TalkTalk subsidiary's customer data placed on the web in IIS whoopsie
Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care. The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the …
IIS
nuff said.
No, it isn't. What does the data protection office have to say about all this? Should you not have gone to them for a quote? I bet they would be interested in this sort of thing.
Re: IIS
"What does the data protection office have to say about all this?"
Nothing. They are too busy chasing us for dropping cookies onto users' machines.
Meh.
Re: IIS
>They are too busy chasing us for dropping cookies onto users' machines.
It was you wot done it, were it? Ooooh. I'm so mad I could crush a grape.
Re: IIS
"No, it isn't. What does the data protection office have to say about all this? Should you not have gone to them for a quote? I bet they would be interested in this sort of thing."
You're kidding right?
The ICO couldn't give a ***** It's not a public body, so in the view of the Idiot Control Office - no harm done, end of.
And Windows Server
For how much longer will we see fake IT professionals recommending Microsoft server technologies that are built with fail, by fail, to fail ...
micros~1 is still profitable, innit?
Even ostensible open source executive guy Matt here on El Reg keeps on measuring market size in costs incurred, not useful work done (what places have Combined Heat and Computing plants heating the building?) which presumably will drive more of his ilk to do whatever everyone else is doing in their attempts to gain a competitive advantage. So, at a guess, quite a while yet.
And hey, it's not fake. As dear Dominic just expounded: Getting paid by the hour means prolonging the problem. Getting paid more means being more professional. This must be true for the recruiter pro said so.
Re: And Windows Server
I'm sure you're proud of your little mantra there, but you've missed the point, I'm afraid. This is a configuration error, so in the lap of the dip setting it up. Undeniable that it's poor practice to be open to anonymous access by default, but it's the job of the guy setting it up to make sure the settings are right. Saying "Oooh, it's MS therefore destined to fail!" is cliched, sad and just untrue.
Re: And Windows Server
Boring, tedious rhetoric once more.
If the thing is configured incorrectly by the person installing it, that is hardly the fault of the software.
It gets exceedingly stale, the constant bashing of anything MS on these forums. It is, of course, fantastic that Linux is always perfect and is never misconfigured.
Re: And Windows Server
"If the thing is configured incorrectly by the person installing it, that is hardly the fault of the software."
When the software's default position is "Rape me! Have at my datas you randy hounds!" then I'd say that's a problem.
"It is of course, fantastic that Linux is always perfect and is never misconfigured."
A few points:
1) Linux is a kernel, not a web server;
2) No one claimed it was perfect;
3) No one even mentioned it.
If you had cited Apache (or Tomcat or WebLogic or...) then you might have had a point. Too busy following the old rhetoric of "If they say anything anti-MS, they must be a pro-GNU/Linux, freedom-loving fanboi. Engage maximum frothing!"
Re: And Windows Server
There's also the small point that usually one wants his web site to be accessible by the world.
Re: And Windows Server
That's because you don't understand the topic. It's not about misconfiguration, it's about total fail.
He has a file of "hold music"??
He must be mentally ill, or at least have spectacularly bad taste.
How is the fact that IIS allows anonymous access by default a security issue? It is a web server after all and is meant to be used to publish stuff to the world wide web; if you don't want that data published then you remove the anonymous access user or put it behind a firewall etc.
As someone who owns a hosting business and who administers IIS and Apache day in, day out I can vouch for IIS7 as being a very good web server. I actually think the story poster is talking about having directory browsing enabled and I know that by default that is not enabled in IIS so the server admin must have enabled it.
If it is a fail, it is for the person who configured the website, not IIS itself.
This sounds more like Linux fan-boys out to discredit something they know nothing about...
Isn't that what the article says?
Hell, it even goes as far as to give the contractor advice on how to secure the server against this (tick a box).
Read the article again.
@drunk.smile
I'd have thought it was obvious he's referring to the fanboys, genius. (Nice that someone else can actually spell it correctly, too.) Read the comments and get a sense of context. Or the bit on the label about alcohol content ...
The article goes into much detail about how this is a problem specific to IIS, even the title "TALKTALK SUBSIDIARY'S CUSTOMER DATA PLACED ON THE WEB IN IIS WHOOPSIE".
This is NOT a problem with IIS and could just as easily have been enabled on Apache or any other web server software. The article poster is also blaming the anonymous user access when the problem is actually having directory browsing enabled; if you disable anonymous access then not even web pages can be viewed unless the person logs in to the server. Fail on both the cause and the remedy....
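The distinction the commenter draws (directory browsing is the exposure, anonymous authentication is what makes a public site public) is easy to audit from the server side. The script below is an added example, not the commenter's code or anything from TalkTalk or Greystone; it assumes IIS 7 or later with the WebAdministration module, run from an elevated PowerShell prompt, and reports the effective settings for every site, turning directory browsing off only when `-Fix` is passed.

```powershell
# Added example: audit every IIS site for directory browsing and,
# optionally, turn it off. Assumes IIS 7+ with the WebAdministration
# module, run as an administrator.
Import-Module WebAdministration

function Get-DirectoryBrowsingReport {
    [CmdletBinding()]
    param(
        # Disable directory browsing wherever it is found enabled.
        [switch]$Fix
    )

    foreach ($site in Get-Website) {
        $path = "IIS:\Sites\$($site.Name)"

        # Effective setting for the site root: a web.config in the site
        # may override applicationHost.config, and this reads the merged result.
        $browse = (Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value

        # Anonymous authentication is what lets the public read the site.
        # It is reported, not changed: switching it off breaks the whole site.
        $anon = (Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name 'enabled').Value

        if ($browse -and $Fix) {
            Set-WebConfigurationProperty -PSPath $path `
                -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false
            $browse = $false
        }

        # Listing plus anonymous access is the combination that exposes
        # whatever happens to sit under the site's physical path.
        if ($browse -and $anon)  { $risk = 'Listing exposed to the internet' }
        elseif ($browse)         { $risk = 'Listing visible to authenticated users' }
        else                     { $risk = 'OK' }

        [pscustomobject]@{
            Site              = $site.Name
            PhysicalPath      = $site.PhysicalPath
            DirectoryBrowsing = $browse
            AnonymousAuth     = $anon
            Risk              = $risk
        }
    }
}

# Report only; add -Fix to disable directory browsing on every site.
Get-DirectoryBrowsingReport | Format-Table -AutoSize
```

A web.config deeper in the tree can re-enable directory browsing for a subfolder, so a clean report for the site root is not proof that every folder is clean.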
"could just as easily have been enabled on Apache"
No it couldn't. No GUI ;)
Re: "could just as easily have been enabled on Apache"
Umm, cPanel, Plesk, ISPConfig, Hosting Controller, DirectAdmin, Kloxo, to name just a few GUIs for Apache.
Really? Both are divisions of the same PLC, run by the same management, accountable to the same shareholders, no?
@AC 09:44
I am a talk talk business customer. A residential one. Freedom2surf was merged with Opal & became TalkTalkBusiness
Re: @AC 09:44
Why don't you change over to TalkTalk Residential and save yourself some money?
Re: @AC 09:44
Static IP address, no cap, allegedly no shaping (though I have my doubts), UK call centres, inertia.
So TalkTalk are basically saying they're not responsible for any data that's not held on their own network? Christ. Given their past phorm form with their StalkStalk product and their run-ins with the ICO, I would have thought they would have raised their game.
@AC 09:31
Teehee! StalkStalk! Really clever! Don't forget to show it to your primary school teacher.
Re: @AC 09:31
Try not to be an annoying, petty, pedantic little nutsack for the rest of your life, eh? Have a day off. Stalk Stalk is what people have been calling this company since 2008 and the Phorm fiasco.
SWAG: It used to mean screwed without a GUI. Now it seems they're screwed even with one.
MCSE: Must consult someone experienced.
Re: @AC 09:31
Talktalk weren't involved with Phorm. You're mixing it up with BT.
Thanks Reg!
My bad. I've fixed it now. Thanks for pointing it out!
Even if this is not their problem, for their rep to come out with "It's not one of our servers, so it's not our problem," is really bad, shows them in a bad, uncaring light and gives the opportunity for negative headlines, although it is quite refreshing to see a straightforward answer with no canned, cliched statements, weasel words or other bullshit that is so common from any big company these days.
Now if we could just get them to do that AND take responsibility for their actions, we would be going in the right direction.
If you're going to accuse the article's author of inventing quotes then you need to provide evidence. Until then we'll just assume you're the one making things up, ok? You are after all posting as 'anonymous', which doesn't give your version of events any credibility at all.
You are accusing the author of lying, I think that requires some backup even if you don't.
Otherwise you just look bitter.
Surprising
Because Talk Talk are well known for their excellent customer service.
Re: Surprising
my detector of exploding sarcasm detectors just exploded.
slap head
hmm
"Our firewalls are all secure"
A firewall is not a complete way of securing your network or data >_<
Re: slap head
They didn't say their data were secure because of firewalls, just that the firewalls /themselves/ are secure. Or maybe they mean they started the firewall with the "secure/insecure" setting set to "secure".
Re: slap head
"A firewall is not a complete way of securing your network or data >_<"
No, but if someone says that an external system is connecting into your internal network, that's a reasonable part of your response statement.
Re: slap head
And "Our firewalls are all secure" wasn't the answer to the question asked, either.
Hell, there are a bunch of secure firewalls in North Carolina, too....they're still in the box.
Eh?
Since this piece was published TalkTalk has supplied the Register with this statement:
"We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contractors' servers, and that our firewalls and security procedures are functioning properly.
We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities."
I realise it is sometimes difficult to understand the 'help desk' but are you certain that the above is correct?
Normal advice is to turn various things on and off.
