Friday 23 October 2015

TalkTalk data breach

TalkTalk is a large UK based telecommunications company. It has approximately 4 Million subscribers of Internet access, pay TV/IPTV and mobile phone services across the country.

TalkTalk (I will abbreviate to TT for the purposes of this post) has been subject to public scrutiny through the media after being subject to a number of hacking and fraud related incidents in recent years.

On Wednesday 21st October the TT home page and sales website(s) (sales.talktalk.co.uk and talktalk.co.uk) were reportedly DDoS'd resulting in the TT websites going down.

It would appear that this was either a diversionary tactic or possibly a method to leverage access to TT's SQL server(s). This is my own summation given the facts - details of this kind have not been confirmed, by nature of this being an on going investigation.

TT's own homepage reported on Thursday 22nd October that an investigation into the DDoS'ing and simultaneous database raid had been opened by the (London) Metropolitan Police Cyber Crime Unit (MPCCU). It would appear that the MPPCU is leading the investigation, possibly in-stead of the National Crime Agency National Cyber Crime Unit (NCCU).


Pastebin


As is often the case with data breaches, sample data is often posted to Pastebin by the attackers as evidence of the raid. A search conducted today on Pastebin (and since reported in the media) revealed a paste titled "TalkTalk Database list" submitted on Thursday 22nd October by a "guest" on the service.

The paste lists 64 "available" databases, which from this limited information I am presuming are for customer related services and back-end records and products and services. These details have not been confirmed as genuine - as this could only be confirmed by TT themselves.

On the same day, another paste was submitted titled "Message from TalkTalk Hackers", also submitted through a "guest" account (again not confirmed as genuine).

The paste appears to take responsibility for the attack. Written in broken English it begins with "Statement To: Th3 W3b Of H4r4m ~" - Haram being an Arabic term for any act that is forbidden by god. That sentence could therefore mean that the Internet itself (or parts of it) are forbidden by god. This could indicate that TT was (in part) targeted due to being an ISP?













The paste also goes on to state that the individuals taking responsibility for this attack are from "The Soviet Russia". It would appear that the justification of this attack is of political/religious ideologies.

Instinctively it is difficult to link the nature of this raid with a statement such as this. However the timing fits.


Sample Data Analysis


The statement continues with a three samples of the stolen data (which I have not included). the first sample claims to be from a "password change log". 28 rows of data are shown under the following column titles: message, log_timestamp, email_address.

The message column shows only "Update Submitted" which would be consistent with a password change log. The log_timestamp column however shows rows of 10 digits which immediately wouldn't (atleast to me) indicate a time stamp, however this may simply be due to implementation of the database.
[EDIT] I have since been informed that a 10 digit time stamp such as this would likely be in epoch time. As a result the time stamps in this sample are all from 1500hrs (+/- 2mins) July 2011. Credit and thanks to basically_asleep.


The last column lists email addresses (all @tiscali.co.uk), this could be evidence of TT data due to tiscali (previously an ISP) merging with TT in 2009.

The secound sample claims to be "Order Identifier Data" this includes the following columns idType, idValue, onlineOrderId, onlineOrderIdentifierID, createdOn, lastUpdated, SGOMappingType. The sample data includes email address from various email providers, a time stamp and what appear to be various ID numbers. Curiously all of the time stamps are from 6th July 2012 between midnight and 01:49 am.

The third sample is titled "Order Data: (Bank Info Removed For Pastebin)". The columns are SIMO_ORDER_ID, SIMO_HISTORY_ID, STATUS, REQUEST, RESPONSE, CREATED_ON.

This sample is more concerning, it appears to contain 2 entries consisting of multiple key value pairs. These entries appear to be for only two separate customers with sequential order IDs. This information contains the customers first and last name, date of birth, telephone number, email address, bank sort code, bank name and account number marked  "REMOVED", home address and post code.


Ransom


On Friday 23rd October it was reported by the media that the TT CEO had received an email containing a ransom from a group purporting to be the attackers. No further details of this ransom have been made public at this stage.

If indeed the ransom is genuine, a ransom would not seem consistent with the Pastebin statement. My rationale behind this is that the attackers would most likely make their demands at the point of publicly taking responsibility rather than to do it almost a day after the attack and privately to the CEO.

It also happens that the CEO of TT had been addressing the media through-out the day and was highly visible to the public. It could be that the ransom email was an attempt from an un-associated group to extort money from TT while the identity of the attacker remained unconfirmed.

Of course, in the absence of any concrete details, this is pure speculation over the nature of the ransom.

None the less, this is a significant data breach, potentially impacting millions of customers and severely damaging TT reputation. However with the ever growing rate of computer enabled extortion, and the alleged amount of cover-ups by companies who are victims of extortion, TT have taken the correct course of action by going public straight away. This at least gives their customers the opportunity to attempt to protect themselves against some of the threats they are likely to be exposed to due to this data breach.

I have deliberately not provided links to the Pastebin pages that I have discussed in this post. Great care has been taken to discuss the example data in general terms and to not reveal any personal details that may have been released by the individuals claiming responsibility for this hack.
The example data I have analysed is openly available to the public through pastebin.com.