Teenage boy bailed until November over TalkTalk incident

The 15-year-old boy arrested in connection with the investigation into the alleged data theft from the TalkTalk website has been bailed until a date in November. Arrested on the evening of Monday, 26 October, a 15-year-old was taken into custody by officers from the Police Service of Northern Ireland (PSNI), working alongside …

  1. chivo243 Silver badge
    Coat

    this lad

    Is either a mastermind hacker, a red herring or a pawn. The more I read about this incident, the murkier the water becomes.

    Wake me when it's sorted.

    1. yoganmahew

      Re: this lad

      Take a look at the youtube video linked to on another of the many talktalk threads (courtesy of Pseudo Nym www.youtube.com/watch?v=Fp47G4MQFvA). It shows just how easy it is to do a sequence [sic] attack.

      TT have set new security standards - below slapdash. And they claim to be the best in the industry? Sounds like spoof and bluster to me.

    2. lansalot

      Re: this lad

      Option 4 (and the most likely) - a script kiddie.

    3. Anonymous Coward
      Anonymous Coward

      Re: this lad

      And regardless of which, if TalkTalk had taken their role as custodians of their customers' data seriously there wouldn't have been a SQL injection vulnerability... if that's the truth at all, and the company wasn't breached years ago by a good old fashioned unpatched computer and an email.

    4. Bronek Kozicki
      Mushroom

      Re: this lad

      I think it's neither. I think it's very likely a lone hacker who humiliated a large firm and stole data of its customers, putting himself in serious legal trouble in the process. Let me explain why: since this was apparently SQL injection, with the added diversion of DDoS, it should not be beyond a single young and relatively talented hacker to carry out this attack. Both SQL injection and DDoS are easy to perform (the latter can be bought), assuming website security was as poor as it (at this moment) appears to be.

      One thing that troubles me is the certainty that this lone hacker will be punished with the full severity of law, while those responsible for (not) protecting their customers' data will not. And thus the hacks will continue, every time we will hear about "sophisticated attacks" and none will stop to think how come they were carried out by a single teenager from his bedroom.

      1. Aitor 1

        Re: this lad

        No problem with him burning in hell.

        Yes, the victims might have had a low quality door, but if a gang of juveniles trash your place and steal your tools and ruin you, you would agree that they should go to prison.

        1. Bronek Kozicki

          Re: this lad

          Would you allow the shop which sold you the lock made out of cheese to continue operating? Here are the real culprits.

        2. Thecowking

          Re: this lad

          That's exceptionally harsh for a minor.

          Teenagers can be amazingly stupid in some ways, what he needs is not punishment for retribution's sake. If he is indeed some mastermind expert blackhat then he needs corralling and training up as a white hat. There needs to be some element of punishment to deter him, but ideally you'd harness such a talent rather than waste it.

          The point of the justice system should be rehabilitation where possible, not retribution. If some kids did trash my place, it'd be much better that they were put to work fixing it than costing me money in prison on top of the cost of putting my gaff right.

      2. Jason Bloomberg Silver badge
        Stop

        Re: this lad

        "since this was apparently SQL injection, with the added diversion of DDoS"

        Do we know for sure there was any actual DDoS attack or active diversion; or is that just how Talk Talk and observers have characterised it, or a consequence of second guessing what actually happened?

        Talk Talk say their web site "came under sustained attack" but that could equally have been someone hammering URLs, a flood of SQL injection or login attempts, until they found the magic incantation.

        1. Bronek Kozicki

          Re: this lad

          "... but that could equally have been someone hammering URLs, a flood of SQL injection or login attempts"

          either way it does not sound like the attack was very sophisticated!

        2. jonathanb Silver badge

          Re: this lad

          If they took it down because they noticed a flood of attempted attacks, that would have stopped him before he found the magic incantation. He must have already been in before the DDOS happened, though he could have been flooding the site with download requests.

      3. Vic

        Re: this lad

        I think it's very likely a lone hacker who humiliated a large firm and stole data of its customers

        I suspect not.

        We've heard several times of phone scams using data taken during this attack. That seems like quite a sophisticated crime for a 15-year old.

