back to article TalkTalk hired BAE Systems' infosec bods before THAT hack

Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had "completed" a security audit. In its annual report, published in June, …

  1. CrashM

    Why?

    Why ask BAE to look into your IT security? They don't even deal with their own IT security, they contract it out to CSC.

    1. Yet Another Anonymous coward Silver badge

      Re: Why?

      Who subcontract it to BT who get Huawei in to do it.

    2. John Smith 19 Gold badge
      Unhappy

      "Why ask BAE to look into your IT security? "

      Because they own what "Dettica" the company behind the implementation of Blairs National Identity Card scheme.

      Hmmm.

      WTF that would make them qualified to deal with infosec, pen testing or anything is a bit beyond me.

      Perhaps their plan to vacuum up everyone's personal details and keep them updated forever gives them some insight into wholesale data thieves?

    3. Tom 13
      Unhappy

      Re: Why?

      Because when the male bovine waste hits the oscillating air mover, it's more important that you have a fall guy than that you were taking prudent measures to secure your systems.

  2. Your alien overlord - fear me

    "Clearly I can’t go into detail about the specific measures we are taking" - cos (a) I'm in marketing and don't understand technology and (b) we don't really have any specific measures apart from the in house bar on a Friday afternoon.

  3. allthecoolshortnamesweretaken Silver badge

    "Police told us not to answer questions"

    Oh how very convenient.

    Also, everything I've read so far (okay, I might have missed this or that) suggested, BAE infosec was hired after the last hack. So, what's all this, then?

    1. Anonymous Coward
      Anonymous Coward

      Re: "Police told us not to answer questions"

      "Lawyers told us not to answer questions"

      Fixed

    2. Charlie Clark Silver badge

      Re: "Police told us not to answer questions"

      No, this is good advice and standard practice.

      If only Dido had stuck with it.

      I think her public appearances to discuss the attacks were straight out of the good PR book and basically the right thing to do: admit to a problem; look concerned about it and busy trying to fix it. But, she should have stuck to the script that any lawyer or police would have given her an not commented on any details because of the ongoing investigation. Better still would have been a joint appearance with the police.

      But she had to put her foot in her mouth.

    3. Anonymous Coward
      Anonymous Coward

      Re: "Police told us not to answer questions"

      "Also, everything I've read so far (okay, I might have missed this or that) suggested, BAE infosec was hired after the last hack."

      It was carefully worded to imply that was the case without clarifying the situation beforehand, so you would come to that conclusion.

      It is known as doublespeak and is the enemy of truth.

      Frequently used by those in authority and institutional media organisations.

  4. A Non e-mouse Silver badge

    An audit means nothing

    An audit does not mean that you've made your systems secure. It's just a (paper) exercise to tell you how (in)secure you currently are.

    1. Anonymous Coward
      Anonymous Coward

      Re: An audit means nothing

      Exactly. A pentest means nothing - what did they pentest exactly? Just the public facing websites? public facing ip addresses? Just one application? Mobile apps? Was it an internal pentest?

      What might be more probable, was that the vulnerability was identified in the pentest report, it's just since it was in June, they hadn't gotten around to fixing it. If my experience is anything to go by, vulnerabilities identified in pentests in a production environment take at least 3-4 months to fix.... especially if you're in a company that doesn't understand/care about IT security.

      1. Charlie Clark Silver badge
        Coat

        Re: An audit means nothing

        Yes, the pen works fine…

        1. Anonymous Coward
          Anonymous Coward

          Re: An audit means nothing

          "your security policy says you does not say you must encrypt customer data. Do you know if you have encrypted your customer data"

          "yes I do know that we have not done that"

          "audit question passed the moment you said 'yes i know' ".

      2. Anonymous Coward
        Anonymous Coward

        Re: take at least 3-4 months to fix

        Even in organizations that aren't simply paying lip service it can take that long depending on the vulnerability.

        Where I work we have a system vulnerable to Heartbleed. It's been cordoned off so it no longer has any public facings. It hasn't been patched because, well Sun wasn't supporting it any more even before Oracle acquired them. But it's a key system for tens of thousands of people and the folks who built it back in the stone ages are long gone and nobody knows exactly how it works, so nobody knows how to migrate it. Yes, it is a basic system. Yes, it seems like it OUGHT to be straight forward. But it isn't.

  5. Anonymous Coward
    Anonymous Coward

    Hmmmm

    BAE Systems informed The Register that "prior to the incident [we provided monitoring support, but this] was limited to monitoring the corporate non-market facing network."

    I assume then that the market facing network is the one that got hit (ie the one exposed to the whole world via the internet).

    Very devious of these hackers to attack through a route that BAE hadn't thought of.

    1. mark 120

      Re: Hmmmm

      So they were responsible for securing the intranet, yes?

