back to article Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed

Chaos reigns at TalkTalk as the telco appears to be claiming that a distributed denial of service (DDoS) attack led to customer data being compromised – despite that being technically infeasible. A contradictory series of claims in a TalkTalk statement published this morning has suggested the company does not understand the …

Page:

  1. Rono666

    This what happens when you sack the IT people when they have done all the work.

    1. Anonymous Coward
      Anonymous Coward

      I hardly think they'd "done all the work" if the reports here of the appallingly poor measures implemented to protect stored customer data are accurate.

      1. Dan 55 Silver badge
        Alert

        Maybe they did all the work about 10 years ago and since then got someone in to give the website a nice redesign every couple year or two. Something nice in PHP, say, which unfortunately doesn't sanitise input.

        1. smartypants

          Languages don't 'sanitise input'...

          Programs do.

          There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input. If there's anyone out there relying for their security on a choice of language, then they're not going to last very long because it is not going to help in the slightest.

          Perhaps there are some IT bods out there patting themselves on the back right now because they don't use PHP and are therefore 'secure'. Perhaps people this clueless were working at Talk-talk too.

          1. Vic

            Re: Languages don't 'sanitise input'...

            There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input.

            There *sort of* is.

            Most SQL databases allow "prepared statements", in which the SQL command - sans data - is set up, and the data then supplied to it. This means that the parsing of command vs. data occurs long before the data turns up. Thus, once the data is applied, the DB will not confuse the two; SQL injection is obviated, even if the programmer "forgets" to sanitise the data.

            Note, however, that the term "prepared statements" can be misused: I found a Python SQL library that promised prepared statements, but actually just used string formatting to create a simple statement. The result was that the library appeared to offer the protection I've outlined above, but actually didn't.

            Vic.

      2. John Smith 19 Gold badge
        Unhappy

        "appallingly poor measures implemented to protect stored customer data "

        Perhaps they where hoping their Chinese website spying partner would have alerted them to so much traffic, when they started running low on space to store so many users data flows?

        "Stalk Stalk" have let their customers down.

        Again.

    2. Anonymous Coward
      Anonymous Coward

      Expect more....

      This is an all too common theme.

      1) Outsource your IT (somewhere really cheap, no dedicated resource, high staff turn over - go on guess, you know where)

      2) Get rid of the only people who know how the systems work

      3) Put in management who only see security as a barrier to cheap infrastructure, and seek to undermine it whenever they can

      4) Have no processes in place to govern anything, let alone access to sensitive data

      Been there, seen it, tried to stop it. If only they did t-shirts.....

      1. Anonymous IV

        Re: Expect more....

        You didn't work for RBS, did you?

    3. Gordon 10

      WHERE IS THE CIO

      And why didn't he vet the press release?

      Even if the he's a PHB I would have expected clearer language than this. It's blatantly obvious that whoever wrote that release doesn't know a website from a webserver.

      Hmm - looks like they may have a "CTO" and that they are CIO-less at the moment. (Ad heavy links)

      http://www.computerweekly.com/feature/CIO-Interview-Gary-Steen-CTO-TalkTalk

      http://www.computerweekly.com/news/4500248681/Former-TalkTalk-CIO-to-lead-Police-ICT-Company

      1. illiad

        Re: WHERE IS THE CIO

        WHAT ADS??? :D :D thanks, adblock.... :) :P

  2. Anonymous Coward
    Anonymous Coward

    I blame North Korea, China or Russia, might as well get in there before it's announced.

    1. Anonymous Coward
      Anonymous Coward

      According to this article from a few minutes ago some miscreants are demanding money from TalkTalk.

      1. David McCarthy

        "Harding previously said the company had assumed a worst-case scenario that all the personal data relating to its customers was compromised until TalkTalk could confirm exactly what was taken. She has apologised to customers for the third cyber-attack affecting the telecommunications firm in the past 12 months, but said the breaches were “completely unrelated”.

        That is, only related by the fact that their security still isn't up to scratch!

    2. Oh Homer
      Big Brother

      Re: "I blame North Korea, China or Russia"

      Looks like someone beat you to it and has already blamed "Islamic extremists".

      Well, yes. Obviously.

      Basement-dwelling geeks and career criminals apparently feature very low on the British Establishment's list of likely suspects, strangely enough.

  3. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      A free subscription to identity theft protection by one of the credit reference agencies.

      1. mark 120

        Hopefully not Experian though, eh?

        1. Anonymous Coward
          Anonymous Coward

          "Hopefully not Experian though, eh"

          Experian - the Facebook of credit rating agencies.

          1. John Smith 19 Gold badge
            Unhappy

            Experian - the Facebook of credit rating agencies.

            Until Facebook takes over that task as well.

            With predictable consequences

            1. Anonymous Coward
              Anonymous Coward

              Re: Experian - the Facebook of credit rating agencies.

              "Until Facebook takes over that task as well."

              You do know that somebody in government wanted to use Facebook for reliable online identification of people?

              Presumably a senior civil servant who had been given an iPad for Christmas and now considered himself an expert on IT.

