Talk Talk Hack

  • 23-10-2015 2:24pm
    #1
    Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭


    a quote from the BBC business live page

    A significant proportion of denial of service attacks are masking another form of attack aimed at stealing data. Recent studies have shown that up to a third of attacks on businesses are simply obscuring a deeper attack. SQL injection is a well known form of attack. Anyone building a website that connects to a database should be designing it from the outset to prevent SQL injection, and it is standard testing to look for this vulnerability. Hackers themselves conduct this testing on a vast scale with automated tools to identify vulnerable sites. They work on the principle that if they rattle enough door handles they will find one that is unlocked. For that to be a major company like TalkTalk is disappointing, unless the hackers have found some new form of this attack, which I doubt.
    Professor Alan Woodward Surrey University

    I thought SQLi was so old that you would have to be a technological dinosaur to build something vulnerable to it.
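The Woodward quote says sites that talk to a database should be designed from the outset to prevent SQL injection. The following is an added example (not from the post or from TalkTalk) using an in-memory SQLite table with constructed sample rows: the same login query built by string concatenation and with bound parameters, showing how the concatenated version returns every customer for one malformed input while the parameterised version does not.

```python
import sqlite3

# Constructed sample data in an in-memory database; the schema and rows are
# made up for this example. Real deployments hash passwords rather than
# storing them in clear text.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT, iban TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "s3cret", "IE00TEST0000001"), ("bob", "hunter2", "IE00TEST0000002")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The statement is assembled from user-supplied text, so input can become
    # SQL syntax instead of data. This is the pattern to look for in review.
    query = (
        "SELECT username FROM customers WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]

def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders hand the values to the driver separately from the statement,
    # so whatever the input contains it is compared as data.
    rows = conn.execute(
        "SELECT username FROM customers WHERE username = ? AND password = ?",
        (username, password),
    )
    return [row[0] for row in rows]

def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"  # classic textbook input that makes the WHERE clause always true
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "x", tautology),   # every row comes back
        "safe_good_creds": login_parameterised(conn, "alice", "s3cret"),
        "safe_tautology": login_parameterised(conn, "x", tautology),  # nothing matches
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```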


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    FSL wrote: »

    I thought SQLi was so old that you would have to be a technological dinosaur to build something vulnerable to it.

    The OWASP Top 10 came out in 2001. The idea was that it would raise awareness of these issues so that developers could design applications with them in mind, and then next year's Top 10 would be new, different vulnerabilities. Injection vulnerabilities, including SQLi, have been there from the start, and the list for the most part has changed very little in 14 years.

    Speaking as a Pen tester I regularly see SQLi, often in Internet facing applications. The state of Internet Security in my experience is shocking. Nothing surprises me anymore.


  • Registered Users, Registered Users 2 Posts: 793 ✭✭✭reklamos


    I think the most shocking part is this:
    "Asked by the BBC whether customers’ bank details had been encrypted by TalkTalk, she said: “The awful truth is, I don’t know”"
    How is this company still allowed to operate?
    There will always be holes or zero day vulnerabilities but that is why there should be multiple layers of security and encryption is one of them.


  • Registered Users, Registered Users 2 Posts: 486 ✭✭Treepole


    Young lad from Antrim arrested in relation to this...


  • Banned (with Prison Access) Posts: 138 ✭✭Berkieahern


    15 year old lad!


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    I read on another website a lot of the data is not encrypted.
    How is a large company, in 2015 with millions of customers at this point,
    not using strong passwords? And encrypting user data by default.
    Did the large companies not learn anything from the Sony hack?
    There should be a law, if you have over a few 1000 customers,
    all data should be encrypted.
    Large companies should employ independent security experts, to test all
    their websites for known vulnerabilities.
    And make sure all their PCs are updated with security patches and are not running Windows XP.
    Every six months.
    It seems every month there's a large US company being hacked.


  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    Fixed that for you:
    riclad wrote: »
    I read on another website a lot of the data is not encrypted.
    How is a large company, in 2015 with millions of customers at this point,
    not using strong passwords? And encrypting user data by default.
    Did the large companies not learn anything from the Sony hack?
    There should be a law, if you have over a few 1000 customers,
    all data should be encrypted.

    Large companies should employ independent security experts, to test all
    their websites for known vulnerabilities.
    And make sure all their PCs are updated with security patches and are not running Windows XP.
    Every six months.
    It seems every month there's a large US company being hacked.
    ;)


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    15 year old from Antrim arrested for this.

    Interesting given that ransom demands have been made, a Lulzsec member claimed they were responsible for the DDoS etc.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    The word encryption is thrown around a lot in relation to this hack. Surely it depends on exactly what was encrypted and where in the chain the encryption was done? The keys have to live somewhere accessible to the web application.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    If there's one thing this breach highlights it's that we really really do have serious problems when it comes to InfoSec reporting in the media. FireEye claimed it was Russians, Lulzsec claim responsibility for part of it, the Mirror (prompted by the BBC) said it was a Jihadist Cyber Holy War and in the end it's looking like it's a 15 year old Irish kid....


  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    The 15 year old has been released on police bail. What's the betting his computer was compromised and was part of the DDoS attack?


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Whatever came of the Belfast Child? Tee hee?

