TalkTalk hacker Daniel Kelley gives up his black hat for good


Donning a navy T-shirt and smiling at the camera, Daniel Kelley looks every bit a typical young person. But he’s actually one of Britain’s most prolific cyber criminals, having served four years behind bars for his involvement in the infamous TalkTalk cyber attack.

The cyber breach cost the telecoms giant around £77m and compromised the personal information of more than 150,000 customers. Everything from bank account details to email addresses was stolen as a result of the incident.

In addition to the TalkTalk hit, Kelley racked up a slew of other serious cyber offences that landed him in jail – he also hacked the Llanelli-based college he attended in 2015, Coleg Sir Gar, along with many other organisations. 

Kelley has a black hat resume that many budding cyber criminals can only dream of, but the truth is that he never intended to pursue a career as a hacker, let alone play a role in a famous attack. In fact, he fell into it. “I didn’t choose to get into computer hacking or cyber security – it just happened when I was a teenager, around 13 years old,” he says.

“It was more like an undesired transition. I used to play an online game when I was younger, and ended up cheating on it, and the forums I found the cheats on also gave me exposure to more criminal stuff. It wasn’t like a logical leap internally, it was more like a thing that I ended up falling into. I didn’t wake up and make a rational decision.”

Learning the tricks of the trade

Like many other black hats, Kelley didn’t study cyber security in college or at university – he acquired all his technical knowledge and skills online. “The majority of the information I needed to learn, concepts and methodology, came from online forums. I eventually joined groups on these online forums and began associating myself with various IRC and Jabber chat rooms (XMPP),” he says.

“I didn’t choose to get into computer hacking or cyber security – it just happened when I was a teenager. I didn’t wake up and make a rational decision”

Daniel Kelley, ex-black hat hacker

Kelley got his first real taste of hacking as a young teenager, when he used his newfound cyber know-how to unearth a web application vulnerability on a Microsoft subdomain. “It was in 2011, I was 13 years old, and the vulnerability allowed me to essentially inject code into a webpage,” he recalls. “I reported it to Microsoft’s bug bounty programme and, in turn, they listed my credentials on their hall of fame. My credentials remain on their website to this day.”

Kelley didn’t purposely set out to use his skills as a hacker to conduct serious acts of cyber crime. But, as can often be the case, he got so absorbed in his craft that he didn’t stay on the straight and narrow path for very long. 

“I started out with good intentions, but as time went on, the responses I received from using the responsible disclosure model became increasingly negative. I’d find web application vulnerabilities in large websites and try to notify the appropriate security team, but I’d get no response,” he says.

“I ultimately accumulated all of these vulnerabilities, gained access to these forums where people weren’t really the most ethical, and things began to spiral out of control. So it wasn’t a conscious decision, but something I fell into with relevant exposure.”

Reflecting on his experiences as a black hat, Kelley finds it hard to list all the nefarious actions he’s taken. He says his criminal career “spanned several years”, during which he “racked up charges ranging from unauthorised access to blackmail”. 

He continues: “It’s difficult to summarise my experience because I’ve probably been involved in every aspect of criminality that comes with the nature of my offending. I suppose the method of exfiltrating data and then demanding ransom payments was what eventually got me caught and what I regret the most.”

The golden ticket 

Many people would think hacking into a major corporation such as TalkTalk is a difficult undertaking. However, Kelley explains that such companies often have the worst cyber security and can be easier – and somewhat less rewarding – to hack. Meanwhile, companies that invest heavily in cyber security are much harder to breach, and the process involves “chaining multiple vulnerabilities together”.

“I suppose exfiltrating data and demanding ransom payments was what eventually got me caught and what I regret the most”
Daniel Kelley, ex-black hat hacker

He says it took the perpetrators of the TalkTalk breach just a few hours, rather than days, to discover and exploit a security vulnerability that enabled them to hack into the firm’s website. This, he says, was straightforward.

He tells Computer Weekly: “It was a simple web application vulnerability that allowed you to pull data from databases through a web page. You didn’t need any special skills to exploit it – it would have taken less than an hour to teach anyone with a computer how to do it.”

