As it's that season,
fall guy
https://en.wikipedia.org/wiki/Autumn
https://en.wikipedia.org/wiki/Guy_Fawkes_Night
A 15-year-old boy has been arrested by police probing the hacking of Brit ISP TalkTalk. The internet provider admitted on Thursday last week that someone had waged "a significant and sustained cyberattack," upon its website, and potentially swiped copies of sensitive information on four million subscribers. This info could …
Seeing as how the flaw was probably as old as the hills, who says that it was just one individual who was onto it? The fact that assorted Black Hats have been conducting social engineering attacks on Talktalk customers for a couple of weeks now suggests the following:
1) The flaw is an easily-exploited one.
2) The flaw was either widely known in the Black Hat communities, or was easily discovered.
3) Insufficient information could be gleaned from the attack to compromise credit or bank accounts using just that information, hence the extra social engineering seen.
What we may well be seeing is the aftermath from a series of different attackers. The kid so far collared will be just one of many, and the DDOS attack may well be only slightly connected with the other attacks. Black Hats are not all geniuses, indeed many are as thick as two short planks. The DDOS may well be down to one of the stupid outfits who were unable to understand that an SQL injection attack didn't need a noisy cover to succeed.
Indeed, the DDOS might well have been an attempt at extortion, when the SQL injection didn't yield the vast treasures that someone was told it would yield.
They are suggesting that TalkTalk's security was so bad it could be compromised by a school child?
Yes, quite. It's even worse when you consider that the exploit he used (Sql Injection) is actually a lot older than he is!
How on earth can we be nearly 20 years down the line since Sql Injection was first openly discussed and still we have people writing utter utter garbage and calling it code? When does it end? How much more damage has to be done?
If you qualified with a degree in politics & economics, well, go do that. You didn't qualify with a degree in software engineering. If you qualified with a degree in accountancy, well, guess what? You are not a coder.
I'll freely admit some of the best programmers I've worked with had no formal qualifications, but they almost universally have their own children older than TalkTalk's own Little Bobby Tables. If we as an industry are going to be able to move forward then we have to regulate who is and who isn't capable of practicing the profession.
A 15 year old school boy using an 18 year old technique just rooted the hell out of a company in what is likely to be a matter of minutes to get in and days or weeks to extract the data. Things have got to change.
I think your conclusion is a little unfair.
A process which puts nothing between worker Bob's shoddy code and production deployment is a strategic business decision to save money on IT; it's a gamble, and one that has paid off for TalkTalk year on year.
I sat in an all-hands meeting about a year ago and witnessed a platform change (routing) causing an API call to go from sub-millisecond (approx 350 mu) to 400+ milliseconds, raising the AWS cost drastically. Unfortunately I had no influence there as it was outside of my remit. The chap presented a solid business case, a sound technical argument, and he was summarily overruled.
So like everybody else, I watched them do something completely unwise against the advice of their staff.
Would I be totally far from the mark to suggest you've seen analogous situations?
If you qualified with a degree in politics & economics, well, go do that. You didn't qualify with a degree in software engineering. If you qualified with a degree in accountancy, well, guess what? You are not a coder.
@LucreLout: You appear to believe that acquiring a degree in something is the way to learn how to do it professionally. I'm afraid I have unwelcome news for you.
@Kubla Cant
You appear to believe that acquiring a degree in something is the way to learn how to do it professionally
Not at all, but it is the best way to ensure a bare minimum foundation of knowledge and capability before beginning to acquire professional experience. IT has never had apprenticeships (real ones, like the shipyards had).
I do not have a law degree, and so I am prohibited from practicing law. And yet I may produce all of the software upon which they depend.
I do not have a medical degree, and so I am prohibited from practicing medicine. And yet there is nothing stopping me from writing the software for the medical machinery or robot surgeon.
I do not have a pilot's licence and years of experience, and so I am prohibited from flying a 777. And yet, I can write the engine control software that keeps it in the sky.
It is illogical not to have a regulator ensuring minimum standards in IT are met. Why must our industry be plagued with the low quality output of failed accountants or politics students, who know as little about professional software as I do about professional accountancy?
If IT is to deliver its potential to the world, we have to purge the cowboys. Sql Injection is now old enough to vote. Do we, as a profession, wish to wait for it to collect its pension before we deal with the woeful lack of minimum ability with which our industry is beset? We have to start making progress or we won't be a profession much longer.
So, you tell me how you'd see that happening that doesn't involve minimum educational requirements and a professional regulator, and I'm all ears?
I do not have a law degree, and so I am prohibited from practicing law. And yet I may produce all of the software upon which they depend.
As a Lawyer you would find the framework of what is acceptable set by other lawyers.
As a Doctor, you would find the techniques and standards set by other doctors.
As a programmer you would find the techniques and practices set by people blessedly free from the most cursory understanding of the issues.
How does a regulator for software / IT professionals help with that?
Ultimately TalkTalk made a business decision to take the risk of some temporary bad PR in exchange for savings on IT.
How do minimal educational standards for practitioners stop them being overruled? The only sanction that exists is to withdraw one's labour; that's what has to change.
@sed gawk
As a programmer you would find the techniques and practices set by people blessedly free from the most cursory understanding of the issues.
How does a regulator for software / IT professionals help with that?
Take the GMC as an example. They strike you off and you're done. That is underpinned by requirements of professional behaviour and clinical competency. The foundation of these is the educational component, though life long learning and improvement is expected.
Why would that not work with IT? We have well established patterns and practices within software development that if adhered to will almost always produce better outcomes than not doing so. Produce code of sufficiently appalling quality and your colleagues will raise a complaint with the regulator who will audit your work and determine if this is the field for you.
Shrugging our shoulders and saying "Well, there's always been cowboys" hasn't got us very far in the 20+ years I've been doing this. An 18 year old hack by a 15 year old boy that knocks out a 12 year old company rather signifies that it is time for change. The cowboys have got to go. If not now, when?
Take the GMC as an example.
A surgical team runs operations, with no higher authority during that operation. The GMC is staffed by doctors who understand the issues.
Why would that not work with IT?
No large technical operation of my recent experience has had the same autonomy, as is extended to other regulated professions. While you can force someone out of the door for refusing to adhere to bad practice, bad practice will be endemic.
We have well established patterns and practices within software development that if adhered to will almost always produce better outcomes than not doing so. Totally agree, and being told to disregard such practices or find another job, is the issue.
Do you suggest that a large ISP has nobody who raised this issue? How's this for a possible scenario?
PM: in this sprint you will deliver x features, resulting in modifications to the database.
DEV: we'll only be able to do x / factor in this sprint as we need time to review and refactor.
PM: The business only finds values in the specified feature set, any extra effort is waste, do the feature as quickly as possible, and raise all other work as items for the backlog, to be prioritized accordingly.
Produce code of sufficiently appalling quality and your colleagues will raise a complaint with the regulator who will audit your work and determine if this is the field for you.
The rub is "quality" means different things to different people.
I think "quality" is a process that results in an artifact being built, tested, packaged and deployed automatically. That doesn't mean your code looks nice, to some extent the code is not really the point here.
For example, why are all user-facing URLs not crawled and basic fuzzing performed, e.g. curl "http://somehost/webapp/${url}?data"';select 1 from 1' && logwrite "SQL INJECTION FOUND"
Shrugging our shoulders and saying "Well, there's always been cowboys" hasn't got us very far in the 20+ years I've been doing this. An 18 year old hack by a 15 year old boy that knocks out a 12 year old company rather signifies that it is time for change. The cowboys have got to go. If not now, when?
I agree but think the cowboys are much further up the chain than the shop floor, and until that is addressed meaningful change will collectively elude us.
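The point made above about SQL injection being older than the attacker, and the suggestion that a build pipeline should probe every input for it, as a self-contained added example (not code from the thread or from TalkTalk): the string-spliced query beside its parameterised fix, with a tautology probe run through both as an automated gate. The table, the subscriber rows and the probe string are constructed for the demo.

```python
"""Added example: SQL injection via string splicing, the parameterised fix,
and a small automated check that tells the two apart."""
import sqlite3

# Constructed sample data: three subscribers in an in-memory database.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid", "+44 1632 960000"),
    ("bob", "bob@example.invalid", "+44 1632 960001"),
    ("carol", "carol@example.invalid", "+44 1632 960002"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input is spliced straight into the SQL text, so a
    quote in the input closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT username, email, phone FROM subscribers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the SQL text is fixed at write time; the value travels as a
    bound parameter and is never parsed as SQL, whatever characters it holds."""
    sql = "SELECT username, email, phone FROM subscribers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A tautology probe of the kind a basic fuzzing pass would send to each input.
PROBE = "nobody' OR '1'='1"


def injection_check(lookup) -> bool:
    """Return True when `lookup` behaves differently for the probe than for an
    ordinary unknown username: extra rows, or a database error caused by the
    quote.  Either outcome means the input reached the SQL parser."""
    conn = make_db()
    try:
        baseline = lookup(conn, "nobody")  # legitimate input, no such user
        try:
            probed = lookup(conn, PROBE)
        except sqlite3.DatabaseError:
            return True
        return len(probed) > len(baseline)
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterised", lookup_parameterised)):
        verdict = "SQL INJECTION FOUND" if injection_check(fn) else "ok"
        print(f"{name}: {verdict}")
```

Run stand-alone it reports the spliced lookup as injectable (the probe returns every subscriber) and the parameterised one as clean (the probe matches no username).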
So, you tell me how you'd see that happening that doesn't involve minimum educational requirements and a professional regulator, and I'm all ears?
You need to throw a few suits to the lions.
As someone posted above, it is comparatively rare for the coders on the ground to write such shite unless they are shielded from criticism by their management. The bigger problem is when management decide to cut corners in spite of advice against such action by people who know what they're talking about.
So far, when such problems occur, the blame lands on the shoulders of the poor geek who warned about the problem in the first place. What needs to happen is for a high-profile case or two - this one would do nicely - to be shown for the management failure it so clearly is, and for that management to take some personal pain for their actions. I'm not talking about a witch-hunt; merely the pain that someone will feel to be directed at the right person.
Formal qualifications in software are frequently useless. I've had hundreds of high-scoring grads in front of me who can trot out all the buzzwords they think I'll be looking for - but when asked to do a trivial OO design, are entirely incapable. This needs fixing long before we can start requiring such qualifications for work...
Vic.
@Vic
it is comparatively rare for the coders on the ground to write such shite unless they are shielded from criticism by their management
I wish it were so, but it isn't. Every time I have to deal with an inexperienced developer they pull the same shite as the last one, and it takes years to get them up to speed and still longer to eradicate their technical debt.
Every time I deal with someone who only got into the field for the money, at whatever level of experience, I'm met with an utter shambles to which no professional would put their name. How many civil engineers would you allow to continue building bridges if, the second they weren't there to shore it up, the whole shakey edifice collapsed?
Come to think of it, how many doctors or lawyers would you allow to build bridges?
What needs to happen is for a high-profile case or two - this one would do nicely - to be shown for the management failure it so clearly is...
Now I'm not defending management here, I agree they are culpable too.....
Formal qualifications in software are frequently useless. I've had hundreds of high-scoring grads in front of me who can trot out all the buzzwords they think I'll be looking for - but when asked to do a trivial OO design, are entirely incapable.
....As are the educational establishments, but box fresh graddies wouldn't be allowed to architect code anyway - you'd not let a newly qualified surgeon whip out a kidney - they'd have a more experienced professional to hold their hand through the process a few hundred times.
I let my graddies do an OO design, but then I replace theirs with one of my own or someone else better at it, and have them populate that. Code reviews form an integral part of their lives, as does a pretty lengthy reading list I expect them to get through.
And so to the old hands - some people were once good but have long since stopped keeping pace. Some just never "got it" and carried on producing crap of a standard I'd expect from a grad. They all have to go too.
If we want our profession to hold no more regard and command no greater compensation than an estate agent, then we need change nothing. If we want IT to have a seat at the top table, and in my view the world very much needs that to happen if humanity is to achieve its potential, then we as a whole have to raise our game. If that shakes loose the cowboys, the arts grads, and the dinosaurs, well, that's all good.
I wish it were so, but it isn't. Every time I have to deal with an inexperienced developer they pull the same shite as the last one, and it takes years to get them up to speed and still longer to eradicate their technical debt.
OK, let me re-phrase what I said :-
"it is comparatively rare for the coders on the ground to write be permitted to commit such shite unless they are shielded from criticism by their management"
You will always get inexperienced devs producing rubbish. The reason for a team hierarchy is to enable the seasoned hands to train the new recruits. But, from time to time, you will find teams where one member - often categorised as "highly productive" or somesuch - just keeps committing petabytes of utter crap, but will be fiercely defended by management who believe that kLOC is better than quality...
I let my graddies do an OO design, but then I replace theirs with one of my own or someone else better at it, and have them populate that
I've met innumerable grads who can't get that far. At interview, they'll spout the buzzwords - but when called on it, couldn't even begin to do a 2-class exercise. No understanding whatsoever of the process. And these are the people with the qualifications.
And so to the old hands - some people were once good but have long since stopped keeping pace. Some just never "got it" and carried on producing crap of a standard I'd expect from a grad. They all have to go too.
I *mostly* agree. The difficulty is that many of them "stopped keeping pace" because they disagree with the direction in which that pace is travelling. And they are often right as well[1]. It's only with hindsight that we can see what really goes on...
If we want IT to have a seat at the top table, and in my view the world very much needs that to happen if humanity is to achieve its potential, then we as a whole have to raise our game. If that shakes loose the cowboys, the arts grads, and the dinosaurs, well, that's all good.
I'm completely with you there - it's your implementation with which I disagree :-) The formal education we currently offer in the field is frequently - nearly universally - useless. If all we did was to require such qualifications, we'd get code every bit as bad - or even worse. To change that state of affairs, we'd need to make a step-change in the quality of grads coming out of university - and that's going to take 20 years to filter through, with all those interim graduates getting a useful education, but a qualification that will be seen as useless for that period. That's hardly fair.
My solution would require companies and individual managers to be held responsible (to some extent) for their code - so when it goes wrong, they can't brush it under the carpet, they can't just blame some peon, they have to take the responsibility for which they've been paying themselves. A couple of rounds of that, and TPTB will actually start to take code quality seriously, because it will cost *them* personally not to do so. So when a dev tells them that the hack they're suggesting will definitely cause the code to fail, there might at least be a few seconds of reflection on whether or not to do it...
Vic.
[1] A customer of a customer of mine has a venerable - and *very* profitable - application written in Forth. It is very robust. But a new broom has come in, and they have set up a group to re-write the whole thing in C#, because it's more modern. That task began at least 8 years ago, and to date has produced *nothing at all*, despite having a much bigger team than is working on the "ancient" codebase. It turns out for them that the old way is indeed very much more effective than the new...
@Vic
But, from time to time, you will find teams where one member - often categorised as "highly productive" or somesuch - just keeps committing petabytes of utter crap, but will be fiercely defended by management who believe that kLOC is better than quality...
I recently worked with a prime example of this. Within 24 months of leaving the team, which was less time than he'd been in it, every single thing he developed had needed a ground up rewrite. He's still out there, in the industry, doing his thing. And no matter what you tell him, he won't learn, because he doesn't listen. Ultimately, while he may appear productive, all he is really doing is building technical debt - the industry would have less work to do if he were not in it.
My solution would require companies and individual managers to be held responsible (to some extent) for their code - so when it goes wrong, they can't brush it under the carpet, they can't just blame some peon, they have to take the responsibility for which they've been paying themselves. A couple of rounds of that, and TPTB will actually start to take code quality seriously
No they won't. I've been with my current company for about 6 years and in that time I've had 7 bosses. Trying to identify which one is responsible for a given feck-up isn't trivial. Since 4 of them are no longer with the company, assigning any responsibility to them would be challenging.
The only way it gets better is to make the developers better - management will always be inept. While you can roll a turd in glitter, you can't really polish it, so ultimately the quality control has to begin with who is allowed to practice software development professionally, and who isn't.
No they won't. I've been with my current company for about 6 years and in that time I've had 7 bosses. Trying to identify which one is responsible for a given feck-up isn't trivial.
No, but that's because there is no personal responsibility; they can all just play on the blame-go-round until nothing happens. But if the CEO or MD were to be personally responsible unless he can prove who actually is, that would cease; when the big boss doesn't get paid this year, he's going to find out what really happened...
The only way it gets better is to make the developers better - management will always be inept. While you can roll a turd in glitter, you can't really polish it, so ultimately the quality control has to begin with who is allowed to practice software development professionally, and who isn't.
Both are required. It's no use having a superb set of devs if the management force them to cut corners. And Management are going to cut corners if they think it will gain them some advantage because they will get away with it every time. They need to be held responsible for their actions if code quality is going to improve. And once that's happened, they will seek out a talented group of devs, rather than just a cheap set...
Vic.
On a serious note, why not?
If the attack was fundamentally an SQLi, then yes - it is pretty easy for a 15 year old to manage that (metasploit + YouTube tutorials + Computer + broadband = pwnage).
The reality is that most times a company gets popped, despite all the claims about how sophisticated the attacks are, it really boils down to a bored kid with a good imagination and access to a computer. Nothing more, nothing less.
Absolutely! It's not hard to see why this multi-million pound business is brought to its knees by a kid with a laptop. They didn't bother to encrypt anything inside of HackHack, just plain text because it's cheaper that way, yes? Their CEO is a fucking moron who doesn't even know anything about the business they are running. If you ask me, send the fucking bobbies over to Dildo the CEO's house and arrest her for being an incompetent asswipe making way too much money and having ZERO skills to reference and only the lowest paid staff to mop up her bad decisions. This was almost as funny as the Ashley Madison hack! Bravo 15 year olds with laptops! Bravo!
metasploit + YouTube tutorials + Computer + broadband = pwnage
You know what that means, mere possession of these places you as a potential terrorist. I definitely need to place all my security related materials in encrypted containers. At least currently we (U.S.) can't be required to hand over our passwords.
No point in anon, matching my wording is signature enough.
The reality is that most times a company gets popped, despite all the claims about how sophisticated the attacks are, it really boils down to a bored kid with a good imagination and access to a computer. Nothing more, nothing less.
Don't forget to add an Autism in there as a defence of not knowing right from wrong
Seems like a lot of these replies think a 15 year old boy is not capable of such things, probably due to most people's lack of natural aptitude. Over 40 years ago, by the age of 13, Bill Gates was already programming and hacking other systems; I think it is pretty obvious that any naturally bright youth could do this nowadays.
I have no idea if it was him, but certainly one might assume it's reasonable it could be a 15 year old boy or girl. Maybe he just had a compromised PC that was being used as a proxy, but who knows; I certainly would not rule him out due to his age.
To all the naysayers: do you not remember how bright you were at 15* - we all didn't suddenly become intelligent at [18/21/30/40]. Add to that how much spare time you had before uni/jobs/drinking/family/rest of the grown-up stuff
* Life experience aside
I've not used it, but look at videos on using SqlMap and I am certain a 15 year old who is a bit into computing could have done it.
Like nearly all hacks, there's not some David Lightman level of hacking going on. It's nearly always someone leaving a port open or a SQL Injection attack. The idea that the government needs to protect incompetent twunts like Sony and TalkTalk is risible.
I messed about with Metasploit on a test VM a while back (was looking at possibly doing security stuff as part of the day job, test VM was part of a learning series) and it's pretty damn easy to use. Avoiding detection when running it on someone's site and then actually using the exploit are the bits that might be fiddly, and a 15 year old would have plenty of spare time to work it out
I do think it's less likely that a 15 year old would be doing a DDoS attack to cover his tracks along with the ransom threat though. It's possible, but it seems more likely a 15 year old would go the direct route of just hacking them rather than setting up a more coordinated scheme like this.
At 16 I was doing some fun stuff with other people's computers that would probably have gotten me locked away for a few years if I had done it today. This was during the mid-to-late 90's though.
Don't under-estimate intelligent, bored, curious teenagers with all the time in the world to figure stuff out and get up to mischief.
This sort of thing needs to be redirected constructively instead of litigated or prosecuted though.
@Scoot76
Sorry, but if you're going to grab a lot of data you don't shit in your own back yard (i.e. ISP I.P. address).
You might if you were a bright 15 year old seeking an infosec career.
You're below the age of criminal responsibility so it's a clean record at 18, and given the likelihood of the courts protecting your identity, this will cause zero emigration concerns or visa problems. The only people that will know will be those to whom you send your postgrad CV.
Equally, you might if you were a less than bright 15 year old who'd downloaded some script-kiddie tools from the interwebs and had at it, with no thought or knowledge of how to cover your tracks.
@Crisp
Yes, so it is, and thanks for the correction. However it would appear that the child will, assuming they finish school, attend college and then university, leave with both a degree and a clean record, as it is declarable for a maximum of 6 years from conviction (even on a DBS check).
http://disclose.me.uk/question/how-long-will-my-conviction-stay-on-record/
Assuming it is a first offence and he pleads guilty on day one in court, then he's looking at 2/3rds off any sentence the court may have considered, and if that gets him below 2 years then he'd only get a suspended tariff. If he hasn't sold or leaked too much data, he may only be fined, due to his age.
I would be extremely surprised if this has any lasting negative effect on his career, and as I said earlier, he may be able to use it as a positive if he wants to work in infosec. There will be clients that want to hire "the guy that took down TalkTalk when he was only 15".
I really really hope it is this chappie just so TalkTalk can stop it with the sophisticated attack rubbish they keep churning out and get their just desserts. My guess though is he was just the one who decided it would be funny to send the ransom email and actually knows nothing about the real attack.
I doubt he's sorted in security; any script kiddie / moron who has even the most basic of knowledge can craft a basic SQL injection with or without a tool.
Of course some penetrations are much more complex but it could have been so simple as to run a pentest tool against the site.
Take the Panopticlick test and see how anon you are :)
Their site says : "In the meantime, we have partnered with one of the three main credit agencies, Noddle, to provide our customers with 12 months’ free credit monitoring." - That phrasing looks like they are doing something useful and generous. Scumbags fail to mention Noddle is *already* free for credit checking, and monitoring add-on is only £20 for a year's worth of alerts. It seems to me like they want to think they are being generous offering a service like Experian, but on the cheap.
If a 15y/o kid can hack the Talk Talk Website single handedly, either their security was so laughably poor that they deserved it, or that kid needs a maths scholarship to Cambridge and a job at MI6.
In reality, he probably sent the ransom email for a joke and will get a slap on the wrist from the law and an absolute shoeing from his mum.
More to come from this story I think.