This article originally appeared on Alan Solomon’s personal blog.
TalkTalk has announced that they’ve been hacked. The details of four million customers are in play.
The big question that they’re being asked is, “Was the data encrypted?” The answer, currently, is “I don’t know”.
This is, of course, a silly question. And a silly answer.
Data encryption is, in this case, irrelevant.
Standard practice is to store sensitive data on an encrypted file system. That way, if the computer is physically stolen, the data is safe. This is great for the “laptop left in a train” scenario, but a database with the details of 4,000,000 customers won’t be a laptop. It’s also great in a “burglars ram-raid the datacenter” scenario, because although they’ve stolen the hardware, they can’t access the data.
But in a scenario of “authorised user accessing the data”, the encrypted data will be decrypted and supplied, because the authorised user gave the correct decryption key.
So, let’s imagine a big company, with the sensitive details of 4,000,000 customers stored on a server. That data is there because it gets used. For billing, for marketing, for tech support. But it’s encrypted, so only authorised users can access it.
Now let’s imagine a wily hacker, who uses an SQL injection vulnerability, or a PHP vulnerability, or a WordPress vulnerability, or any one of a zillion other vulnerabilities, to get root privilege, and is now logged on as the root user.
He can now log on as any user on that computer, and because he’s an authorised user, he has all the access to the sensitive database that the kosher user has.
That’s why “Is it encrypted” is a silly question. Because it actually doesn’t matter in the hacking scenario we’re looking at here.
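A minimal model of the two scenarios above, as an added example that is not from the original article. The CustomerServer class, the account names and the sample record are constructed for illustration, and the SHA-256 keystream is a toy stand-in for real disk encryption.

```python
import hashlib
import os

def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream: a stand-in for real disk encryption.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class CustomerServer:
    """Hypothetical server: records are encrypted on disk and decrypted
    transparently for any session running as an authorised account."""

    def __init__(self, authorised):
        self._key = os.urandom(32)   # in this model the key lives only in memory
        self.authorised = set(authorised)
        self.disk = {}               # what someone carrying off the hardware gets

    def store(self, record_id, plaintext):
        data, nonce = plaintext.encode(), os.urandom(16)
        self.disk[record_id] = nonce + _xor(data, _keystream(self._key, nonce, len(data)))

    def read(self, account, record_id):
        # The only question asked is "is this an authorised account?".
        # The server cannot tell who is actually behind the session.
        if account not in self.authorised:
            raise PermissionError(account)
        blob = self.disk[record_id]
        nonce, ct = blob[:16], blob[16:]
        return _xor(ct, _keystream(self._key, nonce, len(ct))).decode()

def demo():
    server = CustomerServer(authorised={"billing", "support"})
    record = "Jane Example, account 00000000"   # constructed sample record
    server.store(1, record)
    stolen_disk = server.disk[1]             # physical theft: ciphertext only
    via_session = server.read("billing", 1)  # authorised session: plaintext
    return record, stolen_disk, via_session

if __name__ == "__main__":
    record, stolen_disk, via_session = demo()
    print("bytes on the stolen disk:", stolen_disk.hex())
    print("returned to an authorised session:", via_session)
```

The answer to “Is it encrypted?” is yes in both cases; only the access path differs.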
And that’s why “I don’t know” is a silly answer, because the correct answer is “Of course it is, do you think we’re idiots? But the fact that it’s encrypted doesn’t stop the hacker from accessing (and copying) it, because, see above.”
Aren’t there any people who understand about computer security in the media? Or in TalkTalk?