Tal Talk


Ron2 24 Oct 2015 21:04

It doesn't help with security that a lot of people quite simply ain't a clue. Lots of people either can't be bothered or are not aware that where they've had to sign in/register to visit a site or access their email, they need to SIGN OUT when finished. Quite often they just click on the "X". When I was having probs with Virgin and had to use a PC at the town library, every time I went to log in to Facebook there was the email addy still showing of the previous user - in other words they just "X"'d. Old guy I know, been using a laptop for 3 years, just hasn't a clue and ain't interested. He uses the same simple password for anything/everything and is an "X"er. Talking to a woman one day in the queue at the Build Soc, and she didn't have any security because, as she put it, "I only use it for emails so don't need anti virus"!!! People commonly use family members' names for passwords. There's no such thing as 100% security but...

RolloTheRed 24 Oct 2015 15:24

how they did it

https://en.wikipedia.org/wiki/SQL_injection

usually downloading a database of 4 million records might attract a bit of attention even at TalkTalk; therefore before making the SQLi attack the hackers hit TalkTalk with a DDoS attack which put their web and email servers out of action. The tech staff were so busy dealing with that they didn't notice the data theft.

the tactic of hitting the enemy on the blind (bling heh heh) side is well documented right back to the Punic wars between Carthage and Rome and is of course much used by rugby and soccer football teams.

maybe the strongly held idea of the general public that the computer geek fraternity should get out and about a bit more is bang on the button.

I guess we will soon see on their web site a crowd funding address of where to send your banana donations.
:-D

BrendafromWales 24 Oct 2015 15:01

My friend on TT has been hacked... she was taken in by a phone call that sounded so genuine. She is not usually so gullible.

She had £271 pounds taken by Western Union, which I believe is a way of transferring money internationally. She contacted her bank and they have been good and she hasn't lost it, but she did say that when she was online on her computer, a line came down and wiped her computer clean, so it was hacked and she lost her photos and other contact details.

I am with TT and so far all is OK, but I don't do online banking, which I have always been wary of... my friend isn't thinking of leaving as now this has happened it should be more secure... and it could happen to any other provider.
Her bank did say that the hacker starts off with an unusual amount or a small one so that you think with it being an odd number that it won't be hacked... before really hitting it.

+++DetEcTive+++ 24 Oct 2015 13:18

You do not know my relative's background, previous employment and training – I do ;-)

RolloTheRed 24 Oct 2015 13:09

The trouble with IT support managers is that they tend to believe in the adult equivalent of fairy stories; these are the people primarily responsible for all the endless breakdown of security which is very close to making the internet unfit for purpose.

Most of them have crawled into their jobs starting from IT support desks with jolly firms such as Dixons or Egg or a UKGov support contract. They have never written a line of serious code and could not understand it anyway. Even for systems support and config they are nowhere without a point 'n click UI. The house motto is "if it ain't broke don't fix it".

It is a mathematical paradox that a password of sufficient length is easier to crack - this is due to the nature of digital generation of not-truly-random numbers and deliberate errors in the RSA algorithms used in commercial software. Or as the Americans would put it, what goes round comes around.

The hoary old line that it would take a zillion years and a zillion IT support managers to break a password with their pocket super computers is wrong. The computational power in the sort of rig typically set up for Bitcoin mining can break the typical commercial password in minutes at worst and often far more quickly if such strings as "FidoBarks" are included. The sort of supercomputers installed at FoggyBottom and Shanghai suburbs can pull it off far more easily.

The single most useful thing that any person or organisation can do to improve on its software security is to stop using Microsoft products and Android OS.

Microsoft Windows is constructed from the ground up in such a way as to make it insecure. Most govt & commercial security is still relying on discredited GINA though to be fair to Microsoft SWIVEL is a lot better. It is just that IT support managers tend not to have budget/able to get their heads around it. Poorly understood half implemented IT security is an accident waiting to happen as at TalkTalk.

The single most useful thing that governments could do to improve internet security is to mandate IPv6 over the current IPv4. Unfortunately this is unlikely to happen as it would make the mass surveillance popular with GCHQ far more difficult to carry out.

