TalkTalk attack: UK digi minister recommends security badges for websites

> You cannot purchase anything without giving payment details

Yes and no. For example, I can buy something using Paypal and, although Paypal have my details, the retailer that I am buying from does not.

Perhaps the Government should be encouraging banks to provide this kind of service for retailers at a sufficiently low price that they will adopt it rather than roll their own?

> Well, I'm not sure it's tactful for a minister to say that it was actually his prime minister who was responsible for the said misinformation, which is probably why he did not elaborate further.

That would be the same Prime Minister who claimed he was going to safeguard tax credits and wouldn't permit any cuts during the election? That Prime Minister? I don't think he has many issues about bullshitting the public, somehow.

"Well, I'm not sure it's tactful for a minister to say that it was actually his prime minister who was responsible for the said misinformation, which is probably why he did not elaborate further."

There you are, you see. You've been misinformed. The Prime Minister never said such a thing. On the contrary he's been following the TalkTalk saga and is quite adamant that if his strong recommendation for encryption had been followed it wouldn't have happened. And anybody who said anything different has been spreading misinformation.

Now do you understand?

Re: "There has been some misinformation that the government are somehow against encryption"

They don't oppose encryption.

They oppose *good* encryption.

Re: Knowledge is a Crime, Encryption is Self-Abuse, Freedom is Slavery etc.

If it wasn't they'd have shouted down GCHQ, the police et al in public - given that's what civilian governments are supposed to do when military intelligence starts overstepping it's bounds against innocent civilians.

There's no technical solution that's effective so they [the current government] are by definition anti-encryption, anti-privacy, anti-freedom nut-jobs and it should be stated so at every opportunity.

"What's the point in taking customer data seriously if nobody else does?"

The point is that *you* do. That is where any revolution starts.

PS - I hope that wherever you work, it is somewhere I am a customer. I appreciate the passion.

TalkTalk is hilariously allowing customers to exit their contract without paying a penalty as 'a gesture of goodwill' - so long as the customer can prove their finances were compromised as a consequence of the hack. Clearly Dido (£4 million pay packet last year) is worried about a mass exit of people who don't think TalkTalk is capable of managing a whelk stall let alone personal information.

Rather than a grudging gesture of goodwill, TalkTalk should be begging customers not to sue them for the damage and distress caused by their incompetence and be engaging in a recreational firing o their senior staff who have allowed not one, not two, but three major data breaches in the last year without apparently learning anything.

In an ideal world, the whole wretched company would be destroyed because of this, but they'll get away with a fine (if it is anything less than the maximum £500k it will show how broken the DPA is), and the CEO will probably ooze on to another equally well remunerated job to fit in between being a Tory peer in the HoL.

"Visa and Mastercard need to pull their card servicing until talktalk sort their shop out"

You mean those same supporters of "verified by visa" where (in a web page that behaves like a xss vector) you have to enter characters 2,4 and 7 (or some other combination) of characters of your password.

Which means password not stored as hash.

Password either stored plaintext or encrypted with on demand decryption (hopefully the latter as better than plaintext, but depending what encryption is used, key management methods etc. could easily be relatively insecure)

Not convinced Visa et al are great models for web security

Mr or Ms Coward, I agree: it is a point of personal pride

I do a lot of things, as it is clear you do, to meet my own standards of quality. These are usually higher than what my dearly beloved company would ask, but they don't know what to ask for, would be content to take the lowest-possible threshold of acceptability, if proffered by a consultant, so I don't tell them what I am doing and am willing to spend the extra time creating security etc that would not shame me if I fell under a bus and a colleague such as you replaced me. If someone like you can look at what I' created and think "well done, good job", then I know I've achieved the standards I aim for.

Re: Badges?

Badges?

Do you want badges motherbitch?

I give you badges!

99 cents each.

I sell you some.

"A kitemark says that way back when it was awarded, no obvious security holes were found. It does not mean that the site is secure."

Could it be made meaningful?

1. Requires regular 3rd party checking to a given standard, preferably including pen testing. Regular as at mandated intervals, say 6 monthly.

2. Date of last test shown on site.

3. Covered by insurance. Preferably no limit to amount insured.

4. Expiry date of current insurance shown on site. If the amount of insurance is limited this should also be shown.

This would mean that there would be at least two parties, the testing company and the insurers and maybe also the testing company's insurers standing behind the site's certification.

It could work, it wouldn't be cheap but it would mean that you'd be able to identify a site that took security seriously.

Self-certification? ROFLMAO

Re: The only way to make slack-ass PLCs take their responsibilities seriously

Is to hit them where it hurts.

That's true, but the problem is that fines don't hit executives. They get treated as "other operating expense" and rarely affect the bonuses that the bosses get. Look at how banks have been hit with billions in penalties and compensation costs, yet they serially mis-sell, and have continued to pay obscene bonuses throughout the financial crises of recent years.

The way to hurt corporate bosses is banning the company from selling anything for a period. That affects growth targets, churn targets, profit targets, customer satisfaction targets, market share targets, operating cost targets. And that affects bonuses, without actually taking money off the company that has ultimately been paid by the customers affected. Such a ban becomes a public badge of shame, and corrodes employee morale. In this case a six week ban on Talk Talk recruiting new customers or selling new products to existing ones would seem about right. Unfortunately MPs and their lickspittle civil service advisers are too dim witted to realise this, and whenever sanctions are called for, they fall back on the hackneyed and proven-not-to-work "fines up to 10% of turnover" or similar. Except in data protection, where fines up to £0.5m are deemed adequate.

For Talk Talk, that's a fine less than 0.03% of turnover. Is anybody surprised they don't take infosec seriously?

Re: ICO is right

But given the nature of their customer data and the amount of customers they have, that data needs to be encrypted, it's not optional any more. It also needs to be accessible to the web front end only by stored procedures and the formatting (e.g. hiding digits with *s) needs to be done inside the stored procedure.

In that quote the ICO seem to be wiggling out of it instead of gearing up to give them a record fine and publicly humiliating them.

Re: ICO is right

Put data on small pieces of cardboard, place in filing cabinets and lock the door.

There, that'll work.

It almost sounds like someone could write a program that automatically scans websides for SQL Injection attacks, then use said SQL Injection attack to put a badge on the website...

Re: Read the PCI DSS and weep

"So the question for any such kitemark is how does it compare to PCI"

As per my other post. There needs to be 3rd party audit/testing and insurance cover.