Ex-TalkTalker TalkTalks: Records portal had shared password. It was 4 years old Fraudsters who attempted to scam TalkTalk customers by using records of their maintenance engineer visits are thought to have bought that info from current or former staff. According to one ex-TalkTalk employee, who asked not to be named, the company uses a third-party system called Qube Portal to book visits and record …
Back when RM did modified builds of Windows 98, there was a guest account that anyone sane would disable; this had elevated 'teacher' privileges including the tool teachers could use to reset a pupils password without having to go and find someone from IT. You can guess where this is going, can't you.
An eon ago I went on a DEC security course. During the morning coffee break I sneakily logged into the site's terminal server using the default password of "password" and changed it to something else. The "security guru" teaching us about DEC security was somewhat puzzled when he couldn't access his server but he did see the funny side when I told him I'd changed the password.
You heard it here first folks (after reading it on USENET decades ago anyway) but I can present to you an exclusive scoop of the TalkTalk security memo that was sent out last year informing all employees on proper security practices. If you read the list carefully you can see they were using an ultra-secure method to pick their passwords so this was clearly an inside job by lunix hackers.
============================
CORPORATE DIRECTIVE NUMBER 88-570471
In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.
RULES FOR THE SELECTION OF PASSWORDS:
1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.
Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
Why would a company bother spending lots of money in their IT systems, when if it's perceived that "if it ain't broke, don't fix it"? Money spent securing internal systems that customers can't see doesn't return any profit on that investment. At the end of the day, the business exists to make money for it's shareholders, not to keep customer data secure nor deliver an amazing customer experience. They want to get away with the bare minimum, and when something goes wrong the PR department spin it as "well it was a sophisticated attack and we take every effort to protect our customer data" and "our customers privacy is very important to us".
Liars. Their customers dollar is important to them, not the fact their details aren't secure and can be sold to all and sundry.
Except sadly, that's a very short sighted approach and is exactly the reason TalkTalk has shed customers by the bucketload, and profits with them. Strong, well enforced and audited security = secure customer data = reduced risk to profit. Not exactly rocket science, yet for some reason our biggest ISPs and Telco's seem to be ignorant in this area...
"Strong, well enforced and audited security = secure customer data = reduced risk to profit."
TalkTalk may have lost customers. Their profits may have been dented. But, unless you have numbers, I speculate the cost of doing this right will exceed their losses. We need a regulator who can give them a good kicking in the dividends and whistle blowers who are willing to testify.
>> I speculate the cost of doing this right will exceed their losses.
I disagree with that. The cost of doing this right IN THE FIRST PLACE would have been less than they will lose from the incident. By the time you factor in the lost customers, the help desk costs to handle the increased calls, the incentives they've made to those customers to encourage them to stay plus the significant costs they've had in hiring in security consultants to bolt the stable door, that's going to be far in excess of the relatively low costs to do things right in the first place by employing competent staff (devs + managers) and to pen test the system.
"I disagree with that. The cost of doing this right IN THE FIRST PLACE would have been less than they will lose from the incident."
Talk Talk says (PDF) the "trading impact [was] £15m" and they're estimating 0.6% customer loss due to the cyberattack. (Offcom says they have 16% of the UK's 27 million households so about 26,000 people were pissed off enough to move.) That churn is 50% more than normal.
It looks like they moved sales to helpdesk, and are blaming that for reduced sales and lower customer numbers. For that reason they missed out on revenues of £40-£45 million.
I guess the £15 million includes the consultancy fees. But those fees would have had to have been paid at the start to make sure it was right (they're a corporation: they don't believe their staff unless a consultant agrees) and they would have no doubt incurred on-going costs in ensuring continued compliance.
But lets say you're right and they could have spent £1 million over four years and been £50 million richer. So what? They expect to grow dividends. They're profits might grow slightly slower than they'd hoped. But the message to shareholders is everything is recovering and there's nothing to worry about. QED
We need a regulator who can give them a good kicking
I'd like to see a law that puts manglement in the firing line.
If you have a database of customer details, your management team's details need to be in there as well. If it contains bank details, management's accounts are there as well.
So if the database gets taken - the team who penny-pinched the security face the same consequences as their customers.
It needs tuning of course - e.g. to prevent them setting up bank accounts specifically to circumvent this - but the guts of the idea is there...
Vic.
The cyber attack on Talk Talk according to their board cost no more than £35m including remedial measures.
