
TalkTalk cyber-attack: boy, 15, arrested in Northern Ireland - paublyrne
http://www.theguardian.com/business/2015/oct/26/talktalk-cyber-attack-boy-15-arrested-in-northern-ireland
======
pascalmemories
TalkTalk spent the weekend in full PR mode claiming the attack was the work of
cyber jihadis[0] and suggesting huge resources were used to target and
overcome their defenses (i.e. the "no-one could have withstood this sort of
attack" defense) and then switched to a defense of "no legal requirement to
encrypt customer financial data" when people got upset about their bank
details being pilfered[1] and reports of bank accounts being emptied started
to emerge.

Now we find out the likely candidate is a spotty teenager. I wonder how
TalkTalk plan on trashing this kid now.

[0] [http://www.standard.co.uk/news/crime/talktalk-hack-by-cyber-jihadi-group-sees-personal-data-of-millions-leaked-a3097661.html](http://www.standard.co.uk/news/crime/talktalk-hack-by-cyber-jihadi-group-sees-personal-data-of-millions-leaked-a3097661.html) plus many others

[1] e.g. [http://www.theregister.co.uk/2015/10/26/talktalk_crypto_obligation/](http://www.theregister.co.uk/2015/10/26/talktalk_crypto_obligation/)

------
aembleton
Paul Moore covered their weak security a year ago [1]. Worth a read. I've
always avoided TalkTalk because they keep sending me junk mail reminding me
that they offer free broadband if I take out a phone package, etc. It just
screams race to the bottom.

1. [https://paul.reviews/value-security-avoid-talktalk/](https://paul.reviews/value-security-avoid-talktalk/)

~~~
pbhjpbhj
>free broadband if I take out a phone package //

Monthly phone has been about £18-22 per month for a few years, whilst
broadband has been <£5 per month. Once you have the phone they're in profit,
the cost of sending you a router has to be a few quid, paid for in the first
month. I don't know what wholesale bandwidth costs but I can't imagine they
can lose. They want you on broadband with them so that you don't move to
another provider, it locks you in to their phone for 2 years [standard
contract period in UK at the moment] securing them a profit.

Once you have the broadband they heavily push their TV packages.

Yes it's a race to the bottom but for POTS with broadband everything beyond
your home socket to their servers is the same as with any other standard
provider AFAICT.

They don't appear to do that much for their av. package x ~4.3 million
customers per month gross income; there should be considerable competition at
the low end for what is essentially a commodity.

WRT the review, I wouldn't use an ISP for my email provision but that's based
primarily on lock-in; the company have https for their account pages and such
(the Thawte cert is dated April 2014 FWIW).

------
Zikes
> TalkTalk said it would only let customers leave without penalty in the
> “unlikely event that money is stolen from a customer’s bank account as a
> direct result of the cyber-attack”.

Man, I would hate to get stuck with the carrier that got breached for "bank
details and personal information of its four million customers" by a 15 year
old kid. That sort of lack of security should in and of itself constitute a
severe breach of customer trust and confidence.

~~~
vegabook
Not sure that 15-year-old kids are any less competent at hacking than adults.
What they may lack in experience, they compensate for with a fresh, original
mind, and nothing-to-lose. We've seen this picture many times before. I'd
suggest that TalkTalk would be _less_ competent if the hacker had been a
greybeard rather than a kid, because greybeard's IT stack and MO is
entrenched, conventional, and defendable-against, unlike Kiddo over here whose
mind will skateboard around the pros leaving them standing.

~~~
radicalbyte
Going by Krebs' analysis of the attack [1] it would appear that the breach was
a run-of-the-mill SQL Injection attack. Proper security 1-0-1 stuff.

[1] [http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/](http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/)

~~~
monksy
You would be surprised... There are startups out there who say "we don't care
about an attack, we're too small... we're going to write all of our SQL by
hand."

~~~
0942v8653
Just because they "write all of [their] sql by hand" doesn't mean they will be
vulnerable to an attack as simple as this. This is just pure and unmitigated
incompetence.

~~~
tsotha
Yes. Preventing SQL injection attacks is very, very easy. To have something
like that in your code in 2015 is inexcusable.
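The fix the commenters are alluding to is parameterised queries. The following is an added example, not code from the thread, from TalkTalk or from the Krebs article; it uses Python's built-in sqlite3 module with a constructed in-memory customer table, and contrasts a string-built lookup (the flaw) with a parameterised one (the mitigation). Everything in it, table, rows and function names, is assumed for illustration.

```python
import sqlite3

# Constructed sample data standing in for a customer table. Nothing here comes
# from TalkTalk or the article; it exists only so the example runs offline.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened pattern: a parameterised query. The driver passes the value
    separately from the statement, so the input is only ever compared as data
    and can never become part of the SQL."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def breaks_on_apostrophe(conn):
    """A legitimate address containing an apostrophe is enough to break the
    string-built query with a syntax error. Such errors surfacing in
    application logs are one of the cheapest signals that this flaw exists."""
    try:
        lookup_unsafe(conn, "o'brien@example.com")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both lookups against a normal address and a textbook crafted input,
    returning the rows each one produces so the difference is visible."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # the classic tautology; only data to lookup_safe
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice@example.com"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # returns every row
        "safe_normal": lookup_safe(conn, "alice@example.com"),
        "safe_crafted": lookup_safe(conn, crafted),  # no such email: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
    print("apostrophe breaks unsafe query:", breaks_on_apostrophe(make_db()))
```

The point to take from the output is that `lookup_safe` treats the crafted string as an email address nobody has, while `lookup_unsafe` hands back the whole table; the same one-line change (placeholder plus a parameter tuple) is available in every mainstream database driver and ORM, which is why the commenters call this "security 1-0-1".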

------
paublyrne
I immediately thought of Jonny Lee Miller's character in Hackers, who is
caught in a major hack as a child and banned from using computers until he is
over 18.

Of course it is now many times more difficult to avoid computers than it was
in the early 1990s.

~~~
dominicgs
Samy Kamkar was banned from using a computer for three years in 2006
[https://en.wikipedia.org/wiki/Samy_Kamkar#Samy_worm](https://en.wikipedia.org/wiki/Samy_Kamkar#Samy_worm)

~~~
pyvpx
The USSS evidence sticker on his PowerBook was a real conversation starter.

------
just_curioussss
Imagine what would happen if serious hackers decided to go after this company.
Maybe they will implement https this time.

The kid exposed a major security problem and overall helped everyone, even the
company in the long term.

~~~
cm2187
Unless he turned himself in, he didn't expose a security problem, he exploited
a security problem.

~~~
marrs
He exploited and exposed it.

------
seccess
Man, I have some real cognitive dissonance when it comes to physical versus
cyber crimes. If someone were to leave their car unlocked then have items
stolen out of it, I would find the criminal despicable; people make mistakes
and don't deserve to be robbed for it. When a company leaves its data
vulnerable and someone steals from it, I find the company despicable, as if
they were "asking for it". Apparently the hacker was trying to extort
TalkTalk, so it's hard to sympathize with him, but I still find myself blaming
TalkTalk first. It's really hard to know what the right attitude towards these
breaches is supposed to be.

~~~
just_curioussss
Your comparison is not analogous. It should be: a car owner that left the car
unlocked with a bunch of private information inside.

~~~
aidos
I hadn't considered that angle before. That helps me reconcile it – imagine
it's health records left more or less unattended.

