User comments on ISPs
  >> TalkTalk Broadband

Pages in this thread: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | [9] | 10 | 11 | 12 | 13
Standard User dsergeant
(member) Thu 29-Oct-15 07:10:33

Re: Details Up For Sale
[re: deleted]

The posts on here by edwincluck and others are the only ones that seem to put the whole matter in context. Yes, it does seem a media led campaign to discredit TalkTalk.
(not a TalkTalk customer by the way, I am with Sky thanks to the O2 takeover).

Yesterday I listened to the Money Box Live coverage of this on BBC R4. I might have expected Money Box to give a reasonable coverage to the real risks, but no it was the same media spin. What was not said at all was that the current bout of vishing phone calls are directly related to the first hack late last year - a quick search of these forums and the TalkTalk ones show that these have been going on for a long long time and have nothing whatsoever to do with last week's breach. It does seem that account numbers were leaked at that time - whether they were this time nobody knows. But vishing can be taken care of in several ways:
1. Do TalkTalk regularly phone their customers unless responding to a specific support request from the customer? I assume not; if they call out of the blue it is most likely bogus.
2. Make sure you enable Caller Display and get to recognise obviously faked Caller ID.
3. Also get to know your own phone. Most modern phones will display a little symbol saying that there is an active line and only drop down to the default display (in my case the phone's name I have put in) when the line is clear. It should not be hard to see that the line has not cleared before you dial another number...
4. Never give your bank details or any other personal details to these people.

None of this was mentioned anywhere during the programme; shame on you, BBC.

Not to understate the seriousness of the breaches but media misinformation hardly helps.
Standard User Skilty
(member) Thu 29-Oct-15 09:34:30

Re: Details Up For Sale
[re: dsergeant]

Balanced reporting would actually require the reporter to understand the underlying issues as opposed to supposed experts. The press smell blood in the water and, like the modern-day press, they go in for the kill.

Do I think this is a conspiracy? Nope. Cyber crime and warfare are on the rise simply because the tools are readily available and make it easy for a complete novice to initiate a DDoS attack on any target they like.

Is the inaccurate media coverage stirring up a frenzy about TalkTalk? Yep.

As for speculative trading, no law against it as long as you are not manipulating the price of the stock. If trading firm A wanted to short a position in company B, employed a hacker to initiate a DDoS attack and a data breach and then traded off the back of the ensuing stock market price drop, I think they would be going to prison for quite some time. However it is a fantastic way to wage cyber warfare on telecoms or any other industry that could be of strategic importance...

If I were looking at conspiracy theories I am surprised China has not been mentioned :)

plusnet Unlimited Fibre (FTTC) > Sky Fibre Pro Unlimited. 15ms Ping, Sync ~ 68.93/18.83Mbps
Standard User deleted
(deleted) Thu 29-Oct-15 12:54:49

Re: Details Up For Sale
[re: Skilty]

China has been mentioned in the press. But then a reasonable question was posed: "Why would you do that while your President is getting a very warm reception in the country?"

Standard User deleted
(deleted) Thu 29-Oct-15 22:57:43

Re: Details Up For Sale
[re: Skilty]

In reply to a post by dsergeant:
Yes, it does seem a media led campaign to discredit TalkTalk. (not a TalkTalk customer by the way, I am with Sky thanks to the O2 takeover).

We've been contented TalkTalk customers since it acquired Opal Telecom. For the money, they've been excellent.
In reply to a post by Skilty:
As for speculative trading, no law against it as long as you are not manipulating the price of the stock.

Huh?! That's exactly what short-selling is about. It relies on rumour-mongering in the press to manipulate the stock price.

Short-selling is a vile sector of speculative finance that destroys entire nations. Short-sellers devour mid-caps like TalkTalk as hors d'oeuvres! That's why authorities in Japan, Malaysia, China, USA, and Germany have all moved towards banning or heavily curtailing the practice.

Like much else in speculative finance, short-selling is a relatively new phenomenon; exploding in popularity in the 1970s onwards. People assume it has been around for yonks. It hasn't.

The infamous 1992 Black Wednesday assault on the British Pound by plundering short-seller George Soros, caused the dramatic collapse of our currency. The Man who Broke the Bank of England - perhaps the most notorious short-seller to ever strike our shores.

But until 1973, under the old Bretton Woods system, Soros - and his accomplices - wouldn't have been able to short the pound or any other currency. Before then, exchange rates were fixed, protecting currencies from speculation. Now there are entire trading exchanges, like the ICE, dedicated to (derivatives-based) speculation on currencies, commodities, stocks, and even carbon emissions.

A world removed from the original purpose of the exchanges - the trading of physical goods and commodities between buyers and sellers in the so-called "real economy".
In reply to a post by Skilty:
If trading firm A wanted to short a position in company B, employed a hacker to initiate a DDOS attack and a data breach to then trade off the back of the ensuing stock market price drop I think they would be going to prison for quite some time.

Indeed, but that's quite a flight of fantasy. Do we know that happened; has anyone said it happened?

As mentioned earlier:
In reply to a post by edwincluck:
What's often true in these financial hoaxes - or 'psyops' as they call them - if indeed this is a hoax - is that the hoaxers aim, where possible, to stay within the spirit of the law. Just in case they are rumbled, and the whatnot 'hits the fan'. They don't actually need to hack TalkTalk's system to create mass panic and hysteria. They just create that impression; by using complicit associates in the crooked media to "report" on a successful hack, when in fact there was none... And if ever finding themselves grilled over their activities - they can just point to the "stolen" data as being faked, or based on data already published online anyway.

Which ties in with what dsergeant just said - that the ongoing vishing attacks are using personal data 'acquired' long before this alleged data breach. Examine the Unix timestamps in the "leaked data"; they date to 2011 not 2015.

Besides, we've been suffering these annoying "social engineering" calls, supposedly from "TalkTalk", for years now; attempting to trick us into installing malware. Most interesting is how the data originally fell into these scammers' hands.

Was the theft due to a disgruntled former employee - dating back to 2011 - when TalkTalk absorbed Tiscali and made mass redundancies? Or maybe an outsourced contractor - like the recent theft of records at HMCE / DWP?

Or maybe the alleged thieves were part of a rogue intelligence operation? Expert in security engineering Professor Ross Anderson has warned already of the security risks of installing 'back doors' at telcos; gathering vast amounts of our communications data - including our CRM records - before passing them on wholesale to spooks; who, for sure, ain't all honest.

A million and one possibilities. Always the simplest way to solve any financial crime - if indeed it is a crime - is to follow-the-money. Or as the Romans used to say: Cui Bono?

---

Edited by deleted (Fri 30-Oct-15 06:25:09)

Standard User Skilty
(member) Thu 29-Oct-15 23:46:32

Re: Details Up For Sale
[re: deleted]

If the press are whipping up a panic about TalkTalk and a financial institution shorts their position off the back of that media induced panic that is not manipulation.

Market manipulation is a deliberate attempt to interfere with the free and fair operation of the market and create artificial, false or misleading appearances with respect to the price of, or market for, a security, commodity or currency.


My example or flight of fantasy as you put it was merely an example of very clear market manipulation. Not a suggestion it may have happened or ever will.

As far as I am aware countries like the USA have banned naked short selling which is fair enough. Short selling goes back further than the '70s and actually contributed to the crash in 1929.

I would argue that the collapse of the pound on Black Wednesday was the fault of the government of the day taking us into ERM in the first place. Sophos merely capitalised on something that was inevitable.

At the end of the day it is for the FCA to create the regulatory framework by which institutions trade.

plusnet Unlimited Fibre (FTTC) > Sky Fibre Pro Unlimited. 15ms Ping, Sync ~ 68.93/18.83Mbps
Standard User cheshire_man
(knowledge is power) Fri 30-Oct-15 13:43:59

Re: Details Up For Sale
[re: deleted]

In reply to a post by edwincluck:
....like the recent theft of records at HMCE / DWP?
A minor point, HMCE - Her Majesty's Customs and Excise - hasn't existed since April 2005 when it merged with the Inland Revenue to become HMRC - Her Majesty's Revenue and Customs.

Tony
We have more and more laws, and less and less enforcement
Standard User deleted
(deleted) Fri 30-Oct-15 13:56:12

Re: Full statement on Talktalk attack
[re: hypertony]

http://www.telegraph.co.uk/news/uknews/crime/1196575...
Standard User keith969
(member) Fri 30-Oct-15 14:45:27

Re: Details Up For Sale
[re: deleted]

In reply to a post by edwincluck:
Huh?! That's exactly what short-selling is about. It relies on rumour-mongering in the press to manipulate the stock price.


No it's not. Short selling is just like selling long: you are betting on a company's stock price. Nothing illegal about that unless you have insider info. It's risky as you can lose a lot of money if the stock price goes up. No company likes short selling but the simple fact is that it happens all the time.
Standard User deleted
(deleted) Fri 30-Oct-15 19:38:22

Re: Details Up For Sale
[re: Skilty]

In reply to a post by Skilty:
Sophos merely capitalised on something that was inevitable.

Sophos? A contraction of Soros and Sophist? Very suitable!

Staying in La-La Land -- the jokers at CNN have just heaved out their latest heads-up -- a heavily-revised "victim count" in what was absurdly described earlier as "one of the biggest crimes ever" (!).

Today, CNN quotes a much more relaxed TalkTalk as follows:
[O]n Friday the company said the damage was less than expected. It said the hackers accessed less than 21,000 bank account numbers, less than 15,000 customer birth dates and less than 1.2 million customer email addresses, names and phone numbers. The company also said hackers got hold of incomplete credit card details for [less than?] 28,000 customers."

Precisely how do we quantify all these "less thans"?! As I ever optimistically do my lottery ticket? -- less than seven numbers from winning the Jackpot?!

Still reckoning here that TalkTalk insiders are players too in this seedy stock-bashing scam. In league with the short-sellers; profiteering from 'doing a Ratner' of their own!

--
An aside - while not for a minute claiming expertise in web security --- it's hard to see how encrypting data in a back office SQL database would have helped in the alleged circumstances. Not saying one shouldn't encrypt; just that it wouldn't perhaps have helped -- if indeed there even was a hacker.

These systems always rely on a layered architecture. A back-office SQL database server - MySQL usually - part of what TalkTalk calls its "core system". In front of that sits Apache or IIS, plus a scripting interface for running executable Perl, PHP or Python code.

Responding to a browser request, Apache executes those scripts; to interrogate the SQL database and retrieve the relevant customer records. That scripting plugin generating on-the-fly HTML code. Dynamic info from the SQL query embedded into static HTML code, forming the web page. Finally, that HTML code returned in an Apache response for rendering by the browser.

The point here is that Apache has to deliver those customer records in a form which the human can actually read in his browser window. The customer records must, at that point, be decrypted and in plain-text.

The alleged attack on TalkTalk was purportedly achieved with an 'SQL injection' - a wildcard attack vector or similar. Or that's what TalkTalk initially supposed. A laborious method which doesn't normally expose the database table structures. Yet that's exactly what we can see in the purported "leak" of TalkTalk data on pastebin -- we see the underlying SQL database table structures.

In this case then, much more likely there was no hacker. Probably just a rogue insider who leaked that sample of database content, in particular the table structures; that "leak" forming the backbone of this psyop. Pointing towards an inside job; possibly dating back to 2011 when TalkTalk acquired Tiscali; parting company with 450 staffers; no doubt many of them disgruntled.

---
Of course this is entirely academic, as the count of alleged victims becomes vanishingly fewer. Could we soon learn that TalkTalk never was hacked at all?! Nothing but a seedy stock-bashing hoax run by the hedge funds; with the connivance of our supremely crooked "free press"?

Wouldn't that be a turn-up for the books, ladies and gentlemen?!

edit:

Meanwhile, back in the City - in that square mile of sleaze - we learn that TalkTalk shares have rocketed today -- "shares in the firm closing the week at 253.00, 12.29% above the 52 week low of 225.30 set on Oct 26, 2015" -- what an incredible roller-coaster ride! Remember no one ever made a dime from a stagnant stock!

---

Edited by deleted (Fri 30-Oct-15 20:39:05)

Standard User Skilty
(member) Fri 30-Oct-15 20:24:42

Re: Details Up For Sale
[re: deleted]

Apologies for the typo; it was late and I was rather tired and working on a Sophos UTM at the time.

For some reason you seem to firmly believe that there has been market/stock manipulation here.

Still reckoning here that TalkTalk insiders are players too in this seedy stock-bashing scam. In league with the short-sellers; profiteering from 'doing a Ratner' of their own!


I could go on about n-tier architecture as I have worked on data warehouses and OLTP for over 25 years but I won't.

Suffice to say that there is major benefit in encrypting data in the database for this very reason; it also restricts access to it internally. Regarding the encryption/decryption, one would hope that the employed hardware architecture uses an HSM, but I suspect it was more likely that the keys were stored securely on a server somewhere and read into memory.

You missed one small point: most websites, including TalkTalk (once logged in), use HTTPS. By using HTTPS rather than HTTP, anything transmitted in the message from the server to the client is encrypted. This prevents a man-in-the-middle attack.

If it were simple, a SELECT on the information_schema tables would suffice with sufficient rights, or SHOW CREATE TABLE <table>, or a mysqldump.

If it were Oracle then I would simply query ALL_TABLES, ALL_TAB_COLUMNS and so on. If I gained DBA access then it would be the DBA_% tables.

The assumption being that somewhere the connectivity details to the database itself are stored and that once penetrated I can find it and access the database if the password was not encrypted. Equally it would not take much for a developer to give elevated rights during development or a bug and forget to remove them.

Which is why where I work we operate on the principle of least privilege at all times, to the point that we monitor all internal servers for breaches of that principle. The simple reason being it minimises the attack surface.

I don't go in for the mass hysteria generated by the media, just the facts which are currently being drowned out by inaccurate reporting via printed and online media.

plusnet Unlimited Fibre (FTTC) > Sky Fibre Pro Unlimited. 17ms Ping, Sync ~ 64.05/18.83Mbps - BQM
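An added example, written for this page and not taken from any post in the thread (and nothing to do with TalkTalk's real systems), putting the two posts above side by side: the earlier claim that an SQL injection "doesn't normally expose the database table structures", and Skilty's reply that with sufficient rights a SELECT on the catalogue tables or SHOW CREATE TABLE does exactly that. It uses Python's built-in SQLite; sqlite_master stands in for MySQL's information_schema / SHOW CREATE TABLE, the customer rows and both payloads are constructed for the demo, and an authorizer callback stands in for a least-privilege database account, since SQLite has no GRANT. The injectable and parameterised lookups are shown beside each other.

```python
import sqlite3

# Constructed stand-in for a "core system" customer table. Every value here is
# invented for the demonstration; none of it is real data.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    account_no TEXT NOT NULL,
    email TEXT NOT NULL,
    dob TEXT NOT NULL
);
CREATE TABLE staff_notes (id INTEGER PRIMARY KEY, note TEXT NOT NULL);
"""
ROWS = [
    (1, "ACC-0001", "alice@example.invalid", "1970-01-01"),
    (2, "ACC-0002", "bob@example.invalid", "1985-06-15"),
]

# Constructed payloads. The web tier's query selects two columns, so the UNION
# must supply two as well; sqlite_master.name / sqlite_master.sql play the role
# of information_schema.tables and SHOW CREATE TABLE output in MySQL.
ROW_DUMP_PAYLOAD = "x' OR 1=1 -- "
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE type = 'table' -- "


def make_db():
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    conn.execute("INSERT INTO staff_notes VALUES (1, 'internal only')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The injectable form: user input is pasted into the SQL text."""
    sql = "SELECT id, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """The fixed form: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Least privilege for the web tier's account. SQLite has no GRANT, so an
# authorizer callback (a real sqlite3 API) stands in for a MySQL account that
# holds SELECT on exactly these columns: no catalogue, no other tables, no writes.
ALLOWED_READS = {"customers": {"id", "account_no", "email"}}


def least_privilege(action, table, column, dbname, trigger):
    if action == sqlite3.SQLITE_READ:
        if column in ALLOWED_READS.get(table, ()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
                  sqlite3.SQLITE_TRANSACTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def demo_least_privilege():
    """Run both payloads through the injectable query under the restricted account.

    Returns (rows_from_row_dump, schema_query_denied, write_denied).
    """
    conn = make_db()
    conn.set_authorizer(least_privilege)
    rows = lookup_vulnerable(conn, ROW_DUMP_PAYLOAD)  # allowed columns: still dumps
    try:
        lookup_vulnerable(conn, SCHEMA_PAYLOAD)       # touches sqlite_master: denied
        schema_denied = False
    except sqlite3.DatabaseError:
        schema_denied = True
    try:
        conn.execute("DELETE FROM customers")        # write: denied
        write_denied = False
    except sqlite3.DatabaseError:
        write_denied = True
    return rows, schema_denied, write_denied


if __name__ == "__main__":
    db = make_db()
    print("legit:     ", lookup_vulnerable(db, "alice@example.invalid"))
    print("row dump:  ", lookup_vulnerable(db, ROW_DUMP_PAYLOAD))
    for name, ddl in lookup_vulnerable(db, SCHEMA_PAYLOAD):
        print("schema:    ", name, "->", " ".join(ddl.split()))
    print("fixed:     ", lookup_parameterised(db, SCHEMA_PAYLOAD))
    print("least priv:", demo_least_privilege())
```

The row-dump payload still works under the restricted account, because the web tier legitimately needs those columns; least privilege bounds what a successful injection can reach (no schema, no other tables, no writes), it does not stop the injection itself. Only the parameterised query does that, and the same payloads return nothing through it.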