However the share price dropped by £750m - not just due to the cyber attack but that was a major contributory factor.
Source Anthony Hilton in the Evening Standard 13th January
I am sure this will have seriously kicked their dividends....
"Money spent securing internal systems that customers can't see doesn't return any profit on that investment"
This is one of the main jobs that we expect governments to perform; regulation of business so that companies who do the right thing (providing safe products, protecting personal data etc.) are not at a competitive disadvantage to those who don't.
Fines should be big enough to affect the profit of a non-conforming company so that it makes the decision that doing things correctly is a profitable investment.
Part of the difficulty is that the security gurus have gotten so paranoid, the tools you'd use to implement certain things have been disabled. For example, the government office in which I work has no approved tool to change the local admin passwords on any of the PCs. So it never gets touched.
"For example, the government office in which I work has no approved tool to change the local admin passwords"
This is a case of Dunning Kruger effect writ-large and the "security gurus" being well out of their depth in the first place.
"Fines should be big enough to affect the profit of a non-conforming company"
Fixed fines are part of the issue. The ones which allow "up to N% of turnover" are the ones which hurt most, provided regulators are brave enough to impose them.
Rewriting laws so that fines can't be claimed as tax-deductable would help a lot too.
Not at all surprised.
I remember seeing a green screen application some years ago at a big company. Most of the staff had access to this, without needing any form of security control. I believe that they had something like 400,000 customer details in that particular system.
That was a system based / managed in India. Used by some call centre staff there, but also by several call centres in the UK.
If the customer is appearing like this for their own dubious, presumably sexual, gratification, I think it's perfectly reasonable to note it down, particularly if it becomes a repeat performance. Would you want you wife, husband, partner, etc. becoming a part of a customer's lifestyle choice just because they happened to be assigned that particular call. Not all situations are as humorous/desirable as a 70s-style Confessions Of A Window-cleaner and could be genuinely alarming for someone simply trying to do their job.
Thumbs down - seriously? I know El Reg is a broad church, but I didn't realise it was such a hotbed of adult nappy wearing. FFS, do as thou shalt but don't involve the rest of us, please.
Truly, speaking as someone who has done this kind of job, you do find yourself being part of peoples' "other interests" and it's not fair. Someone appearing at the door in a state of undress is a legitimate concern, particularly if it became a habit. That is offender's register stuff, whether you choose to believe it or not.
"Some of these reports can be somewhat humorous. For example: 'Customer answered door wearing an adult nappy'."
Doesn't sound like this private data is needed for the bisness purpose that TT is supposed to be providing.
If the customer concerned had these details leaked* and this particular bit of information, I'd say [IANAL] they'd be sue the crap** out of TT.
* No. Just no.
** Still no.
TT are the people who refused to log a fault with a landline because the person who was reporting the fault didn't have a mobile for TT to call them on.
Not only did the person with the Landline not have a Mobile they lived in a 'Not-Spot' where none on the carriers had a usable signal.
The Indian droid on the end of the phone refused to believe this.
Bribed a friendly OpenReach bod with a few 'at the weekend pints' to fix the issue.
Moved from TT the next day.
Why is this company allowed to do business? It is one abject failure after another.
Come on OFCOM close them down before they do any more damage.
Fucking cunting bunch of motherfucking wank-shit cockwombles!
And they won't let people leave prematurely. That business is not fit to call itself a provider of any services!
- shared password known by thousands
- 1000s of staff in a foreign territory not covered by our laws
- reports of criminal behaviour at these foreign sites
- password not changed in years
They are a shambles, utterly and totally. Wouldn't trust that dildo woman in charge to pour piss out of a boot with the instructions written on the heel!
Why do they need your date of birth?
So that they can know if it's legal to ask for a credit card or if it's legal to offer the service to them. In some jurisdictions people have to be at least <yearsOld> to be legally able to get credit cards. Someone younger than <yearsOld> would probably have to pay by cash, assuming that they could legally be sold the product at all, something unlikely. For many service calls, the dispatcher will state that there must be an adult who can legally make decisions on the account be present throughout the call.
We have had a "BT Engineer" calling us trying the same scam. His downfall though was that he simply wasn't credible as a BT call based engineer, he wasn't Indian and I could understand what he was saying, so immediate alarm bells there from the outset.
If anyone from a services company calls you ALWAYS ask for the name and a call reference and tell them you will call back. Go online, find the relevant number on the website and call that and give them the reference and name.
