I’m currently engaged in a bit of a strange dispute with talkmobile. They’re over-charging me, but for some reason I can’t log in to my account. No problem – they have on-line chat with customer services – how hard can it be to sort out?
Well, it’s proving impossible. They can’t even look at my broken account because I don’t know my date-of-birth. I don’t know my date-of-birth because, for obvious reasons, I don’t give the correct one out willy-nilly to any company that asks for it – only government agencies and my bank. It’s easy enough to find someone’s DOB and it should never be used as a password.
So, there are a number of other dates I use for non-critical purposes. We’ve been through these; it wasn’t one of them.
Stop press – one of the more obscure ones worked, and I’m back in, thanks to the persistence of their help team.
But this is hardly the point; no one should use a piece of information that’s a matter of public record (i.e. on a birth certificate) as proof of identity. Birthdays are commonly found on social networking sites, your employers’ records and quite likely around the office. It’s mad to use it as a password.
So how did this come about? Well, until its purchase by Vodafone in 2015, TalkMobile was a virtual network run by Carphone Warehouse; the same group that owned TalkTalk (see security blogs passim). TalkTalk was split off in 2010, but their culture of security has been questioned in the past; unfairly in my view as they’re no worse than most. What was lacking from inception was any common sense approach to security issues.
Unfortunately, you can no longer visit one of the remaining Carphone Warehouse shops to get these things sorted, which means if you’re locked out of your account there appears to be no way back in. I did threaten to cancel their direct debit rights with my bank; I bet they’d recognise me then!
To add insult to injury, TalkMobile’s representative tried to blame this policy on “The Data Protection Act”. It makes a change from blaming it on migrants, I suppose.
So, the head of TalkTalk (Dido Harding) has received a ransom demand following the latest hack? From a bunch of Islamist gangsters? I don’t think so. Okay, she probably received an email extortion attempt. Several in fact. It’d be form for Islamist gangsters to have a go, amongst the usual suspects. But the idea that whoever is behind the attacks also sent the ransom demand does not sound like the normal MO. It smells wrong to me. Extortion attempts of this kind generally follow a demonstration that the criminals can disrupt a web site, not after a long-term outage.
I get the vibes that TalkTalk doesn’t know what happened, and take everything they say with a pinch of salt. The only certainty is that their web site was toppled. Data theft, or script kiddies? I suspect the latter, actually. They floated the possibility of widespread data theft, which is very responsible of them until it’s figured out what exactly happened. This is a possibility in any attack.
Meanwhile, people are now questioning whether the stolen data (if there was any) was encrypted, and if not, why not. On a live system, data can’t be encrypted. Think about it! This is allegedly a hack of a live system, so the criminals would have access to the same data that the live system would.
This whole story has been hyped up way beyond the facts. No one (including TalkTalk) wants to suggest it may be overblown for fear of being branded irresponsible by a technically illiterate news media and opportunistic politicians. But it smells all wrong to me. How much more embarrassing if it was actually script kiddies getting lucky, rather than the APT being hinted at.
Charles Dunstone’s budget ISP TalkTalk has been hacked again. Yawn. This time it’s big news on TV; the headline story in fact. Their website has been KOed for a couple of days, but it’s back online with a front page showing a different news agenda. They get their feed from AOL (also part of the Carphone Warehouse family), who probably just missed the kerfuffle; there’s no celebrity connection after all. Not yet, anyway.
If you’re a TalkTalk retail customer (or possibly a business customer – who knows how their systems interrelate and what data’s been pilfered), and you’ve used the same password with TalkTalk as on any other sites, change your password on those sites NOW. The popular media is full of speculation as to what’s been compromised but they’re not mentioning passwords, presumably because TalkTalk will have told them that any passwords would have been encrypted. But if the criminals have got hold of the hashes, which is likely, it’s only a matter of time before they crack them.
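To make the point above concrete, here is an added example (mine, not the blog author’s, and nothing to do with TalkTalk’s actual systems) of the audit a defender runs over their own password table: checking every stored hash against a list of known-common passwords. The account names, passwords and the five-entry wordlist are constructed for the demo, and the PBKDF2 work factor is an assumed value. The comparison shows why “the passwords were hashed” is not reassurance on its own: with a fast unsalted hash, one pass over the wordlist covers every account at once, whereas a salted, iterated hash forces the work to be redone per account and per candidate.

```python
import hashlib
import os

# Constructed data: a tiny stand-in for the breached-password lists that
# defenders audit against; real lists run to many millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "football"]

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this demo


def hash_unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: the kind of 'encrypted' that falls quickly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_sample_tables():
    """Constructed sample accounts: two use a listed password, one does not.

    Returns the same accounts stored two ways: {user: sha256hex} and
    {user: (salt, pbkdf2hex)}.
    """
    accounts = {
        "alice": "football",
        "bob": "correct-battery-horse-staple-2015",
        "carol": "qwerty",
    }
    unsalted = {u: hash_unsalted_sha256(p) for u, p in accounts.items()}
    salted = {}
    for u, p in accounts.items():
        salt = os.urandom(16)  # per-account random salt
        salted[u] = (salt, hash_pbkdf2(p, salt))
    return unsalted, salted


def audit_unsalted(table: dict, wordlist: list) -> tuple:
    """Return (accounts whose password is on the list, hash computations done).

    With no salt, hashing the wordlist once serves every account: the cost
    is len(wordlist) regardless of how many users are in the table.
    """
    lookup = {hash_unsalted_sha256(w): w for w in wordlist}
    weak = {user for user, digest in table.items() if digest in lookup}
    return weak, len(wordlist)


def audit_pbkdf2(table: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """Same audit for salted PBKDF2 hashes.

    Every account has its own salt, so each candidate is recomputed for each
    account: len(table) * len(wordlist) PBKDF2 evaluations, each of which
    is `iterations` times slower than a single SHA-256.
    """
    weak = set()
    evaluations = 0
    for user, (salt, digest) in table.items():
        for w in wordlist:
            evaluations += 1
            if hash_pbkdf2(w, salt, iterations) == digest:
                weak.add(user)
    return weak, evaluations


if __name__ == "__main__":
    unsalted, salted = build_sample_tables()
    weak, n = audit_unsalted(unsalted, COMMON_PASSWORDS)
    print(f"unsalted sha256: weak accounts {sorted(weak)} after {n} hashes")
    weak, n = audit_pbkdf2(salted, COMMON_PASSWORDS)
    print(f"salted pbkdf2:   weak accounts {sorted(weak)} after {n} PBKDF2 runs "
          f"({n * ITERATIONS:,} iterations)")
```

Both audits flag the same two accounts; the difference is the bill. The unsalted table is swept with five hash calls however many users it holds, while the salted table costs three accounts times five candidates times the work factor, and that multiplier is what buys the time in which users can change a reused password.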
How worried should customers of other ISPs be? Pretty worried, as on the serious side of the business they’re known as Opal Telecom, a significant LLU operator providing the link between the last mile and the data centre for a large number of Broadband providers.
I can, of course, only speculate as to why this keeps happening to them. One reason might be related to several conversations I’ve had with people from ISPs TalkTalk has taken over along the way. Apparently they really don’t like hard stuff like UNIX/Linux, and within months of a takeover they force a switch to Microsoft before making all the UNIX people redundant. Any fool can use Microsoft – low levels of technical understanding are required, meaning cheap engineers and lower costs. But do their Microsofties actually know what they’re doing? I dare say that some of them do, and some of them don’t. But the bar for a point-and-click Microsoft house is going to be lower.
The ICO has just had a go at TalkTalk for snooping on their customers. Hmm. I wouldn’t be a TalkTalk customer if they paid me so I’m not bothered on that score. But I’m also not worried because I can’t see they’ve actually done anything wrong in this instance.
What they’re accused of is harvesting the URLs of web sites visited by their punters. Reality check: networks log traffic anyway. It’s necessary for maintenance and optimisation. All managed networks do it, all the time. The system the ICO is making a fuss about simply collects the URLs and then sends a malware scanner to the site to check for dodgy stuff so it can blacklist the URL in future.
You can’t scan the whole web for malware; it’d take too long by a spectacular margin. Scanning the relatively small subset of URLs your customers are actually accessing is as good a way of directing your effort as any.
So why’s the ICO making the headlines? Just to show they’re on the ball, I suppose. And TalkTalk makes an easy target. This is probably the first time ever I’ve defended them on any issue.