rashbre central: don't talktalk about it

Saturday, 24 October 2015

don't talktalk about it


CBBC star Hacker T Dog.
The current hack into TalkTalk's website creates an interesting taste of living in the cloud. The perpetrators are now claiming to have 4 million customer records and apparently have even issued a ransom note like something from a TV plot.

We've all got far more data than we care to think about lodged away in systems which increasingly work in the cloud. Part of that is because we all also want to be able to access these systems from smartphones and browsers, rather than sit on interminably long calls to so-called help desks.

Another reason is because industry is all being persuaded that it is economically sound to put their systems into cloud computing environments.

Systems like Google also progressively tie all our data together, so that even if you want to have a separate personal and professional appearance in the internet, the G+ robots will eventually catch up.

I use one of those automatic password generators for my own access to systems. It comes up with passwords along the lines of:

ryeX-Uc-bEv-jaw-oD-fIn-inG

And nope, I'm not actually using that one and I've selected randomised lengths too, so the syntax of my actual passwords will differ.

Of course I can't remember them all, and have to use 1Password to wrangle them.

The problem comes when people use passwords like -er- qwerty12345 or asdfg-0987 or password1992 or CFC4evva. It's because there's a high social engineering probability that this type of user will be using the same password elsewhere. So browsing through an unencrypted list of users, there'll be some that are probably easier to target, simply based upon the type of password they use.

Back to TalkTalk. The story goes that the hackers used a denial of service attack first as a diversionary tactic, whilst the slurping of data was taking place. The thieves even put up an extract of the data they stole onto a website to illustrate what they've done.

The data (if genuine) was still being displayed today, Saturday, some four days after the attack.

If I was John who drives taxis, Hadyn, Norma, Fraser, Catherine, Dolph or Amanda, amongst many others, I'd be pretty annoyed that my record was still on public display. If I was Ben or Rahmet, I'd be even more annoyed that my entire TalkTalk order was listed (update it's all still there on 26 Oct)

I'm not buying it though. Getting into a website is one thing. Like that opening sequence in Homeland the other day when the dodgy internet club managed to hack into the CIA. Then they immediately started downloading files that were at the core of the CIA's best secrets in Germany.

Yeah, right. It's sometimes hard enough finding files on one's own systems, let alone on a secret CIA station in Berlin.

But that seems to be what these hackers claim to have done as well.

Not only did they flood the TalkTalk system to make it run slowly, they then claim to have used this same period to get inside, and somehow find the exact files where the cellphone and SIM orders were kept, in clear (i.e. not encrypted format), and all comma delimited.

The method of intrusion as described is all a bit too tidy.

This smacks to me more of something purposeful conducted from inside TalkTalk's walls. It could be a whole lot simpler too. The conditions: Someone with access to the right files runs/introduces a pre-formed SQL query generating an Excel CSV (comma separated values) file and then downloads it to a memory stick, or via bluetooth to a phone.

This could be in a central location (operations or development), or possibly even from a helpdesk if there's local copies of the customer file. No wonder the class of tools to do these kind of dubious things are called Mole, Pangolin (scaly burrowing anteater) and Injector.

I guess it will all play out over the forthcoming days and weeks. It might also explain why the note accompanying the upload of the stolen data contains a message which says things like:

"We Have Made Our Tracks Untraceable Through Onion Routing, Encrypted Chat Messages, Private Key Emails, Hacked Servers."

Why bother to say These Things And With So Many Capital Letters? It's a bit like the villain's speech to explain the next logic jump to James Bond.

There's more, but it starts getting into a more lurid and fundamentalist area which I won't document here. The slightly juvenile style looks quite different from the increasingly common attacks on casino sites with distributed denial of service and BitCoin as ransom.

The eventual after-effect of this TalkTalk attack will probably be to create even more layers of security for not just TalkTalk's site, but everyone else.

Coincidentally, a few days ago I described a situation where a big commercial site had mis-transcribed my address in a way that meant they would only send things to a (wrong) address to Plot (wrong Number) in (wrong town) Shellsea in order to identify me.

A few days later I saw a different example on television, where (wrong name) Dr.Occupier was being incorrectly billed for electricity but could not change it because the security questions needed his/her name "Dr.Occupier" to be specified.

I suppose we can't have all this smartphone cloud access without the attendant security, so cue those sayings about the indolent falling prey to the active or about freedom, liberty and vigilance - I'm sure we'll be hearing them all over the next few days.

No comments: