This is what happens when you sack the IT people when they have done all the work.
Chaos reigns at TalkTalk as the telco appears to be claiming that a distributed denial of service (DDoS) attack led to customer data being compromised – despite that being technically infeasible. A contradictory series of claims in a TalkTalk statement published this morning has suggested the company does not understand the …
Sunday 25th October 2015 07:49 GMT smartypants
Languages don't 'sanitise input'...
There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input. If there's anyone out there relying for their security on a choice of language, then they're not going to last very long because it is not going to help in the slightest.
Perhaps there are some IT bods out there patting themselves on the back right now because they don't use PHP and are therefore 'secure'. Perhaps people this clueless were working at Talk-talk too.
Sunday 25th October 2015 21:02 GMT Vic
Re: Languages don't 'sanitise input'...
There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input.
There *sort of* is.
Most SQL databases allow "prepared statements", in which the SQL command - sans data - is set up, and the data then supplied to it. This means that the parsing of command vs. data occurs long before the data turns up. Thus, once the data is applied, the DB will not confuse the two; SQL injection is obviated, even if the programmer "forgets" to sanitise the data.
Note, however, that the term "prepared statements" can be misused: I found a Python SQL library that promised prepared statements, but actually just used string formatting to create a simple statement. The result was that the library appeared to offer the protection I've outlined above, but actually didn't.
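An added illustration of the point in this post (example code, not from the thread or from any library mentioned): a lookup that splices user input into SQL text beside a real prepared statement using Python's bundled sqlite3, plus a small self-test for the caveat above, so you can check whether a DB layer that claims to "prepare" statements actually binds data separately. Table, column names and sample rows are constructed.

```python
"""Prepared statements vs. string formatting, using Python's sqlite3."""
import sqlite3

# Constructed sample data: two customers in an in-memory database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers (email, phone) VALUES (?, ?)",
                     [("alice@example.invalid", "01234 000001"),
                      ("bob@example.invalid", "01234 000002")])
    return conn

def lookup_formatted(conn, email: str) -> list:
    """The 'silly' version from the thread: user input spliced into the SQL text.
    Command and data are parsed together, so quotes in `email` alter the command."""
    sql = "SELECT email FROM customers WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, email: str) -> list:
    """Prepared statement: the SQL is parsed with a placeholder first and the
    value is bound afterwards, so it is never interpreted as SQL."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

def really_prepares(lookup, conn) -> bool:
    """Self-test for a DB layer that claims to prepare statements. A probe value
    containing a quote and a tautology must match nothing, because no such
    email exists; if rows come back or the parser chokes, the value reached
    the database as SQL text rather than as bound data."""
    probe = "nobody' OR '1'='1"
    try:
        return lookup(conn, probe) == []
    except sqlite3.Error:
        return False

if __name__ == "__main__":
    conn = make_db()
    print("string formatting really prepares:", really_prepares(lookup_formatted, conn))
    print("prepared statement really prepares:", really_prepares(lookup_prepared, conn))
```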
Friday 23rd October 2015 18:17 GMT John Smith 19
"appallingly poor measures implemented to protect stored customer data"
Perhaps they were hoping their Chinese website spying partner would have alerted them to so much traffic, when they started running low on space to store so many users' data flows?
"Stalk Stalk" have let their customers down.
Friday 23rd October 2015 13:00 GMT Anonymous Coward
This is an all too common theme.
1) Outsource your IT (somewhere really cheap, no dedicated resource, high staff turnover - go on guess, you know where)
2) Get rid of the only people who know how the systems work
3) Put in management who only see security as a barrier to cheap infrastructure, and seek to undermine it whenever they can
4) Have no processes in place to govern anything, let alone access to sensitive data
Been there, seen it, tried to stop it. If only they did t-shirts.....
Friday 23rd October 2015 13:36 GMT Gordon 10
WHERE IS THE CIO
And why didn't he vet the press release?
Even if he's a PHB I would have expected clearer language than this. It's blatantly obvious that whoever wrote that release doesn't know a website from a webserver.
Hmm - looks like they may have a "CTO" and that they are CIO-less at the moment. (Ad heavy links)
Friday 23rd October 2015 14:37 GMT David McCarthy
"Harding previously said the company had assumed a worst-case scenario that all the personal data relating to its customers was compromised until TalkTalk could confirm exactly what was taken. She has apologised to customers for the third cyber-attack affecting the telecommunications firm in the past 12 months, but said the breaches were “completely unrelated”.
That is, only related by the fact that their security still isn't up to scratch!
Friday 23rd October 2015 22:47 GMT Oh Homer
Re: "I blame North Korea, China or Russia"
Looks like someone beat you to it and has already blamed "Islamic extremists".
Well, yes. Obviously.
Basement-dwelling geeks and career criminals apparently feature very low on the British Establishment's list of likely suspects, strangely enough.
Saturday 24th October 2015 10:02 GMT Anonymous Coward
Re: Experian - the Facebook of credit rating agencies.
"Until Facebook takes over that task as well."
You do know that somebody in government wanted to use Facebook for reliable online identification of people?
Presumably a senior civil servant who had been given an iPad for Christmas and now considered himself an expert on IT.
Saturday 24th October 2015 09:54 GMT AlbertH
Are they for real?
A free subscription to identity theft protection by one of the credit reference agencies.
These cretins should be paying significant (i.e. £ks) to every customer and their senior management should be in Court.
Has anyone calculated the time required to change all one's banking details, passwords and credit / debit cards? Has anyone actually put a figure on what this will cost each customer? TT shouldn't just offer a worthless "subscription" to Experian (who are entirely useless anyway) - they should be paying serious amounts of compensation to EVERY one of their customers.
Monday 26th October 2015 10:26 GMT Anonymous Coward
Maybe the crims should just call TalkTalk and cancel all those accounts, as they apparently have all the data they need to do that. That would send a message that even management understands.
But how do you know your account has been compromised? It won't be from the bank still paying them, that's standard practice for TT.
TT kept debiting me monthly for over 7 months after I left them. It took about 2 hours of phone calls and an email to a director to stop them; the crims would be bored shitless trying to cancel more than one in a lifetime.
Saturday 24th October 2015 08:33 GMT macjules
So what kind of compensation arrangements do TalkTalk intend to offer?
If you would trust us (again) with your credit card details, your bank details, your home address, date of birth and other personal details then we will send you a free voucher worth 1 hour of broadband usage against your monthly bill.
Friday 23rd October 2015 12:00 GMT Aristotles slow and dimwitted horse
Rewrote it for you...
A representative who we can now only assume will be from TalkTalk claimed it was "contacting all our customers straight away to let them know what has happened and to update all of their nice scrummy payment and user credential information. We might keep them up to date as we learn more. But we might not. As it might not actually be us."
Friday 23rd October 2015 12:05 GMT David Lawrence
The final straw
Since they pretty much forced me to sign a two-year contract with them earlier this year, they have put their prices up twice, and now this FFS.
It is also clear that they don't even know what actually happened and how much damage has actually been done. On the face of it, my personal details were stolen via a sustained DDoS attack. Hmm. Utter bullshit.
Well I'm off and just let them try levying any termination fees. It's a shame as their TV box is really nice and the (fibre) broadband is pretty good too. Freeview + another ISP + another phone provider = cheaper monthly payments for me anyway, so good riddance.
Friday 23rd October 2015 12:07 GMT nigel 15
They are saying this attack was sustained. In which case how was the data stolen?
It looks to me like they were distracted by a DDoS, that is the sustained bit. Instead of pulling the servers, they were focused on that and missed the penetration. They handled it badly.
On another note. How do you DDoS a frikin ISP.
Friday 23rd October 2015 14:15 GMT Tim Jenkins
"they were distracted by a DDoS, that is the sustained bit. Instead of pulling the servers, they were focused on that and missed the penetration"
Wasn't that exactly what happened in one of the big Sony breaches, where the perps used a DDoS to hide the exfiltration of TBs of data?
Can't imagine even 4 million sets of customer details would be within a few orders of magnitude of that size, though...
Friday 23rd October 2015 18:45 GMT Brewster's Angle Grinder
Pure speculation, but sending billions of password requests would look like a DDoS. And once in a while, one would succeed and the crims would get the user's data. You'd need some poor web design -- e.g. a broken nonce and a system that makes it easy to enumerate users (say nearly sequential account numbers). Throw in some verbose logging so that the logs hit a quota and most of what's happened is overwritten or not written, because the log is full. It's a line through all the data points.
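The scenario in the post above, from the detection side, as an added example that is not part of the thread: a pass over login logs that separates a user fat-fingering their own password from a sweep of near-sequential account numbers, the signature the poster describes. The log format, field names, addresses and account numbers are all constructed for this example and have nothing to do with TalkTalk's systems.

```python
"""Flag sources whose failed logins sweep across near-sequential account numbers."""
from collections import defaultdict

# Constructed sample log: "time source account outcome" per line.
SAMPLE_LOG = """\
12:00:01 198.51.100.7 10004001 FAIL
12:00:01 198.51.100.7 10004002 FAIL
12:00:02 198.51.100.7 10004003 FAIL
12:00:02 198.51.100.7 10004004 OK
12:00:03 198.51.100.7 10004005 FAIL
12:00:03 198.51.100.7 10004006 FAIL
12:00:04 203.0.113.9 10007777 FAIL
12:00:09 203.0.113.9 10007777 OK
"""

def parse(log: str):
    """Yield (source, account_number, outcome) for each log line."""
    for line in log.splitlines():
        _time, src, acct, outcome = line.split()
        yield src, int(acct), outcome

def enumeration_sources(log, min_attempts=5, max_gap=3, fail_ratio=0.6):
    """Return {source: [accounts that logged in OK]} for sources whose attempts
    are mostly failures, touch many distinct accounts, and whose account
    numbers sit within `max_gap` of each other (a sequential sweep). The OK
    list is what an incident responder wants first: the guesses that landed."""
    attempts = defaultdict(list)
    for src, acct, outcome in parse(log):
        attempts[src].append((acct, outcome))
    flagged = {}
    for src, rows in attempts.items():
        if len(rows) < min_attempts:
            continue  # too little to call; one typo-prone user looks like this
        fails = [a for a, o in rows if o == "FAIL"]
        accts = sorted({a for a, _ in rows})
        if len(fails) / len(rows) < fail_ratio or len(accts) < min_attempts:
            continue  # mostly successes, or hammering a single account
        gaps = [b - a for a, b in zip(accts, accts[1:])]
        if max(gaps) <= max_gap:
            flagged[src] = sorted(a for a, o in rows if o == "OK")
    return flagged

if __name__ == "__main__":
    print(enumeration_sources(SAMPLE_LOG))
```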
Friday 23rd October 2015 12:08 GMT MarkItZer0
As secure as possible != encrypted
Encryption is not a magic, all securing operation - it doesn't mean that data retrieved from the database is automatically rendered unusable. If the data was encrypted at database server or OS level (which is fine under PCI DSS), and there was an application exploit used to extract it (say SQL injection), then the database and OS would dutifully decrypt the data for the application's use, therefore the security flaw would mean the hacker gets the decrypted data anyway.
The focus should be on application security rather than on encryption. It is possible to encrypt database rows and columns using a key from the application server. However, again, as the application server needs to encrypt/decrypt per query, a SQLi attack will probably succeed. It is possible, although very difficult in practice, to implement row encryption in a web application. Complexity is the enemy of security - keep things simple and concentrate on security testing and plugging those vulnerabilities rather than adding unnecessary encryption to stored data.
Friday 23rd October 2015 12:10 GMT Anonymous Coward
It's the 3rd time in one year?
What's going on there? At which point is there going to be customer backlash?
Friday 23rd October 2015 12:23 GMT Anonymous Coward
Password brute force
If their description is in any way accurate, it's possible that someone was just brute-forcing the user account population against known potential candidates. Anyone know what data would be visible if you logged in as yourself? Not that we should be treating this stuff as secret in this day and age...
Friday 23rd October 2015 12:24 GMT Mike Wood
Actual e-mail received from Talk Talk
Here is the actual e-mail e-mailed to me this morning but only to one of the accounts I have with them:-
Dear Mr Michael Wood,
We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:
• Date of birth
• Phone numbers
• Email addresses
• TalkTalk account information
• Credit card details and/or bank details
We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.
We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.
What we are doing:
• We are contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more.
• We have taken all necessary measures to make our website secure again following the attack.
• Together with cyber crime experts and the Metropolitan Police, we’re completing a thorough investigation.
• We have contacted the Information Commissioner’s Office.
• We’ve contacted the major banks, and they will be monitoring for any suspicious activity on our customers’ accounts.
• We are looking to organise a year’s free credit monitoring for all of our customers and will be in touch on this in due course.
What you can do:
• Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via http://www.actionfraud.police.uk
• If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.
• Change the password for your TalkTalk account and any other accounts that use the same password.
• Check your credit report with the three main credit agencies: Call Credit, Experian and Equifax. Noddle also allows free access to your credit report for life.
Please be aware, TalkTalk will NEVER call customers and ask you to provide bank details unless we have already had specific permission from you to do so.
TalkTalk will also NEVER:
• Ask for your bank details to process a refund. If you are ever due a refund from us, we would only be able to process this if your bank details are already registered on our systems.
• Call you and ask you to download software onto your computer, unless you have previously contacted TalkTalk and agreed a call back for this to take place.
• Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security.
We understand this will be concerning and frustrating, and we want to reassure you that we are continuing to take every action possible to keep your information safe. If you have any questions, please visit http://help2.talktalk.co.uk/oct22incident for more information, or you can call us on 0800 083 2710 or 0141 230 0707.
Managing Director, Consumer
TalkTalk Telecom Limited, 11 Evesham Street, London W11 4AR. Registered in England & Wales No. 4633015