Why?
Why ask BAE to look into your IT security? They don't even deal with their own IT security; they contract it out to CSC.
Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had "completed" a security audit. In its annual report, published in June, …
Because they own what was "Detica", the company behind the implementation of Blair's National Identity Card scheme.
Hmmm.
WTF that would make them qualified to deal with infosec, pen testing or anything is a bit beyond me.
Perhaps their plan to vacuum up everyone's personal details and keep them updated forever gives them some insight into wholesale data thieves?
No, this is good advice and standard practice.
If only Dido had stuck with it.
I think her public appearances to discuss the attacks were straight out of the good PR book and basically the right thing to do: admit to a problem; look concerned about it and busy trying to fix it. But she should have stuck to the script that any lawyer or police officer would have given her and not commented on any details because of the ongoing investigation. Better still would have been a joint appearance with the police.
But she had to put her foot in her mouth.
"Also, everything I've read so far (okay, I might have missed this or that) suggested, BAE infosec was hired after the last hack."
It was carefully worded to imply that was the case without clarifying the situation beforehand, so you would come to that conclusion.
It is known as doublespeak and is the enemy of truth.
Frequently used by those in authority and institutional media organisations.
Exactly. A pentest means nothing - what did they pentest exactly? Just the public-facing websites? Public-facing IP addresses? Just one application? Mobile apps? Was it an internal pentest?
What might be more probable is that the vulnerability was identified in the pentest report; it's just that since it was in June, they hadn't gotten around to fixing it. If my experience is anything to go by, vulnerabilities identified in pentests in a production environment take at least 3-4 months to fix... especially if you're in a company that doesn't understand/care about IT security.
Even in organizations that aren't simply paying lip service it can take that long depending on the vulnerability.
Where I work we have a system vulnerable to Heartbleed. It's been cordoned off so it no longer has any public-facing interfaces. It hasn't been patched because, well, Sun wasn't supporting it any more even before Oracle acquired them. But it's a key system for tens of thousands of people and the folks who built it back in the stone ages are long gone and nobody knows exactly how it works, so nobody knows how to migrate it. Yes, it is a basic system. Yes, it seems like it OUGHT to be straightforward. But it isn't.
BAE Systems informed The Register that "prior to the incident [we provided monitoring support, but this] was limited to monitoring the corporate non-market facing network."
I assume then that the market facing network is the one that got hit (ie the one exposed to the whole world via the internet).
Very devious of these hackers to attack through a route that BAE hadn't thought of.
Their quote suggests to me: "We were hired for our skills and knowledge, but did the bare minimum and only did exactly as our (less knowledgeable) client asked."
Unless there's more to it that hasn't been reported, that quote really doesn't reflect well on their work ethic, their commitment to computer & information security, or the quality of their customer service.
All a formal audit means is that they followed procedures and got ticked off as following procedures.
Nothing at all is done to check whether the procedures are appropriate, nor is it the auditor's place to say anything if they're not.
BAE probably operate the Talk Talk B2B product security monitoring, probably via some offshoring tentacle.
BAE (ex-Detica) were probably brought in after the hack to advise on beefing up security on the Consumer side of the business.
2 different divisions of BAE, 2 different Talk Talk products - their BAU/Production Services arm vs their high-end consulting.
As for the B2B guys who got hit - I saw in the Reg comments a lot of the smaller businesses were moved onto the Consumer product.
Do keep up El Reg & Commentards.
Doesn't change the fact that Talk Talk have failed everyone badly.
The time holds the hardlink. Right click the time of the comment and choose (Copy URL/Link Address/Link/etc)
Like here http://forums.theregister.co.uk/forum/containing/2694525
TalkTalk have a severe credibility gap. Sure, they can talk talk until they're blue blue in the face about "sophisticated cyber attacks", but when the perpetrators are teenagers younger than the well known vulnerability they used to own you, well, only an idiot would listen. "Sophisticated" ain't a word my folks would have used to describe me as a teenager.
Secure computing isn't easy, but taking basic foundation steps isn't hard either, once you face the truth of it - Being reasonably secure online is not cheap. You may not keep out well funded or determined hackers, but you ought not to be getting spanked on international telly by script-kiddie children.
Given how many trougher C-Suite directors they have, all of whom were evidently out of their depth throughout the past year, some of that bonus money would have been better spent on some professional developers and some competent infosec staff.
