Memo
Memo from TalkTalk to all engineers:
As a security measure, the four year old shared password "password" has now been changed to "123456".
Fraudsters who attempted to scam TalkTalk customers by using records of their maintenance engineer visits are thought to have bought that info from current or former staff. According to one ex-TalkTalk employee, who asked not to be named, the company uses a third-party system called Qube Portal to book visits and record …
Back when RM did modified builds of Windows 98, there was a guest account that anyone sane would disable; this had elevated 'teacher' privileges including the tool teachers could use to reset a pupil's password without having to go and find someone from IT. You can guess where this is going, can't you.
An eon ago I went on a DEC security course. During the morning coffee break I sneakily logged into the site's terminal server using the default password of "password" and changed it to something else. The "security guru" teaching us about DEC security was somewhat puzzled when he couldn't access his server but he did see the funny side when I told him I'd changed the password.
You heard it here first, folks (after reading it on USENET decades ago anyway), but I can present to you an exclusive scoop of the TalkTalk security memo that was sent out last year informing all employees of proper security practices. If you read the list carefully you can see they were using an ultra-secure method to pick their passwords, so this was clearly an inside job by lunix hackers.
============================
CORPORATE DIRECTIVE NUMBER 88-570471
In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.
RULES FOR THE SELECTION OF PASSWORDS:
1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.
Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
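The rules in the directive above read like a spec, so here is a checker for them, added here as an illustration and not part of the original post or of anything TalkTalk published. Rules 5 and 7 ("no words from any language", "no names") cannot be implemented literally, so two small constructed word lists stand in for them; the keyboard layout for rule 6 is a US-QWERTY letter grid with the row stagger ignored. Everything else follows the memo's wording, including the examples it gives.

```python
"""Checker for the satirical password-selection rules quoted in the post above.

Added example; the stub word lists and the flat keyboard grid are assumptions.
"""
from typing import Dict, Iterable, List, Tuple

MONTHS = ["JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
          "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER"]
MONTH_TOKENS = MONTHS + [m[:3] for m in MONTHS]      # rule 3: names and abbreviations

# Rule 5 / rule 7 stand-ins: constructed mini lists, not from the memo.
SMALL_WORDS = {"A", "I", "AT", "ME", "TO", "IS", "IT", "AN", "OR", "NO", "ON",
               "BE", "DO", "GO", "IN", "OF", "SO", "US", "WE", "MY"}
NAME_LIST = {"JOHN", "BOY", "MARY", "LONDON", "CAT", "DOG"}

# Rule 6: US-QWERTY letter rows as a plain grid (stagger ignored, an assumption).
KEYBOARD_ROWS = ["QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]
KEY_POS: Dict[str, Tuple[int, int]] = {
    ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)
}


def keys_adjacent(a: str, b: str) -> bool:
    """True if two keys touch horizontally, vertically or diagonally on the grid."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def check_password(candidate: str, history: Iterable[str] = ()) -> List[str]:
    """Return the memo rules the candidate breaks; an empty list means accepted."""
    pw = candidate.upper()
    broken: List[str] = []

    # Rule 1: at least six characters, no doubled character, no alphabetic run
    # (forward or reverse) of two or more letters.
    if len(pw) < 6:
        broken.append("rule 1: shorter than six characters")
    for x, y in zip(pw, pw[1:]):
        if x == y:
            broken.append(f"rule 1: repeated character {x}{y}")
            break
    for x, y in zip(pw, pw[1:]):
        if x.isalpha() and y.isalpha() and abs(ord(x) - ord(y)) == 1:
            broken.append(f"rule 1: alphabetic sequence {x}{y}")
            break

    # Rule 2: two or more positions identical to any previous password.
    for old in history:
        same = sum(1 for a, b in zip(pw, old.upper()) if a == b)
        if same >= 2:
            broken.append(f"rule 2: {same} positions shared with {old.upper()}")
            break

    # Rule 3: month names or abbreviations.  Rule 4: any digit other than zero.
    for tok in MONTH_TOKENS:
        if tok in pw:
            broken.append(f"rule 3: contains month token {tok}")
            break
    if any(ch.isdigit() and ch != "0" for ch in pw):
        broken.append("rule 4: contains a non-zero digit (a month number)")

    # Rule 5: words (stub list; the memo bans every word in every language).
    for w in sorted(SMALL_WORDS, key=len):
        if w in pw:
            broken.append(f"rule 5: contains word {w}")
            break

    # Rule 6: characters adjacent on the keyboard.
    for x, y in zip(pw, pw[1:]):
        if keys_adjacent(x, y):
            broken.append(f"rule 6: {x}{y} are adjacent keys")
            break

    # Rule 7: names of people, places or things (stub list).
    for n in NAME_LIST:
        if n in pw:
            broken.append(f"rule 7: contains name {n}")
            break
    return broken


def is_valid(candidate: str, history: Iterable[str] = ()) -> bool:
    return not check_password(candidate, history)


if __name__ == "__main__":
    # The memo's own examples, checked against the memo's previous password GKPWTZ.
    samples = ["HGQQXP", "GFEDCB", "MARCHBC", "VWMARBC", "WKBH3LG",
               "QWERTY", "GHNLWT", "HUKWVM", "JOHNBOY", "NRPWHS", "QZPMXL"]
    for s in samples:
        print(f"{s:8} -> {check_password(s, history=['GKPWTZ']) or 'accepted'}")
```

Run it and every example the memo lists is rejected, usually by more than one rule at once; only an unmemorable string such as QZPMXL survives. That is the real point behind the joke, and the thread's topic: a policy nobody can satisfy does not produce strong passwords, it produces one value that gets passed around, which is exactly the shared-password failure being discussed.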
Why would a company bother spending lots of money on their IT systems, when it's perceived that "if it ain't broke, don't fix it"? Money spent securing internal systems that customers can't see doesn't return any profit on that investment. At the end of the day, the business exists to make money for its shareholders, not to keep customer data secure nor deliver an amazing customer experience. They want to get away with the bare minimum, and when something goes wrong the PR department spins it as "well it was a sophisticated attack and we take every effort to protect our customer data" and "our customers' privacy is very important to us".
Liars. Their customers' dollar is important to them, not the fact their details aren't secure and can be sold to all and sundry.
Except sadly, that's a very short-sighted approach and is exactly the reason TalkTalk has shed customers by the bucketload, and profits with them. Strong, well enforced and audited security = secure customer data = reduced risk to profit. Not exactly rocket science, yet for some reason our biggest ISPs and telcos seem to be ignorant in this area...
"Strong, well enforced and audited security = secure customer data = reduced risk to profit."
TalkTalk may have lost customers. Their profits may have been dented. But, unless you have numbers, I speculate the cost of doing this right will exceed their losses. We need a regulator who can give them a good kicking in the dividends and whistleblowers who are willing to testify.
>> I speculate the cost of doing this right will exceed their losses.
I disagree with that. The cost of doing this right IN THE FIRST PLACE would have been less than they will lose from the incident. By the time you factor in the lost customers, the help desk costs to handle the increased calls, the incentives they've made to those customers to encourage them to stay plus the significant costs they've had in hiring in security consultants to bolt the stable door, that's going to be far in excess of the relatively low costs to do things right in the first place by employing competent staff (devs + managers) and to pen test the system.
"I disagree with that. The cost of doing this right IN THE FIRST PLACE would have been less than they will lose from the incident."
Talk Talk says (PDF) the "trading impact [was] £15m" and they're estimating 0.6% customer loss due to the cyberattack. (Ofcom says they have 16% of the UK's 27 million households, so about 26,000 people were pissed off enough to move.) That churn is 50% more than normal.
It looks like they moved sales to helpdesk, and are blaming that for reduced sales and lower customer numbers. For that reason they missed out on revenues of £40-£45 million.
I guess the £15 million includes the consultancy fees. But those fees would have had to have been paid at the start to make sure it was right (they're a corporation: they don't believe their staff unless a consultant agrees) and they would have no doubt incurred on-going costs in ensuring continued compliance.
But let's say you're right and they could have spent £1 million over four years and been £50 million richer. So what? They expect to grow dividends. Their profits might grow slightly slower than they'd hoped. But the message to shareholders is everything is recovering and there's nothing to worry about. QED
We need a regulator who can give them a good kicking
I'd like to see a law that puts manglement in the firing line.
If you have a database of customer details, your management team's details need to be in there as well. If it contains bank details, management's accounts are there as well.
So if the database gets taken - the team who penny-pinched the security face the same consequences as their customers.
It needs tuning of course - e.g. to prevent them setting up bank accounts specifically to circumvent this - but the guts of the idea is there...
Vic.
The cyber attack on Talk Talk according to their board cost no more than £35m including remedial measures.
However the share price dropped by £750m - not just due to the cyber attack but that was a major contributory factor.
Source: Anthony Hilton in the Evening Standard, 13th January
I am sure this will have seriously kicked their dividends....
"Money spent securing internal systems that customers can't see doesn't return any profit on that investment"
This is one of the main jobs that we expect governments to perform; regulation of business so that companies who do the right thing (providing safe products, protecting personal data etc.) are not at a competitive disadvantage to those who don't.
Fines should be big enough to affect the profit of a non-conforming company so that it makes the decision that doing things correctly is a profitable investment.
Part of the difficulty is that the security gurus have gotten so paranoid, the tools you'd use to implement certain things have been disabled. For example, the government office in which I work has no approved tool to change the local admin passwords on any of the PCs. So it never gets touched.
"For example, the government office in which I work has no approved tool to change the local admin passwords"
This is a case of the Dunning-Kruger effect writ large and the "security gurus" being well out of their depth in the first place.
"Fines should be big enough to affect the profit of a non-conforming company"
Fixed fines are part of the issue. The ones which allow "up to N% of turnover" are the ones which hurt most, provided regulators are brave enough to impose them.
Rewriting laws so that fines can't be claimed as tax-deductible would help a lot too.
Not at all surprised.
I remember seeing a green screen application some years ago at a big company. Most of the staff had access to this, without needing any form of security control. I believe that they had something like 400,000 customer details in that particular system.
That was a system based / managed in India. Used by some call centre staff there, but also by several call centres in the UK.
If the customer is appearing like this for their own dubious, presumably sexual, gratification, I think it's perfectly reasonable to note it down, particularly if it becomes a repeat performance. Would you want your wife, husband, partner, etc. becoming a part of a customer's lifestyle choice just because they happened to be assigned that particular call? Not all situations are as humorous/desirable as a 70s-style Confessions Of A Window-cleaner and could be genuinely alarming for someone simply trying to do their job.
Thumbs down - seriously? I know El Reg is a broad church, but I didn't realise it was such a hotbed of adult nappy wearing. FFS, do as thou shalt but don't involve the rest of us, please.
Truly, speaking as someone who has done this kind of job, you do find yourself being part of people's "other interests" and it's not fair. Someone appearing at the door in a state of undress is a legitimate concern, particularly if it became a habit. That is offender's register stuff, whether you choose to believe it or not.
"Some of these reports can be somewhat humorous. For example: 'Customer answered door wearing an adult nappy'."
Doesn't sound like this private data is needed for the business purpose that TT is supposed to be providing.
If the customer concerned had these details leaked* and this particular bit of information, I'd say [IANAL] they'd sue the crap** out of TT.
* No. Just no.
** Still no.
TT are the people who refused to log a fault with a landline because the person who was reporting the fault didn't have a mobile for TT to call them on.
Not only did the person with the landline not have a mobile, they lived in a 'not-spot' where none of the carriers had a usable signal.
The Indian droid on the end of the phone refused to believe this.
Bribed a friendly OpenReach bod with a few 'at the weekend pints' to fix the issue.
Moved from TT the next day.
Why is this company allowed to do business? It is one abject failure after another.
Come on OFCOM close them down before they do any more damage.
Fucking cunting bunch of motherfucking wank-shit cockwombles!
And they won't let people leave prematurely. That business is not fit to call itself a provider of any services!
- shared password known by thousands
- 1000s of staff in a foreign territory not covered by our laws
- reports of criminal behaviour at these foreign sites
- password not changed in years
They are a shambles, utterly and totally. Wouldn't trust that dildo woman in charge to pour piss out of a boot with the instructions written on the heel!
Why do they need your date of birth?
So that they can know if it's legal to ask for a credit card or if it's legal to offer the service to them. In some jurisdictions people have to be at least <yearsOld> to be legally able to get credit cards. Someone younger than <yearsOld> would probably have to pay by cash, assuming that they could legally be sold the product at all, something unlikely. For many service calls, the dispatcher will state that there must be an adult who can legally make decisions on the account present throughout the call.