TalkTalk Website Hit By Cyber-Attack

I'm assuming you are referring to DDoS attacks against end-users/broadband/fibre customers?
How are these "mitigated" if they (the target) still go offline during the attack?

Unless you mean contained as in it only affects the target and no other customers.

[EDIT] I don't mean to sound as if I'm doubting/going against what you say if that's how it comes across!

Old-fashioned DDoS mitigation such as RTBH (remotely triggered black hole filtering) will do exactly as you say, and simply take the host offline (which isn't really containing anything; it's just protecting the provider network against routing all the botnet traffic down to the egress broadband gateway, and relieving congestion).

But there are other solutions where suspect traffic identified as potential DDoS traffic can be redirected through a scrubbing farm and "cleaned", which is better for the end host, but more expensive and sometimes not as effective as advertised.

The really cool one is a newer technology known as BGP flowspec, where a controller inside the network can automatically apply policy to block only the exact DDoS source/destination/ports, and leave other traffic intact.

There are good working solutions out there that people have, but it is quite a difficult and ever-changing threat.
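To make the flowspec point concrete, here is an added example (mine, not the poster's, and not taken from any vendor's controller) that encodes the rule "discard UDP to 203.0.113.10, destination port 80" the way RFC 5575 carries it in BGP: a flowspec NLRI of typed components plus the traffic-rate extended community that tells routers to drop. The victim prefix, protocol and ports are constructed sample values.

```python
import ipaddress
import struct

# Flowspec component types (RFC 5575 section 4); components must appear in ascending type order.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6


def _prefix_component(ctype, prefix):
    """Type byte, prefix length, then only as many address bytes as the length needs."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """Encode 'equals any of these values': one (operator, value) pair per value, OR-ed
    together, with the end-of-list bit set on the last operator byte."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        width = 1 if v < 0x100 else 2 if v < 0x10000 else 4
        op = {1: 0, 2: 1, 4: 2}[width] << 4 | 0x01   # len in bits 5-4, eq flag in bit 0
        if i == len(values) - 1:
            op |= 0x80                                # e (end-of-list) flag
        out += bytes([op]) + v.to_bytes(width, "big")
    return bytes(out)


def flowspec_nlri(dst_prefix, proto, dst_ports):
    """NLRI for 'traffic to dst_prefix with IP protocol proto and destination port in
    dst_ports'. A one-byte length prefix is valid while the body is under 240 bytes."""
    body = (_prefix_component(DEST_PREFIX, dst_prefix)
            + _numeric_component(IP_PROTO, [proto])
            + _numeric_component(DEST_PORT, dst_ports))
    assert len(body) < 240, "two-byte length form not implemented in this example"
    return bytes([len(body)]) + body


def traffic_rate_discard(asn=0):
    """Extended community type 0x8006 (traffic-rate): 2-byte AS, 4-byte float rate in
    bytes/second. A rate of 0.0 means discard all matching traffic."""
    return struct.pack(">HHf", 0x8006, asn, 0.0)


if __name__ == "__main__":
    # Constructed victim (TEST-NET-3 address), UDP (protocol 17), port 80 flood.
    print(flowspec_nlri("203.0.113.10/32", 17, [80]).hex())
    print(traffic_rate_discard().hex())
```

Everything not matching all three components (the customer's HTTPS sessions, DNS replies, neighbouring customers) is untouched, which is the difference from an RTBH /32 that drops the host entirely.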
 
Ah, I'm assuming general broadband/fibre residential customers are just null-routed during the attack, rather than being routed elsewhere for any sort of inspection and filtering.


It's a shame to have to spend at least 10,000x what an attacker can spend to defend against such an attack.
 
What's the actual cost, and to what extent does it prevent issues like someone trying to DDoS you? So, say for a company of TalkTalk's size, then one of Overclockers' size, how much would they be spending on their whole web presence, and how much more would what you're talking about cost?

I don't generally do out and out costings tbh, and normally it depends who you are and who you're buying it from - that dictates the cost.

That said, for a large ISP you're talking probably £1-2M (very rough guess) for a full appliance-based solution; that would include professional services, design, installation and licensing. There would also be heavy support costs associated with maintaining it; it's not a cheap business, but I guess it's cheaper than being breaking news with 4 million customers waiting to claim damages around the corner.

For a smaller enterprise like OCUK there are lots of simpler "cloud"-based ways of doing it (stuff like Cloudflare etc.), but I have no idea on the cost; I suspect it would run into £20k-30k, but that's a very rough guess lol.

The problem really is traffic volume. A big ISP like TT will be carrying probably 1Tbps+ of traffic at peak time; to detect DDoS traffic mixed in with this AND redirect a portion of it for scrubbing is complicated and expensive (for obvious reasons). Most big service providers use something like Arbor to do the detection, then rely on null-routing (RTBH) automatically, because it's the most cost-effective way when you have enormous amounts of traffic.

Some ISPs have built filtering models where they have their own internal home-grown scrubbing farms: they use something like Arbor to detect the DDoS traffic, then internal policy to forward dodgy traffic through their own scrubbing farm to clean it (one of my colleagues has done a few of these for some ISPs).

Smaller enterprises tend to use the redirect/scrub model. I did a lot of work for some of the big airlines back in 2010 as they were being DDoSed quite regularly, and we were installing a combination of Verisign/Prolexic solutions, where you advertise a more specific network for the victim's subnet towards the internet with a next-hop of the scrubbing centre (located somewhere in the world); the "clean" traffic then makes its way down to the destination via a GRE tunnel (or something like that), but it often broke stuff more than it fixed lol.
 
Tried to change my password as advised by the message they sent earlier, but the website is down (understandably, I guess).

At least they are still able to send out bills :rolleyes:

 
Yeah they have to say there is a "chance" because their servers/database have been compromised.

The likelihood that the attackers have managed to extract credit card information would be relatively low, and I highly doubt that, if there was in fact credit card information stored, it would be in plain view to see; it will definitely be hashed/encrypted. If the encryption was not a common one like MD5 etc., then the algorithm would need to be found out and cracked anyway.

Not saying there isn't a chance though but I doubt anyone needs to worry about their financial information. The days are mostly gone where webshops keep CC info stored on their databases for reasons such as this, especially a big company such as TalkTalk.

We'll see!

Little would surprise me with TalkTalk. They do not hash or encrypt the passwords as (a) you can see the passwords in the sample data posted on pastebin and (b) they ask you for your password when you call them and, on a couple of occasions when I couldn't remember it exactly they said "close enough" and carried on with my enquiry.

The killer is that I would not normally have given them my bank details, but they refused to accept a credit card when I set up the account. And it had taken so long to select an ISP and get this far that I reluctantly agreed. I now wish I had not gone with TalkTalk. I regret it a lot.

And to the person asking if they still have ex-customers' data in there, I would lay money on it. Very concerned about this now.
 
It appears to have been an SQL injection vulnerability that led the attackers to steal this data. For those who don't know, normally an SQLi vulnerability is where input parameters passed via a web interface to a back-end database are not properly sanitized, and in this case the privilege level of the database account used by the web interface was likely higher than it should have been.

Don't want to teach fellow techies to suck eggs but sensible steps are:

[1] For your account with Talk Talk, if you use the same password ANYWHERE else then change the password on those accounts straight away (and while you're at it invest in a password manager service - just IMHO).

[2] If Talk Talk used any "security questions" (i.e. what was the name of your first pet) and you've re-used those answers on other accounts, change them straight away.

[3] Watch out for immediate phishing campaigns. These days they are quite decent; they may trick you into thinking the mails are from Talk Talk in response to this hack, or from another "involved" party like your bank, a credit score provider etc. For the time being, if in doubt ring the company that the email seemed to come from using a number from Google (not the one they provide in any email comms).

[4] In the medium term, once the data dump becomes public (assuming it does), if you want to check whether you're in the data dump use a trusted service like https://haveibeenpwned.com/ . You might want to try out your data skillz and search the data yourself; trust me, it's not worth it on large data dumps like these. It's easier to use a service like haveibeenpwned and save the days it might take to torrent the data down.

Given the samples, it does seem that Talk Talk did not encrypt users' passwords, which is just crazy these days. h4rm0ny's comments about them asking for password details and then saying the guess was "close enough", if true, mean they had access to your clear-text password, which is just insane.

It seems Talk Talk are already offering users a year's free credit monitoring; I suggest any Talk Talk users take this up, as rather than moniez being directly taken from your account (tricky these days with good monitoring by major banks), applications for credit using your details are more likely.

Lastly, if you are affected consider another ISP, any company that stores your details unencrypted doesn't deserve your hard earned cash IMHO.

Cheers

ul
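As an added illustration of the two defects described in that post (not code from the poster or from TalkTalk), here is a Python/SQLite sketch over constructed sample rows: the same tainted input returns every row through string-built SQL and nothing through a parameterised query, and an SQLite authorizer hook stands in for a web-facing database account that has been granted SELECT only.

```python
import sqlite3

# Constructed sample rows standing in for a customer table (not any real schema).
CUSTOMERS = [
    (1, "alice@example.com", "Alice", "01234 567890"),
    (2, "bob@example.com", "Bob", "01234 000000"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The defect the post describes: the request parameter is pasted into the SQL text."""
    sql = f"SELECT name FROM customer WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Parameterised query: the value travels separately from the SQL and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM customer WHERE email = ?", (email,))]


def restrict_to_reads(conn):
    """Least privilege for the web-facing account, simulated with SQLite's authorizer hook.
    On a real DBMS this is a separate login granted SELECT only on the tables the site needs."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def can_write(conn):
    """True if the connection is still allowed to modify customer rows."""
    try:
        conn.execute("UPDATE customer SET phone = '0' WHERE id = 1")
        return True
    except sqlite3.DatabaseError:   # SQLite reports 'not authorized'
        return False


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"                 # constructed malicious input
    print(lookup_vulnerable(db, tainted))   # every row comes back
    print(lookup_safe(db, tainted))         # no row has that literal email
    restrict_to_reads(db)
    print(can_write(db))                    # False: the site's account cannot alter data
```

Note that the read-only account does not stop the over-broad SELECT; it limits what a successful injection can reach, which is why the post lists sanitisation and account privilege as separate problems.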
 
If you are with TalkTalk, leave them; any company that uses bad security practices is not worth your time, day and money. All previous customers for up to a period of 6 years will be affected. The hackers have your details....

** edit **

If the same IT staff have carried out the fixes, more than likely there will still be serious security issues with their network and security practices... Do not use their services.
 
Unfortunately a lot of large orgs have this sort of mentality throughout anything IT related; some people still like using 10-year-old outdated computers running an outdated, unsupported operating system because apparently it "all still works", then when something goes wrong they're quick to blame IT.

Story of my life. Still using win 2k servers on our estate.
 
Have there been reports it was an SQL injection?

Really makes me sad that something relatively easy to prevent isn't secured in such a large company. Maybe PCI isn't stringent enough in this day and age.

O2 keep bugging me to set up a DD but between things like this and the £984 bill they randomly produced is enough to make me resist it.
 
Work was crazy today. Non-stop people calling up, checking to see if their bank accounts were safe. Not a single incident of fraud detected, at least so far.

Didn't stop half of them wanting new debit and credit cards :/
 
It's not been confirmed yet (and I doubt it will be unless the culprits / Talk Talk / incident response team decide to share the details), but the infosec twittersphere is pretty convinced it's SQLi (or at the very least a non-advanced actor), and they're usually on the money, to be honest. But obviously at this point it's more speculation than fact.

Adherence to PCI DSS does help protect sensitive data, but when you're Talk Talk I'd be shocked if they didn't have a SOC and a reputable infosec company doing regular audits, which, as you rightly point out, begs the question why such a simple technique could lead to this leak of 4 million people's details :( :eek:
 
Anyone know if I can leave over this breach without paying to get out? I only just renewed a few months ago.

Same as me. Saw on the news they were asked that and they said it's too early to say anything, as they are still trying to find out who has had info stolen. I for one will definitely leave if I can!
 
Looks like TalkTalk security is about as solid as their servers/network.

Seriously why are people on a tech forum even with these jokers?
 
Every non-TalkTalk customer (gods upon high horses?) giving the incredibly useful advice of leaving TalkTalk, whilst confirming their god status by not being stupid enough to give them their custom back down the line.... Could you also please confirm which ISPs are safe, storing all their customers' data encrypted and completely non-prone to this happening? I guess you all have access to a confirmation list of some sort that gives you all the lovely details on how they store your data and how this simply would not happen to them.... After all, that's why they are a few quid more per month than TalkTalk, for your safety and wellbeing?!?

Virgin, BT, Sky, Zen, Vodafone, EE. They're all more expensive, confirmed OK. Just because.
 
I bought a Netgear router and configured all the security myself, and I didn't even barter with BT for my monthly price on super-fast fibre optic. The BT peasant router was rubbish, because I heard so. I drive an Audi and don't have an overdraft..... Dave next door is on the dole and has TalkTalk, doesn't even have a password on his SSID, what a smelly bugger. No wonder his banking details got stolen, what did he expect?
 