In the wake of a recent Distributed Denial of Service (DDoS) attack on TalkTalk, a British mobile phone, internet and pay-TV service provider, government and business leaders are under pressure to quickly provide effective safeguards and solutions. The DDoS attack, remotely controlling hundreds of thousands of compromised machines, collapsed TalkTalk servers, allowing cyber criminals to implement an SQL-injection attack in the ensuing chaos. This second attack used deliberately malformed requests to crash database programs, thereby giving attackers access to database content. It’s been reported that thereafter the hacker/s demanded a ransom for the pilfered data. A 15-year-old Northern Ireland teenager and 16-year-old West London teenager were arrested and bailed in connection with the fiasco, and subsequently a 20-year-old man has been arrested. Though it now appears the attack was for financial reasons, initial speculation included possible terrorist involvement and an impending cybercrime onslaught from stolen personal data.
TalkTalk has now confirmed that although some bank account details have been accessed, not enough information was stolen for thieves to steal money from customer accounts. Dido Harding, TalkTalk Chief Executive, has stated that the company’s website was hacked, but not its core systems, and says, “none of our customers’ credit card information has been exposed.” This is the third known cyberattack this year on TalkTalk, and the company has been criticised for keeping silent about this most recent attack for more than a day.
“As computing technology has grown in sophistication and power over the years, so has the criminal element that seeks to exploit it. Individual interest groups, religious factions, even entire countries are at work seeking any and every weakness available inside lines of code, forms, executable files and any other seemingly innocuous paths that can lead eventually to disruption, destruction, theft and chaos…” Read Article by Steve Prentice on the rise of sophisticated cybercrime.
With the growing number of DDoS attacks taking down websites and network infrastructures, industry specialists have a host of solutions at the ready. Cloudflare’s layer 3 and 4 protection is designed to absorb attacks before they reach servers, and its layer 7 protection differentiates between harmful and beneficial traffic. F5 Networks’ Silverline provides massive traffic scrubbing capacity, offering protection onsite, in the cloud, or in combination, across layers 3 to 7. Black Lotus’ service focuses on the hosting industry and includes a patent-pending Human Behaviour Analysis technology to improve its service, and Incapsula has received accolades for its DDoS protection, with its global network of data centres providing more scrubbing centres than any other provider.
Data Privacy & Homomorphic Encryption
In a separate debacle, Apple, finding data theft linked with advertiser Youmi, has removed 250 apps from its app store. Developers of these apps were unaware of the breach, caused simply by using Youmi’s service to display ads. Going to significant lengths to hide their activity, Youmi’s attempts to circumvent Apple’s rules and attain unauthorised access to information were not picked up by Apple immediately. Homomorphic encryption is one technique that can protect against applications leaking secure data. It allows computations to be carried out on ciphertext without any decryption occurring. This technique essentially allows applications to ask questions of data without knowing any specifics of the data that forms the answer.
Though the technical tools are available to provide proper protection, people need to be aware of the simple, interpersonal scamming methods that are often the real cause of theft. TalkTalk has stated that no information was stolen that would allow hackers to access customer bank accounts, but many customers have reported theft from their accounts subsequent to the TalkTalk debacle, apparently after giving relevant details to callers supposedly from TalkTalk. Anyone who has any sensitive or personal data connected to any network, and I feel confident saying that’s at least 99.9% of us, needs to educate themselves on IT security. Understanding the risks is still the strongest defence.
By Jennifer Klostermann