TalkTalk breach: Hackers target TalkTalk with combined DDoS and SQL attacks
By Kevin Foster, Testing Services Manager at MTI Technology - 13 November 2015
TalkTalk is recovering following a website breach by attackers. The hacking of the company’s website resulted in the extraction of sensitive customer data; however, TalkTalk believes its core systems remained protected.
What is the impact on customers?
TalkTalk revealed that the percentage of the data accessed is lower than anticipated:
- Fewer than 21,000 unique bank account numbers and sort codes
- Up to 28,000 obscured credit and debit card details
- Around 15,000 customer dates of birth
- Fewer than 1.2 million customer email addresses, names and phone numbers
There is, however, potential for follow-up phishing attacks on TalkTalk customers as a result of exposing the details of 1.2 million email addresses and partial personal information. These are likely to happen in the coming months as customers settle back into a normal routine.
It is therefore important for customers to stay vigilant. Do not provide any personal information over the phone unless you are certain who you are speaking to and who will receive that information.
How did it happen?
According to reports, attackers flooded the website with a distributed denial of service (DDoS) attack. DDoS attacks often act as a diversion to mask the real nature of a breach: in this case, traffic from the DDoS overwhelms the system while an underlying SQL injection attack extracts customer data.
An attacker uses SQL injection to feed malformed commands to a database program via a form field, input box or value in a URL. When the commands succeed, the cyber-criminal can extract data from within the database.
With an SQL injection attack, an attacker sends commands through an insecure application to the database and receives the responses. These requests can read or extract customer details; they can also edit and, in some cases, delete customer data. The same method can give the attacker command-level access on the database server, paving the way for attacks on other internal computers.
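The lookup described above, written out in its vulnerable and hardened forms side by side, as an added example that is not code from the original article or from TalkTalk's systems. It uses Python's built-in sqlite3 module against a constructed three-row customer table; the table, the email lookup and the sample input value are all assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory customer table standing in for a real one.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice", "07700 900001"),
    (2, "bob@example.com", "Bob", "07700 900002"),
    (3, "carol@example.com", "Carol", "07700 900003"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, name TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the user-supplied value is spliced into the SQL text.

    A value taken from a form field or URL parameter becomes part of the
    statement itself, so SQL syntax inside the value changes what the query does.
    """
    sql = "SELECT id, email, name, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """HARDENED: the value is bound as a parameter and never parsed as SQL.

    The database receives the statement and the value separately, so the
    value can only ever be compared against the email column.
    """
    sql = "SELECT id, email, name, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal value and with a malformed one.

    Returns the row counts as (normal_vuln, normal_hard, malformed_vuln, malformed_hard).
    """
    conn = make_db()
    normal = "bob@example.com"
    # A malformed value of the kind the article describes: it closes the string
    # literal, appends an always-true condition and comments out the rest.
    malformed = "' OR 1=1 --"
    return (
        len(lookup_vulnerable(conn, normal)),
        len(lookup_hardened(conn, normal)),
        len(lookup_vulnerable(conn, malformed)),   # every row is returned
        len(lookup_hardened(conn, malformed)),     # no email equals that literal string
    )


if __name__ == "__main__":
    print(demo())  # (1, 1, 3, 0)
```

The only difference between the two functions is whether the value travels inside the SQL text or beside it as a bound parameter; the same input that returns the whole table from the first returns nothing from the second. This is the coding-level control behind the secure development lifecycle guidance later in the article, and a penetration test of the vulnerable form would surface it quickly.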
How could TalkTalk and other organisations have protected themselves better?
Conducting regular penetration tests can help highlight any areas of weakness within systems. Regular testing is essential practice when major changes occur at the network, operating system (OS), server, and application level.
Many organisations are vulnerable to SQL injection attacks. Following the guidelines below will help protect companies better against such an attack:
- Ensure web applications are coded in line with a secure software development lifecycle. Vulnerabilities described in the OWASP Top 10 and SANS/CWE Top 25 should also be addressed during the application development process.
- Ensure web applications and all externally visible hosts are tested by a qualified external penetration testing organisation on a regular basis. This should be undertaken at a network, server and application level and any issues should be addressed as soon as possible.
- Use web application firewalls (WAFs), intrusion detection and prevention (IDS/IPS) and data leakage prevention (DLP) solutions at your perimeters, in conjunction with DDoS solutions, not as an alternative to them. Used together, these can detect and block attacks and prevent certain types of data from leaving the business (e.g. credit card numbers, National Insurance numbers).
- Use encryption to help protect sensitive information. Encrypting information stored in file shares or databases provides an extra layer of security.
- Keep all software patched and up to date with the latest stable releases. This helps address known security vulnerabilities.
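A small detection pass of the kind the perimeter tooling in the guidelines is expected to perform, covering the "DDoS as a diversion for SQL injection" pattern described earlier in the article. It is added here as an example and is not taken from the original article or from any vendor product. It parses constructed web-server access lines (combined log format, with invented addresses and timestamps), URL-decodes each request target, flags query strings that carry SQL syntax, and counts requests per source address so that a flood of repetitive traffic and the few injection attempts hidden inside it are reported separately. The log lines, indicator patterns and field names are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines in the common "combined" format.
# Addresses, times and requests are invented: a burst of repetitive GET /
# requests from two addresses and three requests from a third, two of which
# carry SQL syntax in the email parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Oct/2015:16:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Oct/2015:16:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Oct/2015:16:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Oct/2015:16:02:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:16:02:02 +0000] "GET /account?email=bob%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:16:02:03 +0000] "GET /account?email=%27+OR+1%3D1+-- HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:16:02:04 +0000] "GET /account?email=x%27+UNION+SELECT+1%2C2-- HTTP/1.1" 200 88012 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Oct/2015:16:02:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# One regex per indicator; the names are ours, chosen for the report.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),          # e.g. ' OR 1=1
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # UNION-based reads
    ("sql-comment", re.compile(r"(--|/\*)")),                            # truncates the real query
    ("stacked-statement", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
]

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)


def parse_line(line):
    """Split one combined-format line into the fields the analysis needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target,
            "status": int(status), "bytes": 0 if size == "-" else int(size)}


def sqli_indicators(target):
    """Return the indicator names that match the URL-decoded request target."""
    decoded = unquote_plus(target)  # %27 -> ', + -> space: encoding must not hide syntax
    return [name for name, pat in SQLI_PATTERNS if pat.search(decoded)]


def analyse(log_text):
    """Count requests per source and list requests carrying SQL syntax.

    The two measures are deliberately independent: a volume spike from a flood
    must not stop the content check from reporting the handful of requests that
    matter, which may come from a different address altogether.
    """
    per_ip = Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        hits = sqli_indicators(rec["target"])
        if hits:
            alerts.append({"ip": rec["ip"], "target": rec["target"],
                           "indicators": hits, "bytes": rec["bytes"]})
    return {"requests_per_ip": dict(per_ip), "sqli_alerts": alerts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, n in sorted(report["requests_per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} requests")
    for a in report["sqli_alerts"]:
        print(f"SQLi indicators {a['indicators']} from {a['ip']}: "
              f"{a['target']} ({a['bytes']} bytes returned)")
```

Two design points carry over to real tooling. Decoding happens before matching, because the syntax the guidelines want a WAF or IDS to stop is routinely percent-encoded in transit. And the volume counter and the content inspection never share a threshold, so the address generating the most requests is not assumed to be the one doing the damage; in the sample the flood and the injection attempts come from different sources, and the unusually large response sizes on the flagged requests are the kind of signal a DLP control would act on.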