According to BBC News, the phone and broadband provider has said hackers accessed up to 28,000 obscured credit and debit card details, with the middle six digits removed, and 15,000 customer dates of birth. It said any stolen credit or debit card details were incomplete - and therefore could not be used for financial transactions - but advised customers to remain vigilant against fraud. True in isolation, but nevertheless still information that will be of great value and used by those with malicious intent to build or carry out social engineering attacks.
The latest cyber-attack to affect the company is thought now to have begun as early as last month. It is the third time in less than a year the firm has been successfully targeted by hackers. TalkTalk faces hacking compensation bills running into millions. Whatever happens to its share price (a measure of what financial markets think of the problem), consumers and Government have already taken a dim view of the hack. MPs will launch an inquiry into the attack, with culture minister Ed Vaizey saying the government is not against compulsory encryption for firms holding customer data (see below).
We can’t say precisely what methods were used in the TalkTalk attack, but the fact a number of young people have recently been arrested suggests the company’s website was attacked via the internet from outside; perhaps – although it’s not yet certain – by a relatively straightforward method such as script injection.
We don’t know yet how they did it, but a DDoS (Distributed Denial of Service) attack followed by SQL injection script injection has been publicly suggested as the modus operandi in this particular attack. [Source: TalkTalk hack: what you need to know]
Script injection / SQL injection
A several classes of attacks commonly referred to as “injection attacks” including SQL injection, LDAP injection and others combined with “Cross-Site Scripting” (XSS) have become increasingly popular – especially with opportunistic hackers having access to “one-click” exploitation tools. Sound familiar? Unfortunately, the number of applications vulnerable to these attacks is quite frankly staggering, and the varieties of ways attackers are finding to successfully exploit them is on the increase. Our experience as penetration testers tells us that the majority of sites are vulnerable to many different methods and much of their content is at risk.
Cross-site scripting (XSS) attacks exploit vulnerabilities in web page validation by injecting client-side malicious script code. One common type, SQL injection, is where an attacker injects malicious SQL commands that that are then executed by the database.
Aleksander Gorkowienko, leading Penetration Testing team at 7Safe says: “Identification and exploitation of injection-type vulnerabilities by “script kiddies” is much easier these days. There are plenty of tools you can download from the web and then just press a button - the software would do the exploitation for you. This automatically increases the risk to be exploited many times. So if a web application or web service is vulnerable and is publicly available in Internet – you may be absolutely sure that someone would challenge the security features of your application. And this would happen rather sooner than later. That’s why routine penetration testing is a key for finding and eliminating serious security holes before hackers can find them”
Web application security testing
A web application security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. The test focuses only on an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found are presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution. [Source: OWASP].
Web application security testing methodology explains how to test for evidence of vulnerabilities within the application due to deficiencies with identified security controls. Experienced pen testers who specialise in website vulnerabilities know what to look for every time a new vulnerability is identified, because that is part of their job. They also know what the old vulnerabilities look like before they’re fixed, and often find them, year after year, in the same systems - only to be ignored again when they recommend they be fixed!
Problems like finding unencrypted confidential data as a result of an attack on websites like the one developed by TalkTalk are, sadly, all too common. The UK’s Information Commissioner’s Office gives sound advice on how to protect confidential personal data like bank account numbers and home addresses held on your database server:
“Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation’s security policy and using best practice methodologies such as using the International Standard 27001.” [Source: www.ico.org.uk page headed: Encryption].
And what does the ISO 27001:2013 standard say on the subject of data encryption? Its Clause 10.1, covering cryptographic controls, states:
“There should be a policy on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management.”
This is an obvious security gap that UK legislators should address in 2016.
Thoroughly testing for web application vulnerabilities is a ‘must do’. To quote SANS: “Having a second set of eyes check out a critical computer system is a good security practice”. Testing a new system before it goes on-line is quite simply an essential phase of the ‘app’ development process. A full penetration test will also give the IT department a chance to respond to an attack without inconveniencing consumers. These tests need to be repeated at regular intervals, or when there are significant changes to the business systems and processes, and not just once a year.
Painful Lessons for the C-Suite
“The events of the last two weeks are a perfect illustration of why the C-suite need cyber security expertise on hand to advise them when things go wrong, either in-house or using teams like ours," comments Stephen Bailey, Managing Consultant at 7Safe, a leading provider of cyber security and digital investigation advice, education and technical services to all technology-enabled organisations.
Stephen also cautions that companies should be very careful when speaking publicly that they don’t say anything that increases the chances of their customers becoming victims soon after a serious data breach. For example, a statement like “The email that we are sending out does have a link that clicks you through to our help site.” could cause more harm than good. It is much better to just tell people to go the website directly as it is far too easy to send/change an email so that the link looks genuine. Likewise, telling your customers on air to “Have a look at the header of the email and you will see the email address that it has come from and usually when you are getting a scam email it is not from what looks like a normal TalkTalk.co.uk email address” is especially dangerous in the circumstances. Stephen says: “It is incredibly easy to spoof your email address when you send an email. I will be very surprised if there aren’t hackers out there now trying to find TalkTalk customer email addresses to send them a phishing email where the from address says firstname.lastname@example.org.”
New data protection laws – not just Talk
In the opinion of many within the cyber security industry, the voluntary approach has failed to persuade most organisations to put in place even the basic cyber hygiene controls and penetration test so as to achieve acceptable levels of cyber resilience. The truth of this situation is experienced by pen testers virtually every working day, pointing to the problem: a failure to comprehend the likelihood and impact of the risk on businesses.
Regulation is tough love. But then who would want to be Dido Harding in recent weeks? The Guardian reports that “Regulators must be given significant new “US-style” powers to tackle the escalating problem of online fraud” – note “US-style” powers. Unless I am much mistaken, the USA is the hallowed home of free-market economics, and if they think legislation is needed, then the UK must surely follow?
Former home office minister Hazel Blears said the TalkTalk data breach was "a wake-up call". She said it should prompt a debate about whether further regulation was needed "because this is probably the biggest threat to our economy".
It does look as though this breach has started a debate that could end in further legislation. And if nothing else, all CEOs will be taking note of the public cost of a cyber-attack.
Read more about developing your cyber capabilities by visiting the 7Safe website where you can download a 6-page brochure with ideas for combatting cybercrime:
For all enquiries contact: Michael Shuff, Marketing Executive, 7Safe, on +44 176 326 7639