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmmmm

        So they were responsible for securing the intranet, yes?

        The statement is a bit vague, so it isn't clear exactly what they were responsible for overall. All the statement says is that they were monitoring what was presumably the intranet.

    2. VinceH Silver badge

      Re: Hmmmm

      "Very devious of these hackers to attack through a route that BAE hadn't thought of weren't tasked with looking at."

      FTFY.

      I could be wrong - I'm only making an assumption, after all, the same as you. However, that's what the bit you quoted suggests to me.

      1. Cari

        @VinceH Re: Hmmmm

        Their quote suggests to me: "We were hired for our skills and knowledge, but did the bare minimum and only did exactly as our (less knowledgeable) client asked."

        Unless there's more to it that hasn't been reported, that quote really doesn't reflect well on their work ethic, their commitment to computer & information security, or the quality of their customer service.

  6. Anonymous Coward
    FAIL

    "and previously told investors it had "completed" a security audit."

    Which we failed.

    1. Richard Taylor 2 Silver badge
      Facepalm

      Re: "and previously told investors it had "completed" a security audit."

      No, they passed the formal audit....

      1. Alan Brown Silver badge

        Re: "and previously told investors it had "completed" a security audit."

        All a formal audit means is that they followed procedures and got ticked off as following procedures.

        Nothing at all is done to check whether the procedures are appropriate, nor is it the auditor's place to say anything if they're not.

  7. Trollslayer Silver badge

    Scum

    No text needed.

  8. Gordon 10 Silver badge
    Mushroom

    Oh FFS its not complicated

    BAE probably operate the Talk Talk B2B product security monitoring, probably via some offshoring tentacle.

    BAE (ex-Detica) were probably brought in after the hack to advise on beefing up security on the Consumer side of the business.

    2 different divisions of BAE, 2 different Talk talk products - their BAU/Production Services arm vs their high end consulting.

    As for the B2B guys who got hit - I saw in the Reg comments a lot of the smaller businesses were moved onto the Consumer product.

    Do keep up El Reg & Commentards.

    Doesn't change the fact that Talk Talk have failed everyone badly.

  9. Omgwtfbbqtime Silver badge
    Holmes

    Called it.

    Here

    and here

    No hard links to comments anymore? Or am I just blind?

    1. DaLo

      Re: Called it.

      The time holds the hardlink. Right click the time of the comment and choose (Copy URL/Link Address/Link/etc)

      Like here http://forums.theregister.co.uk/forum/containing/2694525

      1. Omgwtfbbqtime Silver badge

        Re: Called it.

        thanks

    2. allthecoolshortnamesweretaken Silver badge

      Re: Called it.

      Hey it's friday, pub o'clock and all that... and maybe the intern is sick or something...

  10. LucreLout Silver badge

    Credibility gap

    TalkTalk have a severe credibility gap. Sure, they can talk talk until they're blue blue in the face about "sophisticated cyber attacks", but when the perpetrators are teenagers younger than the well known vulnerability they used to own you, well, only an idiot would listen. "Sophisticated" ain't a word my folks would have used to describe me as a teenager.

    Secure computing isn't easy, but taking basic foundation steps isn't hard either, once you face the truth of it - Being reasonably secure online is not cheap. You may not keep out well funded or determined hackers, but you ought not to be getting spanked on international telly by script-kiddie children.

    Given how many trougher C-Suite directors they have, all of whom were evidently out of their depth throughout the past year, some of that bonus money would have been better spent on some professional developers and some competent infosec staff.

    TalkTalks shareholders need to get a firm grip on this ineffective leadership team at the AGM. If the board of directors won't replace them, then you must replace the board. Organisational lessons are only learned when heads have visibly rolled.

    1. DaLo

      Re: Credibility gap

      It doesn't matter who you are or what your knowledge is, if you have a public facing website that has any sort of database behind it then you have to know about the very basic security issues of XSS and SQLi.

      SQLi to mainly protect your system, XSS to mainly protect your customers.

      After that you can learn about more advanced secure coding techniques.

      1. Anonymous Coward
        Anonymous Coward

        Re: Credibility gap

        OWASP top 4 (1-4 in terms of risk and prevalence)

        2007 : XSS, SQLi, Malicious File Execution, Insecure Direct Object Ref.

        2010 : SQLi, XSS, Broken Auth/Session Mgmt., Insecure Direct Object Ref.

        2013 : SQLi, Broken Auth/Session Mgmt., XSS, Insecure Direct Object Ref.

        plus ça change

    2. Anonymous Coward
      Anonymous Coward

      Re: Credibility gap

      Yes but how do you think the board would look to the shareholders if they say 'Hey, your dividends are down this year because we beefed up our IT security...'

