Analyze This.

When I read this article in the Trinidad Express, “Analyzing the TSTT Data Breach”, I shook my head a bit. It’s all much simpler than what was written down, citing Daniel Smith.

Protecting user information in a business is simple and doesn’t require couching in robust academic terms because it comes out smelling like something you might wish to put on a flower bed.

Keep. It. Simple.

It’s 6 very basic steps.

  1. Create a business list of what data you need in your system.
  2. Have a data policy as to who can access what (tiered).
  3. Inventory what you have in your systems.
  4. Get rid of what you don’t need.
  5. Lock and/or encrypt what you have.
  6. Have plans for dealing with any security incidents.

Any company dealing in user data should be doing these steps. They are not difficult, but people can make them complicated and those people are a large part of the problem.

TSTT Data Breach Context.

Step 1: In the context of the TSTT data breach, I have yet to hear any reason why TSTT needed scanned identifications, business registrations, and for all I know the latest DNA samples from Ancestry.com. I can go to a police station in Trinidad and Tobago and have a constable look at my driver’s permit, who then writes down the particulars, but somehow TSTT (and banks for that matter) need a constant deluge of copies of user identification?

I find it hard to believe that there’s a need for that in the systems that connect to anything other than a shredder and incinerator, but I could be wrong. If I am, I would like to know for what reasons.

Step 2: Who in TSTT needs access to documents, identification, etc? Which documents do they need to access? So you create the tiered access.

Step 3: What are you missing for your business requirements? Develop plans for that, and make sure it fits in with that tiered access level.

Step 4: You’re likely to find rubbish in all the data that has been needlessly stored over the years, particularly with steps (1) and (2) done. Destroy it. Shred it. Burn it with fire. You don’t want the liability, if a Data Protection Act ever surfaces. That Data Protection Act would be something a Minister of Public Information and Digital Transformation could champion.

Step 5: Encrypt personal information of your customers if it must be accessible on any network. It’s not hard. Most content management systems can handle that pretty easily.

Step 6: With the above steps done, a bad actor would have to get past all those hurdles and that makes the company much more defensible should it happen. What’s more, since there’s no extraneous data, you should be able to point directly at why you needed the information stored on a network in the first place.
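As an added example (not code from the article or from TSTT), here are the first four steps expressed as a small Python audit: a catalogue of the fields the business is allowed to hold, each with an access tier and a retention period; a tier check for who may read what; and an inventory pass over stored records that flags fields with no business justification or past retention so they can be removed. The catalogue, role names and customer records are constructed for the example.

```python
from datetime import date, timedelta

# Steps 1 and 2: the business list of fields, each with the lowest role tier
# allowed to read it, a stated business need, and a retention period in days
# (None = kept for the life of the account). Constructed example catalogue.
CATALOGUE = {
    "name":      {"tier": 1, "need": "billing and contact",      "retention_days": None},
    "phone":     {"tier": 1, "need": "service provisioning",     "retention_days": None},
    "address":   {"tier": 2, "need": "billing",                  "retention_days": None},
    "id_number": {"tier": 3, "need": "identity check at signup", "retention_days": 30},
}
# Role tiers: a role may read any catalogued field at or below its tier.
ROLE_TIER = {"support": 1, "billing": 2, "compliance": 3}

# Step 3 inventory input: constructed sample records. The hypothetical
# "scanned_id" and "card_number" fields stand in for data that has no entry
# in the catalogue and therefore no reason to be stored at all.
RECORDS = [
    {"id": "C-001", "collected": date(2023, 1, 10), "name": "A. Customer",
     "phone": "868-555-0100", "address": "1 Example St", "id_number": "ID-1",
     "scanned_id": "<binary blob>"},
    {"id": "C-002", "collected": date(2023, 10, 1), "name": "B. Customer",
     "phone": "868-555-0101", "id_number": "ID-2", "card_number": "4111..."},
]
SAMPLE_TODAY = date(2023, 10, 15)  # constructed audit date for the sample


def can_access(role: str, field: str) -> bool:
    """Step 2: a role may read a field only if the field is in the catalogue
    and the role's tier is at least the field's tier. Unlisted fields are
    denied to everyone, which is the point of step 1."""
    spec = CATALOGUE.get(field)
    return spec is not None and ROLE_TIER.get(role, 0) >= spec["tier"]


def audit(records, today: date):
    """Steps 3 and 4: walk every stored field and flag what should go.
    Returns (record_id, field, reason) tuples; reason is 'unlisted' for
    fields with no business justification and 'expired' for fields held
    longer than their retention period."""
    findings = []
    for rec in records:
        age = today - rec["collected"]
        for field in rec:
            if field in ("id", "collected"):
                continue
            spec = CATALOGUE.get(field)
            if spec is None:
                findings.append((rec["id"], field, "unlisted"))
            elif (spec["retention_days"] is not None
                  and age > timedelta(days=spec["retention_days"])):
                findings.append((rec["id"], field, "expired"))
    return findings


def minimise(records, findings):
    """Step 4 applied: copies of the records with every flagged field removed."""
    drop = {(rid, field) for rid, field, _ in findings}
    return [{k: v for k, v in rec.items() if (rec["id"], k) not in drop}
            for rec in records]


if __name__ == "__main__":
    for finding in audit(RECORDS, SAMPLE_TODAY):
        print(finding)
    print("support can read id_number:", can_access("support", "id_number"))
```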

6 steps. That’s it.

Any CTO should be able to handle that. I’ve seen it properly done by high school graduates. I’ve seen it improperly done by college graduates. Once you care about your customer’s privacy, and once you are concerned about liability, things become extremely clear.

A Telecommunications Company Without A CTO?

I’d moved on to other things after writing about the TSTT data breach, and while it seemed that most of the breaches in Trinidad and Tobago that we do know about could have been because organizations didn’t keep their content management systems up to date, there was something very weird to me about the whole TSTT debacle aside from the response(s) they had.

When the CEO, Lisa Agard, was removed, Kent Western replaced her. It’s on the TSTT leadership team page. Of course, Agard’s LinkedIn page hasn’t been updated with what she’s doing now, but she’s not really the story here.

What is interesting is that TSTT, the Telecommunications Services of Trinidad and Tobago, with majority control held by the Government of Trinidad and Tobago… has no Chief Technology Officer listed. Though the previous CTO’s LinkedIn profile still has him listed as the CTO of TSTT. This is likely an oversight, easily explained and remedied.

The Honourable Senator and Minister of Public Information and Digital Transformation, Hassel Bacchus, former CTO of TSTT, did in fact leave as CTO a few years ago. In fact, it was a little controversial because there were claims he got ‘special payments’ which were refuted by TSTT. That article is about 2 years old, so one has to wonder…

In 2 years, TSTT couldn’t find a CTO? A data breach would have fallen into a CTO’s wheelhouse, as would avoiding it. If there’s anyone that should fall on their sword because of a data breach, it would be the CTO, not a CEO. Sure, the CEO is ultimately responsible, but the CTO is the technology officer.

I found this leading to larger questions beyond the data breach. Why would a company that deals almost if not completely in technology not have a Chief Technology Officer? Why don’t they have one yet? Where are TSTT’s Board of Directors on making such an appointment?

That I missed this on the first evolution of the data breach speaks to my own mindset. I immediately homed in on the technology and privacy issues and didn’t look at the structure of TSTT.

It boggles the mind that a telecommunications service company doesn’t have a CTO, and hasn’t had one for years. Of course, maybe no one wanted the job.

Maybe we know why.

And as it happens, with all these data breaches, I suppose it’s good to have a Minister of Public Information and Digital Transformation. Information, as some say, wants to be free, and in such cases it makes it to the public.

“Business In The Street”

That’s a Trinidad and Tobago colloquialism much like dirty laundry, but with it embedded in the street networks of information. Gigabytes, terabytes, or even bytes – it didn’t matter the amount of bytes, just the weight of the bytes.

A juicy tidbit of gossip didn’t need much. In fact, you could consider it decompressing in a different way each time it was re-told.

In a world built largely on trust, on integrity, the wrong information could ruin someone. The right information might get you elected to political office, for those with such aspirations.

Some say these were simpler times. Some think they were better times, when people would discuss what they read in a borrowed newspaper over some puncheon rum. I don’t know. It was different, and it’s hard to say progress has been made.

I write that after reading Mark Lyndersay’s “TSTT’s dark night of the soul”.

TSTT’s data breach was shouted from the rooftops. On social media, people became more and more daring about showing the sorts of information available from the breach. To say that TSTT was not frank about the breach of their information security is an understatement.

There was outcry, enough that the TSTT CEO was replaced, but… it seemed like most people didn’t talk much about it. I’m not sure what replacing the CEO does anyway. That’s like changing the steering wheel when you have an oil leak.

There was no real reason for me to go outside and do anything today, but I wandered into a few places and talked to a few people. Some of them had heard about it but didn’t know what the breach had in it. One person hadn’t heard about the TSTT data breach while he worked across from a bMobile (subsidiary of TSTT) store.

Then I realized something. It wasn’t that it wasn’t written about, on television (I assume), on social media, and what have you. It was. It was there for people to find.

There’s the algorithm problem, where they might not normally watch technology related news, but someone along the way would probably have spoken to someone in person about it.

People just weren’t as interested as I had thought they would be. They have much lower expectations than myself about safeguarding of personal information. They didn’t see the threat of having their information compromised… or as someone pointed out today, “There’s just nothing I can do anyway”.

And oddly, that’s why Mark was writing about the Data Protection Act.

Meanwhile, TSTT customers have their business in the street.

Why So Many Breaches in Trinidad and Tobago?

People continue to ask why there are so many data breaches happening in Trinidad and Tobago. I’m not someone who would call himself a security expert by a stretch, but it’s an intriguing enough question that I decided to look into it.

Commonalities in Website Technology?

First, I checked the websites of those that had been breached, which might reveal some commonalities. Bear in mind, it’s possible that the websites weren’t how the information was accessed.

TSTT, which had the most noteworthy breach, runs Wix – which was quite a surprise if only because of the vendor lock-in associated with it. I was expecting a more commonly used content management system but instead, Wix.

The Office of the Attorney General’s website, attacked earlier this year and probably the 2nd most important breach overall since it paralyzed the Judiciary, is using WordPress. It is also not the first time; a teen was charged in 2007 for hacking into the Attorney General’s Office.

MassyStorestt.com also runs WordPress, but is substantially behind in upgrades. Pricesmart.com runs mostly BloomReach and a bit of Drupal. Their breach was reported yesterday.

It’s apparent that this isn’t an issue of common platforms being compromised. Yet there is a hint in here: MassyStoresTT.com is substantially behind in WordPress updates.

Maintenance.

When I was heavily into developing CMS websites, I tried doing that locally in Trinidad and Tobago and found that people thought they could just buy a website and it would simply be done and they could go about their business without maintenance contracts. It simply doesn’t work that way.

Maybe even after years, that hasn’t changed. Maybe these websites aren’t being maintained and kept up to date with technology, which includes patching for exploits that allow their data to be breached or otherwise attacked. Maybe.

Personally, with my experience in dealing with local companies and government offices, I don’t see them seeing maintenance as a priority. In fact, I didn’t do business with companies in Trinidad and Tobago for that same reason because… I didn’t want my name associated with poorly maintained sites.

Is this the only conclusion? Definitely not.

Who Has Access Anyway?

Everyone talks about the breaches, but the public always assumes that the people with access to the information had a reason to access the information. In the TSTT data breach, scanned copies of people’s identification were found and I have to wonder what TSTT’s information policy is. Who needs access to that level of information, and why?

I’d be surprised if it were available through the website because that would be just asking for trouble.

Assuming they themselves can be trusted with your personal information, there’s social engineering, which the video below explains.

We forget at times that the people with access to information themselves are open to attack to get to something bigger. Maybe their own computer systems they use to access the data are compromised, maybe they’ve been compromised.

Conclusions

Again, I’m no security expert. Some of the information available from these breaches and the way attacks happened on some websites was clearly associated with the websites themselves. TSTT’s data breach seems different in that regard because no sane company would have that information accessible through their website.

Altogether, it seems like a lack of maintenance for most of these breaches – and maybe there were deeper issues with all of them, but in particular the TSTT data breach.

What is most disturbing is that these are the breaches we’re worried about, which could be a fraction of the number of breaches that happened. The announced breaches we found out about because either someone showed evidence or it created an issue that impacted products and services.

The insidious breaches, the ones where people simply mine the information and don’t get caught or brag, we don’t know about. That’s what concerns me most.

We should be worried.

Breach Ho!


As everyone in Trinidad and Tobago knows, Telecommunications Services of Trinidad and Tobago (TSTT) had a horrible data breach that leaked quite a bit of personal information of customers, from scanned identification to credit card numbers.

I sat back for most of it. It was pretty clear to me from the onset that there was no putting the genie back in the bottle. As mentioned in the mainstream media, the story from TSTT changed quite a bit.

If there was a checklist of every bad way to handle a data breach of customer personal information, I think they at least hit the high notes. They were as unprepared for their information security being compromised as they were unprepared to have their information security put to the test.

TechNewsTT.com seemed to have the best coverage. I sat back and watched as details of scanned copies of identification, credit card numbers, a suspected password file and more began surfacing even as TSTT denied that they lost that information. When I searched for my information in the data dump, I found 2 occurrences. A few days later, I checked again and I was up to 37. This disturbed me not just because of the amount of times I showed up but because of one very interesting detail.

I’m not a TSTT customer. I am a customer of their subsidiary, Amplia. While I have heard of but not met a namesake in Trinidad and Tobago, I strongly suspect that there are not 37 of us with the same name. Of course, that search doesn’t tell you what sort of documents and information were leaked. Why is my name in a data dump when I’m not a direct customer? Peculiar, suspicious, and enough to make one wonder a little bit about whether TSTT is co-mingling its information across subsidiaries.

Even more disturbing has been how many people misunderstand the data breach in their own personal context. The fact that a telecommunications provider, with a majority share owned by the government of the Republic of Trinidad and Tobago, mishandled this from information security to being honest with their customers should boggle any sane person.

Unfortunately, this is not the first data breach in Trinidad and Tobago. There have been some announced, such as when the Judiciary got locked out of their system and no cases could continue their slow moonwalk toward progress. These are the obvious breaches, the advertised breaches.

It’s the silent breaches we should be worried about.

There are so many questions that people need to be asking that it’s hard to write just one article about it.

Caribbean Internet Connectivity and Big Tech.

When I wrote about the recent internet outage in Trinidad and Tobago, I was waiting to find out what the actual cause was so I could follow up. As usual, the talking heads did not have anything of worth to say.

In fact, what they had to say seemed pretty insulting to me.

What TSTT did manage to do was give people free mobile data for the day, which certainly helped those who were using their mobile data, but did nothing for the people who were subscribing to TSTT/bmobile/Amplia for internet access that wasn’t mobile.

But the explanation explained nothing.

…In a recording attached to the release, CEO Lisa Agard apologised for the disruption and its impact on customers.

“To demonstrate our regret, we have decided that all customers will be given free data until midnight.”

She explained, “The disruption was triggered by an unexpected circumstance which regrettably persisted until 11 am.”…

“TSTT restores services, gives customers free data for rest of day”, Trinidad and Tobago Newsday, Vishanna Phagoo, Wednesday 9 August 2023

“The disruption was triggered by unexpected circumstance” is the equivalent of a 5-year-old explaining something as, “Fall down go BOOM!”.

I’d like a better answer, but I’m used to non-answers by politicians and their corporate cousins, CEOs, who are politicians as well.

To balance that observation, I’ll point out that she has said very smart things too – such as here:

After comparing how much Big Tech – Meta, Alphabet, Netflix, TikTok, Amazon and Microsoft – pays in other countries, CEO of the Telecommunications Services of TT (TSTT) Lisa Agard said Trinidad and Tobago earns only two per cent, since they already pay in South Korea, Australia and the US.

Speaking at Canto’s 38th annual conference and trade exhibition at JW Marriott Turnberry, Miami on Tuesday, Agard said, “We are in an existential crisis, and the crisis is driven by Big Tech operators generating a considerable amount of traffic on our networks.”

She said Big Tech is responsible for 67 per cent of the total internet traffic in the Caribbean, but offers no network investment…

“Over US$500m for network upgrades, only 2% back from Big Tech”, Trinidad and Tobago Newsday, Vishanna Phagoo, Wednesday 19 July 2023

I’m not saying that the two are related. Trinidad and Tobago is rarely known for project efficiency, and TSTT suffers ownership by the Government of Trinidad and Tobago which is certainly not known to citizenry for efficiency. That being said, TSTT has a pretty good track record. I use Amplia presently, which was bought by TSTT, and I’d say that the service overall is world class.

What I’m saying is that they could be indirectly related.

However, what is interesting, and a bit refreshing, is that a data driven approach is presented in the latter quote, where the case is made that 67% of traffic in the Caribbean goes to the big technology companies. It begs the question about how much internet traffic the Caribbean gets on the global scale. It’s hard to say, since the amount of traffic hides in how one defines the Caribbean.

Internet penetration is something worth looking into, where we find Aruba at the top for 97.2% and Trinidad and Tobago at the bottom at 79% as of January 2023.

Should Big Tech be paying for infrastructure upgrades in the Caribbean? Now there’s a ripe question. Honestly, my opinion is that there should be investment – but without knowing how much the Caribbean internet traffic accounts for on a global scale, it’s hard to say how much.

It does fit, though. The Caribbean is a region of kickbacks, and Big Tech isn’t good with kickbacks. They spend most of their money lobbying. Done in the interests of the majority, kickbacks are not corruption.

Net Neutrality and Trinidad and Tobago

Internet Innovation is The Goose That Laid the Golden Egg

The global debate on Net Neutrality persists and the consequences are writ large for consumers everywhere.

Yet, there’s almost no interest in the Net Neutrality issues arising lately – I spent my time advocating for it to the uncaring masses who are more intent on other things that they believe are more important.

It is important though. Very important.

David Pogue of Scientific American has a great summarization of the net neutrality debate. I suppose the core of the problems happening over the heads of those in the world – not just the United States – is how the FCC classifies things in an antiquated system rather than creating a new classification. The lines between being a provider of telecommunications and providing telecommunication services are said to be blurred, but the reality is that they no longer exist. The people who own the infrastructure are competing with those that don’t.

Businesses that do not own the infrastructure are at a disadvantage. They can be squeezed out by those who do own the infrastructure, effectively monopolizing user services. The end user – us, all of us – doesn’t get the variety that it would otherwise have when those that control the infrastructure can make sure that their services can run faster than their competitors. That’s the core of the issue for users.

The Local Context.

In Trinidad and Tobago and likely throughout the Caribbean, Digicel is cheering the repeal of what was called Network Neutrality (I could say it wasn’t for a variety of reasons). Their premise is actually quite real – they are rolling out infrastructure in the region at a cost, and shouldn’t they get their cost back? Of course they should, why would anyone invest in something that they don’t get paid back for? There is no digital philanthropy here, and Trinidad and Tobago’s National ICT Plans have always pushed broadband penetration, enough so that I’m surprised an over-exuberant feminist hasn’t accused the phrasing of misogyny.

Others in the local context of telecommunications have been relatively silent so far – perhaps wisely so – despite the fact that we’re connected to the U.S. pretty directly economically, through Internet connections, and through other things.

What it means, though, is that the local providers – Digicel and bMobile mainly, since the most common data usage is through mobile phones – could create applications competing with, for example, WhatsApp, and make WhatsApp undependable in the same twist. And of course, since these same providers have to report to the government by law, they will give away the encrypted anonymity that seems to only hide poor political commentary and bad pornography. Maybe there’s more to it than that, but I haven’t been added to the LOLCats group (please, don’t invite me).

It means local startup companies will have to get the blessings of those who own the infrastructure and maintain a relationship with them – practically at gunpoint.

Yet Digicel makes a valid point: Why invest in infrastructure if you don’t get paid for it?

The debate is much more nuanced than what is presented – arguably, by design. Show me a Member of Parliament, though, who has taken a stance on network neutrality. They don’t really care too much, and that National ICT plan doesn’t address it in any way. It makes us completely dependent on our own legislation, and our own legislation – despite some bold and debatable efforts by the present government – is not fast, is not as comprehensive as they might like to think, and is going to require more intellectual capital to debate and enforce than anyone seems interested in mustering.

We’re along for the ride in Trinidad and Tobago, hoping for a water taxi but instead getting a ferry to Tobago in a country that should be making strides toward progress… not stagnation. It should be making bold moves – debatable moves – that push the envelope for local talent to strike its colours boldly on an infrastructure being built rather than making a mockery of it by making it consumption only with no regard to using it for creating foreign exchange (we can talk about those banks another time, right?).

We could be using our infrastructure to leverage foreign exchange income, subsidizing its rollout while diversifying the economy. That’s not what we’re doing, and that’s why Network Neutrality is not even discussed outside of Digicel press releases.