The UK Parliament’s Culture, Media and Sport Committee has launched an inquiry “into cyber security following the recent cyber-attack of TalkTalk’s website.”
Nothing wrong with that, of course.
And the committee is inviting those with opinions to send in their submissions by November 23.
Ok, that sounds fair enough.
But… do you see something amiss when you go to the form where you are supposed to submit your information?
Yes, that’s right. The webpage doesn’t use HTTPS.
In other words, anything you enter on the page, and any files you attach, travel to the server in plaintext and *could* be read, or quietly altered, by anyone between you and that server, whether that's someone snooping on the coffee-shop Wi-Fi or a hostile hop further along the route. So there goes your name, address, email address, phone number, and whatever else you put in your submission…
This isn’t a way to do website security.
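A quick way to check a page for exactly this problem is to look at where its forms actually send their data, because the address bar alone can mislead: an HTTPS page can still contain a form whose `action` points at `http://`, and a form with no `action` posts straight back to the page's own (possibly plaintext) URL. The following is an added example written for this post, not code from the original article or from Parliament's site; the HTML and the `inquiry.example` URL it audits are constructed for illustration.

```python
"""Audit where a page's HTML forms will send their data.

Added example (not from the original post): given the URL a page was
served from and its HTML, list every <form>, resolve its action against
the page URL, and flag submissions that would travel over plain HTTP.
SAMPLE_HTML and the inquiry.example URLs below are constructed inputs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: four forms with different kinds of action.
SAMPLE_HTML = """
<html><body>
<form action="/submission/upload" method="post" enctype="multipart/form-data">
  <input name="name"><input name="email"><input type="file" name="evidence">
</form>
<form action="https://example.org/secure" method="post"><input name="q"></form>
<form method="post"><input name="phone"></form>
<form action="http://example.org/legacy" method="post"><input name="x"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collects the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = dict(attrs)
            # No action (or an empty one) means the form posts back to the page URL.
            self.actions.append(attrs.get("action") or "")


def audit_forms(page_url, html):
    """Return [(resolved_action, verdict), ...] for each form on the page.

    verdict is:
      "cleartext"      - the submission would travel over a non-https scheme
      "page-untrusted" - the action is https, but the page itself arrived over
                         plain http, so the form could have been rewritten in
                         transit before the browser ever rendered it
      "tls"            - page and action are both https
    """
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for action in collector.actions:
        # Relative and scheme-relative actions inherit the page's scheme/host.
        target = urljoin(page_url, action)
        scheme = urlsplit(target).scheme.lower()
        if scheme != "https":
            verdict = "cleartext"
        elif page_scheme != "https":
            verdict = "page-untrusted"
        else:
            verdict = "tls"
        results.append((target, verdict))
    return results


if __name__ == "__main__":
    for page in ("http://inquiry.example/submit", "https://inquiry.example/submit"):
        print(f"Page served from {page}:")
        for target, verdict in audit_forms(page, SAMPLE_HTML):
            print(f"  {verdict:14s} {target}")
```

Run against a page fetched over plain HTTP, every form comes back as either `cleartext` or `page-untrusted`; only the last form stays `cleartext` once the same page is served over HTTPS, because its action hard-codes `http://`. The `page-untrusted` verdict is the caveat worth remembering: pointing a form at an HTTPS endpoint does not help if the page carrying the form can be modified on the way to the visitor.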
By the way, in case you weren’t aware, TalkTalk CEO Dido Harding is a Conservative Peer (going by the title of Baroness Harding of Winscombe).
She is married to Conservative MP John Penrose.
John Penrose was, until 2012, the Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport.
Small world isn’t it?
3 comments on “Inquiry into TalkTalk hack has its own web security issue”
I can't help feeling a bit sorry for TalkTalk, because they're so completely out of their depth, and even more for Dido, who looks like a puppy that has just been swiped by a rolled-up newspaper and hasn't the faintest idea what she could possibly have done wrong and how to make the wielder of the newspaper happy.
I'd like to give her a biscuit.
Bloody hell, I wouldn't give her a biscuit! She looks like she needs a hug, a good night's sleep & maybe a new job.
That aside, TalkTalk needs a slap around the face with a wet fish. They've been operating like incompetent fools, with their heads in the sand. Their disregard for customer data and apparent lack of interest in and nous about security just makes me think they really don't deserve to be in business – certainly they don't deserve and never will get mine.
'In fact, a 15-year-old could probably tell you this isn't the way to do website security – but they're probably too busy looking for SQL injection exploits and launching denial-of-service attacks to bother with this.'
Thanks for that, Graham. As I saw "the 15-year-old could probably tell you …" (read more than one word at a time but ended up around there), I hoped you would end up where you did in some way or another (I only thought of SQL injections though, not DoS attacks, so you went beyond my expectations there).