
Deloitte 4+ months late on breach: New poster child for bad security practices?

Deloitte has had its email broken into, putting countless large companies at risk. What’s worse, the intrusion appears to have begun about a year ago, but the breach wasn't noticed for at least four months, according to sources.

Not only that, but a pile of researchers have uncovered worrying security practices at the accounting, audit and consulting firm. These include internet-exposed admin services, single-factor logins, and clear-text passwords posted in plain sight.

Ironically, Deloitte Touche Tohmatsu Ltd. is the world’s No. 1 security consulting group (at least, for now). In this week’s Security Blogwatch, we find it hard to believe what we’re hearing.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: HT-ST:TNG

What’s the craic? Nick Hopkins claims this breathless exclusive—Deloitte hit by cyber-attack revealing clients’ secret emails:

Hackers may have accessed usernames, passwords and personal details of top accountancy firm’s blue-chip clients. [It was] a sophisticated hack.

Deloitte clients … had material in the company email system that was breached … includ[ing] household names as well as US government departments.

Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016. … Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted” … but declined to elaborate.

In 2012, Deloitte, which has offices all over the world, was ranked the [biggest] cybersecurity consultant [by revenue] in the world.

A “small number” of clients? Brian Krebs cycles in: [You’re fired -Ed.]

Deloitte has sought to downplay the incident … but according to a source … the breach … involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

Information shared by a person with direct knowledge of the incident said the company … does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems. … This source, speaking on condition of anonymity, said … that current estimates put the intrusion sometime in the fall of 2016, and added that investigators still are not certain that they have completely evicted the intruders.

The source [said] “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.” … This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom.

That’s not good. John Leyden jars us awake:

Oops, did someone forget to turn on 2FA?

Hackers gained access … through an administrative account that was not secured using two-factor authentication.

A no-nonsense Morgan Chalfant sticks to the facts—Deloitte hit by cyberattack:

Hackers potentially had access to 5 million emails stored in the … cloud, which is managed by Microsoft.

A Deloitte spokesman said that the company implemented a "comprehensive security protocol" and initiated "an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte." … "Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security."

How did the hacker get in? Kevin “@GossiTheDog” Beaumont has been busy on Shodan:

Deloitte’s US offices have everything [open] from Netbios to RDP to Exchange Admin (single factor) etc etc etc.

Their email system doesn’t even have the ECP locked down to int[ernal] addresses nor OWA 2FA.

In fairness to Deloitte I know a couple of folk from their UK cyber office. They’re great, and InfoSec is hard. Send ‘em to US office?

When you have data breach handling companies who can't handle breaches and security auditors who can't handle security, it's time to talk.

I can't even tweet about it without people saying 'I bet we're all this bad'. Part of problem is orgs aren't openly talking about challenges.
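Beaumont’s Shodan findings are the kind of thing a perimeter audit should catch before a stranger does. Here is an added example (my code, not the article’s, Beaumont’s or Deloitte’s) that applies that policy to scan records: internet-reachable NetBIOS, SMB and RDP get flagged, an Exchange Control Panel answering at /ecp is critical, and an OWA or ECP login without a second factor is high. The record layout, the sample hosts (203.0.113.10, mail.example.com), and the severities are assumptions; feed it your own Shodan or nmap export.

```python
"""Audit a perimeter scan export for the exposures Beaumont describes.

Added example, not code from the original article, Beaumont or Deloitte.
Records are in a generic form you would fill from a Shodan or nmap export;
the ones below are constructed for the demo, and the ports, paths and
severities are policy assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports that should never answer from the internet on a corporate edge.
RISKY_PORTS = {
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    445: "SMB",
    3389: "RDP",
}
# Admin UIs that should answer only to internal source addresses.
ADMIN_PATHS = {"/ecp": "Exchange Control Panel"}
# Web logins that must sit behind a second factor if exposed at all.
LOGIN_PATHS = {"/owa": "Outlook Web App", "/ecp": "Exchange Control Panel"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Banner:
    host: str
    port: int
    product: str                     # what the scanner fingerprinted
    web_paths: Tuple[str, ...] = ()  # paths that answered on a web port
    mfa: Optional[bool] = None       # from a manual login check; None = unverified


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    port: int
    title: str
    fix: str


def audit(banners: List[Banner]) -> List[Finding]:
    """Apply the policy above and return findings, worst first."""
    findings: List[Finding] = []
    for b in banners:
        if b.port in RISKY_PORTS:
            findings.append(Finding(
                "high", b.host, b.port,
                f"{RISKY_PORTS[b.port]} ({b.product}) exposed on {b.port}/tcp",
                "block at the edge; reach it over VPN or a bastion host"))
        for path in b.web_paths:
            if path in ADMIN_PATHS:
                findings.append(Finding(
                    "critical", b.host, b.port,
                    f"{ADMIN_PATHS[path]} reachable at {path}",
                    "restrict the path to internal source addresses"))
            if path in LOGIN_PATHS and b.mfa is False:
                findings.append(Finding(
                    "high", b.host, b.port,
                    f"{LOGIN_PATHS[path]} at {path} accepts password-only logins",
                    "enforce a second factor on every account, admins first"))
            elif path in LOGIN_PATHS and b.mfa is None:
                findings.append(Finding(
                    "medium", b.host, b.port,
                    f"{LOGIN_PATHS[path]} at {path}: second factor not verified",
                    "test a login and record the result"))
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))


def report(findings: List[Finding]) -> str:
    """One line per finding, suitable for a ticket or a chat channel."""
    return "\n".join(f"[{f.severity:8}] {f.host}:{f.port} {f.title} -> {f.fix}"
                     for f in findings)


# Constructed scan records (RFC 5737 documentation address, example.com).
SAMPLE_SCAN = [
    Banner("203.0.113.10", 3389, "Microsoft Terminal Services"),
    Banner("203.0.113.10", 445, "Microsoft Windows SMB"),
    Banner("mail.example.com", 443, "Microsoft Exchange",
           web_paths=("/owa", "/ecp"), mfa=False),
    Banner("www.example.com", 443, "IIS", web_paths=("/",)),
]

if __name__ == "__main__":
    print(report(audit(SAMPLE_SCAN)))
```

The scanner cannot tell you whether a login form enforces a second factor, so that field is recorded from a manual or scripted login test; an unverified login is deliberately a finding in its own right rather than silently passing.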

It gets worse. Here’s Ankit “@ankit_anubhav” Anubhav:

#RipCommonSense … someone who can't remember Deloitte credentials has saved them in a public page on GitHub!

This is infosec suicide. If people do such acts themselves no AV or cybersecurity org can save them from breach.

Wait. Pause. Usernames and passwords posted publicly? You cannot be serious. Paul “@PaulWebSec” Sec is deadly serious:

#Github search: ".deloitte.com" + "password"
607 code results.

Mikko “@mikko” Hypponen did a similar thing:

Wow.

P@$$word
Password1105
Portal1!

"Key in User Name as “asundhar” & Password as “Quanchi@123” and wait for successful VPN connectivity".

And then there's this guy, using his public Google+ page to scribble down random notes...
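The search Sec and Hypponen ran is trivially automated, and you should run it against your own repos before someone else does. The following is an added example (mine, not the article’s or any of the tweeters’) of the same check over a file’s text: a credential-shaped key followed by an assignment or the prose “as”/“is”, with template values such as ${VPN_PASSWORD} filtered out, and every hit reported with the value masked. The regexes, the placeholder list, and the sample text are assumptions; the sample credentials are made up.

```python
"""Scan text for credentials left in the clear, the way the GitHub search
quoted above finds them.

Added example, not code from the original article or from any of the
people quoted. The regexes, the placeholder filter and the sample text
are mine; the sample credentials are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A credential-ish key, an assignment ("=", ":", or prose "as"/"is"), then a value.
CREDENTIAL = re.compile(
    r"([\w.-]*?(?:pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key))"
    r"\s*(?:\b(?:as|is)\b|[:=])\s*"
    r"[\"'“]?([^\s\"'“”,;]+)",
    re.IGNORECASE,
)
# Values that are templates rather than secrets; skip them to cut noise.
PLACEHOLDERS = {"password", "changeme", "redacted", "none", "null", "secret", "xxx"}


@dataclass(frozen=True)
class Finding:
    line: int
    key: str
    redacted: str   # first two characters only; never log the real value
    in_scope: bool  # file mentions the domain you were searching for


def looks_like_placeholder(value: str) -> bool:
    """Shell/template variables, angle-bracket prompts and x/* fillers."""
    v = value.lower()
    return (v.startswith(("$", "<", "{", "%"))
            or v.strip("*x") == ""
            or v in PLACEHOLDERS)


def redact(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2)


def scan(text: str, domain: Optional[str] = None) -> List[Finding]:
    """Return one Finding per plausible credential, with the value masked."""
    in_scope = bool(domain) and domain.lower() in text.lower()
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL.finditer(line):
            key, value = m.group(1), m.group(2)
            if looks_like_placeholder(value):
                continue
            findings.append(Finding(lineno, key, redact(value), in_scope))
    return findings


# Constructed sample; nothing here is a real account.
SAMPLE = """\
# setup notes for vpn.example.com
Key in User Name as “jdoe” & Password as “Summer2017!” and wait for VPN connectivity
db_password = "hunter2"
api_key: AKIAEXAMPLEEXAMPLE
password = ${VPN_PASSWORD}
PASSWORD=<your-password-here>
Remember to reset your password every 90 days.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE, ".example.com"):
        print(f"line {f.line}: {f.key} = {f.redacted} (in scope: {f.in_scope})")
```

It is a heuristic, not a guarantee: run it over `git log -p` as well as the working tree, because a password removed in a later commit is still in history, and treat every hit as a credential to rotate rather than a line to delete.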

When will it all end? Dan “@Viss” Tentler has an answer, of sorts:

it never ends.
IT NEVER ENDS
it's like the deloitte perimeter is made of confetti.
all their data is just "on the floor"

this can't "just happen to anybody". this happens to SPECIFIC companies, who abjectly avoid basic maintenance and hygiene.

100% of this **** is low hanging fruit.

if your dentist had black, rotten teeth, would you trust your dentist to work on your teeth?

NovaeDeArx is more than a little concerned:

Deloitte is a massive consulting, auditing, analytics and (insert lots of other stuff here) company. This breach is scary as hell, as they’ve got a tremendous amount of access into client systems as part of their work.

If there’s any one company from which attackers could then pivot into a large number of Fortune 500 companies’ internal systems, it’s this one. And that’s more than a little concerning.

So heed the analysis of Carla “@CarlaSchroder” Schroder:

If a bunch of rich people get messed up, maybe something will happen to hold these titans of industry accountable.

Last word on the subject goes to Christine Hall:

Our insistence that the entirety of every entity in the world's business should be publicly accessible by way of the internet still strikes me as one of the biggest failures of human logic in the history of our species.

Meanwhile, The Daily Edge quips thuswise, catching us up on a related story:

Equifax CEO Richard Smith has resigned, says he plans to live quietly under six different stolen identities.

The moral of the story? This is the latest high-profile leak, but it won't be the last. Don’t you be the next!

And Finally…

Honest Trailers - Star Trek: The Next Generation


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.


Image source: Lies Thru A Lens (cc:by)
