Page 2 of 3
Results 17 to 32 of 44

Thread: Talk Talk Hacked

  1. #17 directhex

    Quote Originally Posted by TheAnimus:
    https://paul.reviews/value-security-avoid-talktalk/

    I'd hope heads would have rolled last time, but I doubt it.

    Drupal and PHP simply shouldn't be used when anything needs any kind of security; the practices both the language and platform encourage are incongruent with a safe, secure software development lifecycle.
    "We don't support HTTPS under any circumstances" is a pretty core issue, and unrelated to choice of dev framework.

  2. #18 peterb

    I wonder how many fraudulent claims for compensation will be made?

  3. #19 Dave_07

    TT have posted an update:

    https://help2.talktalk.co.uk/oct22incident

  4. #20 Admin (Ret'd)

    I agree, and I don't either BUT .... what reassurance do we have that other companies are any better? Or for that matter, haven't previously been hit and lost customer data, but managed to keep it quiet?

    I've been accused of tin-hatism over my attitude to privacy in the past, because my attitude is that I guard ALL aspects of my privacy jealously, UNLESS there's a convincing reason why it's in MY interests to release it. In part, my reasoning is that I don't want any company, any at all, no exceptions, building a profile on me for marketing purposes, but another aspect is that I have no way to know how carefully they protect, or don't protect, that data.

    So, who here knows what data their ISP or mobile provider gathers? What happens to historic geo-location data, call or text metadata, and so on, to the nth degree? When you use a store card, who knows what transaction data they keep, what profiling data may have been mined, what data sources it's been cross-referenced with, and for that matter, what country it's stored in, and what procedures and/or software security measures are in place? What data is encrypted? Which servers are hardened, and if they are, does the person hardening them know what they're doing? And are those protections regularly updated, by someone competent, or did the data owner call in some consultants five years ago, and assume that once hardened, job done? If so, they're idiots.

    The real message in this is not that TalkTalk are incompetent idiots, though that's looking likely too, but that :-

    - ANY data you provide ANYBODY is at risk, because you don't KNOW how well it's protected, and

    - the ONLY way to minimise your risk is for YOU to take all reasonable steps to minimise exposure.

    Short of living a hermit-like life, without modern telecoms (or at least any registered to you), never buying online, paying cash for everything and not having bank accounts, it's impossible to avoid virtually all risk. Using just about any modern device, and most obviously smartphones, opens up the very real prospect that ANY data gathered via them WILL, sooner or later, be compromised. The same applies to giving websites data, ordering online, card and/or contactless payment systems, and so on.

    I get that most, or nearly all, people seem to regard smartphones as mandatory these days, and so many people seem to just trust that their data is guarded assiduously. Newsflash: it isn't. Or at the very least, you have zero grounds to believe it is, and plenty of incidents suggesting it isn't, and that's just the ones large enough to have gone public.

    So here's the thing. By all means indulge in all these modern telecoms devices and practices. Just don't be surprised, let alone shocked, when this sort of thing blows up and your data is lost. It WILL happen, and the signs are, increasingly frequently, and about the ONLY thing that will protect you is when public anger makes the business risk of not devoting adequate money and resources to customer data security so serious that boards give it the funding it deserves.

    For that reason, I hope this cripples TalkTalk or puts them out of business entirely. Just maybe, a really serious backlash would motivate others. It looks like good times coming for security consultancies. Maybe I ought to start one, called Paranoia Ltd.

    But right now, them taking our security seriously is simply another unwelcome, and avoidable, overhead.

    I mean, even after a couple of days investigating, TalkTalk's MD doesn't even seem to know what was and wasn't encrypted? Their IT guys/gals ought to have been able to tell her that in 5 minutes. The fact that they couldn't, and that the MD clearly hadn't taken this seriously despite two previous incidents (this year, IIRC), screams of negligence and/or gross incompetence to me.

    So TalkTalk got burned, along with 4m customers. But what grounds are there for believing any other large company, never mind small ones without the same resources, are any better?

    Nobody should be complacent about this.

  5. #21 MrNeil

    http://www.bbc.co.uk/news/uk-34627541

    Not as bad, they say!
    My opinion is that TT took all the right actions, and I think the media made things spin a bit, like they always do.

    If there is a problem behind the door, then keep it locked until the problem is sorted. They did that!

    This is my opinion!

  6. #22 peterb

    While no-one should be complacent, it is worth remembering that every time you write a cheque, you are disclosing your bank account name, number and sort code. However the authentication mechanism is your signature and the possession of those details does not enable remote access to the funds in your account.

    A credit card number on its own is of limited use. For cardholder-present transactions, you need either a PIN or a signature, and a signature-based transaction will require authorisation, which may not be granted, depending on circumstances. Credit card issuers have fairly sophisticated mechanisms for detecting fraudulent activity. For Cardholder Not Present (CNP) transactions the authentication method is the CVC number, often augmented by the Visa or MasterCard verification system. There is a caveat in that it assumes the retailer is PCI (Payment Card Industry) security compliant, which does not permit recording of CVC numbers.

    To re-emphasise, that is not a cause for complacency, but just to add a little perspective to it.

    I said in an earlier post that I wondered how many fraudulent claims for compensation would be entered on the back of this - a comment prompted by a news item where someone claimed to have had their bank account emptied as a result of this latest leak - reported with glee by the media, without apparently looking into the precise circumstances.

  7. #23 Dave_07

    Whilst TT did some things I definitely do not agree with during this scenario, I'd have to say that, on the whole, I personally believe they handled things with a degree of moral honesty that, to be honest, I have not seen many other companies engage in to a similar extent. That said, I definitely think they got lucky with how much info was eventually deemed to have been accessed. I just really hope they take this whole thing as a huge wake-up call and become much more aggressive in their security practices.

  8. #24 Admin (Ret'd)

    Quote Originally Posted by Dave_07:
    Whilst TT did some things I definitely do not agree with during this scenario, I'd have to say that, on the whole, I personally believe they handled things with a degree of moral honesty that, to be honest, I have not seen many other companies engage in to a similar extent. That said, I definitely think they got lucky with how much info was eventually deemed to have been accessed. I just really hope they take this whole thing as a huge wake-up call and become much more aggressive in their security practices.
    Is it moral honesty, or pragmatic PR?

    Any decent PR person will tell you that it's far better to be ahead of press reports than playing catch-up, looking like every admission has to be dragged out of you. It's also better to initially say "potentially really bad" and then be able to follow up with "not as bad as we thought", than to underplay it, then have to keep coming back with another bit of bad news. This is for two reasons: the former looks more honest; and expectations management means that painting it bad scares people, then they're relieved when it turns out not so bad.

    Also, I'm cynical when initially it's "potentially all customers". That "potentially" leaves wriggle room. Now, we're getting a very vague "not as bad". So, instead of 4m people, is it 100k? Or a 'mere' 1m? Or 2m?

    If they said 1m and it turned out to be 2m, it's a PR nightmare. If they said 4m, and it turns out to be even 3.9m, it's "not as bad".

    Maybe they're acting on a moral basis, but I think it's more likely they got good PR advice. After all, if they were that moral, they'd have made sure after the first two breaches this year that their procedures, systems and defences were state of the art.

    So I'm more cynical. I think they just knew this was really, REALLY bad from a PR perspective, and did the best damage limitation they could. That, they've certainly done well.

  9. #25 Banned

    The media will look for new prey. People will forget about it. Life moves on.

    To paraphrase the above :-

    You are a total mong if you actually think any data (computer or paper based) is secure. Some may be more secure than others, but the reality is that if people want it, they can always get it.

  10. #26 MrNeil

    Always the same!

    Damned if you don't and damned if you do! They are not going to win either way, so you'll never know the true extent of it all!

    I'm still happy with them; I got the email and was given all the ongoing updates keeping me informed!

  11. #27 The Hand

    With regards to corporate PR, one of the wonderful ways a certain mobile/telecoms company used to disguise the number of customers affected by a certain issue, was to describe millions of customers as "many hundreds of thousands"... misleading but not necessarily inaccurate..

  12. #28 Banned

    Ask yourself the question... would you prefer to know or not?

    If you prefer to know, then you get this fiasco.

    If you prefer not to know, you simply have no idea.

    * option 2 happens to you more than you think.

  13. #29 MrNeil

    http://www.bbc.co.uk/news/business-34631555

    Happening again, but with Barclays?

  14. #30 Admin (Ret'd)

    Quote Originally Posted by abaxas:
    Ask yourself the question... would you prefer to know or not?

    If you prefer to know, then you get this fiasco.

    If you prefer not to know, you simply have no idea.

    * option 2 happens to you more than you think.
    I go with option 3 - assume that any available data is, at a minimum, at risk so minimise what data is available. They can't lose what they don't have.

    For instance, buy computer bits at one place, and the relevant data can only be lost if that place is hit. Buy it from 10 places, and you lose it if any of the 10 are hit. Buy from a local supplier, pay in cash, and they don't have any personal data to lose.

    Yes, you might pay a bit more, but that's the price. It's a choice of whether it's worth it.

    It's impossible to eliminate all risk, but we can reduce our exposure profile .... if we care enough to bother. I do.

    Oh, and Peter, it's not just about card payments or accessing bank accounts. Indeed, it's not primarily about that, IMHO, because while it'll cause hassle, you would normally be reimbursed. More malicious is that increased levels of data increase ID theft risks, and that is far more pernicious. We also don't know what happens to data once compromised, but presumably it's sold on, multiple times. We don't know to whom, and for what. We also don't know what level of combining goes on with data from other sources. But if some corporates combine data from multiple sources, it's probably unreasonable to assume serious criminal enterprises don't. So, a bit of data here, combined with a unique identifier (like NI number) or a series of data items providing a unique combination (like name, address, DOB, etc.), can be combined with data purchased from previous (or future) hacks, maybe of a price comparison site you've used or, heaven help us, a credit check agency, and pretty soon you have a comprehensive picture for ID thieves to use.

    The onus is then put on us to be proactive to monitor things, as evidenced by TalkTalk offering 12 months free credit check service, and never mind that the lost data is out there permanently, never mind just 12 months.

    Our lives increasingly rely on digital data, and hence increasingly are at risk from attacks like this.

    Too many people hand over too much information without querying why they're being asked for it. I recently had a call from my utility company and, despite them calling me, they wanted me to provide a series of bits of data like DOB, mother's maiden name, etc., for 'security checks'. Well, they're beggar-all use for security if you give them out all over the place, companies stick it in their database and then get hacked. Next time a fraudster's asked for 'security data', they'll know ours.

    The ID check model needs seriously improving. Those particular items of data are already compromised beyond any serious credibility, yet as that call demonstrated, they're still used.

  15. #31 big_hairy_rob

    I would be surprised if this did not cost them significantly, however as the majority of their customers have picked them based on price, then I fail to see how these people would care either way.

    My perspective is that this has happened three times, or at least that's the number of times that it has been detected AND reported. I can't help but question how many other times incidents could have happened, and just why the company has not taken adequate action to prevent it happening again. Certainly it appears that the hackers hold the skills to break their fixes (if any have been carried out), so they need to tackle this problem a different way, or have game-changing sanctions imposed.

    I would be interested to know whether they had employed a penetration/security test after their previous incursions?

  16. #32 TheAnimus

    Quote Originally Posted by directhex:
    "We don't support HTTPS under any circumstances" is a pretty core issue, and unrelated to choice of dev framework
    They did use SSL, just not everywhere, and their implementation was bad.

    I would say that framework choice has a part to play in this. Some frameworks' 'dev mode' cannot be used in a production environment easily, with things like denying any request that isn't from the same machine as the default config, then requiring SSL for login, say. But you can also have your framework/hosting environment defaults secure too; most people, myself included, don't know which SSL modes are 'safe' to use, so we just use the default or what some reputable source says is best practice. Why would a framework, say, enable TLS_RSA_EXPORT_WITH_DES40_CBC_SHA by default? It's apparently weak. For example, MS disable SSLv3 and below by default, yet some SSL hosts do not.

    People often say that languages and frameworks shouldn't have the blame because the users are using them badly. It's true in a way: a bad developer will always manage to do things badly, but the language can make it harder than doing things the better way.
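The cipher-suite point in the post above is one you can check mechanically rather than trusting whatever the framework or host ships. The Python below is an added example (not code from the original thread, and nothing TalkTalk or any framework actually ran): it audits a configured suite list for the weak classes mentioned (export-grade, DES, RC4, NULL and anonymous suites, MD5) plus missing forward secrecy, and builds an ssl.SSLContext whose floor is TLS 1.2 with an explicit allow-list, so the defaults no longer matter. The WEAK_MARKERS table and the LEGACY_CONFIG list are constructed for the illustration; the suite names in them are real IANA names, but the list is not any real operator's configuration.

```python
"""
Added example: audit a TLS cipher-suite list for weak defaults and build an
ssl.SSLContext with an explicit policy instead of trusting framework defaults.
Handles both IANA names (TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) and OpenSSL names
(EXP-DES-CBC-SHA). Python 3.7+ (ssl.TLSVersion / SSLContext.minimum_version).
"""
import ssl

# Substrings that mark a suite as unacceptable. This table is constructed for
# the example; it covers the classes audit tools flag, not the whole registry.
WEAK_MARKERS = (
    "EXPORT", "EXP-",          # export-grade (40/56-bit) key material
    "DES",                     # single DES, DES40 and 3DES (DES-CBC3 / 3DES_EDE)
    "RC4", "RC2",
    "NULL",                    # no encryption or no MAC
    "ANON", "ADH", "AECDH",    # anonymous key exchange: no server authentication
    "MD5",
)

# Constructed example of a legacy server's suite list: an illustration of the
# kind of default the post complains about, not any real operator's config.
LEGACY_CONFIG = [
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def is_weak(suite: str) -> bool:
    """True if the suite name contains any weak marker (case-insensitive)."""
    name = suite.upper()
    return any(marker in name for marker in WEAK_MARKERS)


def lacks_forward_secrecy(suite: str) -> bool:
    """True if the key exchange is static RSA/DH/ECDH, i.e. no (EC)DHE.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key
    exchange, so they pass regardless of name.
    """
    name = suite.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return False
    return "DHE" not in name  # matches both DHE- and ECDHE-


def audit_suites(suites):
    """Classify a suite list into (weak, no_pfs, ok) lists, order preserved.

    A weak suite is reported only as weak, even if it also lacks PFS.
    """
    weak, no_pfs, ok = [], [], []
    for suite in suites:
        if is_weak(suite):
            weak.append(suite)
        elif lacks_forward_secrecy(suite):
            no_pfs.append(suite)
        else:
            ok.append(suite)
    return weak, no_pfs, ok


def hardened_context() -> ssl.SSLContext:
    """Server-side context with an explicit policy rather than the default.

    TLS 1.2 is the floor (SSLv3, TLS 1.0 and 1.1 are refused) and only
    ECDHE + AEAD suites are offered for TLS 1.2. Loading the certificate and
    key is left to the caller via ctx.load_cert_chain().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: allow-list first, then belt-and-braces exclusions.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_is_clean(ctx: ssl.SSLContext) -> bool:
    """Re-check a context against the same policy the audit applies."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak, no_pfs, _ = audit_suites(names)
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not weak and not no_pfs


if __name__ == "__main__":
    weak, no_pfs, ok = audit_suites(LEGACY_CONFIG)
    print("weak   :", weak)
    print("no PFS :", no_pfs)
    print("ok     :", ok)
    print("hardened context clean:", context_is_clean(hardened_context()))
```

Run against LEGACY_CONFIG, the first four suites come back as weak, the static-RSA AES suite as lacking forward secrecy, and only the ECDHE GCM suite as ok. The same audit_suites() is then turned on the hardened context's own get_ciphers() output, which is the check worth wiring into a deploy pipeline: it catches a host or library update that quietly widens the suite list.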
