For the third time this year the UK broadband provider
TalkTalk have seen their online defenses fall to cyber attackers.
While the company
has been quick to notify their customers of the breach (it was observed on
Wednesday this week and reported the following day) and are currently working with law
enforcement, details are still relatively sparse. Given the very short period between
detection of the attack and public notification, it is unlikely any significant
cyber forensics exercise has been conducted… so it’ll likely take those tasked
with the investigation a couple of weeks to get a solid understanding of the
scope of the breach and what was likely touched or stolen by the attackers.
Regardless, the stories currently being published as to the nature of the breach and what has actually been stolen are confusing and the details often contradictory (see Business Insider, The Telegraph, BBC, and AOL).
It would appear that the names, addresses, dates of birth, email addresses,
telephone numbers, TalkTalk account information, and credit card and/or bank details
of some 4,000,000 subscribers may have been stolen and that the data may not
have been (completely?) encrypted… or maybe the encryption keys were similarly
stolen.
Claims for the latest hack are also being attributed by some to a Russian Islamist group (referring to itself as “Th3 W3b 0f H4r4m”), which has posted a claim online along with samples of data purporting to have come from the TalkTalk site (see Pastebin - http://pastebin.com/HHT4BxJA).
Some stories refer to there
being a DDoS attack or component. A DDoS attack isn’t going to breach an
internet service and result in data theft, but it’s not unheard of for
attackers to use such a mechanism to divert security teams and investigative resources
while a more focused and targeted attack is conducted. It’ll be interesting to
see if this actually happened, or whether the DDoS (if there was one) was
unrelated… although it would be difficult to tell unless the attackers really
messed up and left a trail of breadcrumbs – since DDoS services can be procured
easily over the Internet for as little as $50 per hour from dozens of illicit
(but professional) providers.
If there are lessons to be
learned so far from this hat-trick breach, they include:
- Hackers are constantly looking for easy prey. If you’re easy pickings and you get a reputation for being a soft target, you should anticipate being targeted and breached multiple times and likely by different attackers.
- There should be no excuse for not carefully encrypting customer data, and for not using cryptographic techniques that make it impractical for attackers who do breach an organization's defenses to profit from the encrypted data they stole.
- Calling an attacker or the tools they use “sophisticated”, and expecting the victims of the breach to console themselves with the knowledge that the organization charged with protecting their data was defeated by a supposedly more advanced adversary, is wrong. It simply underlines a failure to understand your adversaries and to invest in the appropriate security strategies.
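The second lesson above, and the earlier remark that the data may not have been encrypted or that the keys may have been stolen alongside it, boil down to one design rule: the key that unlocks customer records must not live in the same place as the records. The Go program below is an added illustration of that rule and is not code from TalkTalk or from the original post. It uses envelope encryption: each customer record is encrypted under its own random data-encryption key (DEK) with AES-256-GCM, and the DEK is itself wrapped under a key-encryption key (KEK) that is assumed to be held by a separate key service or HSM (here simply a byte slice passed in). The customer ID is bound as associated data, so a ciphertext copied onto another customer's row fails to decrypt. Card numbers are not stored at all; only a keyed HMAC token and the last four digits are kept. The customer ID, the sample PII string and the keys are all constructed values for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredRecord is what lands in the customer database: ciphertext plus a
// wrapped data key. The KEK that unwraps it is never stored alongside.
type StoredRecord struct {
	Nonce      []byte // GCM nonce for the record ciphertext
	Ciphertext []byte // AES-256-GCM(DEK, plaintext PII)
	WrapNonce  []byte // GCM nonce used when wrapping the DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
}

// sealGCM encrypts plaintext under key with a fresh random nonce.
func sealGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM decrypts and authenticates ct; any tampering or wrong key fails.
func openGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a per-record DEK, encrypts the PII with it and wraps
// the DEK under the KEK. customerID is bound as associated data in both layers.
func EncryptRecord(kek []byte, customerID, pii string) (StoredRecord, error) {
	if len(kek) != 32 {
		return StoredRecord{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	nonce, ct, err := sealGCM(dek, []byte(pii), []byte(customerID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapNonce, wrapped, err := sealGCM(kek, dek, []byte(customerID))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, customerID string, rec StoredRecord) (string, error) {
	dek, err := openGCM(kek, rec.WrapNonce, rec.WrappedDEK, []byte(customerID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openGCM(dek, rec.Nonce, rec.Ciphertext, []byte(customerID))
	if err != nil {
		return "", fmt.Errorf("decrypt record: %w", err)
	}
	return string(pt), nil
}

// TokenizeCard returns a keyed token and the last four digits; the full card
// number itself is never written to the customer table.
func TokenizeCard(tokenKey []byte, pan string) (token, last4 string) {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(pan))
	last4 = pan
	if len(pan) > 4 {
		last4 = pan[len(pan)-4:]
	}
	return hex.EncodeToString(mac.Sum(nil)), last4
}

func main() {
	kek := make([]byte, 32) // constructed: in practice fetched from a KMS/HSM
	rand.Read(kek)
	rec, _ := EncryptRecord(kek, "cust-0001", "Jane Doe, 1 High St, 1980-01-01") // constructed sample
	pt, err := DecryptRecord(kek, "cust-0001", rec)
	fmt.Println(pt, err)
	_, err = DecryptRecord(make([]byte, 32), "cust-0001", rec) // stolen table, no KEK
	fmt.Println("without KEK:", err)
	tok, last4 := TokenizeCard([]byte("constructed-token-key"), "4111111111111111")
	fmt.Println(tok[:16], last4)
}
```

An attacker who exfiltrates the table gets ciphertext and wrapped DEKs only; without the KEK from the separate key service, nothing unwraps, and with the KEK in a separate trust boundary the breach of the web tier alone does not yield card or customer data.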
-- Gunter Ollmann