While the TalkTalk hack was surprisingly simple to pull off, Kelley wasn’t prepared for the publicity that would follow. “I recall sitting in front of my computer watching the national news when the CEO of TalkTalk announced that she had received a blackmail demand, and for some reason, despite the fact that the link was transparent, it just seemed opaque to me,” he recalls. “It was like I couldn’t register the realism and severity of what I had done. I just sort of continued going about my day.”

Law catches up 

Most people who break the law eventually get caught and must face the consequences of their actions, and it wasn’t long until Kelley attracted the interest of the police, first when he was arrested on suspicion of hacking his college, then again on suspicion of blackmailing two companies, including TalkTalk.

“I wasn’t expecting the first arrest, but it was over in less than five hours. The second arrest was much more serious, and it felt like something out of a film. There were several agencies waiting for me at my house,” he says.

“I was escorted to my local police station by two police cars while sitting in the back of an unmarked police van. Because of the high-profile nature of the case at the time, they evacuated the custody suite and processed me quickly.”

As someone on the autistic spectrum, Kelley believes he was misunderstood in prison. “For example, because I posed a security risk to a particular prison, they decided to cut off my phone calls. What they don’t realise is that on the outside, I wouldn’t go a day without talking to my family, so you’re now putting me in that environment and cutting off my family contact.”

Prisons are rife with people with a variety of mental health issues and, subsequently, prison staff often treat all inmates the same, Kelley explains. This can and does result in vulnerable people – whose disabilities may not be obvious – being neglected. 

“When you tell staff you’re on the spectrum, they simply take one look at you and don’t see anything wrong with you, so they simply assume that you’re attempting to take advantage of the system,” he says. “When I arrived in one prison, my record had all of these notes about my ASD [Autism Spectrum Disorder] diagnosis. I told the nurses, who said they understood, but the senior officer in reception simply came up to me and said, ‘Look, you’ve done Belmarsh, I don’t give a fuck about your history’. This is just an example.”

Although Kelley found many aspects of prison life difficult due to his disorder, not everything was bad. In fact, he describes the “strict routine” of prison as a good thing and says he enjoyed doing the same things daily. 

Tech in prison 

It’s easy to assume that a hacker sent to prison wouldn’t be exposed to computers, but on the inside, Kelley found he wasn’t away from a PC for very long – entering the system, he had to complete numeracy and literacy tests on a computer. 

“I was called up to the classroom and seated in front of a computer, where I recall sitting for 10 minutes, contemplating whether it was a good idea to use the computer in front of me. I had an SCPO [serious crime prevention order] that required me to register all of the devices I used, but it did not go into effect until I was released from prison.”

Even though Kelley didn’t use the prison computers to conduct any serious hacking offences, he did cause some cyber mischief. “It was clear that the teacher had no idea who I was or what I’d done,” he says.

“They had an application on all of the computers that consisted of a 20-question exam [and] when you’re finished, you simply press save, and it saves the web page containing the results as an HTML file. So, in Notepad, I opened the HTML file and changed both exam results to level four. The teacher came over and just stared at me, amazed. A month later, I found out that the highest mark you could get for these two exams was a level three, which gave me a good laugh.”

Kelley didn’t just use his technical skills to tweak test results in prison. He also spotted an opportunity to modify his television and get more channels. “After a few months of being bored of watching the same things over and over, I looked at the television one evening and realised that the aerial was just some copper. As a result, I had this brilliant idea of making my own aerial. I was working in recycling at the time and came across a spare radio in the trash,” he says. 

“I took all of the copper out of it and brought it back to my cell, where I built a large aerial that I forced into the back of the television. I pointed it out of the window and I took the make and model of the television, looked up the unlock code, and retuned my television. My jaw dropped when it began to pick up over 200 Freeview channels, which improved my time.”

A reformed hacker  

One could argue that these acts pale in comparison to the TalkTalk hack – and are pretty ironic. The reality is that Kelley didn’t run the risk of committing serious computing offences behind bars, like breaching prison networks, and genuinely seems to have learnt his lesson. 