TalkTalk's shareholders need to get a firm grip on this ineffective leadership team at the AGM. If the board of directors won't replace them, then you must replace the board. Organisational lessons are only learned when heads have visibly rolled.
It doesn't matter who you are or what your knowledge is: if you have a public-facing website that has any sort of database behind it, then you have to know about the very basic security issues of XSS and SQLi.
SQLi to mainly protect your system, XSS to mainly protect your customers.
After that you can learn about more advanced secure coding techniques.
OWASP top 4 (1-4 in terms of risk and prevalence)
2007 : XSS, SQLi, Malicious File Execution, Insecure Direct Object Ref.
2010 : SQLi, XSS, Broken Auth/Session Mgmt., Insecure Direct Object Ref.
2013 : SQLi, Broken Auth/Session Mgmt., XSS, Insecure Direct Object Ref.
plus ça change
Yes but how do you think the board would look to the shareholders if they say 'Hey, your dividends are down this year because we beefed up our IT security...'
The shareholders would move quickly then!
I have no sympathy for these companies. I work for a security consultancy and inform staff about how poor, usually, they are. I offer recommendations and they are mainly ignored because, as you say, it isn't a couple-of-grand fix.
The most annoying things to plague information security are 'Frameworks'. Literally, yeah, it's a 'framework', but companies see them as compliance criteria that, once met, mean they are impenetrable.
And speaking of impenetrable, the game moves on at a fast pace. You have to have a continuing program to keep pace. All too often it's the age old 'Well we bought a new firewall two years ago so we're secure.' And then the phishing email comes in to the uneducated staff....
"TalkTalk's shareholders need to get a firm grip on this ineffective leadership team at the AGM"
Yes, they should. But no, they won't. Because they don't care. Because they didn't buy shares in order to take any responsibilities. They bought shares to make money (not earn - make). They are not investors as such, they are speculators.
Most telcos/ISPs use existing commercial software which can be mix and matched to create the processes required for the organisation to function.
The commercial developers of these systems come under pressure to completely decouple the software from the back end database, where information is stored.
Many organisations have, or plan to have contracts in place with a database vendor.
The software creators want their application software to work with as many databases as possible, at the minimal cost.
To achieve this, all the niceties built into the database are ignored, so no encryption, no stored procedures, no integrity. Anything to make the implementation of their application software over any backend exactly the same.
So if a hacker gets to these DBs, the world is their oyster. Putting some kind of security in place ahead of the application that accesses the data is of no effect.
Having looked closely at the designs of several supposedly confidential systems in development in Britain, I have seen that repeatedly provision has been made for data matching/access from "trusted" sources.
Small sample size I know, but of five folks I know who are TT customers, three are off to Virgin Media, one to Sky and the other is undecided.
Apparently they got a very good offer from Virgin when they said they were currently with TT (the one moving to Sky is not in a cabled area).
What if this is all a ruse and in actual fact this is not a hack by some script kiddies and rather an instance of "oops we lost your data on a train for spy agency to conveniently find". Talk Talk get told to remain as is by agency, data is lost, blame game ensues, make it look like a legit hacker.
I am off to get my tinfoil hat. My large brain requires the entire roll.
- S.A
Oh, you mean they changed their minds after you told them that they cannot leave contracts early, because it wasn't your fault but that of sophisticated attackers (in the age range of 15-20 years, none of them so far being charged with anything).
"Our role is to provide confidential advice to our client," - apparently, this doesn't appear to extend to advising their client that their "market-facing network" should be monitored too, regardless of what their client asked for initially. They were hired for their expertise after all.
Also, the implication TalkTalk hired BAE *after* the hack could easily be an assumption on the part of those reporting it (looking at the screenshot posted). The quote from TalkTalk visible in the image doesn't say or imply that BAE were just brought in. With the knowledge now that BAE already did work for TalkTalk, it doesn't read at all like that.
Obviously, TalkTalk weren't going to say anything that draws attention to the work BAE did for them previously, as the hack since makes them both look bad. But it's a quote that's not explicit enough either way, that would have allowed TalkTalk and BAE to save a little face when the average journalist has the propensity to report what they think or believe is there, rather than what actually *is* there...
"Our role is to provide confidential advice to our client," - apparently, this doesn't appear to extend to advising their client that their "market-facing network" should be monitored too
It's too early to say that.
