A License to Hack

Deutsche Telekom has teams of IT experts that attack websites, online portals, IT hardware and entire IT systems. Just like cyber criminals, they look for security vulnerabilities that they can exploit. It's all for a good cause, however: improving security. We visited one such team, based in Neuss. It specializes in scrutinizing new Deutsche Telekom developments before they are released to customers and the general public.   

User ID and password: error messages should not be informative.

It's certainly hard to imagine how there could be any problem, when you see just two simple fields, for entering a user ID and a password. Jan Stohner, standing in front of the screen, makes an entry in the upper field, and then presses "enter" without putting a password in the lower one. He immediately gets an error message, as he expected. But the message is just a little more detailed than it should be, and he can feel the "thrill of the hack" coming on. "This message contains additional information that I can use to refine my entries, i.e. to improve my attack." He tries again, but to no avail. "The developers have protected their system well after all," he concludes. Nonetheless, he'll advise them to make their error messages less informative. "In general, such messages should not provide any clues that smart hackers could use."

What strategies would an attacker use?

Jan Stohner, now 44, began hunting for IT-security vulnerabilities – at his father's place of work – while he was still a teenager. He went on to study computer science and land a position with Deutsche Telekom. Now with Telekom Security, he works in a department that scrutinizes Deutsche Telekom's new digital developments before they are offered to customers. The team he is part of checks whether innovations such as Smart Home, new websites and portals, and new servers and internal systems (such as those used for customer administration) can withstand attacks. "We always ask ourselves what strategies an attacker would use to try to breach a system's protections or obtain a password," Stohner explains.

Driven by curiosity

The team is part of the company's "Privacy Security Assessment" (PSA) area. Deutsche Telekom's data privacy and data security experts support developers throughout the entire product-development process – from idea to rollout – in the interest of customers and their security. Jan Stohner: "While finding security problems is important, eliminating them is even more important. When we find something, we work together to enhance protection and security."

"There's no such thing as 100% security"

It goes without saying that new technologies engender new attack strategies. On an ongoing basis, the team members attend training events and workshops, in order to stay abreast of the latest developments. As they all emphasize, they are curious – very curious. Without curiosity, they would never succeed at their work. "We want to understand how things work," states Nico Lippmann. At 21, Lippmann is one of the younger members of the team. Now, after completing training in application development, he is taking part in a two-year further-training course that will lead to the title of Cyber Security Professional. Deutsche Telekom has been offering such additional training since 2014, in an effort to address a shortage of IT-security specialists. Lippmann, who began testing Deutsche Telekom products' security right after joining the company, reveals that "vocational school curricula hardly cover cyber security at all." His current work tasks also include supporting the programming of an application that will facilitate preparation of the department's reports.

The team's work and know-how are greatly in demand. Recently, Thomas Kremer, Board Member for Data Privacy, Legal Affairs and Compliance, visited the team to learn more about its services. "There's no such thing as 100% security," he says. "But the team's expert, highly committed work, in the interest of security – and, thus, of our customers' trust in Deutsche Telekom – is impressive indeed, and it certainly helps to reassure us on the security front!"    
