Member Info for Gcoffey

Not a pen tester by trade no, however I do work in IT and one of the main areas I focus on is the implementation of application & server security to comply with PCI DSS. I won't go into too much detail, but to say that the configuration of TalkTalks application servers is fairly inconsistent and hardening of configuration does not appear to have been applied everywhere. So for example, when you make a connection to a web server, via your web browser, the server returns information in what is called 'Response headers’ you wouldn’t normally see these in your web browser as it only displays the body content. The information in the response headers can tell an attacker specific things about the server, that information can then be used by the attacker to determine what vulnerabilities could be exploited. This can be mitigated quite easily by making configuration changes to the web server to reduce the information it returns in headers, and also by applying the latest operating system & application patches.

Please highlight the information I have posted that you believe is false. I actually stated my opinion that maybe with 3 months there would be a breach, and that is based on past disclosures from the company, coupled together with the outstanding vulnerabilities that I have disclosed to the company. At no point did I state that 4 million customers would leave, your statement is false. Again please highlight the FCA rules I have breached, without the information to back it up your statements are dumbfounded. Sometimes the truth is hard to digest but if you understand what I have posted it should be crystal clear.

I don't believe I have attempted to talk down the share price. I have provided information on the company. Likely not the information you like to hear and would rather plead ignorance to. If its too discomforting for you, feel free to filter my posts.

Lame attempt to ramp. Have TalkTalk made any further announcement to reassure customers such as stating they are addressing all issues with their systems and applying security fixes. No. Has the CEO responded to the information I disclosed to her re. vulnerabilities that still exist in TalkTalks systems? No. TalkTalk do not want to admit any liability in this case, its much easier for them to say it was the attacker. Bottom line is the attacker exploited the systems that TalkTalk staff configured, insecurely. They still have insecure systems and are leaving themselves exposed to further attacks.

Are you implying I work for a competitor? You are sadly mistaken.

If your definition of long term is until the next data breach then maybe 3 months but given shorts have increased their positions in the past week it may not have bottomed out yet. TalkTalks business is driven by customers subscribing to their services if they don't look after the customer they will lose subscribers and revenue will follow suit.

Richard I have noted that a number of TalkTalk online services have been down for over a week, this includes TalkTalk Business services (webmail, billing etc). This should give people here an idea of the scale of problems TalkTalk are now having to fix, and these fixes will primarily be securing the servers, network & applications that they setup, manage and offer online services to their customers through.

What reason would customers have to remain loyal and not cancel? Would be interesting to hear.

Only the ones I have a vested interest in I.e. I'm a customer and where they have failed to implement basic security measures. As I said before I am not deramping and have no interest in the SP I'm merely stating the facts from a customer and IT professional stand point. If you are worried about your investment you should look back at the 1 year chart after news of the previous breach.

Sadly data is not safe. However, companies have an obligation to take all reasonable measures to ensure any data they hold is secured I.e. Encrypted where required and not shared with third parties. Companies can mitigate the threat of attack by implementing processes and systems that work to proactively monitor and block attacks such as SQL injection. Further to that, companies can also apply a defence in depth strategy whereby they place controls at every layer of their network / systems / application. Most major players I have worked with, pile a healthy amount of budget into bolstering their security. Lets just clarify something, TalkTalk has vulnerabilities that an attacker exploited via targeted attack. Other companies may be attacked but the thing that matters is whether they have vulnerabilities that would result in a successful attack.

I'm not deramping & don't work for a tabloid, I'm telling it how it is. Now you could do as Curly does and try to misinform investors by playing it down and saying everything will be alright. Please tell me where my logic is off the mark, perhaps you do not understand what I am talking about. And what exactly does application, server & database security have to do with telecommunications? Are you aware of PCI DSS?

Account numbers & sort codes where not encrypted. Email addresses where not encrypted. Name & address information was not encrypted. Had the data been encrypted the attackers would have no way to decrypt the data without having the correct encryption keys. Moving forward, for the 3rd time, why would TalkTalk decide to tighten up this time? Surely the previous breaches would give one a 'kick up the backside', but it appears the fundamentals of what they do and how they do it have not changed. 13 days is a long time to get things fixed, however, aspects of the TalkTalk web site are still appear vulnerable today based on information that is publicly available to anyone visiting their sites. I have raised these issues with the CEO directly and I wish I could say something positive to bring some sort of assurance to customers, but these issues still remain.