      The shareholders would move quickly then!

      I have no sympathy for these companies. I work for a security consultancy and inform staff about how, usually, poor they are. I offer recommendations and they are mainly ignored because, as you say, it isn't a couple of grand fix.

      The most annoying things to plague information security are 'Frameworks'. Literally, yeah it's a 'framework' but companies see them as a compliance criteria that once met means they are impenetrable.

      And speaking of impenetrable, the game moves on at a fast pace. You have to have a continuing program to keep pace. All too often it's the age old 'Well we bought a new firewall two years ago so we're secure.' And then the phishing email comes in to the uneducated staff....

    3. allthecoolshortnamesweretaken Silver badge

      Re: Credibility gap

      "TalkTalks shareholders need to get a firm grip on this ineffective leadership team at the AGM"

      Yes, they should. But no, they won't. Because they don't care. Because they didn't buy shares in order to take any responsibilities. They bought shares to make money (not earn - make). They are not investors as such, they are speculators.

  11. Uberseehandel

    Systems Designed To Fail

    Most telcos/ISPs use existing commercial software which can be mix and matched to create the processes required for the organisation to function.

    The commercial developers of these systems come under pressure to completely decouple the software from the back end database, where information is stored.

    Many organisations have, or plan to have contracts in place with a database vendor.

    The software creators want their application software to work with as many databases as possible, at the minimal cost.

    To achieve this all the niceties built into the database are rignored, so no encryption, no stored procedures, no integrity. Anything to make the implementation of their application software over any backend exactly the same.

    So if a hacker gets to these DBs, the world is their oyster. Putting some kind of security in place ahead of the application that accesses the data is of no effect.

    Having looked closely at the designs of several supposedly confidential systems in development in Britain, I have seen that repeatedly provision has been made for data matching/access from "trusted" sources.

  12. Greem

    Churn

    Small sample size I know, but of five folks I know who are TT customers, three are off to Virgin Media, one to Sky and the other is undecided.

    Apparently they got a very good offer from Virgin when they said they were currently with TT (the one moving to Sky is not in a cabled area).

    1. Alan Brown Silver badge

      Re: Churn

      Moving from TT to Sky or Virgin is a bit like moving from a moving from a shit pile to an offal pile or a silage pile.

      There are much better ISPs out there if you're willing to pay 5% more each month.

  13. Sir Alien

    What if...

    What if this is all a ruse and in actual fact this is not a hack by some script kiddies and rather an instance of "oops we lost your data on a train for spy agency to conveniently find". Talk Talk get told to remain as is by agency, data is lost, blame game ensues, make it look like a legit hacker.

    I am off to get my tinfoil hat. My large brain requires the entire roll.

    - S.A

  14. Anonymous Coward
    Anonymous Coward

    "customers who had initially attempted to leave after the breach had changed their minds"

    Oh you mean they changed their minds after you told them that they cannot leave contracts early, because it wasn't your fault, but that of sophisiticated attackers (in the age range of 15-20 years, none of them so far being charged with anything).

  15. Cari

    "Our role is to provide confidential advice to our client," - apparently, this doesn't appear to extend to advising their client that their "market-facing network" should be monitored too, regardless of what their client asked for initially. They were hired for their expertise after all.

    Also, the implication TalkTalk hired BAE *after* the hack could easily be an assumption on the part of those reporting it (looking at the screenshot posted). The quote from TalkTalk visible in the image doesn't say or imply that BAE were just brought in. With the knowledge now that BAE already did work for TalkTalk, it doesn't read at all like that.

    Obviously, TalkTalk weren't going to say anything that draws attention to the work BAE did for them previously, as the hack since makes them both look bad. But it's a quote that's not explicit enough either way, that would have allowed TalkTalk and BAE to save a little face when the average journalist has the propensity to report what they think or believe is there, rather than what actually *is* there...

    1. Vic

      "Our role is to provide confidential advice to our client," - apparently, this doesn't appear to extend to advising their client that their "market-facing network" should be monitored too

      It's too early to say that.

      A more likely situation, IMO, is that they gave all sorts of advice to their client - who didn't bother implementing anything. But that's speculation as well...

      Vic.

  16. Peter X

    BAE... bah!

    I think that El Reg is being too nice to BAE. An *Evil* reporter would point out to BAE how they really fk'ed it up with TalkTalk given the fact that they not only got hacked, but apparently with vulnerabilities so easy to hack a child could do it. Because that *is* the reality of it. Kind of makes BAE look like the last company you'd want to use to secure anything. Perhaps BAE would like to comment on that?

    Also, given that we don't know the details of how the hack occurred, and given how BAE had been contracted only months before, is it not possible that BAE itself was in some way responsible? I.e. bad advice left TalkTalk *more* vulnerable than it was before, or even worse, maybe a BAE employee, privy to inside information, leaked something?

