Friday, 23 October 2015

TalkTalk data breach

TalkTalk is a large UK based telecommunications company. It has approximately 4 Million subscribers of Internet access, pay TV/IPTV and mobile phone services across the country.

TalkTalk (I will abbreviate to TT for the purposes of this post) has been subject to public scrutiny through the media after being subject to a number of hacking and fraud related incidents in recent years.

On Wednesday 21st October the TT home page and sales website(s) ( and were reportedly DDoS'd resulting in the TT websites going down.

It would appear that this was either a diversionary tactic or possibly a method to leverage access to TT's SQL server(s). This is my own summation given the facts - details of this kind have not been confirmed, by nature of this being an on going investigation.

TT's own homepage reported on Thursday 22nd October that an investigation into the DDoS'ing and simultaneous database raid had been opened by the (London) Metropolitan Police Cyber Crime Unit (MPCCU). It would appear that the MPPCU is leading the investigation, possibly in-stead of the National Crime Agency National Cyber Crime Unit (NCCU).


As is often the case with data breaches, sample data is often posted to Pastebin by the attackers as evidence of the raid. A search conducted today on Pastebin (and since reported in the media) revealed a paste titled "TalkTalk Database list" submitted on Thursday 22nd October by a "guest" on the service.

The paste lists 64 "available" databases, which from this limited information I am presuming are for customer related services and back-end records and products and services. These details have not been confirmed as genuine - as this could only be confirmed by TT themselves.

On the same day, another paste was submitted titled "Message from TalkTalk Hackers", also submitted through a "guest" account (again not confirmed as genuine).

The paste appears to take responsibility for the attack. Written in broken English it begins with "Statement To: Th3 W3b Of H4r4m ~" - Haram being an Arabic term for any act that is forbidden by god. That sentence could therefore mean that the Internet itself (or parts of it) are forbidden by god. This could indicate that TT was (in part) targeted due to being an ISP?

The paste also goes on to state that the individuals taking responsibility for this attack are from "The Soviet Russia". It would appear that the justification of this attack is of political/religious ideologies.

Instinctively it is difficult to link the nature of this raid with a statement such as this. However the timing fits.

Sample Data Analysis

The statement continues with a three samples of the stolen data (which I have not included). the first sample claims to be from a "password change log". 28 rows of data are shown under the following column titles: message, log_timestamp, email_address.

The message column shows only "Update Submitted" which would be consistent with a password change log. The log_timestamp column however shows rows of 10 digits which immediately wouldn't (atleast to me) indicate a time stamp, however this may simply be due to implementation of the database.
[EDIT] I have since been informed that a 10 digit time stamp such as this would likely be in epoch time. As a result the time stamps in this sample are all from 1500hrs (+/- 2mins) July 2011. Credit and thanks to basically_asleep.

The last column lists email addresses (all, this could be evidence of TT data due to tiscali (previously an ISP) merging with TT in 2009.

The secound sample claims to be "Order Identifier Data" this includes the following columns idType, idValue, onlineOrderId, onlineOrderIdentifierID, createdOn, lastUpdated, SGOMappingType. The sample data includes email address from various email providers, a time stamp and what appear to be various ID numbers. Curiously all of the time stamps are from 6th July 2012 between midnight and 01:49 am.

The third sample is titled "Order Data: (Bank Info Removed For Pastebin)". The columns are SIMO_ORDER_ID, SIMO_HISTORY_ID, STATUS, REQUEST, RESPONSE, CREATED_ON.

This sample is more concerning, it appears to contain 2 entries consisting of multiple key value pairs. These entries appear to be for only two separate customers with sequential order IDs. This information contains the customers first and last name, date of birth, telephone number, email address, bank sort code, bank name and account number marked  "REMOVED", home address and post code.


On Friday 23rd October it was reported by the media that the TT CEO had received an email containing a ransom from a group purporting to be the attackers. No further details of this ransom have been made public at this stage.

If indeed the ransom is genuine, a ransom would not seem consistent with the Pastebin statement. My rationale behind this is that the attackers would most likely make their demands at the point of publicly taking responsibility rather than to do it almost a day after the attack and privately to the CEO.

It also happens that the CEO of TT had been addressing the media through-out the day and was highly visible to the public. It could be that the ransom email was an attempt from an un-associated group to extort money from TT while the identity of the attacker remained unconfirmed.

Of course, in the absence of any concrete details, this is pure speculation over the nature of the ransom.

None the less, this is a significant data breach, potentially impacting millions of customers and severely damaging TT reputation. However with the ever growing rate of computer enabled extortion, and the alleged amount of cover-ups by companies who are victims of extortion, TT have taken the correct course of action by going public straight away. This at least gives their customers the opportunity to attempt to protect themselves against some of the threats they are likely to be exposed to due to this data breach.

