Deloitte Hit By Cyber-attack Revealing Clients' Secret Emails (theguardian.com)

← Back to Stories (view on slashdot.org)

Deloitte Hit By Cyber-attack Revealing Clients' Secret Emails (theguardian.com)

Posted by msmash on Monday September 25, 2017 @08:45AM from the security-woes dept.

Accounting firm Deloitte confirmed on Monday it had suffered a cyberattack. From a report: One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal (the company has since confirmed the breach). Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. One of the largest private firms in the US, which reported a record $37bn revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments

32 of 49 comments (clear)

Min score:

Reason:

Sort:

So, does this mean they will release... by Anonymous Coward · 2017-09-25 08:48 · Score: 1

Financial data, of course, is what we think of as some of the most private of data.
And it's also some of the data that we would most benefit from knowing.
Cybersecurity advice? by Anonymous Coward · 2017-09-25 08:55 · Score: 3, Funny

Deloitte provides auditing, tax consultancy and high-end cybersecurity advice

Not anymore, I imagine.
1. Re:Cybersecurity advice? by olsmeister · 2017-09-25 08:57 · Score: 4, Funny
  
  They can tell you exactly what not to do.
2. Re:Cybersecurity advice? by HornWumpus · 2017-09-25 09:15 · Score: 1
  
  They will still gladly tell you that whatever you are doing is good. For $400/hour.
  That's basically their (big accounting consultancies) role, provide cover, tell you what you want to hear.
  
  --
  John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
3. Re:Cybersecurity advice? by OneHundredAndTen · 2017-09-25 09:19 · Score: 1
  
  Like Arthur Andersen before them, Deloitte, Price Waterhouse, etc. sell a lot of hot air at very high prices. But, their people dress impeccably.
4. Re:Cybersecurity advice? by Anonymous Coward · 2017-09-25 09:20 · Score: 1
  
  They can tell you exactly what not to do.
  Our current Best Practices include:
  (1) Do not have been our client since at least the fall of 2016.
5. Re:Cybersecurity advice? by 0100010001010011 · 2017-09-25 10:45 · Score: 1
  
  Consulting: If you're not a part of the solution, there's good money to be made in prolonging the problem.
6. Re:Cybersecurity advice? by bleh-of-the-huns · 2017-09-25 11:16 · Score: 2
  
  Thats not completely true. I most definitely am not full of hot air.. then again they never would have hired me.. I came over with a buyout by Deloitte of my company. There are a ton of very technical very competent people in their respective fields. Sadly, there are not enough of us.
  
  --
  I came, I conquered, I coredumped
7. Re:Cybersecurity advice? by bravecanadian · 2017-09-25 12:27 · Score: 1
  
  They will still gladly tell you that whatever you are doing is good. For $400/hour.
  That's basically their (big accounting consultancies) role, provide cover, tell you what you want to hear.
  Yup. auditors are a textbook case of a conflict of interest.
8. Re:Cybersecurity advice? by Wootery · 2017-09-26 01:04 · Score: 1
  
  I was going to call you on your grammar, but I think it's technically correct.
All Internal Email. All Admin Accounts by Anonymous Coward · 2017-09-25 09:00 · Score: 1

https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
Source: Deloitte Breach Affected All Company Email, Admin Accounts
Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.
Cyberpocalypse? by mschwanke97402 · 2017-09-25 09:00 · Score: 4, Insightful

I think we are rapidly approaching the day when the fun and games of the free, open Internet, with every last gadget, device, appliance, phone, tablet, laptop, pc and server all being on that very same Internet.
Why there would need to be direct access from the public Internet to some of the data we've seen compromised recently is beyond me. Cheap bastards in the C-Suites? I get that if I want to see my account in an online banking web site that the web server I access is going to be connected to the public Internet but why wouldn't the back-end, such as the customer database be on a separate network with tightly controlled access from the public facing web servers to the back-end databases. It shouldn't be possible to connect from the public Internet via some exploit in the public-facing web server and then just dump the contents of all the back-end database servers.
Am I just being naive here? Are going to end up requiring all connected devices have licenses/permits?
1. Re:Cyberpocalypse? by PolygamousRanchKid+ · 2017-09-25 09:11 · Score: 5, Informative
  
  USA, around 1984: Where's the beef . . . ?"
  Today: Where's the hack . . . ?"
  TFA seems to imply that someone misused an email administrator id and password. Not really a "hack", in any sense of the word.
  Whenever you have any information stored anywhere . . . the loosest link in the security chain will be human. Read up about Markus Wolf, the former East German Secret Police spy chief, also known as, "the man without a face."
  Wolf managed to use "Romeos" to enchant bored secretaries of top West German politicians. This disclosure by Deloitte is nothing more than an admission of "pillow talk" . . . someone entrusted with an account and password misused it or passed it on to someone not authorized.
  There's nothing really "tech" about this story . . . just plain simple industrial espionage, as usual.
  Just bribe the sysadmins . . . it's a lot easier than trying to do any hacking.
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
2. Re:Cyberpocalypse? by ceoyoyo · 2017-09-25 09:44 · Score: 1
  
  Yes. The bank's server has to be connected to their webpage in order for you to manipulate your account. Hopefully the security on that connection is pretty good, but it can't be perfect.
  Deloitte e-mails, same thing. E-mail isn't much use if it's not connected to the Internet.
3. Re:Cyberpocalypse? by HornWumpus · 2017-09-25 09:56 · Score: 1
  
  It is possible to restrict admin logins to local network. Which only means they have to own a workstation first. No magic bullets.
  