          2. illiad

            Re: "Hopefully not Experian though, eh"

            and they ask for ALL your numbers, even the one on the back - you dont really need all that cash, do you??? :D

      2. AlbertH
        Alert

        Are they for real?

        A free subscription to identity theft protection by one of the credit reference agencies.

        Bwahahahahaha!

        These cretins should be paying significant (ie: £ks) to every customer and their senior management should be in Court.

        Has anyone calculated the time required to change all ones Banking details, passwords and Credit / Debit cards? Has anyone actually put a figure on what this will cost each customer? TT shouldn't just offer a worthless "subscription" to Experian (who are entirely useless anyway) - they should be paying serious amounts of compensation to EVERY one of their customers.

    2. sysconfig

      Maybe the crims should just call TalkTalk and cancel all those accounts, as they apparently have all the data they need to do that. That would send a message that even management understands.

      1. Anonymous Coward
        Anonymous Coward

        Maybe the crims should just call TalkTalk and cancel all those accounts, as they apparently have all the data they need to do that. That would send a message that even management understands

        But how do you know your account has been compromised, it wont be from the bank still paying them, that's standard practice for TT?

        TT kept debiting me monthly for over 7 months after I left them, it took about 2 hours of phone calls and an email to a director to stop them, the crims would be bored shitless trying to cancel more than one in a lifetime

    3. macjules

      So what kind of compensation arrangements do TalkTalk intend to offer?

      If you would trust us (again) with your credit card details, your bank details, your home address, date of birth and other personal details then we will send you a free voucher worth 1 hour of broadband usage against your monthly bill.

  4. hatti

    sql injectydddoss thingummajig

    "the following data may have been accessed"

    Most likely unencrypted then.

    1. Anonymous Coward
      Joke

      Re: sql injectydddoss thingummajig

      Oh no, pretty sure the disks were encrypted. Surely that's all you need to do isn't it?

    2. Halfmad

      Re: sql injectydddoss thingummajig

      "may" have been accessed that age old way of softening people up before admitting it too early on.

  5. Your alien overlord - fear me

    The DDos was actually 4 million credit card details being uploaded to the cybercrims. Takes a while and some bandwidth - obviuously not that I did it or anything. Now if you don't mind, just going to pop down to the Silk Road...

    1. Lee D Silver badge

      Sadly, even 4 million credit card details could probably fit on a floppy disk in a ZIP file nowadays. The bandwidth of that is likely zero.

      However, using a DDoS to distract IT and cover your tracks while you plunder their systems? That's an interesting tactic.

      1. cmannett85

        TalkTalk stores the data by writing it down and then talking a hi-res photos of it taken - that's how it's "encrypted".

        1. Martin Evans 1

          Use a doctor to write it down and a pharmcist to decrypt it. 83% secure on weekends

  6. Aristotles slow and dimwitted horse

    Rewrote it for you...

    A representative who we can now only assume will be from TalkTalk claimed it was "contacting all our customers straight away to let them know what has happened and to update all of their nice scrummy payment and user credential information. We might keep them up to date as we learn more. But we might not. As might not actually be us."

    1. Floydian Slip
      FAIL

      Re: Rewrote it for you...

      Yep, they did contact their customers right away, by using the power of the media.

      Certainly didn't contact them in any other way

  7. David Lawrence

    The final straw

    Since they pretty much forced me to sign a two-year contract with them earlier this year, they have put their prices up twice, and now this FFS.

    It is also clear that they don't even know what actually happened and how much damage has actually been done. On the face of it, my personal details were stolen via a sustained DDoS attack. Hmm. Utter bullshit.

    Well I'm off and just let them try levying any termination fees. Its a shame as their TV box is really nice and the (fibre) broadband is pretty good too. Freeview + another ISP + another phone provider = cheaper monthly payments for me anyway so good riddance.

  8. nigel 15

    Sustained???

    They are saying this attack was sustained. In which case how was the data stolen?

    It looks to me like they were distracted by a DDoS, that is the sustained bit. Instead of pulling the servers, they were focused on that and missed the penetration. They handled it badly.

    On another note. How do you DDoS a frikin ISP.

    1. Quinnicus

      Re: Sustained???

      On another note. How do you DDoS a frikin ISP.

      Use more and bigger hammers

    2. rh587

      Re: Sustained???

      "On another note. How do you DDoS a frikin ISP."

      Their applications and services are hosted on servers. Same as the rest of us. You don't have to saturate their network if your attack is designed to bog down their compute resource.

    3. Tim Jenkins

      Re: Sustained???

      "they were distracted by a DDoS, that is the sustained bit. Instead of pulling the servers, they were focused on that and missed the penetration"

      Wasn't that exactly what happened in one of the the big Sony breaches, where the perps used a DDOS to hide the exfiltration of TBs of data?

      Can't imagine even 4 million sets of customer details would be within a few orders of magnitude of that size, though...

      1. nkuk

        Re: Sustained???

        Apparently its a very common technique. Bang hard on the front door and sneak in round the back.