Since leaving prison, Kelley describes himself as a reformed hacker and doesn’t plan on returning to the world of cyber crime. He says his “perspective on life has shifted dramatically” and he does not “see the point in committing crimes”.

“The motivation I used to have for it has waned to the point where I no longer find it appealing,” he says. “I blackmailed people for money, albeit a small amount of money, and it has become clear to me that I could have earned more money through legal means in a shorter period of time than I did through criminal activity.”

“The motivation I used to have for [hacking] has waned to the point where I no longer find it appealing. I blackmailed people for money, albeit a small amount of money, and it has become clear to me that I could have earned more through legal means”
Daniel Kelley, ex-black hat hacker

Kelley is now putting his cyber security skills to good use and building a credible career in the industry, instead of hacking and blackmailing companies. When he was on bail, he teamed up with computer incident response teams, system administrators, website developers and government bodies to address more than 3,000 cyber security vulnerabilities, and even ranked 11th place on a major bug bounty service.

You could say that Kelley has hung up his black hat forever. “To put it bluntly, but cynically, I don’t think the burden of criminality is worth it to me. Sure, you can make a lot of money, but what good is money if you’re always paranoid and don’t know whether you’ll be arrested tomorrow? People rarely think about the consequences of a criminal lifestyle,” he says.

“If you want to make a lot of money and build a life with it, you must consider the possibility of losing it all in 20 or 30 years. If you stop committing crimes one day, that doesn’t mean all of your previous offences are no longer valid. It’s a more significant decision than most people realise.”

Given that Kelley now has a serious crime prevention order against his name, building a genuine career in the cyber security industry hasn’t been easy for him. “It’s not so much probation that’s the problem – the probation team in charge of me is fantastic to work with, and I’ll be off probation next year. The main problem is the SCPO,” he reveals.

“It has a number of limitations that prevent me from using basic technology, and it won’t expire until 2026. If an employer wants to hire me, they must accept the responsibility that comes with it. It’s not like I can just apply for a regular job and follow the established procedures.”

But regardless of these challenges, Kelley is enthusiastic about his future in the cyber security industry and remains laser-focused. “I’ve been looking for work and will continue to do so, but it’s all about making the best of the situation.”

The only thing he doesn’t regret about his black hat career is that it enabled him to acquire “real-world offensive computer hacking experience” that cannot be achieved “outside of a job”. He adds: “Of course, CTFs [capture the flag] and emulated environments exist, but they aren’t the same as illicit computer hacking.”

When asked to provide advice for young people looking to pursue a career in the cyber security industry and stay out of trouble, he says: “If you want a career in cyber security, find what it is you want to do and then start to look at the requirements for that specific role. There’s material available now that wasn’t available 10 years ago, and plenty of people in the industry that are willing to help.”


Learn more about Daniel Kelley’s story on his personal website and keep up with him via social media on Twitter or LinkedIn.


FIFA 23 lets you turn off commentary pointing out how bad you are


FIFA 23 might be the best soccer game yet for terrible sports fans, as it lets you turn off commentary that criticizes your bad playing.

Now that the early access FIFA 23 release time has passed, EA Play and Xbox Game Pass Ultimate subscribers can hop into the game ahead of its full release. But as Eurogamer spotted, they’ll find a peculiar option waiting for them.

FIFA 23 includes a toggle to turn off ‘Critical Commentary’. The setting lets you silence all negative in-match comments made about your technique, so you can protect your precious ego even when you miss an open goal or commit an obvious foul. The more positive commentary won’t be affected. 

Spare your feelings

The feature looks tailored toward children and new players, who don’t want to have their confidence wrecked within mere minutes of picking up the controller. But even experienced players who just so happen to be terrible at the game might benefit.

It’s not perfect, though. According to Eurogamer, the feature didn’t seem to work during a FIFA Ultimate Team Division Rivals match, with critical comments slipping through the filter. Still, who hasn’t benefited from a light grilling every now and then?

Polite commentary isn’t the only new addition in FIFA 23. It’s the first game in the series to include women’s club football teams, and fancy overhauled animations that take advantage of the PS5 and Xbox Series X|S’s new-gen hardware. EA will be hoping to end on a high, as FIFA 23 will be the last of its soccer games to release with the official FIFA licence.

