Layered Security is Your Network’s Best Defense
Another day, another breach of a major company. This time around it’s T-Mobile, one of the major US cellular carriers, who apparently wasn’t using layered security as part of their defenses. The hacker claiming to be responsible is active on Twitter, and claims the attack was politically motivated by an alleged abduction and subsequent torture carried out by the CIA and Turkish intelligence. Over 100 million customer records were recently stolen from the T-Mobile network, including customer names, addresses, phone numbers, birthdates, social security numbers, and more (plenty of information for bad guys to steal identities).
So why is this particular breach important news (beyond the sheer size of the target company and the amount of information released)? Well, both the hacker and other security experts agree that T-Mobile’s defenses were “awful” (and yes, that’s a direct quote). Other cyber security experts who’ve worked with T-Mobile have also given the company’s security practices universally bad reviews.
Fortunately, as with most breaches, there are still a few important lessons to be learned from the situation.
Apparently the hacker was able to gain entrance to the network by finding a poorly-configured router using ‘a simple tool available to the public’. While it’s not stated directly what tool was used, I take this to mean the hacker found a router with a default administrator login exposed to the internet and used Shodan to find it.
Default users and passwords for any kind of software or hardware are public domain information. They are well known and easy to find. Even if a device is not directly accessible from the internet, these are the sort of things that should be changed as a matter of course.
Once the hacker gained access to the network they could access servers to extract data. This tells me the data was not encrypted while it was being stored, which in turn means T-Mobile focused their attention on firewalls and devices that prevented access from the internet. As soon as those were compromised it was just a matter of the hacker looking around to find useful data and get it out. In other words, there was no layered security.
The thing is, looking for data is not something you can do both quickly and quietly—you can do one or the other. Being inside an unfamiliar network is kind of like visiting an unfamiliar place in the real world. You have to scope the place out to find what’s there and where you want to go. Typically this means generating traffic, like port scans and sweeps across the network, both of which are distinctive and easy to notice. As a result, the longer you stay, the harder it is to remain hidden.
T-Mobile is claiming that part of the attack used brute force techniques. They haven’t said exactly what was forced, but it’s easy to assume it was a password. Brute force attacks are basically just when a hacker throws a whole bunch of password variations at your login portal until one works. It’s neither sophisticated nor elegant, and it is remarkably easy to defend against just by putting limits on the number of attempts that can be made within a certain amount of time. Apparently this is the “sophisticated” activity that went undetected by T-Mobile.
I could go on about these flaws, but the point of this is to get some useful advice out of the situation, so here we go:
Tip #1: Don’t forget about your internal defenses
It’s important to remember that firewalls are computers. They’re specialized computers but computers nonetheless, and that means they can be compromised. Once firewalls are set up they need to be monitored to make sure they continue to function properly.
Remember that the firewall is just a first line of defense at your network perimeter, so don’t put all your faith in that one defense. Make sure to take secondary and tertiary actions to protect important resources (the heart of layered security). Also remember to encrypt your important data while it’s being stored, and not simply when it’s being moved from one location to another.
Tip #2: Rate limit your logins
Brute force attacks only work because the attacker is allowed to make thousands of attempts per second. Preventing too many login attempts from occurring too quickly defeats them. Not every form of defense needs to be massively technical; simpler is better. Like most software, Windows has settings that limit the number of login attempts allowed. Enable these settings anywhere they can be turned on.
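To make Tip #2 concrete, here is an added example (not code from the original post, and not T-Mobile’s or Microsoft’s implementation) of a sliding-window lockout: after a handful of failed attempts for one account within a short window, further attempts for that account are refused for a cooling-off period. The account name, thresholds and timings are assumed values chosen for illustration; the clock is passed in so the behaviour can be reproduced offline.

```python
"""Sliding-window login rate limiter (added example, not from the original post).

Tracks failed attempts per key (a username or client address, assumed here),
and locks the key out once a threshold is crossed inside a time window.
Thresholds, key names and timings are hypothetical values.
"""
from collections import defaultdict, deque


class LoginRateLimiter:
    """Allow at most `max_failures` failures per `window` seconds.

    Crossing the threshold locks the key out for `lockout` seconds.
    A successful login clears the failure history for that key.
    """

    def __init__(self, max_failures=5, window=60.0, lockout=300.0):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which lockout expires

    def is_locked(self, key, now):
        """True while `key` is inside its lockout period; expired locks are dropped."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            return False
        return True

    def _prune(self, key, now):
        """Forget failures older than the window so old mistakes don't count."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, key, now):
        """Return True if an attempt for `key` may be evaluated right now."""
        return not self.is_locked(key, now)

    def record(self, key, success, now):
        """Record an attempt's outcome. Returns True if `key` just became locked."""
        if success:
            self._failures.pop(key, None)
            return False
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures.pop(key, None)
            return True
        return False


def simulate_brute_force(attempts, limiter=None):
    """Feed a burst of wrong passwords for one account through the limiter.

    Returns (evaluated, rejected): how many guesses actually reached the
    credential check versus how many were refused outright by the limiter.
    Constructed scenario: 100 guesses per second against the account "alice".
    """
    limiter = limiter or LoginRateLimiter(max_failures=5, window=60, lockout=300)
    evaluated = 0
    rejected = 0
    for t in range(attempts):
        now = t * 0.01
        if not limiter.check("alice", now):
            rejected += 1
            continue
        evaluated += 1
        limiter.record("alice", success=False, now=now)
    return evaluated, rejected


if __name__ == "__main__":
    print(simulate_brute_force(1000))   # (5, 995): only five guesses ever reach the password check
```

The same idea is what an operating system’s account-lockout policy (threshold, lockout duration, counter reset time) implements for you; the code is here to show why a burst of thousands of guesses stops mattering after the first few failures, and why a lockout that expires is enough to blunt the attack without permanently locking legitimate users out.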
Tip #3: Monitor your logins
It’s important to monitor all of your logins, and not just to Windows but to all of your software and devices. If you’re checking login activity, then someone attempting a brute force attack will show up immediately. To put this in perspective, all of T-Mobile’s network devices probably see hundreds or thousands of logins per day. A brute force attack would have boosted this to hundreds of thousands or millions, so even in a network that large, it would have been easily noticeable.
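As an added example for Tip #3 (not code from the original post, and not a real product’s detection logic), here is the kind of check a login-monitoring job would run over collected authentication records: count failures per source address per minute and flag any source that crosses a threshold, and separately flag any minute where the total failure count is far above the normal baseline, which is the “hundreds versus millions” signal the paragraph describes. The log format, hostnames, usernames, addresses and thresholds are all constructed for illustration; real devices log in their own formats, so `parse_line()` is the part to adapt.

```python
"""Brute-force detection over authentication log lines (added example).

Not from the original post. The line format, hosts, users, addresses and
thresholds below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: ordinary traffic plus one source hammering a gateway
# with thirty wrong passwords inside a single minute.
SAMPLE_LOG = [
    "2021-08-15T10:00:01Z host=vpn-gw1 user=alice src=198.51.100.4 result=OK",
    "2021-08-15T10:00:09Z host=vpn-gw1 user=bob src=198.51.100.9 result=FAIL",
    "2021-08-15T10:00:15Z host=vpn-gw1 user=bob src=198.51.100.9 result=OK",
] + [
    f"2021-08-15T10:01:{s:02d}Z host=vpn-gw1 user=admin src=203.0.113.7 result=FAIL"
    for s in range(0, 60, 2)
] + [
    "2021-08-15T10:02:05Z host=vpn-gw1 user=carol src=198.51.100.22 result=OK",
    "this line is not an auth record and must be ignored",
]


def parse_line(line):
    """Return a dict of fields for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _bucket(ts, window_minutes):
    """Truncate a timestamp to the start of its window_minutes-wide bucket."""
    ts = ts.replace(second=0, microsecond=0)
    return ts - timedelta(minutes=ts.minute % window_minutes)


def detect_brute_force(lines, threshold=10, window_minutes=1):
    """Return {(src, bucket_start): failures} for sources at or above threshold.

    A single source producing many failures in one window is the classic
    password-guessing pattern; the threshold is an assumed tuning value.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        counts[(rec["src"], _bucket(rec["ts"], window_minutes))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def failure_rate_anomaly(lines, baseline_per_minute, factor=5):
    """Return [(minute, failures)] for minutes whose total failures, from any
    source, exceed factor x the expected baseline. This catches attacks that
    are spread across many addresses and so slip under the per-source check.
    """
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        per_minute[_bucket(rec["ts"], 1)] += 1
    limit = baseline_per_minute * factor
    return sorted((minute, n) for minute, n in per_minute.items() if n > limit)


if __name__ == "__main__":
    for (src, start), n in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT per-source: {src} had {n} failed logins starting {start:%H:%M}")
    for start, n in failure_rate_anomaly(SAMPLE_LOG, baseline_per_minute=2):
        print(f"ALERT volume: {n} failed logins in minute {start:%H:%M}")
```

Two checks are deliberately kept separate: the per-source count is cheap and precise for the single-address case, while the volume check needs a baseline (here an assumed two failures per minute) but also catches guessing that is spread across many sources. Either one firing against the constructed log above is the “easily noticeable” event the paragraph is talking about.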
Tip #4: Be open when you have a breach
I freely admit that much of the advice I’m giving about layered security is based on inferences about this situation. What I’m trying to do is look at the claims being made by all the parties involved and figure out exactly what happened. This, of course, is based on the idea that nobody is trying to be deliberately false. As I’ve said before, when it comes to ransomware or breaches, you should be open about the details.
Now, while I admit most of this is supposition and guesswork, when a hacker slams your security and industry experts with knowledge of the situation agree (politely), it’s a pretty good indicator that your cyber security has some egregious flaws. It’s reasonable to assume that these are the sort of basic mistakes, including a lack of layered security, that allowed the hacker to not only get inside the network but to get all of that personally identifiable information (PII) out of it. 100 million records are a sizeable amount of network traffic. If the brute force attack didn’t set off some alerts, that much data being transferred certainly should have.
Loath as I am to kick people when they’re down, this example of frankly terrible cyber security reminds me of a quote from King Lear, when in Act 4 Lear says ‘When we are born, we cry that we are come to this great stage of fools.’
If you have any questions about setting up layered security, please reach out to your TRINUS Account Manager for some stress-free IT.
Courtesy of Your Friendly Neighbourhood Cyber-Man.