Tuesday, July 22, 2014

Thoughts On The 2014 Bell Canada Hack

In Canada, a large portion of our news comes from two monopolies - Rogers and Bell Canada.  They own the phone lines, the cable/satellite broadcast systems, the news desks, the sports channels, the sports teams and the sports venues (that latter chunk of sports is part of the next decade’s fight to keep TV subscriptions going - because you can’t cut the cable if they have the monopoly on live sports).

Last month, there was a story (http://www.theglobeandmail.com/news/national/mounties-charge-quebec-teen-for-hacking-bell-customer-data-posting-it-online/article19156480/) about a teen being charged for hacking into Bell Canada and posting lots of small businesses’ information online.  If you don’t know this story, here’s the crux of it as far as it’s generally told:

  • About 20,000 records were leaked.
  • It was done by a hacking crew.
  • Only five valid credit cards were in the data.
  • The blame lies with a third party that had Bell’s data, but all Bell’s residential customers are safe.


Now, apart from the odd math indicating that Bell would have thousands of invalid credit cards on file and only 5 valid ones in a dump of 20,000 accounts, everything seems fairly cut and dried.  And that is how the news is delivered to the public.

What you don’t hear is how this is allowed to happen.

Five whole months before this breach took place, I was already on my second major pow-wow with Bell over exactly this type of third-party runaway data (http://coulls.blogspot.ca/2013/09/bell-canada-and-yellow-pages-data-issue.html).  Now, whilst the Bell breach has been dissected and explained (basic ASP site + SQL Injection) in detail on third-party security blogs, the problem remains that Bell has major security flaws.

It’s been some years since I first raised the flag with Bell’s Privacy Office about compromised accounts, and how I found them.  Bell hasn’t fixed the issue, so there are a number of people out there who are at risk of identity theft.  Just recently, I reported another issue to Bell, where they’re allowing people to share private credentials - seeing that Bell didn’t look for this is indicative of what’s on their “security” radar as far as I’m concerned - and that radar doesn’t look far from head office.

Looking at what Bell Canada can see and can’t see, we can infer three fatal flaws:
  • The internal culture of thinking they’re more secure than they are is breeding opportunities for hackers.
  • The misunderstanding of the security risks means that hackers can target Bell Canada, which won't see what they’re doing until it’s too late.
  • Bell Canada is clearly none the wiser about where things are heading; they’re too focused on routers, encryption and technology to see how policy and mismanagement are counteracting that same technology.


So, the next time you hear about hackers taking Bell customer information, remember that the stable doors have been open for a while.