A more likely situation, IMO, is that they gave all sorts of advice to their client - who didn't bother implementing anything. But that's speculation as well...
Vic.
I think that El Reg is being too nice to BAE. An *Evil* reporter would point out to BAE how they really fk'ed it up with TalkTalk given the fact that they not only got hacked, but apparently with vulnerabilities so easy to hack a child could do it. Because that *is* the reality of it. Kind of makes BAE look like the last company you'd want to use to secure anything. Perhaps BAE would like to comment on that?
Also, given that we don't know the details of how the hack occurred, and given how BAE had been contracted only months before, is it not possible that BAE itself was in some way responsible? I.e. bad advice left TalkTalk *more* vulnerable than it was before, or even worse, maybe a BAE employee, privy to inside information, leaked something?
Just a ThoughtThought! (me Walk[walk]s away whistling)
Oh... whilst I'm posting, don't know if anyone saw that BBC Panorama about hackers that was on recently, but the guy who the US is trying to get extradited for hacking (you know, he looked like Rodney's mate, Mickey from Only Fools and Horses), well, he seemed to think that TalkTalk's site was still vulnerable. Whilst that isn't exactly concrete evidence of incompetence at TalkTalk, he (Mickey) does still have slightly more credibility than TalkTalk do!
Just cancel your direct debit, write to TalkTalk, send them a cheque for the value of any service up to today's date so that you're fully paid up, tell them that as they have breached their duty of care you are unilaterally terminating your contract with them, you will no longer consume their services (i.e. unplug everything), you require them to release your MAC with immediate effect, and that you reserve the right to take further civil or criminal action against them in the event of any losses incurred, including any loss caused by not being able to use phone/Internet caused by them delaying the release of your MAC, and any legal costs incurred if they force you to take the matter to court.
"TalkTalk takes cyber security extremely seriously and we have increased investment in this area by a third over the last three years"
1. Increasing expenditure by a percentage is only meaningful if you say what the previous expenditure was. And even so....
2. It's not the inputs that matter, it's the outputs, in this case the security of the systems.
And that's ignoring the usual ritual "we take it very seriously".
Do these MBA types actually believe all this stuff they spout or does it just flow from textbook to mouth without passing through the brain?
There are a lot of people here bagging BAE Systems over this, but regardless of how you feel about that particular organisation, it's massively naive to think in terms of "Talk Talk got pwned, Talk Talk outsourced their security to BAE, therefore BAE are crap".
BAES is a bloody big business, and incorporates some pretty smart people through acquisitions like Detica, Stratsec, Norcom, SilverSky etc (Though they do struggle to hang on to them). BAE don't outsource their Security to CSC afaik.
The sad fact is that the ISP business has very thin margins, and security consulting services do not come cheap.
You don't 'outsource your security' like you outsource your window cleaning, it's not a binary thing. You outsource specific components like your mail scanning, or your identity solution etc, and then you perhaps engage your preferred partner for project based sec testing, like pentest my new web application, or please look at how our firewalls are configured etc.
In reality, you never have enough money to test absolutely everything, so you do your best with the budget you have (and having worked for ISPs myself, I can tell you that's roughly about 5% of what you think you need, and the fact they could afford to engage BAE for anything surprises me).
Security testers have a limited time to find all the vulns in a single environment; by contrast, attackers have as long as they like to find one single problem in absolutely everything, so it's no surprise that they got pwned multiple times.
What I found unforgivable was the way Dodo handled, and continues to handle the PR.
She should have stuck with her singing career..
She will go down with this ship
And She won't put her hands up and surrender
There will be no white flag above her door
She's unemployed and always will be
> However, following delivery of the company's first half financial results for 2015/16 this morning, TalkTalk CEO Dido Harding downplayed churn concerns – the fear that customers would leave for a rival. She stated that customers who had initially attempted to leave after the breach had changed their minds, adding that there were "very early indications that customers think that we're doing the right thing."
No, I am pretty certain that it is because you are charging them to leave - the full amount of the contract up to the end. Which I will add, is very poor service.
"Of the four Britons arrested in connection with the TalkTalk breach, three were teenagers. All have been bailed until March 2016 and none are believed to be responsible for the ongoing bank account thefts that TalkTalk customers are reporting to The Register."
ok.. But did they (or one of them) sell or pass on the stolen data?
It's not as if they are in the clear..