    Just a ThoughtThought! (me Walk[walk]s away whistling)

    Oh... whilst I'm posting, don't know if anyone saw that BBC Panorama about hackers that was on recently, but the guy who the US is trying to get extradited for hacking (you know, he looked like Rodney's mate, Micky from Only Fools and Horses), well he seemed to think that TalkTalks site was still vulnerable. Whilst that isn't exactly concrete evidence of incompetence at TalkTalk, he (Micky) does still have slightly more credibility than TalkTalk do!

  17. Stu J

    TalkTalk customers - have some balls!

    Just cancel your direct debit, write to TalkTalk, send them a cheque for the value of any service up to today's date so that you're fully paid up, tell them that as they have breached their due care you are unilaterally terminating your contract with them, you will no longer consume their services (I.E. unplug everything), you require them to release your MAC with immediate effect, and that you reserve the right to take further civil or criminal action against them in the event of any losses incurred, including any loss caused by not being able to use phone/Internet caused by them delaying the release of your MAC, and any legal costs incurred if they force you to take the matter to court.

  18. Anonymous Coward
    Anonymous Coward

    so easy to hack a child could do it.

    no comment needed

  19. Doctor Syntax Silver badge

    Same old same old

    "TalkTalk takes cyber security extremely seriously and we have increased investment in this area by a third over the last three years"

    1. Increasing expenditure by a percentage is only meaningful if you say what the previous expenditure was. And even so....

    2. It's not the inputs that matter, it's the outputs, in this case the security of the systems.

    And that's ignoring the usual ritual "we take it very seriously".

    Do these MBA types actually believe all this stuff they spout or does it just flow from textbook to mouth without passing through the brain?

  20. Anonymous Coward
    Anonymous Coward

    Job vacancies at TalkTalk

    "...the company did not employ a Chief Information Security Officer."

    Sounds like they haven't got an Ethics Officer either.

    However, the Smoke, Mirrors and Misdirection Officer position has already been filled...

  21. David Roberts Silver badge

    Hacking kids?

    Didn't the kids just get accused of DDoS attacks?

    These aren't the data stealers you are looking for.......

  22. Anonymous Coward
    Anonymous Coward

    Dido Dodo DooDoo

    There are a lot of people here bagging BAE Systems over this, but regardless of how you feel about that particular organisation, it's massively naive to think in terms of Talk Talk got pwned, Talk Talk outsourced their security to BAE, therefore BAE are crap.

    BAES is a bloody big business, and incorporates some pretty smart people through acquisitions like Detica, Stratsec, Norcom, SilverSky etc (Though they do struggle to hang on to them). BAE don't outsource their Security to CSC afaik.

    The sad fact is that the ISP business has very thin margins, and security consulting services do not come cheap.

    You don't 'outsource your security' like you outsource your window cleaning, it's not a binary thing. You outsource specific components like your mail scanning, or your identity solution etc, and then you perhaps engage your preferred partner for project based sec testing, like pentest my new web application, or please look at how our firewalls are configured etc.

    In reality, you never have enough money to test absolutely everything, so you do your best with the budget you have (And having worked for ISP's myself, I can tell you that's roughly about 5% of what you think you need, and the fact they could afford to engage BAE for anything surprises me)

    Security testers have a limited time to find all the vulns in a single environment, by contrast, attackers have as long as they like to find one single problem in absolutely everything, so it's no surprise that they got pwned multiple times.

    What I found unforgivable was the way Dodo handled, and continues to handle the PR.

    She should have stuck with her singing career..

    She will go down with this ship

    And She won't put her hands up and surrender

    There will be no white flag above her door

    She's unemployed and always will be

  23. -martin-

    "...customers think that we're doing the right thing."

    > However, following delivery of the company's first half financial results for 2015/16 this morning, TalkTalk CEO Dido Harding downplayed churn concerns – the fear that customers would leave for a rival. She stated that customers who had initially attempted to leave after the breach had changed their minds, adding that there were "very early indications that customers think that we're doing the right thing."

    No, I am pretty certain that it is because you are charging them to leave - the full amount of the contract up to the end. Which I will add, is very poor service.

  24. Anonymous Coward
    Anonymous Coward

    There of the four caught were teenagers, in other words the criminal supply chain equivalent of work experience students, not the actual organisers.

  25. anonymous boring coward Silver badge

    "Of the four Britons arrested in connection with the TalkTalk breach, three were teenagers. All have been bailed until March 2016 and none are believed to be responsible for the ongoing bank account thefts that TalkTalk customers are reporting to The Register."

    ok.. But did they (or one of them) sell or pass on the stolen data?

    It's not as if they are in the clear..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019