Hacker News new | past | comments | ask | show | jobs | submit login
TalkTalk cyber-attack: boy, 15, arrested in Northern Ireland (theguardian.com)
38 points by rocketbop on Oct 26, 2015 | hide | past | favorite | 45 comments

TalkTalk spent the weekend in full PR mode claiming the attack was the work of cyber jihadi's[0] and suggesting huge resources were used to target and overcome their defenses (i.e. the "no-one could have withstood this sort of attack" defense) and then switched to a defense of "no legal requirement to encrypt customer financial data" when people got upset about their bank details being pilfered[1] and reports of bank accounts being emptied started to emerge.

Now we find out the likely candidate is a spotty teenager. I wonder how TalkTalk plan on trashing this kid now.

[0] http://www.standard.co.uk/news/crime/talktalk-hack-by-cyber-... plus many others [1] e.g. http://www.theregister.co.uk/2015/10/26/talktalk_crypto_obli...

Paul Moore covered their weak security a year ago [1]. Worth a read. I've always avoided TalkTalk because they keep sending me junk mail reminding me that they offer free broadband if I take out a phone package, etc. It just screams race to the bottom.

1. https://paul.reviews/value-security-avoid-talktalk/

>free broadband if I take out a phone package //

Monthly phone has been about £18-22 per month for a few years, whilst broadband has been <£5 per month. Once you have the phone they're in profit, the cost of sending you a router has to be a few quid, paid for in the first month. I don't know what wholesale bandwidth costs but I can't imagine they can lose. They want you on broadband with them so that you don't move to another provider, it locks you in to their phone for 2 years [standard contract period in UK at the moment] securing them a profit.

Once you have the broadband they heavily push their TV packages.

Yes it's a race to the bottom but for POTS with broadband everything beyond your home socket to their servers is the same as with any other standard provider AFAICT.

They don't appear to do that much for their av.package x ~4.3 Million customers per month gross income; there should be considerable competition at the low end for what is essential a commodity.

WRT the review, I wouldn't use an ISP for my email provision but that's based primarily on lock-in; the company have https for their account pages and such (the Thawte cert is dated April 2014 FWIW).

> TalkTalk said it would only let customers leave without penalty in the “unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack”.

Man, I would hate to get stuck with the carrier that got breached for "bank details and personal information of its four million customers" by a 15 year old kid. That sort of lack of security should in and of itself constitute a severe breach of customer trust and confidence.

Not sure that 15-year-old kids are any less competent at hacking than adults. What they may lack in experience, they compensate for with a fresh, original mind, and nothing-to-lose. We've seen this picture many times before. I'd suggest that TalkTalk would be less competent if the hacker had been a greybeard rather than a kid, because greybeard's IT stack and MO is entrenched, conventional, and defendable-against, unlike Kiddo over here whose mind will skateboard around the pros leaving them standing.

Going by Kreb's analysis of the attack [1] it would appear that the breach was a run-of-the-mill SQL Injection attack. Proper security 1-0-1 stuff.

[1] http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded...

You would be suprised... There are startups out there who say "we don't care about an attack we're too small... we're going to write all of our sql by hand."

Just because they "write all of [their] sql by hand" doesn't mean they will be vulnerable to an attack as simple as this. This is just pure and unmitigated incompetence.

Yes. Preventing SQL injection attacks is very, very easy. To have something like that in your code in 2015 is inexcusable.

It's not just startups. The stuff I've seen at some very large companies would make you cringe.

As a colleague developer of mine says: I don't want any of my personal information on the internet because I know how developers think.


fair enough, though I think the idea that 15-year-olds are somehow to be dismissed as greenhorns is incorrect. We surely have a disproportionate distribution skewed towards the young among the hackerati, even if we take into account the fact that 50+ age groups didn't have computers in their childhood.

When you combine the potential lack of punishment for juveniles with the biological reality that prefrontal cortex development in adult humans doesn't really complete until the mid twenties, you get teenagers who don't think bad outcomes are possible, and whose brain is less capable of long term risk assessment.

I would think that the 50+ crowd would be far more hampered by their risk assessment of the negative outcomes of these behaviors than by their skillsets alone.

A teen is in it for the lulz, or the glory, or whatever, but a greybeard could lose his retirement, leave his spouse high and dry, lose his ability to see and support his family...

So they're less risk averse even if they're less competent. Probably right. Though I think there's also something intellectually liberating about having no risk constraints, which might allow for attack vectors that are unconventional.

What you should be really afraid of is 50 year olds without risk aversion. Like the decision-makers at banks, politicians who will never personally go to war or the welfare line, etc.

I totally agree. The stuff I myself was doing at 15 was more sophisticated than the "security consultants" I talk to professionally even consider.

At that age you have intelligence, lack of considering consequences and importantly lots of time. That's a dangerous combination.