If disabling critical commentary doesn’t improve your soccer skills, maybe building a squad of Marvel superheroes will. Although you might not do much better with Ted Lasso wandering the pitch.

FIFA 23 is set to fully release this Friday, September 30.

Callum is TechRadar Gaming’s News Writer. You’ll find him whipping up stories about all the latest happenings in the gaming world, as well as penning the odd feature and review. Before coming to TechRadar, he wrote freelance for various sites, including Clash, The Telegraph, and Gamesindustry.biz, and worked as a Staff Writer at Wargamer. Strategy games and RPGs are his bread and butter, but he’ll eat anything that spins a captivating narrative. He also loves tabletop games, and will happily chew your ear off about TTRPGs and board games. 


Google Pixel 7 price leak suggests Google is totally out of touch


We’re starting to hear more and more Google Pixel 7 leaks, with the launch of the phone just a week away, but tech fans might be getting a lot of déjà vu, with the leaks all listing near-identical specs to what we heard about the Pixel 6 a year ago.

It sounds like the new phones – a successor to the Pixel 6 Pro is also expected – could be very similar to their 2021 predecessors. And a new price leak has suggested that the phones’ costs could be the same too, as a Twitter user spotted the Pixel 7 briefly listed on Amazon (before being promptly taken down, of course).

Google pixel 7 on Amazon US. $599.99. It is still showing up in search cache but the listing gives an error if you click on it. We have the B0 number to keep track of though! #teampixel pic.twitter.com/w5Z09D28YE September 27, 2022


According to these listings, the Pixel 7 will cost $599 while the Pixel 7 Pro will cost $899, both of which are identical to the Pixel 6 and Pixel 6 Pro starting prices. The leak doesn’t include any other region prices, but in the UK the current models cost £599 and £849, while in Australia they went for AU$999 and AU$1,299.

So it sounds like Google is planning on retaining the same prices for its new phones as it sold the old ones for, a move which doesn’t make much sense.


Analysis: same price, new world

Google’s choice to keep the same price points is a little curious when you consider that the specs leaks suggest these phones are virtually unchanged from their predecessors. You’re buying year-old tech for the same price as before.

Do bear in mind that the price of tech generally lowers over time, so you can readily pick up a cheaper Pixel 6 or 6 Pro right now, and after the launch of the new ones, the older models will very likely get even cheaper.

But there’s another key factor to consider in the price: $599 might be the same number in 2022 as it was in 2021, but with the changing global climate, like wars and flailing currencies and cost of living crises, it’s a very different amount of money.

Some people just won’t be willing to shell out the amount this year that they may have been able to last year. But this speaks to a wider issue in consumer tech.

Google isn’t the only tech company to completely neglect the challenging global climate when pricing its gadgets: Samsung is still releasing super-pricey folding phones, and the iPhone 14 is, for some incomprehensible reason, even pricier than the iPhone 13 in some regions. 

Too few brands are actually catering to the tough economic times many are facing right now, with companies increasing the price of their premium offerings to counter rising costs, instead of just designing more affordable alternatives to flagships.

These high and rising prices suggest that companies are totally out of touch with their buyers, and don’t understand the economic hardship troubling many.

We’ll have to reach a breaking point sooner or later, either with brands finally clueing into the fact that they need to release cheaper phones, or with customers voting with their wallets by sticking to second-hand or refurbished devices. But until then, you can buy the best cheap phones to show that cost is important to you.

Tom’s role in the TechRadar team is to specialize in phones and tablets, but he also takes on other tech like electric scooters, smartwatches, fitness, mobile gaming and more. He is based in London, UK.

He graduated in American Literature and Creative Writing from the University of East Anglia. Prior to working at TechRadar he freelanced in tech, gaming and entertainment, and also spent many years working as a mixologist. Outside of TechRadar he works in film as a screenwriter, director and producer.


DisplayMate awards the “Best Smartphone Display” title to the iPhone 14 Pro Max
