrastructure it supports, this is completely unacceptable. The story goes on to say that Jacobsen had access to stored documents (in the most prominent case, US Secret Service documents some idiot agent in NYC had stored on his handheld without additional protection), personal photos, e-mail, and confidential information about T-Mobile's customers. During the investigation of this case, Jacobsen was actively pursuing buyers for this confidential information.
So, the first point of this story is, T-Mobile and every other large company better wake up and get on the ball when it comes to corporate security. Gone are the days of Watergate and old-school corporate espionage, where access to sensitive information entailed physically breaking into a facility owned by the target company. Now, nearly all critical data, particularly at large companies such as T-Mobile, is digital or has a digital copy residing somewhere. No longer can companies be lax about security. Recent regulations such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley, and HIPAA are beginning to provide stronger requirements for information security for the financial and healthcare industries, where highly confidential personal information is the order of the day. But what about other companies? Every company these days not only creates or gathers information, but also buys and sells that information to other companies on a regular basis. As an example, a few years ago, I donated some money to the local public radio station here in Denver. I was a regular listener at the time and I wanted to support them. However, not too long after my donation, I began to get requests for donations from other charities, many of which I hadn't heard of and had never expressed an interest in. How did these charities know I was the giving type? Why, the public radio station told them, of course. Now that entities and organizations of all types realize the value of the information they possess, and now that the drive for higher profits and share prices is paramount (and charities see another potential way to pay the bills), organizations of all types will only continue to barter our personal information back and forth. That information has value, to them and to us, and it must be protected.
There needs to be a greater push for information security from all sides; shareholders, who want to protect their investment; consumers, who have to deal with the companies and have their information taken from them; and the government, who has a stake as the representative not only of the people's privacy but also the people's overall security. These three groups need to push corporations for better security, because corporations won't do it on their own, as T-Mobile woefully demonstrates.
Most concerning to me is that I'm a T-Mobile customer, and I have been since October of 2003. Did Jacobsen look at any of my information? Was he preparing to sell it along with the other info he had? What does he know about me? I doubt he'd come after me personally; I have very little of value to entice him, so the return-on-investment for him would be pretty low. But who else has that info now? And even further, how can I trust T-Mobile? Another problem is, why were customers never notified? I understand in this case that since national security issues were theoretically involved, it was better to keep it quiet for now. But even now that the news has been released, where's the notification from T-Mobile that this happened and that there's a chance my information is out there? The arrests happened this past October...where was notification then, when the issue should have been resolved? Another piece of regulation that should be pushed for is notification of system compromise and information theft by companies to their customers. Yes, there's a loss of prestige to the company involved, but you know what? THERE SHOULD BE. If you care so little about your customers and their personal information, your carelessness deserves to be revealed. Spend some extra money, hire some extra resources, develop some extra policies and procedures, AND SECURE YOUR NETWORK TO THE BEST OF YOUR ABILITY.
If I were the CEO of T-Mobile, I would make a HUGE push, both with technical resources and PR, to reassure my customers that T-Mobile is moving to rectify the issues that created this situation, and that T-Mobile will do everything possible to prevent this kind of situation from happening again.
This post is already far too long, but I have more to say on it, so I'll say it in another post. For those of you reading this, as they used to say on Hill Street Blues, "Take care out there."