Wednesday, August 19, 2015

Telco security in Canada

This morning, I was checking up on some old security holes, just to see if any had been patched or not.  I looked at Rogers and I looked at Bell Canada.  Usually, not much changes, but this morning I noted that both had tackled some very very low hanging security fruit.

It may be coincidence that they both did this around the same time.  It may also be a case of one noticed that the other had "upped their game" and followed suit.  Either way, both of these flaws were schoolboy errors that allowed someone to start poking around in areas where the general public shouldn't be.

In the case of Rogers, you could access network infrastructure information that wasn't for public consumption.  In the case of Bell Canada, you could see what their PR machine was going to announce before they announced it.  After a little more poking around, I discovered Rogers still had a hole, so I've reached out for the them to contact me and I'll re-explain it to them.

Now, here's the kicker:  Both holes are visible in Google's caching mechanism, meaning you don't need to even touch or access their networks.  You just wait for Google's bots to crawl through the holes and report to Google what it found, then you just go and read it on Google where it's all spat out for all and sundry to see (if you know what to look for).

As you can see, this is schoolboy level stuff.  Luckily, in either case, it wasn't spewing out customer data - but each flaw does point to a bigger problem with security...

In Rogers case, it's usually that unless something involves billing or customer facing sales, websites and portals become neglected and forgotten - at which point security moves on and certain Rogers sites become relics of the past which are prime targets for problems like this.

In Bell Canada's case, their security problem is that they parade around saying how safe they are, pointing at firewalls and technological expenditures and monitoring equipment, then undermine all this with policy.  As I've said before, Bell can add as many guns as it thinks it needs to the decks of its battleship, but it doesn't make the blindest bit of difference to fixing the existing hole below the waterline.

Further, their myopic legal stance is basically paraphrased that if you report to them something you shouldn't know, they'll respond like you have perpetrated the crime.  This is analogous to you are on one side of the street and notice a burglar breaking into a house on the other side of the street and running off with the TV,  then you get arrested when you tell people you know the TV is missing.

This is what led to the rather silly situation with Bell Canada where nobody tells them what the specifics of their problems are, which reinforces Bell's notion of "Absence of evidence is evidence of absence" where security holes are concerned.  Meanwhile, crooks can run with compromised customer accounts that can't be reported.

So, in conclusion, whilst it's nice to see small incremental changes in security are happening at Canada's two major telco's, there's still bigger issues at play.