Saturday 24 October 2015

TalkTalk's pathetic attitude to security

Over the past few days it has emerged that TalkTalk have been subjected to a "sustained cyber attack", if you believe the way it's told in the news.

That may be superficially true, but the rest of the story may be a little less appealing for TalkTalk and its customers. Based on a number of different security sources I've read, it appears that the site was actually attacked using a technique called "SQL injection". The first thing to say about that sort of attack is that it is an incredibly basic one that ANY website backed by a database should protect against, and protecting against it isn't difficult: you use parameterised queries (prepared statements) so that user input is passed to the database as data, never pasted into the text of the SQL itself.

The next important thing to know is that this isn't an isolated incident for TalkTalk. The rather incredible fact is that this is the third time they've been hacked and lost data in the past 12 months, that we know of! For the most serious of those hacks (in terms of the quantity of data lost) to have been caused by such basic programming mistakes shows that nobody at any level of their organisation is taking data security seriously enough, and heads should definitely roll.

Based on data leaking out onto the internet, it looks like TalkTalk didn't encrypt much (if any) of the data. In fact there are already plain text passwords appearing in data that is reported to be from the attack. Passwords should never be stored in a recoverable form at all; the standard practice is to keep only a salted, slow hash of each password, so that even a full dump of the database does not hand the attacker the passwords themselves. Given that the majority of people take a terrible approach to passwords, a very large percentage of those customers will have used the same password for other websites, and that's where the real pain can start.
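To make the two points above concrete, here is an added example (my own illustration, not code from TalkTalk or from any report on the attack): a login check written the bad way, with the SQL built by string formatting over a table of plain text passwords, beside the same check done properly with a parameterised query over salted PBKDF2 hashes. The user names, passwords and table names are constructed for the demonstration and the database lives in memory, so it runs offline.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (hypothetical, for the demonstration only).
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256: a salted, deliberately
    slow hash, instead of the plain text passwords the leaked data contained."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def build_db():
    """Create an in-memory database with the same accounts stored two ways:
    plain text (how not to do it) and salted hash (how to do it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (name TEXT, salt BLOB, hash BLOB)")
    for name, pw in USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (name, salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The bad way: the query text is assembled from user input, so a quote
    in the input ends the string literal and the rest becomes SQL. A name of
    "alice' --" comments out the password check entirely."""
    sql = ("SELECT name FROM users_plain "
           "WHERE name = '%s' AND password = '%s'") % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """The right way: the '?' placeholder sends the name as a bound parameter
    (never as SQL), the stored value is a salted hash, and the comparison is
    constant-time so the check leaks nothing through timing."""
    row = conn.execute(
        "SELECT salt, hash FROM users_hashed WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return name if hmac.compare_digest(candidate, stored) else None


def stored_secrets(conn):
    """What an attacker who dumps each table actually gets: the real
    passwords from the plain table, only opaque hashes from the other."""
    plain = [r[0] for r in conn.execute("SELECT password FROM users_plain")]
    hashed = [r[0] for r in conn.execute("SELECT hash FROM users_hashed")]
    return plain, hashed


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected name:", login_vulnerable(db, "alice' --", "x"))
    print("safe, injected name:      ", login_safe(db, "alice' --", "x"))
    print("safe, real credentials:   ", login_safe(db, "alice", "correct horse"))
```

The injected name logs in as alice against the vulnerable function without knowing the password, and the same input is simply an unknown user to the parameterised version. Dumping the hashed table yields nothing a customer could have reused on another site, which is exactly the protection the leaked plain text passwords lacked.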

TalkTalk said "a distributed denial of service (DDoS) attack - one that overwhelms a website with traffic, taking it offline - was used as a smokescreen for the attack". The thing I find strange about that statement is that a DDoS attack has no bearing on whether a SQL injection attack is possible: flooding a site with traffic may keep an operations team busy and bury the injection attempts in log noise, but it does nothing to make an injectable query injectable. The query was vulnerable before, during and after the flood, so that explanation seems itself to be a smokescreen for the press and public.

The last bit of this whole situation that's bothering me is that the Institute of Directors have called for "urgent action to tackle cyber-crime", which the press seem to be reporting as if the Government need to do something. I don't know how the IoD actually meant it, but it's businesses that need to protect themselves.

This attack is like TalkTalk leaving the doors to their headquarters unlocked while the premises are empty all night and then being surprised when they return in the morning to find they've been burgled. There are definitely things that all businesses should be doing to protect themselves, but if they can't get the absolute basics right then they're all screwed!
