Tuesday, October 27, 2015

TalkTalk breach: a comedy of security errors

TalkTalk has been breached; we know that much. What else we know about it is, in actual fact, very little indeed at this stage. We are in good company, of course, as anyone tuning into the myriad media appearances of the hapless TalkTalk CEO, Baroness Dido Harding, will appreciate that she, too, seems to know sweet diddly squat. In fairness, the start of any breach investigation is going to have more questions than answers; that is the nature of investigations, after all. However, Baroness Harding has managed to compound the image of TalkTalk as the corporate equivalent of a headless chicken by apparently not knowing the answer to anything. The BBC asked if credit card data was encrypted and Harding answered with “the awful truth is, I don’t know.” She told ITV that “this is a crime, a criminal has attacked TalkTalk systems and we are not the only ones, whether it is the US government, Apple, a whole host of companies. Cyber-crime is something we all need to get better at defending ourselves against.”

Certainly TalkTalk does, given that this is now the third serious breach in just 12 months. Back in December 2014, customers were exposed to scam calls from India-based con men, and in February 2015 more scam calls were reported after another breach involving what the company described as ‘non-sensitive’ information.

What we do know, from reading the various statements coming out of TalkTalk and analysing the interviews that have been given, is that the attack itself appears not to be anything particularly new or clever. Indeed, it seems to have a touch of the ‘Old Skool’ about it: no Advanced Persistent Threat tactics here, no zero-days being exploited to open a hole in the TalkTalk defences. Actually, ‘defences’ would appear to be the wrong word in the case of TalkTalk, which has pretty much proven itself to be lamer than a one-legged duck (and a sitting duck at that).
We know from what has been said that TalkTalk came under DDoS attack, and that this is a very common ‘smoke and mirrors’ tactic used to distract security teams from the real operational target, which, as far as this attack is concerned, was data exfiltration. Although purely speculation at this stage, there has been a lot of talk within the IT security industry that a simple SQL injection attack was used against TalkTalk. Ordinarily I would have thought this highly unlikely, given the size of the company concerned, the nature of the business it is in and the fact that it has been exposed to two successful (if smaller) breaches already during the past year. However, given that a well-briefed CEO (and if she wasn’t well briefed, why was she allowed anywhere near a TV camera or radio microphone?) could not confirm that data was encrypted, which most people will tell you is a pretty good indicator that it wasn’t, nothing can surprise me anymore.