Paul Moore
Security consultant, researcher & CISO at Icebook.
Value security? Avoid TalkTalk.


Update 18/10/2014:

TalkTalk have now upgraded their SSL configuration, providing a much healthier "A-" on Qualys. More importantly, it's now PCI compliant.

--

Cheap viagra, cialis & diet pills

I could benefit from a diet pill or two, but I'm pretty sure my Dad isn't the source of this unbeatable offer.

His TalkTalk email's been hacked!

Trouble is, he runs 1Password, so his passwords all look like this:
ls!4ahivKH=:wOMSkY>tM6_L/?n#3}?mWHTIqP5Fe10HSl

I'm damn sure our resident hacker didn't guess the password and the PC is free of any obvious security issues.

So, how did the attacker get in?

TalkTalk Registration

We're off to a great start!

No HTTPS = no encryption... so we can not only alter the page (to request the full card number) but also read the information whilst in transit.

TalkTalk Sales & MyAccount

Credit where it's due, they've tried to make some aspects of the site secure. Just a shame they've done an awful job of it.

What's PCI compliant?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
Source: https://www.pcicomplianceguide.org/pci-faqs-2/#2

In other words, TalkTalk shouldn't be processing card payments online!

Pitiful SSL/TLS

  1. SHA1 signatures on the leaf, chain & root.
  2. Support for 40/56-bit ciphers!
  3. No NPN
  4. No HSTS
  5. No Forward Secrecy
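The five findings above are the sort of thing a scanner report hands you; turning them into a repeatable check is straightforward. The following is an added example, not code from the post or from TalkTalk, that assesses a constructed, scanner-style summary of a server's TLS configuration (certificate signature algorithms, offered cipher suites, NPN protocols and response headers) against exactly those five points. Both the weak and the hardened configurations are constructed for illustration and are not TalkTalk's real settings.

```python
import re

# Constructed scanner-style summaries of a server's TLS configuration.
# The values are illustrative and not taken from TalkTalk's real servers.
WEAK_CONFIG = {
    # Signature algorithm of each certificate: leaf, intermediate, root.
    "cert_signature_algorithms": ["sha1WithRSAEncryption"] * 3,
    "cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",   # 40-bit export-grade suite
        "TLS_RSA_WITH_DES_CBC_SHA",         # 56-bit single DES
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
    "npn_protocols": [],                    # nothing advertised via NPN
    "response_headers": {"Server": "Apache"},
}

HARDENED_CONFIG = {
    "cert_signature_algorithms": ["sha256WithRSAEncryption"] * 3,
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
    "npn_protocols": ["http/1.1", "spdy/3.1"],
    "response_headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
}

CHAIN_POSITIONS = ("leaf", "intermediate", "root")
# Suite names with 40- or 56-bit effective key strength: export-grade suites
# and single DES. "_DES_CBC" deliberately does not match "3DES_EDE_CBC".
LOW_STRENGTH = re.compile(r"EXPORT|_40_|_DES_CBC")
# Ephemeral (EC)DH key exchange is what gives a suite forward secrecy.
FORWARD_SECRECY = re.compile(r"_(EC)?DHE_")
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months, a common minimum for HSTS


def hsts_max_age(headers):
    """Return the max-age from a Strict-Transport-Security header, or None."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def assess_tls(config):
    """Return a list of findings mirroring the five points in the post."""
    findings = []

    sha1_at = [pos for pos, alg in zip(CHAIN_POSITIONS,
                                       config["cert_signature_algorithms"])
               if "sha1" in alg.lower()]
    if sha1_at:
        findings.append("SHA1 signatures on: " + ", ".join(sha1_at))

    weak = [s for s in config["cipher_suites"] if LOW_STRENGTH.search(s)]
    if weak:
        findings.append("40/56-bit cipher suites offered: " + ", ".join(weak))

    if not config["npn_protocols"]:
        findings.append("No NPN: server advertises no application protocols")

    max_age = hsts_max_age(config["response_headers"])
    if max_age is None:
        findings.append("No HSTS header")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age too short: {max_age}s")

    if not any(FORWARD_SECRECY.search(s) for s in config["cipher_suites"]):
        findings.append("No forward secrecy: no ECDHE/DHE suites offered")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {assess_tls(cfg) or ['no findings']}")
```

The weak configuration trips all five checks; the hardened one trips none. The cipher-suite patterns work on IANA-style suite names, so output from a different scanner may need its names mapped first.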

TalkTalk Webmail

He's recently returned from a holiday abroad, during which he checked his email. Could this be the cause?

No encryption on login...

No encryption after you've logged in...

... and if you try and force it, you find they don't support encryption at all.

So you've no choice but to leak your username & password in plain text.

I don't use webmail, am I safe?

Nope.

TalkTalk don't support encryption on incoming mail... so if you check your email from a mobile/PC client, you're still leaking your details.

Bingo! A quick scan of the email log reveals the first login came from a foreign IP, owned by the resort in which they stayed.
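The check that cracked this case, reading the mail login log for the first login from an unexpected address, is worth having as a script. The following is an added example, not the post's own code, that scans constructed log lines loosely modelled on a Dovecot-style login log. It flags the first login for each user from an address outside a set of trusted networks, and separately flags every login that arrived without TLS, since those are the sessions in which the password crossed the wire in plain text (the point made about IMAP/POP clients above). The log lines, user names and networks are all constructed; the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines loosely modelled on a Dovecot login log. The addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 01 08:12:03 mail imap-login: Login: user=<dad@example.test>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Oct 02 19:45:10 mail pop3-login: Login: user=<dad@example.test>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
Oct 09 14:02:51 mail imap-login: Login: user=<dad@example.test>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10
Oct 09 14:03:12 mail imap-login: Login: user=<dad@example.test>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10
Oct 10 09:30:00 mail imap-login: Login: user=<mum@example.test>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
"""

# Networks this household's logins are expected to come from (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>imap|pop3)-login: Login: "
    r"user=<(?P<user>[^>]+)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+), "
    r"lip=[\d.]+(?P<tls>, TLS)?"
)


def parse_logins(text):
    """Yield one dict per successful login line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["tls"] = d["tls"] is not None      # trailing ", TLS" marks a protected session
            d["rip"] = ipaddress.ip_address(d["rip"])
            yield d


def scan_logins(text, trusted=TRUSTED_NETWORKS):
    """Return alerts in log order: the first login per user from an address outside
    the trusted networks, plus every login whose credentials travelled without TLS."""
    alerts = []
    seen = defaultdict(set)  # user -> remote addresses already observed
    for login in parse_logins(text):
        user, rip = login["user"], login["rip"]
        foreign = not any(rip in net for net in trusted)
        if foreign and rip not in seen[user]:
            alerts.append(f"{login['ts']} first login for {user} from untrusted "
                          f"{rip} via {login['svc']}")
        if not login["tls"]:
            alerts.append(f"{login['ts']} plaintext {login['method']} login for "
                          f"{user} from {rip}")
        seen[user].add(rip)
    return alerts


if __name__ == "__main__":
    for alert in scan_logins(SAMPLE_LOG):
        print(alert)
```

On the sample data this reports the first 203.0.113.77 login once and both plaintext logins. Whether a "foreign" address is the owner on holiday or someone who captured the credentials on the way is the question the post answers by checking who owns the address; the script only narrows the search.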

TalkTalk Password Security (or lack thereof)

Some phrases are like a red rag to a bull. TalkTalk's frequent use of "password reminder" is one such phrase, as it's usually a good indication they store passwords insecurely.

Cue Twitter.

OK, so there's a password for the account... that's fairly commonplace and is only used to verify you during a call. I was convinced TalkTalk had access to email passwords too, so I pushed for further info.

No hashing, no encryption... it's available to staff in plain text! So much for "Fort Knox" levels of security!
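The reason a "password reminder" is such a reliable red flag is that a service which hashes passwords properly has nothing it could remind you of. The following is an added example, not the post's own code or anything TalkTalk runs, of what such a service actually stores: a salted PBKDF2-HMAC-SHA256 record from which a login can be verified but the password cannot be read back, so the only recovery path it can offer is a reset. The work factor and record format are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor for new records. Raise it over time; old
# records are detected by needs_rehash() and recomputed at next login.
ITERATIONS = 600_000


def store_password(password: str) -> str:
    """Return the record a service keeps: algorithm$iterations$salt$hash.

    A fresh random salt per user means two people with the same password get
    different records, and nobody can precompute a table that covers everyone."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join((
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ))


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    This is all the service can do with the record: answer yes or no to a
    candidate. There is no function that turns the record back into the
    password, which is why a reminder cannot be sent."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    return hmac.compare_digest(expected, actual)


def needs_rehash(record: str) -> bool:
    """True if the record was made with a lower work factor than today's ITERATIONS,
    so it should be regenerated the next time the user logs in successfully."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password(record, "correct horse battery staple"))
    print("wrong password:", verify_password(record, "correct horse battery stable"))
```

Support staff who can see this record see a salt and a digest. Anyone who asks them for a "reminder" can only be offered a reset, and a service that does offer reminders is telling you it kept something it could read.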

As regular readers will know, I responsibly disclose issues like this. The process is usually time-consuming and occasionally quite expensive, but once you reach the right person, it usually pays off.

TalkTalk, on the other hand, were an exception. Not only was it incredibly difficult to reach the right person, but when I eventually received a call from the CEO's office, the response was aggressive, defensive and dismissive.

I began outlining some of the above to Mrs Joanne Wilkinson, Manager at the CEO's Office. To my surprise, it quickly became clear she didn't want to hear it. Instead, she rebutted with the following comedic quotes...

"We're squeaky-clean on security"

"we're audited every week by the ICO"

"it may not be up to your standards, but it's up to ours"

"I'll pass your comments on but there'll be no outcome or action taken as a result"

I'm very rarely speechless... but honestly, I wasn't expecting that! It's one thing saying it during a call, but would she put it in writing?

You bet.

I use TalkTalk for my primary email address.

Move elsewhere. Seriously...

Chances are, you've given that email address to countless sites: banks, shopping, PayPal, Facebook, Twitter etc. Forget long & strong passwords for a moment... the safety of those accounts depends almost entirely on the safety of your email account. Remember where those password reset requests end up...

If you use your TalkTalk password anywhere else, change it immediately.

Summary

This "squeaky-clean, weekly-audited" Telco is about as bad as it gets. Shocking security, shambolic customer service and, as they've made abundantly clear, no interest in constructive criticism.

Talk(Talk) is cheap, security is expensive... and never the twain shall meet.