^^THIS
Unfortunately the banks, utilities etc. and everybody who is always nagging customers to "be safe" have been the principle agents in softening up people to the point they'll answer all manner of personal questions on the phone. I never [1] take such calls.
[1] I'd be prepared to take a call from an entity that could prove it's identity, and we all know that it is technically possible, but I have yet to come across one that actually can.
This post has been deleted by its author
Can we have the obligatory "The security of our customers is our Number 1 priority" PR drone speech now?
>What the hell were they thinking or in this case not thinking?
Probably "I'm much too important to be bothered with these technical details. How much money did we make last week? How's the share price? And can you see if Dave and George are free this weekend for a spot of Cotswold cockwombling?"
At my current assignment the local admin password on the desktops hasn't changed since I got here in spring of 2013. We've got 5 support techs at the moment and four network techs. I'm aware of at least four people who have cycled through. Not sure when it was first set, but based on tales I've heard I'm guessing it's at least 7 years. Granted, it's a nice complex password even though it's easy to remember after hearing the tale about WHY it was set, but still...
Anon for obvious reasons.
engineering companies used by TalkTalk and several other providers....
"...We understand that customers of other companies may also have been targeted in the same way during this period."
So first they denied it happened at all and now it's "well, it's not our fault, look, other companies use these people too and look, they had the same problems too.
Well, boo fucking hoo. TT have a contract with the customer. Them choosing to use a possibly dodgy 3rd party company isn't the customers problem and TT are still liable.
Even worse, how did TT manage to find out in just a few days that the "3rd party" companies other customers have also been scammed in the same way? Either that was some uncharacteristicly fast work, some uncommon inter-company honesty, or they ALREADY KNEW about it and were ignoring it.
The depressing side of this is what is happening to the TalkTalk customers when they get hit with this phone call. It is a clever call involving a number of "departments".
People on TalkTalk are often on it because it is "cheap" and they don't know better service exists. They are rarely computer literate. A lot of retired people are on this network. Unluckily a lot of retired people are too polite to hang up on phone scammers. Among my clients it is noticeable that those who have fallen to scams tend to be older and believe the scammer on the phone. I know of three people (aged 73, 80 and 96) who were all caught on this TalkTalk scam. They lost between £1500 and £7000 each! And they have no one to turn to as bank can't recover the cash due to the way the customer hands over all their financial details to the scammer. I also don't expect local police to get very far on this either.
I don't blame the scammer for the loss - I directly blame TalkTalk. Someone needs to take them to court over this mess.
I don't blame the scammer for the loss - I directly blame TalkTalk. Someone needs to take them to court over this mess.
Actually, if you think about it, they both are to blame. One for being a miscreant and scamming innocent people who are probably the one's who can least afford it, and the second for having lousy security and abusing their customer relationship by engaging in less than honest dealings. The BS coming out of the TT front office is appalling.
Why would the Qube portal store the end user's date of birth? This is a portal used by various companies to book Qube engineer tasks. I just don't see why Qube as a contractor would need to know anything more than the end user's name, contact number and address. Working, as I do, for an ISP I have never come across a sub-contractor (sorry, service partner) portal that needs any more information than that, plus of course service details, task details and free text fields for special instructions such as access arrangements (usually RARA).
I've come across this twice. Its the result of using an off-the-shelf solution and being too cheap to customise it.
The second case was slightly more complex: they picked the cheapest quote and then got upset when the vendor submited an extra bill for "variations" that weren't explicitly part of the original quote. The vendor put them on the bottom of their priority list, I presume on the basis that paying customers come first and this job wasn't profitable. In the end they got sued by the supplier for non-payment. The vendor made a loss and they ended up with a shitty system that only partially did what they needed.
But I digress, the result was a number of mandatory fields that are inappropriate or pointless. The solution we suggested was to fill them in with standard but nonsense data. If it got "lost" or "stolen" at least it would raise an instant red flag when someone tried to use it.
Breaking news, BCS, the Chartered Institute for IT, wants the government to make 'reckless' disclosure of data through inadequate security to be a criminal offence. Not sure who's going to decide what "reckless" means or what the thresholds are. But surely TalkTalk looks like an excellent test case?
Several years ago one of my clients changed to TalkTalk - without telling me. It was a pub in Birmingham with a few Wifi boxes and a Smoothwall firewall. After 5 HOURS on the phone to them all they could come up with was to reset to factory defaults - which was not going to happen as it would break everything else. Yes they do like to talk Talk Talk ....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