I noticed on Newsnight last night that UKGov have built a hackers centre in Manchester and have invited quite a few of the top UK hackers to play with the toys there rather than getting a report from, say, top IT support managers. Somebody is "getting it" then.

maggiewinchester 24 Oct 2015 12:22

I'm with Talk Talk. Have been since it was Tiscali.
I went to log into my account - which I rarely do - and realised the e-mail address and password used are only used, by me, for them!!
I haven't used that e-mail address for nigh on 10 years.
There were no suspicious e-mails either, just a lot from Find My Past and Harley Davidson - I've not been a member of FMP, nor contacted Harley Davidson for 10 years.
At least this means, if any wrong-doing is done using this e-mail, I'll know it's through Talk Talk and not me being 'lax'!

+++DetEcTive+++ 24 Oct 2015 12:16

Not according to the relative - he is an international IT support manager and has worked for several high-profile firms. He'd disagree with you.

"... it's long, complex, easy to remember and would take a supercomputer about 50,000 years (not an exaggeration) to crack."

"If I use the password 'Johnny' without quotation marks, a brute force program will get it in about 5 seconds. If I use 'Johnny123' it would take a few hours."
[names have been changed]

RolloTheRed 24 Oct 2015 12:09

passwords such as "LittleJosephis112%adorable" are dead ez to break.
passwords all random digits of 16 chars require a modicum of power and force - there are plenty of free apps which will generate them. Of course such passwords are impossible to memorise so people write them down on Post-its which are stuck under the desk, back of the screen and so on, save them in text files, browser saved passwords list ...

yeah, passwords are an utterly crap form of security and a big factor in computer insecurity but not the largest one.

Barclays have a handy little gadget which generates one time passwords. It is safe to use online. Otherwise if you must use online banking ideally use a dedicated computer or if that is not possible a dedicated login for banking, utilities and such. Yes, this is a bit tedious but not as tedious as having yr account hacked.

Try and avoid using yr real debit card/credit card online. A good way around is to use a secure third party such as PayPal or Barclays' PingIt. Another method is to get a moneycard which have VISA type numbers and card code for transactions and top up the moneycard as needed. This is an especially good way to deal with dodgy shops and restaurants as well as online.

Quite why large orgs store data in what is essentially a flat file I can only guess. They avoid encryption because it takes significant computer power and it is far from unknown for the passwords to be lost or compromised.

Don't feel smug if you don't use TalkTalk. All of the others could be hit in much the same way at any time.

fwiw TalkTalk accounts are already receiving messages on their mobile phones purporting to be from their bank asking them to ring up and "secure their accounts". The numbers in the sms are not those of any bank but will connect them to one of the nasty we-will-take-all-yr-money scams. Those most vulnerable are the least likely to check.

:-(

The easiest way to get a system password within a large organisation is (a) look under desk, back of screen etc or (b) just ask a human for it.

BT OpenReach who runs the UK's digital background are installing a lot of Huawei equipment which is made in the Chinese republic. TalkTalk home routers come from the same firm. Just a thought.

+++DetEcTive+++ 24 Oct 2015 11:38

On the subject of passwords, a relative suggested using a phrase relating to a family member such as

LittleJosephis112%adorable
ImMoggsNumber1sServant

They are a mixture of upper and lower case letters, numbers and characters

Mayfield 24 Oct 2015 11:17

It's all gonna come crashing down one day!

I had a problem with my Barclaycard yesterday: a site would not accept it for "that currency" on a UK site paying in UK £.
I assumed the fault was with the site but to be safe I rang Barclaycard this morning.

"Sorry we are experiencing technical difficulties and will be unable to deal with your inquiry for at least two hours.................."

Oh dear! :-(

Bobtanian 24 Oct 2015 08:30

so what's the point of having say a 15 character password that is relatively easy to remember?

if it can be got hold of that easily?

LindainHerriotCountry 23 Oct 2015 23:34

I finally got my email from Talk Talk, delivered to my spam folder.

It doesn't tell you anything which hasn't been on the news already.

Ron2 23 Oct 2015 20:38

Wot a mess. This link might be of help to those who use TT

http://www.bbc.co.uk/news/technology-34615692