        My bet is that there were several groups having a go - it would appear that TT's security was somewhat south of "non-existent". This guy just got caught - perhaps he was the one that sent the extortion email or something.

        Vic.

    5. Anonymous Coward
      Anonymous Coward

      Re: this lad

      How did TalkTalk discover customer data had been stolen?

      The site was locked up by a DDoS attack and they found evidence of the theft when they were looking through the log files? They don't seem like the sort of company to have tripwires and honeypots scattered around.

      So this vulnerability could have been exploited by goodness knows how many people before last week for all they know?

  2. Your alien overlord - fear me

    "cyber criminals are becoming increasingly sophisticated" - so no chance Joey Essex is behind this then?

  3. Anonymous Coward
    Anonymous Coward

    Not to worry

    In Blighty cyber crims only get a slap on the wrist. That's why Blighty has so many cyber crims.

    1. Cynic_999

      Re: Not to worry

      All the objective research into crime & punishment shows that there is in fact little correlation between the amount of crime and the severity of the punishment, and that what exists at all is the reverse of what you think it is. Yet people still cling to the false notion that increasing the severity of the sentence will lead to a reduction in crime, whereas all it actually does is increase the *cost* of crime (because most punishments cost society real money either directly or indirectly - even fines).

      1. jonathanb Silver badge

        Re: Not to worry

        Increasing the severity of punishment for corporate criminals would be effective, because the small fines they get at the moment are just written off as a cost of doing business, and are no deterrent at all. For individuals, I agree with you.

  4. Doctor Syntax Silver badge

    I hope it is just one 15 yr old script kiddie, just to show up all the guff that Talk Talk have been spouting.

    1. dotdavid
      Coat

      Yeah it would prove their security is all Talk no Walk

  5. SW10
    Childcatcher

    Am I right in assuming...

    ...that the sophisticated cyber skills of this dangerous individual—who clearly has so little regard for the law and TalkTalk customers—need some brushing up?

    Or is Dido Harding actually quite tech-savvy?

    1. Little Mouse
      Coat

      Re: Am I right in assuming...

      She should have stuck to making records.

      Mind you, they weren't all that great either. Except for the one with Eminem.

  6. Known Hero
    Holmes

    in other news

    Plusnet were seen walking out of the police station with a suspiciously empty briefcase.

  7. aidanstevens
    Stop

    Hold on a minute..... assuming it is this kid (and your guess is as good as mine whether it is or not), for any real damage to be done he would either have to have sold the data already, which would require a buyer, which he would probably have had to source beforehand, or he has used the data already.

    Neither of those scenarios seems likely to me, especially if he is, as expected, a script kiddie doing it for the lulz.

    If he has still got the data and the only copy wasn't on the equipment seized by the cops then he will have to do something with it very shortly, which would take a great deal of nerve, as I would imagine he has been shaken up enough by the whole experience.

    Of course it could be nothing to do with him (maybe he was just running a Tor exit node or something).

    Either way we haven't heard the last of this yet, that's for sure.

  8. TeeCee Gold badge
    WTF?

    'Ang on.....

    I thought some bunch of jihadi nutcases had already claimed responsibility here?

    You mean they were lying jihadi nutcases all along?

    Not to mention really bloody stupid if they thought we'd never work out who really did it.....

    1. Fibbles

      Re: 'Ang on.....

      What's to say an Irish teenager can't be an Islamic jihadi?

      1. jonathanb Silver badge

        Re: 'Ang on.....

        He's British, not Irish, from Northern Ireland, and from a neighbourhood where most people vote for Unionist parties.

        1. I. Aproveofitspendingonspecificprojects

          Re: 'Ang on.....

          He's British, not Irish, from Northern Ireland, and from a neighbourhood where most people vote for parties, go to them or do childishly silly things amid posters of Star Trek galaxies and Star Wars dolls and signed photographs of who's that girl with the strange haircut?

          Princess someone?

        2. Fibbles

          Re: 'Ang on.....

          He's British, not Irish, from Northern Ireland

          He's still Irish, being British doesn't preclude that. Just like I'm English and British.

      2. Anonymous Coward
        Anonymous Coward

        Re: 'Ang on.....

