Thoughts on the TalkTalk breach

Hacking Handbook

With the recent TalkTalk security breach impacting potentially 4 million UK customers my phone was ringing off the hook from late on Thursday 22nd October. Regularly when a big cyber security story hits the front pages I get asked by the media for expert opinion given my role at Queen’s University Belfast’s Centre for Secure Information Technologies (CSIT) – the UK’s Innovation & Knowledge Centre (IKC) and lead academic research centre for cyber security.

As with all stories of this nature I pull together some media briefing notes in advance of going into the studio. Here is some of that material which consumers and businesses might find useful:

Top five customer tips following the TalkTalk security breach are as follows:

  1. Whilst you may not be able to change your TalkTalk account password just yet, many customers will have used the same password across multiple online services. Change those right now. Note – this won’t protect bank account or credit card details that have already been stolen.
  2. TalkTalk have said that “there is a chance” that customer credit card and bank account details have been compromised. All TalkTalk customers, present and past, should keep a close eye on those accounts for the coming weeks and months and report any suspicious activity to their bank or card issuer immediately, no matter how small. If the details get resold, as they are likely to be, the criminals may carry out small test transactions first to confirm that the account details are still valid before initiating larger money transfers or purchases.
  3. Enable multi-factor authentication, or 2-step verification, on online services where it is available. Services such as Google Mail offer this: when logging in, a code is sent to your phone by text, voice call or a mobile app as an additional login step, or, if you have a Security Key, you insert it into your computer’s USB port to complete authentication. A code sent by text can be intercepted or redirected by a fraudster who takes over your phone number, so an app or a Security Key is the stronger choice, but any second factor is far better than a password alone.
  4. Never disclose your username, password, bank account or credit card details to anyone who phones or emails you unsolicited. Ever.
  5. Be particularly careful clicking on links in e-mails or opening e-mail attachments from people you don’t know. Even when an email looks legitimate, check that the sender’s email address and the web links point to genuine sites. Fraudsters can easily register domain names that look very similar to legitimate ones, for example by swapping the letter l for an i, which most people won’t spot at a glance.
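To make the last tip concrete, here is an added worked example (my illustration, not code from the original post or from TalkTalk) of the check a mail filter or a careful reader can apply automatically: pull the domain out of a sender address or a link and compare it against the domains you genuinely deal with, allowing for the l/i swap and a few similar tricks such as 0 for o and rn for m. The trusted-domain list and the sample addresses are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed list of domains the recipient genuinely deals with (assumed for this example).
TRUSTED_DOMAINS = {"talktalk.co.uk", "example-bank.co.uk"}

# Single characters fraudsters swap for look-alikes: the l/i swap from the post plus
# digit-for-letter swaps. Each is mapped to one canonical form before comparing.
_SINGLE_CONFUSABLES = str.maketrans("l1|05", "iiios")


def canonical(domain: str) -> str:
    """Collapse visually confusable spellings so taiktaik.co.uk and talktalk.co.uk compare equal."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")      # two-character look-alikes
    return d.translate(_SINGLE_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(sender_or_url: str) -> str:
    """Pull the host out of an e-mail address ("Name <user@host>") or a URL."""
    s = sender_or_url.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].strip("> ").lower()
    return (urlsplit(s if "://" in s else "http://" + s).hostname or "").lower()


def classify(sender_or_url: str) -> str:
    """Return 'genuine', 'lookalike' or 'unknown' for an address or link."""
    host = domain_of(sender_or_url)
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "genuine"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # The real name buried inside some other domain, e.g. talktalk.co.uk.evil.example
        if trusted in host or any(brand in label for label in host.split(".")):
            return "lookalike"
        # A confusable substitution, or a typo a reader would skim past.
        if canonical(host) == canonical(trusted) or edit_distance(host, trusted) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders and links.
    for sample in ["billing@talktalk.co.uk",
                   "Support <billing@taiktaik.co.uk>",
                   "http://talktalk.co.uk.secure-login.example.net/",
                   "alerts@exarnple-bank.co.uk",
                   "newsletter@unrelated.example.org"]:
        print("%-50s %s" % (sample, classify(sample)))
```

An "unknown" result is not a clean bill of health; it only means the domain is not one you already trust and does not resemble one. The edit-distance cut-off of two will over-warn on very short trusted names, so tune it to your own list.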

Top five business tips for companies who trade on-line:

  1. Always ensure that customer records are stored securely. Passwords should never be stored in a form that can be turned back into the password: store only a salted hash produced by a slow password-hashing algorithm such as bcrypt, scrypt or PBKDF2, with a different random salt for every user. Credit card and bank account numbers have to be used again, so they cannot be hashed; encrypt them at rest with keys held separately from the database, or better still let a payment provider hold the card number and keep only a token. This way if the databases are stolen the data is practically worthless to the thief.
  2. Enable multi-factor authentication on your own systems too, particularly for administrative and remote access.
  3. Companies who are only now considering cyber security should sign up for the Cyber Essentials scheme. Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks.
  4. Work closely with other organisations to share threat and attack intelligence and identify common patterns. Sign up to the Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, a joint industry government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business.
  5. If you haven’t got cyber security capability in-house then seek help. If you outsource your IT or web development make sure your suppliers are taking it seriously – get a third party company to audit them if necessary. Ultimately if your systems get hacked your customers will blame you.

Want to find out how you can secure systems and develop the next generation of cyber security technologies?


The featured image I have used for this post purposely features The Web Application Hacker’s Handbook for a reason. If the reports about this hack are correct, and I don’t wish to speculate until further hard facts come out, then a textbook SQL injection attack may have been used to gain access to customer data. Basic security housekeeping should have prevented this.
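For readers who have not met the attack, here is an added worked example (my illustration, not code from the original post and not a claim about how TalkTalk’s systems were built) of the textbook SQL injection the paragraph refers to, and of the housekeeping that prevents it. It uses an in-memory SQLite database with a constructed customer table and a constructed payment table: the vulnerable lookup splices user input into the SQL text, so one crafted "email address" dumps every customer and a second pulls card numbers out of a table the query was never meant to touch; the safe lookup is the same query with a bound parameter and returns nothing for either.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT);
        CREATE TABLE payment_details (customer_id INTEGER, card_number TEXT);
        INSERT INTO customers VALUES (1, 'alice@example.com', 'Alice');
        INSERT INTO customers VALUES (2, 'bob@example.com', 'Bob');
        INSERT INTO payment_details VALUES (1, '4111111111111111');
        INSERT INTO payment_details VALUES (2, '5500000000000004');
    """)
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: whatever the user typed becomes part of the SQL grammar."""
    sql = "SELECT id, email, name FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the input is handed to the driver as data and is never parsed as SQL."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology; the second
# appends a UNION with the same number of columns and comments out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT customer_id, card_number, 'x' FROM payment_details --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", find_customer_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", find_customer_vulnerable(db, UNION_DUMP))
    print("safe, tautology:      ", find_customer_safe(db, TAUTOLOGY))
    print("safe, union:          ", find_customer_safe(db, UNION_DUMP))
    print("safe, real lookup:    ", find_customer_safe(db, "alice@example.com"))
```

Parameterised queries are the fix; input filtering is not a substitute. Defence in depth on top of that is a database account for the web tier that simply cannot read the payment table, so that even a successful injection elsewhere has nothing worth stealing.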

If you are interested in securing systems or researching new advanced cyber security technologies as a career we are actively recruiting new Cyber Security PhD students for the CSIT Centre for Doctoral Training (CDT) as well as full-time and part-time masters students for the industry informed CSIT MSc in Cyber Security at Queen’s University Belfast.

I have provided expert commentary on local and national media including:

There is still a long tail of media requests coming in as the story matures and more facts come out. If you need to get in touch with me my contact details are on the Centre for Secure Information Technologies website here.

Thoughts on Mobile World Congress 2012; Why you should be there #mwc12

The CSIT booth at MWC 12

I returned from Barcelona on Friday after a week of lead generation, market positioning research and generally being a booth bloke at Mobile World Congress for my employer The Centre for Secure Information Technology (CSIT), an innovation and knowledge centre specialising in cyber security research based at Queen’s University of Belfast.  I have spent the weekend mulling over the experience and trying to distill a few thoughts regarding the Congress which I share here.

There’s no austerity or lack of confidence in the mobile industry

The GSMA’s event attendance figures speak for themselves.  67,000 visitors from 205 countries.  The number of attendees was up 11% on last year.  Business is not just as usual, it’s booming.  It is ten years since I was last at MWC with Jinny Software when it was in Cannes.  The growth in that decade has been phenomenal.

The level of investment in stands and presence by exhibitors both large and small exuded a level of confidence in the future of the economy currently not shared by many across this continent.  I have no doubt that the level of investment here will be followed by growth in consumer confidence and spending in the coming years.

Mobile security is gonna be massive next year

This is the first time we at CSIT have exhibited at the event, though all three of our commercial team have represented previous employers at it.  While we had a number of pre-arranged meetings lined up beforehand, this for us was about dipping a toe in the water of the mobile space and seeing what turned up.

With limited marketing activity prior to and during the event we were simply astounded by the number and calibre of companies and organisations who sought us out at the event on the strength of our “Breakthrough technologies for mobile security” pitch to speak to us about our research into things like Physical Unclonable Function (PUF) technology, ITACA, intrusion prevention and SCA.  Our activity there was very targeted – sponsoring the Network Intelligence Alliance networking evening where we could engage with prospective partners and customers away from the hustle and bustle of the halls. This was a great opportunity to raise our profile in a niche area where we can add most value.

Mobile security will be a huge market.  If you are working in this area speak to us.

It’s about so much more than mobile

If you are building solutions that communicate over IP protocols you are now a mobile company – you should be at next year’s Congress.  No excuses.  With the phenomenal growth in smartphones and the advent of LTE, WiMAX and other wireless data standards, if you are involved in any sort of solution that communicates data you need to be there, if only to unearth opportunities which may not be at all obvious if you think of it only as a mobile trade show.

In the last week we spoke to companies about opportunities in utilities, banking, transportation, satellite communications, fixed line operators, government and more.

It doesn’t cost the earth

We exhibited on the Northern Ireland pavilion with a number of other local companies.  The Invest Northern Ireland team did an excellent job in supporting us before and during the week.  It’s the perfect mechanism for getting a low(er) cost presence at the event.  Speak to them about going next year.  You can’t afford not to be there.

A little shot of PUF; Mobile World Congress 2012 #mwc12

Shot glass - Just like any other?

As I sit here on the Dublin to Barcelona flight I am thinking about the research we are demoing this week.  I’m a simple guy and I’m a sucker for a good story. In my recent round of induction chats one of my new colleagues at CSIT explained the genesis of the concept behind Physical Unclonable Function technology – one of the research areas we will be showcasing at Mobile World Congress.

It goes something like this. A bunch of researchers working on preventing smart cards being cloned are out at a bar one night. The mood is good and the craic is ninety.  They start drinking shots.  As the rounds go on the shot glasses are stacked up one on top of the other.

In theory the glasses are the same, designed and manufactured to be uniform in size and shape. In theory they should stack vertically in a straight line.  But they don’t. The glasses veer off at different angles like mini leaning towers of Pisa.

Even with the precision of a modern production line imperfections have crept into the manufacturing process. The glass has minor inconsistencies. The tooling on the machinery has varying tolerances. The result is that each glass has a unique fingerprint. Eureka!

Digital fingerprint

And so it is with smart cards and integrated circuits. They are manufactured with unbelievable precision at the nanometre level. Even so, each chip is as unique as a fingerprint. The data a chip stores can be copied, but build your routines and algorithms around the electronic signature produced by those manufacturing variances and you have an identity that cannot be cloned, one that fits on a circuit the size of a grain of grit and has a multitude of secure applications in RFID, NFC, contactless payments and mobile wallets.  That’s just a little of what we do at CSIT.
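To show what "building routines around the variances" looks like in practice, here is an added worked example (my toy model, not CSIT’s PUF design or any real silicon) of the challenge/response protocol that sits on top of a PUF. The chip’s manufacturing variation is stood in for by a secret value that lives only inside the simulated chip object, and each reading has a few bits flipped to mimic the measurement noise a real PUF exhibits. The back-end records challenge/response pairs at enrolment, spends each pair once, and accepts a response when it is within a Hamming distance threshold of the recorded one. The noise rate, the 64-bit response width and the threshold of 12 bits are assumed values for the model; real designs use error-correcting "helper data" rather than a bare threshold.

```python
import hashlib
import random

RESPONSE_BITS = 64
NOISE_RATE = 0.03        # assumed: fraction of response bits that flip between two readings
MATCH_THRESHOLD = 12     # assumed: accept when at most this many of the 64 bits differ


class SimulatedPUF:
    """Toy model of a silicon PUF. The chip's manufacturing variation is stood in for by
    a 32-byte value that lives only inside this object (on a real chip it is physics, not
    stored data, so copying the chip's memory does not copy it). A response is a hash of
    that variation and the challenge, with a few bits flipped to mimic measurement noise,
    so two readings of the same challenge rarely match exactly."""

    def __init__(self, variation: bytes, noise_rate: float = NOISE_RATE, seed: int = 0):
        self._variation = variation
        self._noise_rate = noise_rate
        self._rng = random.Random(seed)

    def respond(self, challenge: bytes) -> int:
        digest = hashlib.sha256(self._variation + challenge).digest()
        response = int.from_bytes(digest[:RESPONSE_BITS // 8], "big")
        for bit in range(RESPONSE_BITS):
            if self._rng.random() < self._noise_rate:
                response ^= 1 << bit
        return response


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two responses."""
    return bin(a ^ b).count("1")


class Verifier:
    """Back-end that recorded challenge/response pairs (CRPs) at enrolment. Each pair is
    spent after one use, so a response captured off the wire cannot be replayed."""

    def __init__(self):
        self._crps = {}

    def enrol(self, device_id: str, puf: SimulatedPUF, count: int, rng: random.Random) -> None:
        pairs = []
        for _ in range(count):
            challenge = rng.getrandbits(128).to_bytes(16, "big")
            pairs.append((challenge, puf.respond(challenge)))
        self._crps[device_id] = pairs

    def pairs_left(self, device_id: str) -> int:
        return len(self._crps.get(device_id, []))

    def authenticate(self, device_id: str, puf: SimulatedPUF) -> bool:
        pairs = self._crps.get(device_id)
        if not pairs:
            return False                     # enrolment exhausted: re-enrol, never reuse a pair
        challenge, expected = pairs.pop()
        return hamming(puf.respond(challenge), expected) <= MATCH_THRESHOLD


def demo() -> dict:
    """Enrol one chip, then authenticate with it and with a 'clone' built from the same
    design but carrying its own, different, manufacturing variation."""
    verifier = Verifier()
    genuine = SimulatedPUF(hashlib.sha256(b"chip A variation").digest())   # constructed
    clone = SimulatedPUF(hashlib.sha256(b"chip B variation").digest())     # constructed
    verifier.enrol("card-001", genuine, count=4, rng=random.Random(42))
    return {
        "genuine_first": verifier.authenticate("card-001", genuine),
        "clone": verifier.authenticate("card-001", clone),
        "genuine_again": verifier.authenticate("card-001", genuine),
        "pairs_left": verifier.pairs_left("card-001"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

The point the shot glasses make is visible in the code: the clone is a perfect copy of the design and of everything a chip could store, yet it fails, because the only thing the verifier ever checks is the signature of the physical variation. The one-shot use of each pair is what stops an eavesdropper replaying a response they have seen.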

Is the story true? I don’t know, it may be a myth but it sure helped me grasp the concept of PUF. I’ll drink to that.

You can find out more about PUF in our capability brief here or chat to us at MWC in Hall 1 on the Northern Ireland Stand at location 1E38.