15 year olds also have a hell of a lot of time to invest in whatever takes their fancy. Never underestimate the single minded focus of an inquisitive teenager!

> they compensate for with a fresh, original mind, and nothing-to-lose

And time.

but mostly a false sense of invulnerability.

Man, when I think back to the stupid things I did on the internet as a teenager that simply earned me a glare or a stern warning email.... I'm so glad I was a teenager in the 90s, because if I'd done that shit today, I'd be in jail.

> because greybeard's IT stack and MO is entrenched, conventional, and defendable-against

this is utterly ridiculous

What is ridiculous about it? I have been coding for 30 years and am happy to pronounce that younger coders have a far more nimble mind than me. I'll destroy them on complex software engineering but I'm constantly impressed by their innovations. Anybody who finds this "ridiculous" is either a rare evergreen genius, or more likely, self-satisfyingly complacent.

I'm quite young and I'm curious about those "innovations" myself.

So you're still writing code in Delphi or maybe Zortech C++ ?

We're still shipping Delphi, yes.

try Reddit. Your (zero insight) posts are not constructive here.

I think his point was you don't to be "entrenched" in an old stack.

How "nimble" your mind is really isn't important, and surely you don't think that a 15 year old can be more competent than you in a given stack.

It's just that you're not exposing yourself to the new stacks.

If it was my job to penetrate remote systems, you can bet that I wouldn't still be using the same stack and MO I was 30 years ago, in the just the same way that I'm not using an Amiga.

The OP is ridiculous that it cannot be imagined that someone needs to be a child to break into systems.

I'm at University and I run rings around my 20 something cohort.

The point is not that one needs to be a teenager ("child") to break into systems. None of what I have said is incompatible with the assertion that older coders have more skills, a point with which I agree. However it is not a contradiction to say that innovation does not require huge experience, and indeed is sometimes hampered by it.

I still stand by my original assertion :

> because greybeard's IT stack and MO is entrenched, conventional, and defendable-against

this is utterly ridiculous

I stand by my original assertion:

> this is utterly ridiculous

A vacant comment devoid of insight, by a self-satisfied person oblivious to their predisposition to complacency.

our HN colleagues think otherwise

I immediately thought of Jonny Lee Miller's character in Hackers, who is caught in a major hack as a child and banned from using computers until he is over 18.

Of course it is now many times more difficult to avoid computers than it was in in the early 1990s.

Samy Kamkar was banned from using a computer for three years in 2006 https://en.wikipedia.org/wiki/Samy_Kamkar#Samy_worm

the USSS evidence sticker on his PowerBook was a real conversation starter.

Imagine what would happen if serious hackers decided to go after this company. Maybe they will implement https this time.

The kid exposed a major security problem and overall helped everyone, even the company in the long term.

They didn't use https? That will teach me not to read the article.

Talk Talk are negligent, I hope a newspaper covers that angle.

Unless he turned himself in, he didn't expose a security problem, he exploited a security problem.

He exploited and exposed it

Man, I have some real cognitive dissonance when it comes to physical versus cyber crimes. If someone were to leave their car unlocked then have items stolen out of it, I would find the criminal despicable; people make mistakes and don't deserve to be robbed for it. When a company leaves its data vulnerable and someone steals from it, I find the company despicable, as if they were "asking for it". Apparently the hacker was trying to extort TalkTalk, so its hard to sympathize with him, but I still find myself blaming TalkTalk first. Its really hard to know what the right attitude towards these breaches is supposed to be.

For me, it's not a question of physical vs cyber, it's securing your own vs securing other's stuff.

If I paid for a car parking service that had the practice (not a one time incident) of leaving all their clients' cars unlocked, I'd definitively find them despicable.

While at the same time, if someone was hosting their own little personal server and forgot to apply a security patch and someone hacked it and used it for spam or as a botnet, I'd find the attacker despicable.

It's more akin to a bank not protecting their clients assets. It doesn't make the robber less of a criminal but doesn't make it ok for the bank.

Perhaps class actions against negligent companies with big payout would push their insurers to breath down their neck and would result in better security.

But make no mistake, the #1 problem is incompetence among developpers. I am sure it's not a direct order from the CEO to code in a way that leaves them exposed to sql injections. It doesn't cost more money to use a parameterized query. It's just that so many people call themselves developpers and simply just don't have a clue.

Your comparison is not analogous. It should be; a car owner that left the car unlocked with a bunch of private information inside.

I hadn't considered that angle before. That helps me reconcile it – imagine it's health records left more or less unattended.

There are two crimes. One is theft, the other negligence.

Negligence in this incident is a civil issue, not criminal.

Please take a moment to actually read the Data Protection Act 1998.


75 matches for 'offence' on that page.

Sections 61 and 47 are particularly relevant. European data protection legislation really does have teeth, though the Commissioner has to have the will to use it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact