Deloitte clients emails hacked

Alan

Probably doesn't affect any here, but I'm still amazed that the hackers gained access through a system admin account.


https://www.theguardian.com/busines...-clients-secret-emails?CMP=Share_iOSApp_Other

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.


In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.

The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.
 
Until I RE'd, I worked in IT management. We had regular internal "phishing" attempts done to spread awareness and educate employees on what to look for. Folks who fell for it were reported and retrained.

One of my IT director colleagues was facing performance warnings as he failed 3 attempts in a year. He probably had admin rights for a dozen systems.

As long as there are human entry points there will be errors made which leave open portals for entry.
 
After they declined to hire me 40 years ago I have been boycotting them. I did the same to Arthur Andersen and look what happened to them!

Latest boycott target is Amazon so start shorting the stock in about 30 years I guess
 
The fun part: Deloitte offers IT audits, including IT security audits. :facepalm:
 
The fun part: Deloitte offers IT audits, including IT security audits. :facepalm:
The cobbler's kids always need shoes.

I've worked with them on audits of Megacorp. They have decent methodology and decent consultants.

Obviously they never audited themselves*. Changing admin passwords is security 101 in both implementation and audit.

*possibly a new server was acquired and missed in an audit.
 
The fun part: Deloitte offers IT audits, including IT security audits. :facepalm:

When I was working for Megacorp in IT, Deloitte was the firm auditing our systems each year for Sarbanes-Oxley compliance. They spent a lot of time on the security of user accounts and were really tough on the security of the administration accounts. I guess they don't practice what they preach.
 
Why is no one using encryption? Once it is set up it is basically automatic. Then the hackers only know who is talking to who but not what is being said.
 
Why is no one using encryption? Once it is set up it is basically automatic. Then the hackers only know who is talking to who but not what is being said.
Many reasons.

If you encrypt data you can have serious issues. Support becomes much more difficult.

If you are using relational databases it severely limits what you can do effectively!

Relational databases are great and someone can write SQL statements that efficiently process data. Tuning queries is both art and science. You're (kinda) attempting to get the most accesses to the data through an index to reduce I/O load.

When you encrypt data the only thing the database can do, while still using an index, is equality searches. No inequality, range, or advanced selection/manipulation functions are able to use an index.

That may not sound like much, but it can be. Roll out a few tables with say 100 million rows apiece, encrypt the key fields, write a query with a few joins between those tables, and wait. Everyone else will wait too. It's not pretty.

With the technology today the use of encrypted relational databases is mostly limited to a select few fields where a DBA knows there's no valid reason to do anything except direct hits.

I left the industry 4 years ago. Seems like the DB guys wanted hardware encryption and it wasn't quite prime time on the technology stacks we worked with.
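
The indexing point in the post above, as an added example that is not part of the thread: an indexed keyed token supports equality lookups, while a range over the tokens returns the wrong rows and a correct range needs a full scan with decryption. The table, column and function names are hypothetical, the HMAC token stands in for deterministic encryption, and the XOR keystream cipher is a stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo keys; a real system would fetch these from a KMS.
INDEX_KEY = b"demo-index-key-constructed"
ENC_KEY = b"demo-encryption-key-constructed"

def token(value: int) -> bytes:
    """Deterministic keyed token: same plaintext -> same token, so '=' works."""
    return hmac.new(INDEX_KEY, str(value).encode(), hashlib.sha256).digest()

def seal(value: int) -> bytes:
    """Randomized stand-in cipher (HMAC keystream XOR); use an AEAD in practice."""
    nonce = os.urandom(16)
    stream = hmac.new(ENC_KEY, nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(value.to_bytes(8, "big"), stream))
    return nonce + body

def unseal(blob: bytes) -> int:
    stream = hmac.new(ENC_KEY, blob[:16], hashlib.sha256).digest()
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob[16:], stream)), "big")

def build_db(n: int = 1000) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acct (tok BLOB, sealed BLOB)")
    db.execute("CREATE INDEX acct_tok ON acct (tok)")
    db.executemany("INSERT INTO acct VALUES (?, ?)",
                   [(token(i), seal(i)) for i in range(n)])
    return db

def equality_plan(db) -> str:
    """Query plan text for an equality lookup on the token column."""
    row = db.execute("EXPLAIN QUERY PLAN SELECT sealed FROM acct WHERE tok = ?",
                     (token(42),)).fetchone()
    return row[-1]

def range_via_tokens(db, lo: int, hi: int) -> set:
    """Naive range on tokens: the index orders hashes, not account numbers."""
    a, b = sorted((token(lo), token(hi)))
    rows = db.execute("SELECT sealed FROM acct WHERE tok BETWEEN ? AND ?", (a, b))
    return {unseal(r[0]) for r in rows}

def range_via_scan(db, lo: int, hi: int) -> set:
    """Correct range: read and decrypt every row, with no help from the index."""
    return {v for (s,) in db.execute("SELECT sealed FROM acct")
            if lo <= (v := unseal(s)) <= hi}
```
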
 
I don't see how relational databases are even involved. I can run an email client with an encryption add-on that produces a message like:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)

hQIOA68nz9GqU7SREAgAxWfwvpziO4N6KquxmeuYD/txfTceyXRZGVqAGFUGmOdE
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
Z1qGcEVcJGJPP7QwQWUp53FbZuIq742CoxNklwvlnjhEaXa5rG2dmHUREawVzz
+q M8RkPBZIBge0SVY= =WznL

-----END PGP MESSAGE-----

It is still just a regular email.
 
I think it's a different part of the same issue. Management of encryption keys and usability of the data.
 
Considering the importance of data integrity these issues are not a big deal in the scheme of things. Keyservers are already available publicly.

Unencrypted email is easily spoofed and hacked. No firm like Deloitte should be using unencrypted email.
 
Unencrypted email is easily spoofed and hacked. No firm like Deloitte should be using unencrypted email.

+1

My old company used encrypted email as standard practice. And we were just a large chemical company, not someone like Deloitte.

In our company the Merger and Acquisitions team used encrypted databases that no one in IT could read. (The skeleton database is created and a senior member of the M&A team creates a key, encrypts the database and sends the key to other team members working on that project).
 
Considering the importance of data integrity these issues are not a big deal in the scheme of things. Keyservers are already available publicly.

Unencrypted email is easily spoofed and hacked. No firm like Deloitte should be using unencrypted email.
We're on the same team. I don't want my data leaked.

It's about how you go about it. Multiple ways to do it. Hopefully we all benefit.
Having my data self destruct upon theft would be great!

I've seen security conscious organizations keep their names out of the New York Times for data breaches. I hope that trend continues as security becomes ingrained in our knowledge.
 