Deloitte clients emails hacked
#1  Alan (Moderator)  09-25-2017, 08:13 AM

Probably doesn't affect any here, but I'm still amazed that the hackers gained access through a system admin account.


https://www.theguardian.com/business...e_iOSApp_Other

Quote:
So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

Quote:
In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.

The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.

#2  Aerides  09-25-2017, 09:18 AM
Until I RE'd, I worked in IT management. We had regular internal "phishing" attempts done to spread awareness and educate employees on what to look for. Folks who fell for it were reported and retrained.

One of my IT director colleagues was facing performance warnings as he failed 3 attempts in a year. He probably had admin rights for a dozen systems.

As long as there are human entry points there will be errors made which leave open portals for entry.
#3  Scrapr  09-25-2017, 11:37 AM
After they declined to hire me 40 years ago I have been boycotting them. I did the same to Arthur Andersen and look what happened to them!

Latest boycott target is Amazon, so start shorting the stock in about 30 years I guess.
#4  Blue Collar Guy  09-26-2017, 12:00 AM
Quote:
Originally Posted by Scrapr View Post
After they declined to hire me 40 years ago I have been boycotting them. I did the same to Arthur Andersen and look what happened to them!

Latest boycott target is Amazon, so start shorting the stock in about 30 years I guess.
Hahahaha
#5  Totoro  09-27-2017, 11:00 AM
The fun part: Deloitte offers IT audits, including IT security audits.
#6  MRG  09-27-2017, 11:06 AM
Quote:
Originally Posted by Totoro View Post
The fun part: Deloitte offers IT audits, including IT security audits.
The cobbler's kids always need shoes.

I've worked with them on audits of Megacorp. They have decent methodology and decent consultants.

Obviously they never audited themselves*. Changing admin passwords is security 101 in both implementation and audit.

*Possibly a new server was acquired and missed in an audit.
#7  Alan (Moderator)  09-27-2017, 11:27 AM
Quote:
Originally Posted by Totoro View Post
The fun part: Deloitte offers IT audits, including IT security audits.
When I was working for Megacorp in IT, Deloitte was the firm auditing our systems each year for Sarbanes-Oxley compliance. They spent a lot of time on the security of user accounts and were really tough on the security of the administration accounts. I guess they don't practice what they preach.
#8  jim584672  09-27-2017, 11:40 AM
Why is no one using encryption? Once it is set up it is basically automatic. Then the hackers only know who is talking to whom, but not what is being said.
#9  MRG  09-27-2017, 02:11 PM
Quote:
Originally Posted by jim584672 View Post
Why is no one using encryption? Once it is set up it is basically automatic. Then the hackers only know who is talking to whom, but not what is being said.
Many reasons.

If you encrypt data you can have serious issues. Support becomes much more difficult.

If you are using relational databases it severely limits what you can do effectively!

Relational databases are great and someone can write SQL statements that efficiently process data. Tuning queries is both art and science. You're (kinda) attempting to get the most accesses to the data through an index to reduce I/O load.

When you encrypt data the only thing the database can do, while still using an index, is equality searches. No inequality, range, or advanced selection/manipulation functions are able to use an index.

That may not sound like much, but it can be. Roll out a few tables with say 100 million rows apiece, encrypt the key fields, write a query with a few joins between those tables, and wait. Everyone else will wait too. It's not pretty.

With the technology today the use of encrypted relational databases is mostly limited to a select few fields where a DBA knows there's no valid reason to do anything except direct hits.

I left the industry 4 years ago. Seems like the DB guys wanted hardware encryption and it wasn't quite prime time on the technology stacks we worked with.
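The "equality only" point in the post above, as an added worked example that is not code from the thread or from any database vendor. It uses only the Python standard library: sqlite3 for the table, and an HMAC-SHA256 keystream as a stand-in for a real AEAD cipher (in production use AES-GCM from a proper library). The keys, the table layout (salary_enc / salary_idx), the row values and the function names are all constructed for illustration. It shows the standard pattern of storing a randomised ciphertext next to a deterministic keyed hash (a "blind index"): the index makes equality lookups cheap, while a range query has nothing to work with except a full scan plus client-side decryption.

```python
"""Why an encrypted column only supports indexed equality lookups.

Added example (not from the forum post). Standard library only; the
HMAC-based stream cipher is a stand-in for a real AEAD such as AES-GCM.
Keys, table and rows below are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumed demo keys. In practice these come from a KMS/HSM, never from source.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
IDX_KEY = hashlib.sha256(b"demo-blind-index-key").digest()
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode: a stand-in stream cipher keyed by (key, nonce)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes) -> bytes:
    """Randomised encryption: a fresh nonce per call, so equal plaintexts give
    different ciphertexts and the DB can neither compare nor index the column."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))


def blind_index(plaintext: bytes) -> bytes:
    """Deterministic keyed hash: equal plaintexts give equal tags, so a B-tree
    index works for '='. It preserves no ordering, so '<', '>' and BETWEEN cannot use it."""
    return hmac.new(IDX_KEY, plaintext, hashlib.sha256).digest()


def build_db(salaries):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (id INTEGER PRIMARY KEY, salary_enc BLOB, salary_idx BLOB)")
    conn.execute("CREATE INDEX emp_salary_idx ON emp(salary_idx)")
    for s in salaries:
        p = str(s).encode()
        conn.execute("INSERT INTO emp (salary_enc, salary_idx) VALUES (?, ?)",
                     (encrypt(p), blind_index(p)))
    conn.commit()
    return conn


def find_equal(conn, salary: int):
    """Equality search: the DB matches on the blind index, the app decrypts the hits."""
    tag = blind_index(str(salary).encode())
    rows = conn.execute("SELECT salary_enc FROM emp WHERE salary_idx = ?", (tag,))
    return sorted(int(decrypt(r[0])) for r in rows)


def equality_uses_index(conn) -> bool:
    plan = conn.execute("EXPLAIN QUERY PLAN SELECT id FROM emp WHERE salary_idx = ?",
                        (b"x",)).fetchall()
    return any("emp_salary_idx" in row[-1] for row in plan)


def range_query_is_full_scan(conn) -> bool:
    """A range predicate on the ciphertext column is a table scan; and even with an
    index, ciphertext byte order says nothing about plaintext order."""
    plan = conn.execute("EXPLAIN QUERY PLAN SELECT id FROM emp WHERE salary_enc BETWEEN ? AND ?",
                        (b"a", b"z")).fetchall()
    return any("SCAN" in row[-1] for row in plan)


def find_range(conn, lo: int, hi: int):
    """The only correct option: read every row, decrypt, filter in the application.
    On the 100-million-row tables from the post this is the 'everyone waits' case."""
    values = (int(decrypt(r[0])) for r in conn.execute("SELECT salary_enc FROM emp"))
    return sorted(v for v in values if lo <= v <= hi)


if __name__ == "__main__":
    db = build_db([50000, 62000, 62000, 71000, 88000])  # constructed rows
    print("equal:", find_equal(db, 62000), "indexed:", equality_uses_index(db))
    print("range:", find_range(db, 60000, 80000), "full scan:", range_query_is_full_scan(db))
```

Run the block and compare the two EXPLAIN QUERY PLAN results: the blind-index lookup reports a SEARCH using emp_salary_idx, the BETWEEN on the ciphertext reports a SCAN. The blind index leaks equality (two rows with the same tag have the same salary), which is the trade the post describes as acceptable only for "direct hit" fields.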
#10  jim584672  09-27-2017, 02:18 PM
I don't see how relational databases are even involved. I can run an email client with an encryption add-on that produces a message like:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)

hQIOA68nz9GqU7SREAgAxWfwvpziO4N6KquxmeuYD/txfTceyXRZGVqAGFUGmOdE
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
Z1qGcEVcJGJPP7QwQWUp53FbZuIq742CoxNklwvlnjhEaXa5rG2dmHUREawVzz
+qM8RkPBZIBge0SVY=
=WznL
-----END PGP MESSAGE-----

It is still just a regular email.
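What makes the block above "still just a regular email" is the armor layer: base64 framing plus a CRC-24 checksum, which turns a binary OpenPGP packet into 7-bit text that any mail server will carry unchanged. The following is an added example, not code from the post and not GnuPG's code, that writes and parses that armor as specified in RFC 4880 section 6. It does no encryption; the payload is constructed bytes standing in for an encrypted packet, and the function names and the Version header value are assumptions. Note that the checksum line ("=WznL" in the post) only catches transit corruption; it is not a security mechanism, and the integrity of the message itself comes from the encrypted packet inside.

```python
"""Read and write OpenPGP ASCII armor (RFC 4880 section 6).

Added example, not from the forum post and not GnuPG's code. Handles
only the armor layer (base64 framing and CRC-24); the payload used here
is constructed bytes, not a real encrypted packet.
"""
import base64
from typing import Optional

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
LINE_LEN = 64  # GnuPG wraps armor data at 64 columns (RFC 4880 allows up to 76)


def crc24(data: bytes) -> int:
    """CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "PGP MESSAGE", headers: Optional[dict] = None) -> str:
    """Wrap binary packet bytes in an armored block that is plain 7-bit ASCII."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN {kind}-----"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append("")  # a blank line terminates the armor headers
    lines += [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc_b64)  # the checksum line starts with '='
    lines.append(f"-----END {kind}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str):
    """Parse an armored block into (kind, headers, payload).

    Raises ValueError on a malformed block or a CRC-24 mismatch."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("missing BEGIN/END armor lines")
    kind = lines[0][len("-----BEGIN "):-len("-----")]
    headers = {}
    i = 1
    while i < len(lines) and lines[i] != "":
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"bad armor header: {lines[i]!r}")
        headers[key] = value
        i += 1
    data, crc_line = [], None
    for ln in lines[i + 1:-1]:
        if ln.startswith("="):
            crc_line = ln[1:]
        elif ln:
            data.append(ln)
    payload = base64.b64decode("".join(data), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
        if expected != crc24(payload):
            raise ValueError("armor CRC-24 mismatch: block corrupted in transit")
    return kind, headers, payload


def armor_is_intact(text: str) -> bool:
    """True if the block parses and its CRC-24 matches the decoded data."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    packet = b"constructed bytes standing in for an encrypted OpenPGP packet"
    msg = armor(packet, headers={"Version": "demo"})
    print(msg)
    print(dearmor(msg))
```

Feed the output to a mail client as the body of a plain-text message and it arrives byte-for-byte intact, which is the whole point of the armor. Flip one character of a data line and armor_is_intact() returns False: a single base64 character covers at most six bits, well inside the 24-bit burst length that the CRC polynomial detects.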
#11  MRG  09-27-2017, 02:49 PM
Quote:
Originally Posted by jim584672 View Post
I don't see how relational databases are even involved. I can run an email client with an encryption add-on that produces a message like:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)

hQIOA68nz9GqU7SREAgAxWfwvpziO4N6KquxmeuYD/txfTceyXRZGVqAGFUGmOdE
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
Z1qGcEVcJGJPP7QwQWUp53FbZuIq742CoxNklwvlnjhEaXa5rG2dmHUREawVzz
+qM8RkPBZIBge0SVY=
=WznL
-----END PGP MESSAGE-----

It is still just a regular email.
I think it's a different part of the same issue: management of encryption keys and usability of the data.
#12  jim584672  09-27-2017, 02:56 PM
Considering the importance of data integrity these issues are not a big deal in the scheme of things. Keyservers are already available publicly.

Unencrypted email is easily spoofed and hacked. No firm like Deloitte should be using unencrypted email.
#13  Alan (Moderator)  09-27-2017, 03:37 PM
Quote:
Originally Posted by jim584672 View Post

Unencrypted email is easily spoofed and hacked. No firm like Deloitte should be using unencrypted email.
+1

My old company used encrypted email as standard practice. And we were just a large chemical company, not someone like Deloitte.

In our company the Mergers and Acquisitions team used encrypted databases that no one in IT could read. (The skeleton database is created and a senior member of the M&A team creates a key, encrypts the database and sends the key to other team members working on that project.)
#14  MRG  09-27-2017, 05:37 PM
Quote:
Originally Posted by jim584672 View Post
Considering the importance of data integrity these issues are not a big deal in the scheme of things. Keyservers are already available publicly.

Unencrypted email is easily spoofed and hacked. No firm like Deloitte should be using unencrypted email.
We're on the same team. I don't want my data leaked.

It's about how you go about it. Multiple ways to do it. Hopefully we all benefit.
Having my data self destruct upon theft would be great!

I've seen security conscious organizations keep their names out of the New York Times for data breaches. I hope that trend continues as security becomes ingrained in our knowledge.