    4. Brewster's Angle Grinder Silver badge

      Re: Sustained???

      Pure speculation, but sending billions of password requests would look like a DDos. And once in a while, one would succeed and the crims would get the user's data. You'd need some poor web design -- e.g. a broken nonce and a system that makes it easy to enumerate users (say nearly sequential account numbers.) Throw in some verbose logging so that the logs hit a quota and most of what's happened is overwritten or not written, because the log is full. It's a line through all the data points.

  9. MarkItZer0

    As secure as possible != encrypted

    Encryption is not a magic, all securing operation - it doesn't mean that data retrieved from the database is automatically rendered unusable. If the data was encrypted at database server or OS level (which is fine under PCI DSS), and there was an application exploit used to extract it (say SQL injection), then the database and OS would dutifully decrypt the data for the application's use, therefore the security flaw would mean the hacker gets the decrypted data anyway.

    The focus should be on application security rather than on encryption. It is possible to encrypt database rows and columns using a key from the application server. However, again as the application server needs to encrypt/decrypt per query, a SQLi attack will probably succeed. It is possible, although very difficult in practise, to implement row encryption in a web application. Complexity is the enemy of security - keep things simple and concentrate on security testing and plugging those vulnerabilities rather than adding unnecessary encryption to stored data.

    1. Anonymous Coward
      Anonymous Coward

      Re: As secure as possible != encrypted

      On the other hand the way that this has been reported shows that it makes sense to stick everything on an encrypted disk just so you can say "Yes it was all encrypted" with total confidence.

  10. Anonymous Coward
    Anonymous Coward

    It's the 3rd time in one year?

    What's going on there? At which point is there going to be customer backlash?

    February 2015:

    http://www.itgovernance.co.uk/blog/fraud-risk-for-thousands-of-talktalk-customers-following-data-breach-some-have-already-lost-thousands-of-pounds/

    August 2015:

    http://geekpower.co.uk/2015/08/carphone-warehouse-talktalk-leak-2-4-million-customers-details/

    1. Anonymous Coward
      Terminator

      Re: It's the 3rd time in one year?

      Surely any of their customers who have a clue about this kind of thing will have walked long ago?

    2. Shooter

      Re: It's the 3rd time in one year?

      Patience - the year isn't over yet.

  11. Anonymous Coward
    Anonymous Coward

    Password brute force

    If their description is in any way accurate, its possible that someone was just brute-forcing the user account population against known potential candidates. Anyone know what data would be visible if you logged in as yourself? Not that we should be treating this stuff as secret in this day and age...

    1. Anonymous Coward
      Anonymous Coward

      Re: Password brute force

      Take a look at the pastebin stuff...they could see a lot of databases and the user account info was more than a screenscrape could get you...they have the customer orders table and the password change log table.

  12. Mike Wood

    Actual e-mail received from Talk Talk

    Hi,

    Here is the actual e-mail e-mailed to me this morning but only to one of the accounts I have with them:-

    Dear Mr Michael Wood,

    We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:

    • Names

    • Addresses

    • Date of birth

    • Phone numbers

    • Email addresses

    • TalkTalk account information

    • Credit card details and/or bank details

    We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

    We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.

    What we are doing:

    • We are contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more.

    • We have taken all necessary measures to make our website secure again following the attack.

    • Together with cyber crime experts and the Metropolitan Police, we’re completing a thorough investigation.

    • We have contacted the Information Commissioner’s Office.

    • We’ve contacted the major banks, and they will be monitoring for any suspicious activity on our customers’ accounts.

    • We are looking to organise a year’s free credit monitoring for all of our customers and will be in touch on this in due course.

    What you can do:

    • Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via http://www.actionfraud.police.uk

    • If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.

    • Change the password for your TalkTalk account and any other accounts that use the same password.

    • Check your credit report with the three main credit agencies: Call Credit, Experian and Equifax. Noddle also allows free access to your credit report for life.

    Please be aware, TalkTalk will NEVER call customers and ask you to provide bank details unless we have already had specific permission from you to do so.

    TalkTalk will also NEVER:

    • Ask for your bank details to process a refund. If you are ever due a refund from us, we would only be able to process this if your bank details are already registered on our systems.

    • Call you and ask you to download software onto your computer, unless you have previously contacted TalkTalk and agreed a call back for this to take place.

    • Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security.

    We understand this will be concerning and frustrating, and we want to reassure you that we are continuing to take every action possible to keep your information safe. If you have any questions, please visit http://help2.talktalk.co.uk/oct22incident for more information, or you can call us on 0800 083 2710 or 0141 230 0707.

    Yours sincerely,

    Tristia Harrison

    Managing Director, Consumer

    TalkTalk Telecom Limited, 11 Evesham Street, London W11 4AR. Registered in England & Wales No. 4633015

    1. Elmer Phud

      Re: Actual e-mail received from Talk Talk

      So, it's up to you to keep an eye on your account?

      And it's nice of TalkTalk to inform you of how to keep bad at bay, though it would have been better, in this case, for them to actually have had some bloody security themselves.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like