TalkTalk breach: a comedy of security errors

TalkTalk has been breached; we know that much. What else we know about it is, in actual fact, very little indeed at this stage.

We are in good company, of course, as anyone tuning into the myriad media appearances of the hapless TalkTalk CEO, Baroness Dido Harding, will appreciate that she, and it, seem to know sweet diddly squat as well. In fairness, the start of any breach investigation is going to have more questions than answers; that is the nature of investigations after all. However, Baroness Harding has managed to compound the image of TalkTalk as the corporate equivalent of a headless chicken by apparently not knowing the answer to anything.

The BBC asked if credit card data was encrypted and Harding answered with “the awful truth is, I don’t know.” She told ITV that, “this is a crime, a criminal has attacked TalkTalk systems and we are not the only ones, whether it is the US government, Apple, a whole host of companies. Cyber-crime is something we all need to get better at defending ourselves against.”

Certainly TalkTalk does, given that this is now the third serious breach in just 12 months. Back in December 2014 customers were exposed to scam calls from Indian-based con men, and in February 2015 more scam calls were reported after another breach involving what the company described as ‘non-sensitive’ information.

What we do know, from reading the various statements coming out of TalkTalk and analysing the interviews that have been given, is that the attack itself appears not to be anything particularly new or clever. Indeed, it seems to have a touch of the ‘Old Skool’ about it; no Advanced Persistent Threat tactics here, no zero-days being exploited to open a hole in the TalkTalk defences.

Actually, defences would appear to be the wrong word in the case of TalkTalk, which has pretty much proven itself to be lamer than a one-legged duck (and a sitting duck at that). We know from what has been said that TalkTalk came under DDoS attack, and that this is a very common ‘smoke and mirrors’ tactic used to distract security teams from the real target of the operation which, as far as this attack is concerned, was data exfiltration.

Although purely speculation at this stage, there has been a lot of talk within the IT security industry that a simple SQL injection attack was used against TalkTalk. Ordinarily I would have thought this highly unlikely, given the size of the company concerned, the nature of the business it is in and the fact that it has been exposed to two successful (if smaller) breaches already during the past year.

However, given that a well briefed CEO (and if she wasn’t well briefed why was she allowed anywhere near a TV camera or radio microphone?) could not confirm that data was encrypted, which most people will tell you is a pretty good indicator that it wasn’t, nothing can surprise me anymore.

I mean, come on, your company has already got itself a well-earned reputation as not being the best at protecting customer data after two breaches in a year (three if you include the Carphone Warehouse breach which impacted 2.4 million TalkTalk Mobile customers) and you still don’t fully encrypt sensitive data? I hope the eventual fine from the Information Commissioner’s Office is suitably large, suitably well publicised when it finally lands and does a suitable job of reminding those with their hands on the purse strings at TalkTalk that skimping on security investment is even worse for public relations than having a clued-down CEO.

Do I trust Harding and TalkTalk when they say the company takes security very seriously? Don’t be silly, how could I when a company that has been breached twice already doesn’t respond in a serious enough manner to mitigate the risk potential of another successful attack?

As Tim Erlin, Director of Security and Product Management at Tripwire says “Security isn’t simply a setting that you can turn on after a breach. For any large organization, rolling out significant security measures can take months, if not years. Very simply, if you collect, store or transmit personal information, it needs to be encrypted at rest and in transit. It’s not a change that occurs overnight, but it should be a clear requirement. Even encryption isn’t a perfect solution to data theft. The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use.”

Then there’s that DDoS attack thing, which may well have been a smokescreen but should it have been happening at all? A company the size of TalkTalk, and one that is in the business of Internet service provision, should have DDoS mitigation sewn up. How any major ISP and telco cannot have adequate DDoS mitigation in place is, quite frankly, beyond me. By adequate I mean something that would not only divert the DDoS traffic for scrubbing in an efficient and timely manner, but also do it in a way that doesn’t require the entire security team to go and take a look at it.

I’d also like to think that a company the size of TalkTalk would understand that DDoS smokescreens are a common tactic, so the first thing that the security team should do when the DDoS mitigation system alerts them to attack is check everything else to make sure nothing untoward is occurring.
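The “check everything else” step above can be partly automated. The following is an added example, not code from the article or from TalkTalk: it treats a DDoS alert window as a trigger to compare outbound traffic from data-holding hosts against their pre-alert baseline, so that a smokescreen with exfiltration behind it stands out. The flow log lines, host names, alert window and threshold factor are all constructed for illustration.

```python
"""Added example (not from the article): correlate a DDoS alert with
outbound traffic from internal data hosts, so the alert becomes a trigger
to check for exfiltration rather than the whole story.

Every log line, host name and threshold below is constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-summary lines: "<ISO time> <src> -> <dst> <bytes> <direction>"
# 'out' = traffic leaving the estate, 'in' = traffic arriving at the edge.
FLOW_LOG = """\
2015-10-21T20:00:00 db-01 -> 203.0.113.10 12000 out
2015-10-21T20:05:00 db-01 -> 203.0.113.10 11000 out
2015-10-21T20:10:00 db-01 -> 203.0.113.10 13000 out
2015-10-21T20:15:00 198.51.100.5 -> edge-lb 900000000 in
2015-10-21T20:15:00 db-01 -> 203.0.113.77 850000000 out
2015-10-21T20:20:00 198.51.100.6 -> edge-lb 950000000 in
2015-10-21T20:20:00 db-01 -> 203.0.113.77 910000000 out
"""

# Assumed: the window during which the (hypothetical) mitigation system raised a DDoS alert.
DDOS_ALERT_WINDOW = (datetime(2015, 10, 21, 20, 15), datetime(2015, 10, 21, 20, 25))
# Assumed: hosts that hold customer data and should rarely send large volumes outbound.
INTERNAL_DATA_HOSTS = {"db-01"}


def parse_flows(text):
    """Turn the constructed log text into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, _, dst, nbytes, direction = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "bytes": int(nbytes), "dir": direction})
    return flows


def egress_by_window(flows, hosts, width_minutes=5):
    """Sum outbound bytes from the given hosts into fixed-size time buckets."""
    buckets = defaultdict(int)
    for f in flows:
        if f["dir"] == "out" and f["src"] in hosts:
            minute = (f["ts"].minute // width_minutes) * width_minutes
            bucket = f["ts"].replace(minute=minute, second=0, microsecond=0)
            buckets[bucket] += f["bytes"]
    return dict(buckets)


def smokescreen_check(flows, alert_window, hosts, factor=10):
    """Compare egress from data hosts during the DDoS alert window with the
    average of the buckets before it. Returns the buckets whose egress exceeds
    `factor` times that baseline; a non-empty result means the DDoS should be
    treated as a possible diversion and the egress investigated immediately."""
    start, end = alert_window
    per_window = egress_by_window(flows, hosts)
    baseline = [b for t, b in per_window.items() if t < start]
    if not baseline:
        return []  # no baseline to compare against; needs a human look anyway
    avg = sum(baseline) / len(baseline)
    return sorted(t for t, b in per_window.items()
                  if start <= t < end and b > factor * avg)


if __name__ == "__main__":
    for t in smokescreen_check(parse_flows(FLOW_LOG), DDOS_ALERT_WINDOW, INTERNAL_DATA_HOSTS):
        print(f"egress spike from data hosts during DDoS alert at {t.isoformat()}")
```

The baseline here is deliberately naive (a flat average of the preceding buckets); a real deployment would use a longer history and per-host profiles, but the point stands: the DDoS alert should fire this check automatically rather than pull the whole team onto the flood.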

As Dave Larson, CTO at Corero Network Security which specialises in DDoS mitigation, says “Internet service providers, due to their significant subscriber base and excessive bandwidth capacity, must be better prepared for DDoS attacks with real-time detection and mitigation solutions to remove the attack traffic before it ever has the chance to permeate the network. In doing so, service availability is maintained, and personally identifiable data remains better protected.”

Do I care who was behind the attack? Not really, not at this stage. The media attention given to attribution is sadly to be expected, but a total red herring. What they were after in terms of data, and what they intend to do with it, will become clear enough in time. Do I care about the pig’s ear of communicating the breach to customers that Baroness Harding made? You betcha. Sure, it’s great that a CEO is out there talking about a breach, but only if that CEO has something to say rather than just repeating a shambolic ‘I know nuffink’ message from reporter to reporter.

Clarity is key, and there was none, other than it being clear that she knew nothing except that TalkTalk was paddling up shit creek without a canoe. Customers, unlike media commentators and gobby analysts such as myself, do really need to know what data was accessed, what was compromised and what the implications are. Customers do deserve clear answers to straight questions about what data was, or wasn’t, encrypted and why.

Customers need to know that anyone who holds their data, especially credit card and banking data, is doing all they can to properly secure it. Which means not relying upon legacy security tools and techniques as Richard Cassidy, Technical Director at Alert Logic explains. “Clearly it’s important to look at how we can better prevent data breaches and implement more effective tools to identify pre and post compromise activity, however CISOs, CSOs and CEOs should take the lessons learned from the countless data breaches we’ve seen this past while and seek to answer the question on how well prepared is the organisation in the event a data-breach does occur and how can customer data be better protected should the worst happen.

“Clearly there are questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after; perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place. Fundamentally organisations need to start with an intrinsic understanding of the anatomy of an attack as the first line of defence.

“Organisations have responsibility for protecting our data and perhaps a change is needed in legislation to compensate customers who suffer a financial loss as a result of their data being compromised; all too often we see organisations defer liability when a customer suffers a financial loss at the hands of bad actor groups who used the data they stole from a successful breach to compromise the organisations’ customers. The vast majority of consumers are not IT or even security savvy, especially the older generation; it can often be incredibly hard to discern between a bogus call purporting to be your provider (using the data they’ve gleaned from a breach) and a legitimate call. It would be far better for organisations of the ilk of TalkTalk to offer up better information to consumers on how to identify how their data could be used in such campaigns and to take more responsibility in supporting customers who suffer a loss as a result.”

I’m a TalkTalk customer myself, but on the TalkTalk Business side of the fence. I was able to access the TalkTalk Business account portal after the breach, and while the consumer one was still closed, to change my password as a knee-jerk precaution. Interestingly, I note that TalkTalk was still insisting that I only use alpha-numerics and disallowing special characters in passwords. Erm, if you want to encourage customers to use stronger passwords then taking any weapons out of the password generation arsenal is a seriously bad move.
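To put a number on what an alphanumerics-only rule costs, here is an added example (not TalkTalk’s code, nor the article’s): a validator of the restrictive kind described above beside a corrected one that enforces length instead of shrinking the alphabet, plus the search-space arithmetic. The character-set sizes are the standard printable-ASCII figures; the minimum lengths are assumptions.

```python
"""Added example (not from the article or TalkTalk): why a password policy
that rejects special characters weakens the passwords it accepts.

Minimum lengths below are assumptions; alphabet sizes are printable ASCII."""
import math
import string

ALNUM = string.ascii_letters + string.digits       # 62 symbols
PRINTABLE = ALNUM + string.punctuation + " "       # 95 symbols


def restrictive_policy(pw, min_len=8):
    """Policy of the kind the article describes: alphanumerics only,
    any special character causes rejection."""
    return len(pw) >= min_len and all(c in ALNUM for c in pw)


def corrected_policy(pw, min_len=12, max_len=128):
    """Corrected policy: enforce a length range and accept any printable
    ASCII character. (A slow password hash and a breached-password check
    would complete this; they are out of scope for the comparison.)"""
    if not (min_len <= len(pw) <= max_len):
        return False
    return all(c in PRINTABLE for c in pw)


def search_space_bits(length, alphabet_size):
    """Bits of search space for a random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


def strength_loss_bits(length):
    """Bits the alphanumerics-only restriction throws away at a given length."""
    return (search_space_bits(length, len(PRINTABLE))
            - search_space_bits(length, len(ALNUM)))


def compare(pw):
    """Show how each policy treats a candidate password (constructed sample)."""
    return {"restrictive": restrictive_policy(pw), "corrected": corrected_policy(pw)}


if __name__ == "__main__":
    sample = "correct-horse-battery!"  # constructed sample, not a real credential
    print(compare(sample))
    for n in (8, 12, 16):
        print(f"length {n}: alnum-only {search_space_bits(n, len(ALNUM)):.1f} bits, "
              f"full printable {search_space_bits(n, len(PRINTABLE)):.1f} bits, "
              f"loss {strength_loss_bits(n):.1f} bits")
```

The loss is roughly 0.6 bits per character, so a 16-character password loses almost 10 bits of search space to the restriction; worse, rejecting special characters pushes users towards the shorter, dictionary-shaped passwords that password-guessing attacks target first.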

I will leave the last word to Yvonne Eskenzi, organiser of Security Serious Week, of which IT Security Thing is a proud supporter and which kicks off on Monday 26th October: “Cyber-attacks, like the one suffered by TalkTalk, are just going to increase in severity and frequency. TalkTalk is just the latest in a long line of companies who’ve been targeted and come up short – Carphone Warehouse, Experian, these are huge companies struggling to keep the hackers out of their databases.

“I firmly believe that the only way we’re going to be able to prevent these incidents is to stop working in silos and come together to share expertise and experiences to make the internet a safe place to trade online. That’s why I’m spearheading next week’s Security Week – a week long timetable of conferences, workshops, training sessions and webinars, all free of charge, starting on Monday, aimed at educating users in a number of security disciplines presented by dozens of the UK’s top cyber-security experts. Security Serious is all about those that can’t learning from those that can; it’s simple really. Leading experts conveying their words of wisdom and industry best practices to those people and organisations who want to become more security savvy.”

Since writing this opinion piece, TalkTalk has issued a new statement (at 3.30pm on Saturday afternoon) which states that it can now confirm the following:
The attack “was on our website not our core systems” and “we now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account.”

TalkTalk also refers specifically to credit cards and has confirmed “we do not store complete credit card details on the website; any credit card details that may have been accessed had a series of numbers hidden and therefore are not usable for financial transactions eg 012345xxxxxx 6789.”

TalkTalk also confirm that account passwords have not been accessed. What does appear to have been stolen, though, are bank account numbers and sort codes. In an interview with Sky News on Saturday, Baroness Harding appeared dismissive of the seriousness of this particular, unencrypted, information by insisting the hackers would have “no more bank account information than is on a cheque.” Of course, quite apart from the small matter of nobody using cheques these days, the hackers wouldn’t have access to our cheque book in the first place.

All of which just goes to reaffirm our belief that TalkTalk have handled the post breach announcements badly, although we would like to change our earlier analogy from a lame one-legged sitting duck to a headless chicken. That seems much more appropriate, given that TalkTalk and Baroness Harding have given the appearance of an organisation and CEO scampering around in blind panic, issuing statements and giving interviews without actually knowing the facts of the matter, and creating far more fear, uncertainty and doubt amongst customers than it looks like was actually necessary.