Talk Talk Hack

FSL · 23-10-2015 3:24pm #1

a quote from the BBC business live page

A significant proportion of denial of service attacks are masking another form of attack aimed at stealing data. Recent studies have shown that up to a third of attacks on businesses are simply obscuring a deeper attack. SQL injection is a well known form of attack. Anyone building a website that connects to a database should be designing it from the outset to prevent SQL injection, and it is standard testing to look for this vulnerability. Hackers themselves conduct this testing on a vast scale with automated tools to identify vulnerable sites. They work on the principle that if they rattle enough door handles they will find one that is unlocked. For that to be a major company like TalkTalk is disappointing, unless the hackers have found some new form of this attack, which I doubt.
Professor Alan Woodward Surrey University

I thought SQLi was so old that you would have to be a technological dinosaur to build something vulnerable to it.

syklops · 24-10-2015 12:10pm

FSL wrote: »

I thought SQLi was so old that you would have to be a technological dinosaur to build something vulnerable to it.

The OWASP Top 10 came out in 2001. The idea was that it would raise awareness of these issues so that developers could design applications with them in mind, and then next years Top 10 would be new, different vulnerabilities. Injection vulnerabilities, including SQLi has been there from the start, and the list for the most part has changed very little in 14 years.

Speaking as a Pen tester I regularly see SQLi, often in Internet facing applications. The state of Internet Security in my experience is shocking. Nothing surprises me anymore.

reklamos · 24-10-2015 7:38pm

I think the most shocking part is this:
"Asked by the BBC whether customers’ bank details had been encrypted by TalkTalk, she said: “The awful truth is, I don’t know”"
How is this company still allowed to operate?
There will always be holes or zero day vulnerabilities but that is why there should be multiple layers of security and encryption is one of them.

Treepole · 26-10-2015 10:20pm

Young lad from Antrim arrested in relation to this.........

Berkieahern · 26-10-2015 10:21pm

15 year old lad!

riclad · 26-10-2015 10:43pm

I read on another website ,alot of the data is not encrypted .
How is a large company ,in 2015 with millions of customers at this point ,
not using strong passwords .And encrypting user data by default .
Did the large companys not learn anything from the sony hack .
There should be a law ,if you have over a few 1000 customers ,
all data should be encrypted .
Large companys should employ independent security experts ,to test all
their website,s for known vunerabiltys .
And make sure all their pcs are updated with security patches and are not running windows xp.
Every six months .
IT seems every month theres a large us company being hacked .

ItHurtsWhenIP · 26-10-2015 10:55pm

Fixed that for you:

riclad wrote: »

I read on another website ,alot of the data is not encrypted .
How is a large company ,in 2015 with millions of customers at this point ,
not using strong passwords .And encrypting user data by default .
Did the large companys not learn anything from the sony hack .
There should be a law ,if you have over a few 1000 customers ,
all data should be encrypted .
Large companys should employ independent security experts ,to test all
their website,s for known vunerabiltys .
And make sure all their pcs are updated with security patches and are not running windows xp.
Every six months .
IT seems every month theres a large us company being hacked .

timmywex · 26-10-2015 11:24pm

15 year old from Antrim arrested for this.

Interesting given that ransom demands have been made, a Lulzsec member claimed they were responsible for the DDoS etc.

Red Alert · 27-10-2015 10:35am

The word encryption is thrown around a lot in relation to this hack. Surely it depends on exactly what was encrypted and where in the chain the encryption was done? The keys have to live somewhere accessible to the web application.

Blowfish · 27-10-2015 3:08pm

If there's one thing this breach highlights it's that we really really do have serious problems when it comes to InfoSec reporting in the media. FireEye claimed it was Russians, Lulzsec claim responsibility for part of it, the Mirror (prompted by the BBC) said it was a Jihadist Cyber Holy War and in the end it's looking like it's a 15 year old Irish kid....

FSL · 27-10-2015 5:44pm

The 15 year old has been released on police bail. What's the betting his computer was compromised and was part of the ddos attack?

dbit · 03-11-2015 3:28pm

Whatever came of the Belfast Child ? tee hee ?

Talk Talk Hack

Comments