T-Mobile Breach Really? Defenses And Obama (and Congress) Incompetence

There are several things that really bother me about this latest breach.  The first is that it wasn’t T-Mobile that was breached, it was Experian.  Experian is a credit monitoring service that bridges a massive number of companies.  So how would someone just breach the T-Mobile records and why?  These things have value and once into Experian the attacker, if they were monetarily focused, would take as much as they could which implies Experian isn’t yet aware of the full scope of the breach, they are covering up the full scope of the breach, or the attacker just wanted to hurt T-Mobile.  This last would suggest that the attacker might be a competitor and not a foreign government or criminal organization. 

The other thing that really bothers me is we’ve had solutions like Varonis in the market for some time and these are specifically designed to catch and stop an attack like this.  You’d think a credit monitoring agency, which would be a huge target, would be using a solution like this broadly and thus should be able to stop this kind of breach far more effectively. 

Finally, I spent some time both in law enforcement and, more importantly, as a full spectrum (including IT) security auditor, and there really is no excuse for the fact that the US Government hasn’t stepped up to address this threat effectively. 

Let’s take this last first.

The Obama Administration Is Ineffective

I live in Oregon now and I started out this morning watching the head of US Law Enforcement lament that school shootings have become so commonplace we now take them in stride.  We often forget that the US President is the top law enforcement official in the country.  This is kind of like the head chef in a restaurant complaining that the food tastes bad.  It is the President’s job to fix problems like this, and whether we are talking school shootings, data breaches, wars (Libya, Afghanistan..), affordable health care, veterans’ care or most anything else of substance, the administration has been horribly ineffective. 

Some of this stuff predates him but there is no higher priority for a government than keeping its people safe and the Obama administration has failed catastrophically in this and, as a result, it is more amazing that we are all not broke or dead than that there is another data breach or school shooting. 

At some point the government has to step up and stop complaining about the job it isn’t doing and start doing it. 

At some point this stops being about the attacks and crimes and starts being about the broad failure of government to do its job.  If the President can’t do the job he should step down and let someone else try.  This goes for Congress as well and has nothing to do with party but competence and willingness to actually get something done. 

What You Can Do

If you are a company buy and implement a tool like Varonis which assures that only the people authorized to access data get access to it.  We know that traditional perimeter security defenses don’t work and that breaches like this one are often either by or through employees.  This latest breach is going to cost Experian and T-Mobile millions, it could even put one of them out of business.  Against that risk the cost of better security is trivial. 

Personally, if you don’t have a good credit monitoring service, get one.  I’ve just started using Fraud-Armor and after an initial scan showing I was clean they found a copy of my email and encrypted password where it shouldn’t have been (a black market trading room) and were able to trace it to a breach at a firm I did business with that had never notified me of the breach.  This alerted me to once again change my passwords so I can be safe.

Get a password manager.  I’d recommend one you pay for, because the idea of using a product from a firm that likely makes money selling information about you seems rather foolish.  The top two rated password managers this year are Dashlane Synced and LastPass.  LastPass is a value at $12. 

In the end we likely should have stopped using passwords some time ago but the effort to move to something else like fingerprint biometrics has been glacial. 

Wrapping Up: 

We are in an election cycle and it is becoming far too evident that politicians don’t want to do the jobs they have been elected to do.  This is partially our fault because we elected them.  In the end if we can’t find a way to get people into office that can do the job, particularly the job of keeping us safe, we’ll need to step up to keeping our families safe ourselves. 

Putting this another way, when the folks building bunkers start to look smart we’re screwed and we seem to be getting ever closer to that day.