        Well, an Irish catholic teenager couldn't unless paranoid shadows of the mind are overwhelming your mental processes.

  9. Anonymous Coward
    Anonymous Coward

    Wild speculation, because everyone else is

    My totally uninformed speculation - an email along the lines of 'i hv all urs data - snd a beeeeleon bit coins or the kitty gets it' - and the full force of the law arrives, black helicopters and all.

    (and you must be really bricking it if you used your Talk Talk phone to set up those Ashley Madison assignations....)

  10. x 7

    This kid's in Northern Ireland. It's a fairly safe bet that the phone & data monitoring instigated during the Troubles is still in place. If he has done anything then there should be fairly good records.

  11. Peter Stone
    Happy

    I'm wondering if the boys in blue will find out that either there's no/or a weak password on the home wi-fi router?

  12. Anonymous Coward
    Anonymous Coward

    The English speaking draconian democracies are starting to target children now. In the US incidents like a 6 year old being arrested for possession of an indelible marker are very common.

    We all know about the clock. A 15 year old showing some curiosity about science and the internet was lifted out of it by security agencies and the police.

    Young people who take an active interest in science should be respected and given a lot of encouragement and support.

  13. I. Aproveofitspendingonspecificprojects
    Paris Hilton

    FTFY

    > Following the arrest of the child on suspicion of the Use of his Parents Computer Act, TalkTalk claimed that "cyber criminals are becoming increasingly negligent and pranks against companies that do business online are becoming damagingly obvious".

    I know I should have sent the comment to tips and corrections but it was obvious. You should have known by the way the use of NoScript makes your own site usable.

    Meanwhile the d'oh d'oh winky wanky bird whose cloaca nests in place absurd has talk talk that is clearly heard. Rather than expressing thanks, when tipped the wink the lame bird tanks, with ratings in the lowest ranks because every time it winks it wanks.

    1. John Brown (no body) Silver badge
      Thumb Up

      Re: FTFY

      "Meanwhile the d'oh d'oh winky wanky bird whose cloaca nests in place absurd has talk talk that is clearly heard. Rather than expressing thanks, when tipped the wink the lame bird tanks, with ratings in the lowest ranks because every time it winks it wanks."

      I had to check the byline to see if this was AManFromMars then I realised it made a sense of a sort and even had rhythm and rhyme.

  14. hatti

    The Bust

    OK kid, put the pot noodle down and step away from the router.

  15. Chris Cartledge
    WTF?

    Nothing important was stolen...

    According to TalkTalk nothing important was stolen anyway according to their customer letter, below, so there should be no charges...

    Your TalkTalk account number: nnnnnnnn

    Dear xxx,

    We know it’s been a worrying and frustrating time since Wednesday’s cyber attack on our website. We’re doing everything we can to get to the bottom of what happened as soon as possible and to keep you updated. Our investigations are currently showing the following:

    • The number of customers affected and the amount of data potentially stolen is smaller than originally thought. Our website was attacked, but our core systems weren’t and remain secure.

    • On its own, none of the data that may have been accessed could be used to leave you financially worse off.

    • We don’t store unencrypted credit or debit card data on our site, so any card details which may have been accessed have the 6 middle digits blanked out. For example, it would appear as 012345XXXXXX6789. This means it can’t be used for financial transactions.

    • No My Account passwords have been accessed.

    • No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.

    We will continue investigating and promise to keep you updated as we know more. In the meantime, we strongly encourage that you:

    • Sign up to your free credit reporting service using this code: TT231. We have partnered with Noddle, one of the leading credit reference agencies, to offer 12 months of credit monitoring alerts for all customers. You can find out more at www.talktalk.co.uk/secure.

    • Stay vigilant - TalkTalk will NEVER call customers and ask you to provide personal details or passwords. Please take all steps to check the true identity of any organisation that calls requesting personal information. If you have any doubts, please call us on 0800 083 2710 or 0141 230 0707.

    We are sorry for the concern this week’s attack has caused, but want to reassure you that we are doing everything possible to keep your information safe.

    For more information, please visit: www.talktalk.co.uk/secure.

    Yours sincerely,

    Tristia Harrison

    Managing Director, Consumer
