15 year old six counties male arrested for Talk Talk hacking

Started by T Fearon, October 26, 2015, 08:10:59 PM

thebigfella

Quote from: Orior on October 27, 2015, 09:38:58 AM
Encrypting databases is all fine and dandy, but what if partners and third parties need access? For all I know TalkTalk could have outsourced their finance, payroll, help desk, marketing, big data analysis field engineering, etcetera, all of whom need access to the customer database

Then you build a secure solution to allow them access.

thebigfella

Quote from: Syferus on October 27, 2015, 08:33:31 AM
Quote from: heganboy on October 27, 2015, 03:43:06 AM
maybe I remember it differently, but at 15 you didn't get caught - you were invincible.

the numpties at TT are admitting to no encryption of customer data, so the fact that they may have fallen to a DDoS with an SQLi is a bloody disgrace. That they asked for 80k in Bitcoin is hilarious, and that they showed Krebs the db table copies is even funnier.

a bit of social engineering, and an AWS / GCE account go a long way. you would have said that the odds were on the side of brute force with low primes, but that they (TT) are saying they have no obligation to encrypt data is going to see them burn... SQLi it is.

People are going to jail, and it really shouldn't be the 15 year old (who will be absolutely hired when he gets out, initiative goes a long way these days)

Again, you're buying into this mythology that every two-bit hacker is employable. They aren't because what most of them do is so automated that they'd have little clue how to properly defend against even those basic attacks they perpetrate. The skills to defend against these attacks are very different.

Agreed, the term hack is thrown around too loosely and people assume it's like the movies. I'd say a few scripts downloaded from the net, a bit of loose talk about lax security at TT and mostly luck. This is if he actually is responsible too.

Orior

Quote from: thebigfella on October 27, 2015, 09:46:53 AM
Quote from: Orior on October 27, 2015, 09:38:58 AM
Encrypting databases is all fine and dandy, but what if partners and third parties need access? For all I know TalkTalk could have outsourced their finance, payroll, help desk, marketing, big data analysis field engineering, etcetera, all of whom need access to the customer database

Then you build a secure solution to allow them access.

And that is when the wrong decision is made, because the CIO/CFO thinks it is too expensive.
Cover me in chocolate and feed me to the lesbians

5 Sams

He's obviously not that smart if the cops are able to go straight to his house and scoop him.
60,61,68,91,94
The Aristocrat Years

Syferus

Quote from: Orior on October 27, 2015, 09:38:58 AM
Encrypting databases is all fine and dandy, but what if partners and third parties need access? For all I know TalkTalk could have outsourced their finance, payroll, help desk, marketing, big data analysis field engineering, etcetera, all of whom need access to the customer database

You give them encryption keys or a specific view on the data that has the information they need and the rest unavailable. Encryption isn't about stopping use, it's about preventing unauthorised people seeing data they shouldn't.
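
Added example, not part of Syferus's post or the original thread: one way the "specific view" and "give them encryption keys" approaches could look in PostgreSQL with the pgcrypto extension, run from psql. All table, column and role names and the key value are constructed for illustration.

```sql
-- Run with psql against PostgreSQL. Every name and value here is constructed.
-- The key would come from a key store, never from a script like this.
\set billing_key 'constructed-demo-key'

CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customers (
    customer_id   bigint PRIMARY KEY,
    full_name     text  NOT NULL,
    email         text  NOT NULL,
    phone         text,
    sort_code_enc bytea NOT NULL,   -- ciphertext only
    account_enc   bytea NOT NULL    -- ciphertext only
);
REVOKE ALL ON customers FROM PUBLIC;

INSERT INTO customers VALUES (
    1, 'Constructed Customer', 'customer@example.com', '028 0000 0000',
    pgp_sym_encrypt('00-00-00', :'billing_key'),
    pgp_sym_encrypt('00000000', :'billing_key')
);

-- Roles for two outsourced functions; neither gets any right on the base table.
CREATE ROLE helpdesk_partner NOLOGIN;
CREATE ROLE billing_partner  NOLOGIN;

-- Help desk: contact details only, e-mail masked, no bank columns at all.
-- The view runs with its owner's rights, so the role needs no table privilege.
CREATE VIEW helpdesk_customers AS
SELECT customer_id, full_name, phone,
       left(email, 2) || '***' || substring(email from '@.*$') AS email_masked
FROM customers;
GRANT SELECT ON helpdesk_customers TO helpdesk_partner;

-- Billing: sees the encrypted columns and decrypts with the key it was issued.
CREATE VIEW billing_customers AS
SELECT customer_id, full_name, sort_code_enc, account_enc
FROM customers;
GRANT SELECT ON billing_customers TO billing_partner;

SET ROLE helpdesk_partner;
SELECT * FROM helpdesk_customers;      -- allowed
-- SELECT * FROM customers;            -- would fail: permission denied
RESET ROLE;

SET ROLE billing_partner;
SELECT customer_id, pgp_sym_decrypt(account_enc, :'billing_key') AS account_no
FROM billing_customers;
RESET ROLE;
```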

imtommygunn

Was there not talk of some boy getting phoned up and they had specific details? Initially I thought it sounded a bit wider than something one kid would have done unless he sold data on??

Encrypting data is all fine but usually there's an end point where it's not encrypted so it can fall down somewhere... These systems should only have access with logins, https certificates etc.

I'd be interested to see how the kid did it though doubt we will ever know.

I doubt he got all this through sql injection or the like. Spoofing / brute force or something like that.

ziggysego

Quote from: Brick Tamlin on October 27, 2015, 09:01:33 AM
You boys are the sort I would have bullied in school.
Start talkin in layman's terms ffs.

He found the key to open the magic door to TT's box of customers' secrets.
Testing Accessibility

Muzz

Ah come on now lads - there is no way this lad acted alone. He was probably part of a wider online community and multiple people attacked TT.

He has probably got caught not because of his actions but because he talked about it or tried to sell the data.

As Tommy has said - customers' bank accounts were cleared out and people phoned asking for money. Did this 15 year old do this on his mobile sitting in his bedroom? Doubtful.

There will easily be a lot of people involved in this but one young lad stupid enough to overstep the mark and give his involvement away.

heganboy

Never underestimate the predictability of stupidity

Syferus

Quote from: Muzz on October 27, 2015, 12:54:28 PM
Ah come on now lads - there is no way this lad acted alone. He was probably part of a wider online community and multiple people attacked TT.

He has probably got caught not because of his actions but because he talked about it or tried to sell the data.

As Tommy has said - customers' bank accounts were cleared out and people phoned asking for money. Did this 15 year old do this on his mobile sitting in his bedroom? Doubtful.

There will easily be a lot of people involved in this but one young lad stupid enough to overstep the mark and give his involvement away.

He probably hangs around on the usual IRC channels these 'hackers' do but this could easily be done by one kid, there is no need for there to be anyone else involved. He may have passed the information on or if he was sorta smart - doubtful seeing he was caught so fast - sold the data on the black market.

If anything having to coordinate with someone else would probably be a handicap in this sort of situation.

Muzz

All will be revealed but even TT would have firewalls etc. that would need to have been bypassed unless they really did not have any security whatsoever. In that case can hardly be called a hack.

Were there any reports of DDoS? A lot of comments and releases so far have not really confirmed or denied what actually happened. All we know is that the database was not encrypted.

heganboy

Rapid7 press guy said that
Quote
TalkTalk also mentions seeing a DDoS attack prior to the actual breach. The tactic of inundating an application with traffic to hide the real attack going on at the same time is very common nowadays. By distracting the target, the attacker buys more time to focus on the assets they are really after.
Never underestimate the predictability of stupidity

Muzz

There's no way that this guy could have carried out the DDoS attack on his own then.

imtommygunn

I'd be surprised were he on his own. Has to be more involved. Could be a scapegoat I suspect with a lot of smarter people in on it.

A DDoS attack wouldn't be particularly hard but I think knowing where the database is, what to get etc etc you'd need to be in some way informed to do.