VIDEO: TalkTalk hack. 15-year-old boy arrested


Police officers in Northern Ireland, working with detectives from the Metropolitan Police Cyber Crime Unit, have arrested a 15-year-old boy in connection with the latest internet attack on British telecom provider TalkTalk.

According to a press release issued by the police, the boy was arrested in County Antrim on suspicion of committing offences under the Computer Misuse Act, and his home was searched.

He has been taken into custody for interviewing.

As you may recall, it is believed that TalkTalk suffered a denial-of-service and SQL injection attack on October 22nd. As the beleaguered firm attempted to reassure its four million customers that it could be trusted, many commentators pointed out that it was the third time it had suffered a damaging data loss in less than a year.

Obviously there is no way for me to know if the teenager was responsible for the hack, or has inside information on the attack, but I suspect many will view his age as somehow an indicator that TalkTalk's hack was even more shameful than previously considered.

Whether that's fair or not, I'm not sure.

But I do know that both DDoS and SQL injection attacks are relatively unsophisticated, and don't require years of experience to pull off. To be at risk from SQL injection attacks, for instance, all you need is a website that has been built in an amateurish fashion and does not correctly sanitise user input.

Anyone building a business website who has not learnt about how to protect against SQL injection attacks probably needs to go back to the classroom themselves.
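To make the point about unsanitised input concrete, here is an added example (not part of the original post, and not TalkTalk's code) showing a lookup that pastes user input into the SQL text beside versions that validate the input and use a parameterised query. The table, the function names and the sample data are constructed for illustration, and SQLite stands in for whatever database a real site uses.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn

def find_by_name_unsafe(conn, name):
    # Vulnerable: user input is pasted into the SQL text, so a quote in
    # `name` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn, name):
    # Server-side validation: reject values that are not plausible names.
    if not isinstance(name, str) or not 1 <= len(name) <= 64:
        raise ValueError("name must be 1-64 characters")
    # Parameterised query: the driver passes `name` as data, never as SQL.
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()

def find_by_id_safe(conn, raw_id):
    # Integers must parse as integers and fall in the expected range.
    try:
        cust_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    if not 1 <= cust_id <= 2**31 - 1:
        raise ValueError("id out of range")
    return conn.execute(
        "SELECT name, email FROM customers WHERE id = ?", (cust_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"                       # constructed input
    print(len(find_by_name_unsafe(db, hostile)))   # every row comes back
    print(len(find_by_name_safe(db, hostile)))     # no row matches
```

The unsafe function returns the whole table for the constructed input, while the parameterised version treats the same string as a name that simply does not exist.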

You can see what I have to say about the arrest, and advice for other companies running online businesses, in my latest YouTube video.

If you would like me to make more videos, please consider subscribing to my YouTube channel.

Update:

The Northern Ireland police have now released the 15-year-old male on bail.

12 Responses

  1. joe Connell

    October 27, 2015 at 7:56 am #

    I realise the impossibility of anyone publishing a list of similar companies who hold client data in an unencrypted format, but is it known that there are others who operate thus at a national level?

  2. AnonTA

    October 27, 2015 at 10:25 am #

    It's not impossible that he had no connection at all with either the data theft or DDoS attack, but simply phoned in a ransom demand as a prank or opportunist attempt to cash in. We just don't know yet.

    • Graham Cluley in reply to AnonTA.

      October 27, 2015 at 10:29 am #

      Yes, that's definitely a possibility – and, of course, it's possible that he's not connected at all! We should be careful not to jump to conclusions and allow the professionals to continue their investigation.

  3. TonyP

    October 27, 2015 at 11:18 am #

    So, how do I protect my web site against SQL injection? Answers in single syllables please

    • Graham Cluley in reply to TonyP.

      October 27, 2015 at 1:42 pm #

      Good video here by Tom Scott: https://www.youtube.com/watch?v=_jKylhJtPmI

      Alternatively, a cheat sheet for preventing SQL injection here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

      I'm afraid you may need to upgrade your acceptable syllable threshold a little.

      Note that it is not the case that all websites are vulnerable to SQL injection attacks. Rather depends on what you're doing with your website.

    • Andy Lee Robinson in reply to TonyP.

      October 27, 2015 at 2:17 pm #

      On the server test that integers are supposed to be integers and in range, and strings are valid strings and acceptable length.
      Use prepared statements. Anything that queries or writes to the database must escape quotes, i.e., for mysql use mysql_real_escape_string() on every variable just before querying.
      This also goes for complex queries that are assembled beforehand – once assembled, variable placeholders can be replaced with their protected versions provided by mysql_real_escape_string().
      If applied globally, this should make sql injections impossible.

    • furriephillips in reply to TonyP.

      October 27, 2015 at 5:11 pm #

      Hi TonyP,

      Google Is Your Friend (for questions like this)…

      I googled on your behalf and would recommend this: http://www.w3schools.com/sql/sql_injection.asp as an excellent starting point, as it explains it in a really friendly way.

      This also looks like a good read http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev

      Cheers,

      ChrisP

  4. Rob Thornton

    October 27, 2015 at 11:18 am #

    Obviously it is easy for the press to speculate on this, but on that subject it is amazing how "script Kiddies" can pick up on a lot of the current attacks and are primed to use a set of simple tools that will take out a lot of ill-prepared websites in fairly sophisticated ways when just exploring the "dark web". My main fear is that it would be very easy to have a son (or daughter) tricked into this. Because the tools they download are themselves traps and have backdoors that could easily be hijacked to make the attack look like it came from their home IP address, with some unsuspecting parent caught up in the mess with their ID firmly connected to the ISP. I always warn parents that they should be inquisitive and be fully aware what their connection is being used for. Unfortunately TV/Film continue to glamorise hacking when people miss the obvious. We hear about most of them because eventually they get caught and the consequences… undefinable.

  5. Tony Levene

    October 27, 2015 at 12:24 pm #

    TalkTalk will never get my vote as a consumer-friendly organisation. And I am not surprised to see it in the frame now.
    But some of the hysteria! We have even had media stories of people who handed money over to cold callers days before the data breach!
    I was phoned yesterday by a muppet claiming that my computer was running badly (the usual stuff).
    It was obvious that he had only guessed that I was with TalkTalk as he then asked the name of my provider. And my phone number, even though he had called me.
    I engaged with "Alan Thomas" who then told me his real name. He was somewhat annoyed when I said he was calling from India (due to the usual signs such as phony names, noise and accent). He proudly told me he was phoning from Pakistan!

    PS. Graham, why do you have US spelling here?

  6. furriephillips

    October 27, 2015 at 12:24 pm #

    I'd like to give your video a thumbs-up (especially for featuring my favourite SQL injection cartoon), but am I going crazy, or is the YouTube "Thumbs-up" button unavailable in your embedded video or impossible to get at, without viewing it on YouTube? I feel old, when it's not exactly made easy!

    • Graham Cluley in reply to furriephillips.

      October 27, 2015 at 1:32 pm #

      Glad you enjoyed the video.

      And no, you're not old. Or at least, I'm old as well… because I can't work out how I'm supposed to "Thumbs Up" the video without visiting the YouTube site too.

      Is it possible this is just how YouTube is these days? I visited a couple of other sites with YouTube videos and they seemed to be behaving the same way…
