Monday, October 26, 2015

TalkTalk Hack: Leaves 400K Customers as Latest Victims in Identity Theft

“Names, records, bank details, and dates of birth: the full extent of the breach,” say Paul Sandle and Erich Auchard of Reuters, “has yet to be discovered, but the potential is huge, affecting up to 4M customers.”

The breach happened on Wednesday, October 21st, and resulted from a cyber attack characterized by the BBC as a Distributed Denial of Service DDoS.

TalkTalk immediately pulled down all its websites and began a full on investigation that included London’s Metro Police Cyber Crime unit.

Email servers returned to operation that afternoon, once the provider was confident their email had not been compromised.

In an October 23rd BBC News interview, TalkTalk chief executive, Dido Harding, announced the breach.

Customers learned of the breach through BBC news, a blast email, and regular mail. To compensate victims, TalkTalk is providing 1-year of free credit monitoring.

Harding, who is also a TalkTalk customer, is encouraging customers do the following:

-- to change passwords
-- to take advantage of the credit-monitoring service
-- to report any suspicious activity
-- not to disclose passwords or personal details

“Customers have expressed their frustration,” reports Rory Cellan-Jones, of the BBC, “with what is the third cyber-attack to affect TalkTalk over the past 12 months.”

Sadly, “the database in question appears related to customers who have recently undergone credit checks for new service with the company.”

It sounds painfully similar to the T-Mobile Experian Breach that took place earlier this month. Saturday, Reuters reported criminals unable to steal money.

Cybercrime Syndicates
Krebs on Security learned from an anonymous source “the hacker group responsible for the breach is demanding £80,000 ransom—payable in Bitcoin. The group provided customer database tables as evidence.”


Image Courtesy KrebsonSecurity
A number of collectives are claiming responsibility for the breach, but neither law enforcement nor TalkTalk have released names of potential suspects.

You can get a good look at how developed syndicates have become by checking out this link Krebs posted to the AlphaBay dark market thread on Reddit.
The group outlines incentive levels for vendors.

They propose exit strategies for selling hacked data, including how to follow chain of custody for encryption keys.
Our Current Advanced Threat Landscape

Firewalls and password encryption can only take you so far.

Paolo Passeri of Hackmageddon, provides a timeline for the Malware Evolution.  This slide appears in a recent presentation, Multi-Layered Approach Against Advanced Threats.

Evo of Malware Hackmageddon.png

Image courtesy CISCO and Hackmageddon
Notice the emergence of Spyware and Rootkits in 2005. This is how criminals do recon.

Spyware: software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.

Rootkit: a set of software tools that enable an unauthorized user to gain control of a computer without being detected.

Notice API Crime as a Service. CaaS equals syndication.

Shifts in the Security Paradigm

The attack surface paradigm has shifted from defense penetration to user manipulation models. We still do penetration testing, but it’s a bigger perimeter.

An access point for cloud-based email may be an Internet café. An access point for CRM may be the WIFI in a hotel.

These days the threat starts from the inside—hence, social engineering and insider threats. Hackers identify so many different vulnerabilities, the strategies to infiltrate are almost endless.
Attack Strategy

Kill Chain.png

Image courtesy CISCO and Hackmageddon
Recon: Spyware and Rootkits [over months]
Launch: DD0S used as a smoke screen
Exploit: Compromises weak area
Install: Can be as simple as spear phishing
Breach: Take what they want
Persistence: Months or years*
Verizon Data Breach Report.png

Image courtesy Verizon, CISCO and Hackmageddon.
The average timeframe of Discovered Breaches in Passeri’s model is 256 days, and comes from a Ponemon Institute | Verizon Data Breach report dated 2015.

Most breaches are never discovered.

The reality today is that the threat is already inside your network. You’ve got to take steps to make sure you know exactly when, where and how as soon as possible.
TalkTalk Breach – Day 5

The exact vulnerability the hackers exploited has not yet been publically announced. Our hearts go out to the victims and to TalkTalk.

But one TalkTalk customer believes the criminals hacked the broadband provider months ago.

Prior to the Hack announcement, the customer received a fraudulent call from someone claiming to be with TalkTalk. The scammer had all of the customer details including account and phone number.
The customer convinced the fraudster to call him back and made a quick call to TalkTalk. The broadband provider did not act to investigate the lead.

Breaches are never fun. Cleanup is tedious and painful. This being the third breach in 12-months, TalkTalk is definitely up for some security strategy updates.

Judging from the customer outrage and the scathing interviews that Dido Harding is getting, BAE’s findings can’t come too soon.

To learn more about breach detection and penetration testing, reach out one of our staff.

No comments: