Inquiry into TalkTalk hack has its own web security issue

Graham Cluley


Oh dear.

The UK Parliament’s Culture, Media and Sport Committee has launched an inquiry “into cyber security following the recent cyber-attack of TalkTalk’s website.”

[Image: Parliament inquiry]

Nothing wrong with that, of course.

And the committee is inviting those with opinions to send in their submissions by November 23.

Ok, that sounds fair enough.

But… do you see something amiss when you go to the form where you are supposed to submit your information?

[Image: Submission form]

Yes, that’s right. The webpage doesn’t use HTTPS.

In other words, anything you enter onto the page, and the files you attach, *could* be intercepted by someone snooping on your Wi-Fi connection. So there goes your name, address, email address, phone number, as well as any other information you attached in your submission…

This isn’t a way to do website security.
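As an added example (not from the original post), here is a small Python check that flags forms like the one described above: it reports any form whose page or submit target is not HTTPS, together with the fields and file uploads that would travel unencrypted. The URL, HTML and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect each <form>'s action, field names and whether it uploads files."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": [], "has_file": False}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append(a.get("name") or "")
            self._current["has_file"] |= (a.get("type") or "").lower() == "file"

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return one finding per form whose page or submit target is not HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        target_secure = urlsplit(target).scheme == "https"
        if page_secure and target_secure:
            continue
        findings.append({
            "target": target,
            # An HTTP page can be altered in transit, so even an HTTPS action is not trustworthy.
            "page_over_http": not page_secure,
            "post_over_http": not target_secure,
            "fields": form["fields"], "uploads_files": form["has_file"]})
    return findings

# Constructed sample page and URL (assumptions; not the real submission form).
SAMPLE_URL = "http://inquiry.example/submit"
SAMPLE_HTML = """<form method="post" action="/evidence/upload">
  <input name="name"><input name="address"><input name="email">
  <input name="phone"><input type="file" name="submission">
</form>
<form method="post" action="https://inquiry.example/subscribe"><input name="email"></form>"""
```

Calling `audit_forms(SAMPLE_URL, SAMPLE_HTML)` flags both forms because the page itself is served over HTTP; the same HTML served from an `https://` URL produces no findings.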

By the way, in case you weren’t aware, TalkTalk CEO Dido Harding is a Conservative Peer (going by the title of Baroness Harding of Winscombe).

She is married to Conservative MP John Penrose.

John Penrose was, until 2012, the Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport.

Small world, isn’t it?

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Inquiry into TalkTalk hack has its own web security issue”

  1. I can't help feeling a bit sorry for TalkTalk, because they're so completely out of their depth, and even more for Dido, who looks like a puppy that has just been swiped by a rolled-up newspaper and hasn't the faintest idea what she could possibly have done wrong and how to make the wielder of the newspaper happy.

    I'd like to give her a biscuit.

    1. Bloody hell, I wouldn't give her a biscuit! She looks like she needs a hug, a good night's sleep & maybe a new job.

      That aside, TalkTalk needs a slap around the face with a wet fish. They've been operating like incompetent fools, with their heads in the sand. Their disregard for customer data and apparent lack of interest in and nouse about security, just makes me think they really don't deserve to be in business – certainly they don't deserve and never will get mine.

  2. 'In fact, a 15-year-old could probably tell you this isn't the way to do website security – but they're probably too busy looking for SQL injection exploits and launching denial-of-service attacks to bother with this.'

    Thanks for that, Graham. As I saw the 15 year old could probably tell you …(read more than one word at a time but ended up around there), I hoped you would end up where you did in some way or another (I only thought of SQL injections though, not DoS attacks, so you went beyond my expectations there).
