Related to my rant regarding the TalkTalk hack that I've just posted, is an associated rant about security advice from the media. It's spotty at best, and downright unhelpful or just plain wrong at worst.
I've been stuck indoors today waiting for someone to paint my front door, so amongst various household tasks that I've reluctantly undertaken, I've also had the BBC News 24 channel blaring out. And of course the TalkTalk hacking incident has been making a regular appearance. And on occasions the security advice has been less than stellar; in fact some of it stinks like a rhino's rancid rectum.
It Was A DDoS
(bang) as my head hits the table.
No, the TalkTalk hack had nothing at all to do with a distributed denial of service attack. There may have been a DDoS attack just before the hacking incident, but it was not related (even if it was done by the same people). A DDoS attack is the cyber equivalent of getting all your friends to shout at someone you don't like; it's noisy, stops you communicating, and is as annoying as hell.
But once it is over, things are back to normal (except for writing an incident report).
Breaking into a server and stealing the personal data of customers is not any kind of denial of service attack. It's an intrusion, and an exfiltration; there are two seperate events there. Labelling either as a "DDoS" just makes you look like an idiot.
Look At The Email Headers
(bang) as my head hits the table.
Email headers can be forged; those headers you see normally ("From", "Subject", "Date", etc.) are nothing more than comments. They are not to be trusted. Even if you reveal the hidden headers (and there's a lot you don't see), the story they show can be mostly forged. It takes a real expert to distinguish between a phishing email and a legitimate email from just the headers.
Even something geeky like PGP digital signatures can be forged if you are dealing with an organisation that has been compromised. And who uses PGP?
Don't trust emails with the name of a compromised organisation on.
Change Your Passwords As Frequently As Possible
(bang) as my head hits the table.
Changing you password frequently doesn't actually accomplish that much. It is better to keep the same password for a year, if it is long and strong, than it is to change your password every month if it is simple and weak.
Long and strong passwords are tedious to remember – especially for web sites you rarely use. So use a password manager like KeePass. If you want to use a different password manager, seek out a security geek and ask for their recommendations. And the geekier the application site looks, the better; the site should be droning on about 3DES, AES, and all sorts of inscrutable cryptogeek mathematics; you don't have to understand it all, but it's absence on a web site is a bad sign.
Use different passwords on different sites. This is also tedious, and can be relaxed for less important web sites – that is those web sites that don't store more personal information about you than your name. And tedious is a good thing when it saves you from the stress of finding out your bank accounts are empty.
Don't Blame The Victim
It's all very well being sympathetic to those victims who have found their bank accounts emptied, but they are not necessarily related to this latest incident.
And they're not entirely blameless.
If they hadn't shared information with hackers who already had some of their data, or they had not used the same password for their bank as TalkTalk, then they would not be victims.
And this is hardly new advice.
The media should be sending the message that these victims have been dumb; yes there may be extenuating circumstances, but they have still been dumb. And dumb TalkTalk customers will likely end up with their money and/or identity stolen.