I have deliberately not provided links to the Pastebin pages that I have discussed in this post. Great care has been taken to discuss the example data in general terms and to not reveal any personal details that may have been released by the individuals claiming responsibility for this hack.
The example data I have analysed is openly available to the public through

Sunday, 18 October 2015

The trouble with crypto: Qubits

Up until the mid 1990s computer security was thought of in terms of isolationism.
For a large portion of that time computers and hardware in general were prohibitively expensive. Computing remained the purview of large corporations, academia and governments.

Towards the beginning of the 1980s this began to change. Isolation remained through restricted networks by nature of their cost and lack of infrastructure.
Come the turn of the century and computer security through isolation (in this form) was gone.

In hindsight, its almost comical to consider that relying on isolationism: the fact that computers were expensive and networks were inaccessible, was a good strategy for security.

Fortunately, far more sophisticated security concepts have been implemented to keep our information safe. That being said, it is undeniable that computer security is almost entirely dependant on crypto.

Cryptography in turn is also dependant on a strategy not too distant from the days of isolationism. This is because it relies on the fact that data is encrypted with a sufficiently complex cipher that is incredibly resource intensive to crack. That is to say, to crack it in a period of time that is useful, requires a level of computing power that is not available.

Massive Numbers

AES-256 is a widely used crypto specification. AES-256 features a key of up to 256 bits, of course, this means there are 2^256 possible combinations of bits in a 256 bit key.
To put that into perspective; if you were to count all the atoms in the universe, you would be well on your way when you reached 2^256.

To crack this 256 bit key, we would need a massive amount of computing power. A high end GPU can do approximately 2 billion calculations a second. If we had 1 billion of these GPUs working in parallel they could churn through 2e+18 keys per second.

At this rate it would take those 1 billion GPUs 14 billion years (the age of the universe) multiplied by 6.7e+40 to reach approximately half of the total bit combinations.
It is fair to say, that is not a useful time period.
Credit to INCOMPLETE_USERNAM for the math.

Quantum Bits

Bits and qubits have everything in common and nothing in common, a relationship itself which is in a quantum state.
A bit is a unit of information capable of indicating values based on receiving current or not receiving current; 1 or 0 respectively. Of course the mechanics of this are more complex.
A qubit (one quantum bit) is also a unit of information capable of indicating values. However, the process of this being achieved is entirely different to a bit. It goes without saying that the mechanics of this process are incredibly complex.
Courtesy of D-Wave Systems Inc.

Qubits on their own however are not generally more powerful than bits. When they are paired or “coupled” to each other then the true value of qubits is realised.

It would appear that it is possible to establish equivalencies between bits and coupled qubits.
Associate Professor Andrea Morello of the University of New South Wales (UNSW) Faculty of Engineering explains here, that the equivalent number of “classical bits” to qubits can be calculated with the following:

2^n where n = the number of qubits.

For example, using this equation 300 qubits are equivalent to 2.037036e+90 classical bits.

For perspective the highest transistor count in a commercially available CPU today is approximately 5.5e+9 (5.5 billion) transistors (18-core Xeon Haswell-EP made by Intel).
2.037036e+90 transistors would be needed to represent 300 qubits of information.

This month (6th October) engineers at the University of New South Wales in Sydney reported that they had demonstrated a 2 qubit logic gate in silicon for the first time. This has made calculations between two qubits possible. Crucially using a well established material already used in the computer industry – silicon.

In September, Google and NASA announced that they were upgrading their D-Wave quantum computer from 512 qubits to more than 1000 qubits, however it would appear that the true power of the qubits in the D-Wave have not been realised. In fact, its title of quantum computer has been questioned by some as it currently does not offer an advantage over a classical computer.
It would appear that quantum computing which offers the bit equivalency shown above, is not here yet.

Quantum Computing vs Crypto

Public information about quantum computers indicates they are still a number of years away before the technology could be used to crack (previously) highly secured cryptography.

None the less, ETSI (European Telecommunications Standards Institute) has formed The ETSI Quantum-Safe Cryptography Industry Specification Group. The group has identified quantum computing as posing a significant threat to crypto now and in the future.

The group state on their website “Without quantum-safe cryptography and security, all information that is transmitted on public channels now – or in the future – is vulnerable to eavesdropping. Even encrypted data that is safe against current adversaries can be stored for later decryption once a practical quantum computer becomes available.”

It is clear that quantum computers offer a giant leap forward in computing and as a result will provide a tremendous amount of computing power, an amount of computing power which might render some of our existing crypto useless, and at least significantly reduce the amount of time it would take to crack some of the strongest crypto standards that are used today. That said, AES-256 is considered a “quantum-safe” or “post-quantum” standard, provided it is used with sufficiently large key sizes (256 bit).

At this point in time, quantum computers are the purview of large corporations, academia and governments. Considering their huge computational power, quantum computers
are perfectly suited to tackling massive calculations at exponentially faster speeds; which makes them exceptionally good at (among other things) brute forcing crypto, and as a result, probably of great interest to government agencies.