Better than expected revenue forecast for the year of £240m up from guidance of £230m in August. Going from strength to strength

Sharesahoy, this recent attack was by way of SQL injection whereby the attacker uses a web page or web form to change a query being run against a database. Now had TalkTalk had adequate defences in place the attack would have been detected and blocked, its pretty easy to spot SQL injection attacks. The reason a SQL injection attack was possible is due to bad coding by TalkTalk developers and poor monitoring by Database Admins & Security. Developers had not taken appropriate measures to ensure their code was secure or prone to attack, neither did security. This is all pretty basic stuff and in no way constitutes additional or extra security. So TalkTalk essentially left a gaping hole in their security that enabled a third party to steal data. Regular security audit, patching and code review would have prevented this and the other 2 breaches, all of which are things TalkTalk should be doing anyway. So lets just say TalkTalk left the door off the latch and they still have windows wide open.

http://www.talktalkbusiness.co.uk/news-events/news-ttb-listing/video-news/data-breach-costs-revealed/

Card information may be encrypted, albeit questionably... if they are masking only the middle 6 digits. Card numbers range 14 - 19 digits meaning at worst TalkTalk could be displaying 12 digits. Anyway, yes only customer bank account details (account number & sort code) are among the details taken, regardless of what can be done with the data taken I am sure customers did not consent to TalkTalk sharing that information with any third party. Therein where the problem lies. TalkTalk don't believe there has been any wrongdoing on their part as most information for a person can be found on social media etc. The differentiator is TalkTalk had an obligation to protect any data given to them from their customers, and as their privacy policy states they will only share information with organisations outside of TalkTalk with the customer’s consent. When companies make statements like that it completely goes against Data Protection.

I had the misfortune to talk with TalkTalk cancellation team. More like customer retention / credit controllers. They ignored the fact they allowed customer data to be accessed by a third party, they said it was ok because the hackers wouldn't be able to use this data fraudulently. They also reiterated the statement released yesterday in which less data was leaked than previously thought. TalkTalk are obviously taking a firm stance and believe it is OK for any data held by them to be taken and that customers cannot use this as a basis for cancelling their services. In short TalkTalk don't care.

Trying to bring some positivity to a dire situation. Diverting away from the fact it happened in the first place, for the third time. Any loss or access of customer data, whether name and address details or card details, is a major fail. No doubt this will all be forgotten in a month and more than likely another breach will be reported in future unless some serious changes are made. Judging by TalkTalks track record for dealing with breaches there will be no serious culture shift within the company and no serious concern for securing their infrastructure. For a company turning over the money they do its pure laziness that they cant even invest to get the basics right, what's a few 100k to get things right.

Just FYI running an unpatched (for at least a year) version of a popular Linux distribution running a popular web server also unpatched is bad. Running a web server with ssl and compression switched on is stupid, google it and you will find out what BREACH is. These things are so simple to fix yet after 3 breaches TalkTalk still remain lax.

You missed the leak of sensitive customer data in Feb 2015, same issue as the current breach. It doesn't matter which way you try to butter it up, there are serious issues are TalkTalk that need to be addressed. They have put their customers in a compromised position. I hope you aren't a TalkTalk employee, calling your customers stupid pretty much sums up the ethos at TalkTalk that they don't actually care. Freely gave information or where coerced? The latter seems more likely, had TalkTalk secured customer data correctly third parties would not have had access to that information and customers would not have received fraudulent calls purporting to be TalkTalk. As per your terms and conditions you should note that TalkTalk have a duty to secure customer data and not share with third parties, this applies to sharing data for marketing purposes in which customers have the ability to opt-in/out. In this case TalkTalk left a gaping hole allowing customer data to be accessed and siphoned off. For comparison how many breaches have the other major ISPs suffered in the past year?