Just to clarify, I originally was with TalkTalk but changed to BT, keeping my TalkTalk e-mail address, so this will not affect me. Is that correct?
change your password
To be fair, I can relate many stories of DDoS attacks emanating from the Far East and the Middle East that we catch and send to various "cleaning houses".
99% of attacks are not reported, only the ones that hit the big corporations.
There is anecdotal evidence that the young 10 year old in his bedroom ******* over his ability to bring apple down is just as capable of attacking systems that state sponsored banks of hackers trying to get into security systems. This is the new terrorism.
Be assured that the ability of these attacks to get bank details and drain your account is actually very small and it is more around flooding sites with bogus mails and huge self-spawning data files that actually gum up the works and will cause a web site to "crash" as it can't process the data it has. The bank thing tends to be where they have your number and try to arrange loans on it. If the lenders are following their protocols, this would also be hit and miss and if it's fraudulent, then the banks tend to write off the debt anyway as malicious fraud.
The things we recommend are: change your passwords every 30 days
Never use simple passwords....letmein...password1...brighton123...that sort of thing
Never ever give your passwords or pins to anyone who calls.
Make sure you set your computer to "clear cache" every night...including "passwords".
Apart from that, just be aware.
A bit I read only yesterday on how to do passwords better: http://www.washingtonpost.com/news/...al&utm_source=twitter.com&utm_campaign=buffer
In the US companies have to announce any breach of personal information within 24 hours or get big fines. We don't have that here... yet. In 2016/2017 the new EU Data Protection Directive, which will force companies to announce breaches within 24 hours, and if they're found negligent they'll be fined 2% of worldwide revenue. That's a game-changer in Europe, as all member states will be forced to comply. The business case for security will be much easier.
Assuming the UK is in Europe of course
It's all sound advice but in many cases, like this one - none of the above makes the slightest bit of difference. If the host system is compromised then your data is available to the miscreants. Then you just have to hope that they do use strong 1-way encryption on your password with them and that they protect card details in a PCI DSS compliant manner.
I'll wager that 20,000 of those at the match tomorrow have 'seagulls' as a password for something
I agree. We have just gone through the huge pain of making all our devices PCI DSS compliant, but even that was not enough for a Far Eastern based bank that we heard about which had gone through the PCI route, where someone working out of Saudi drove a horse and cart through their multiple-firewall-covered infrastructure and left a message on the bank's CEO's desktop!
Fortunately it was not one of ours, but a competitor almost went to the wall by lawsuits being thrown around like confetti.
PCI-DSS is a good start but it is nothing more than that. It does not cover the security across companies; it is focused on the credit card PANs. As soon as a company can prove a system does not come into contact with credit card details then they don't need to worry about it. The weakest link is still through employees: how many people click on attachments without a concern? That could be (and has been) enough to get access onto the corporate network and off you go searching for useful information. It's that simple.
We can improve our and companies' security with technology, and should do, but people's habits must change as well. It's more work, but wherever possible never store credit card details on internet sites when given the option, no matter how much easier it seems, and do not store passwords when given the option.
As for the high street, a former colleague of mine went to a cashpoint on payday, and found her account had been wiped clean. It turned out that she had been shopping in TK Maxx a couple of months earlier, who had had their rubbish stolen at the back of the store with debit/credit card transaction slips unshredded.
That's pretty impressive considering the merchant's copy of a credit or debit card transaction only shows the last four digits of a customer's card number....
Nsc went down for a bit about the same time this week - are we safe?
I can't speak for all of NSC but it won't put me off shopping online.
There have been numerous big breaches over the last few years but (from a layman's perspective) it seems like very little damage is actually done as long as the impacted company has made a point of encrypting their data in the first place...if they don't...well, careless.
Tried to change e-mail password and it said that TalkTalk was unavailable
The alleged nutters who have my details posted loads of email, bank and personal data as proof and ended with this
"We Have adapted To The Security measures Of The Web,, We Cannot Be Stopped. We Have Made Our Tracks Untraceable Through Onion Routing, Encrypted Chat Messages, Private Key Emails, Hacked Servers. We Will Teach our Children To Use The Web For Allah.. Your Hands Will Be Covered In Blood.. Judgement Day Is Soon
WE Are In The Soviet Russia And Near Place, Your Europe, WE control Asia, We Control AMERICA"
Wretched site is down again - no e-mail access this evening. I'm getting a timed out error message.
Anyone else having trouble?