  --
  John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
4. Re:Cyberpocalypse? by dissy · 2017-09-25 10:48 · Score: 1
  
  It shouldn't be possible to connect from the public Internet via some exploit in the public-facing web server and then just dump the contents of all the back-end database servers.
  Am I just being naive here?
  Well that web server has to get the data its showing you from the back-end server, which means an exploited web server running a rouge process can get that same data.
  One may argue that us people don't need quite that much data to be on the web site to view in the first place, but I'm assuming at least someone argued that they do want to, and the companies thus did so.
  What you are referring to is "security in layers"
  Web server makes API requests to another server, that makes API requests to another server or database. The communications are completely restricted to nothing but that API, and the APIs are restricted to only be able to get at certain things.
  But sadly that requires actually making those layers, and ideally each layer managed by a separate person or team, meaning hiring enough people to fill all those separate spots.
  It also requires a management team that doesn't act like security in layers is "restricting them" or "an assault on their authority" and simply threatens everyone to allow everything so he or she won't be potentially inconvenienced in any way or perceive that someone is telling him no as an affront to his or her "I am a god!" mentality.
  It can be done right if someone at the top demands it is done right and tells everyone below to fuck off and deal with it or they''re fired, including all lines of management.
  It's just rare to find such companies structured that way with enough people that care about it to actually do the work needed.
5. Re:Cyberpocalypse? by ceoyoyo · 2017-09-25 11:09 · Score: 1
  
  Sure, you can make things harder, as I said. But if you can manipulate your account over the Internet, I can. If you're clever you can set it up so I can't drain everyone's account using one login from the Internet, without compromising an internal machine first. I suspect most banks are set up this way, since there haven't been any cases of mass account emptyings.
  In this case it sounds like an e-mail admin's password was compromised and email stolen. E-mail servers don't work so well when they're not connected to the Internet. But if you're sending secret stuff unencrypted in e-mail you're an idiot anyway.
6. Re:Cyberpocalypse? by bleh-of-the-huns · 2017-09-25 11:26 · Score: 1
  
  When your company is as large and widespread as many of the consulting companies, many who encourage work from home, it can be difficult to enforce restricting logins to a specific network. This is why 2FA is important.
  
  --
  I came, I conquered, I coredumped
7. Re:Cyberpocalypse? by mschwanke97402 · 2017-09-25 12:40 · Score: 1
  
  Yes. The bank's server has to be connected to their webpage in order for you to manipulate your account. Hopefully the security on that connection is pretty good, but it can't be perfect.
  Deloitte e-mails, same thing. E-mail isn't much use if it's not connected to the Internet.
  My question was if the bank's bank-end data servers could be on an internal only LAN with a very restrictive connection allowed from the public web servers, something that could only get a single record at a time and only with customer credentials then.
8. Re:Cyberpocalypse? by mschwanke97402 · 2017-09-25 12:44 · Score: 1
  
  Well that web server has to get the data its showing you from the back-end server, which means an exploited web server running a rouge process can get that same data.
  One may argue that us people don't need quite that much data to be on the web site to view in the first place, but I'm assuming at least someone argued that they do want to, and the companies thus did so.
  What you are referring to is "security in layers" Web server makes API requests to another server, that makes API requests to another server or database. The communications are completely restricted to nothing but that API, and the APIs are restricted to only be able to get at certain things.
  But sadly that requires actually making those layers, and ideally each layer managed by a separate person or team, meaning hiring enough people to fill all those separate spots. It also requires a management team that doesn't act like security in layers is "restricting them" or "an assault on their authority" and simply threatens everyone to allow everything so he or she won't be potentially inconvenienced in any way or perceive that someone is telling him no as an affront to his or her "I am a god!" mentality.
  It can be done right if someone at the top demands it is done right and tells everyone below to fuck off and deal with it or they''re fired, including all lines of management. It's just rare to find such companies structured that way with enough people that care about it to actually do the work needed.
  Thanks for the informative post. I honestly believe there are a ton of corporate data servers with direct to the Internet connections, well, a firewall maybe, but then probably a Cisco, so...
9. Re:Cyberpocalypse? by jezwel · 2017-09-25 16:00 · Score: 1
  
  My question was if the bank's bank-end data servers could be on an internal only LAN with a very restrictive connection allowed from the public web servers, something that could only get a single record at a time and only with customer credentials then.
  They're not hacking the banks multi-layered firewalls then searching around the LAN looking for the customer databases and hacking those systems, they target the systems that are known to be connected to the data that is desired, ie, those public facing web servers. Compromise those and use the credentials that the web-server uses to get access to the database.
Virtual Machines by ironicsky · 2017-09-25 09:15 · Score: 1

With all these types of attacks surfacing, I question why we let production machines access the internet at all. I'm talking no email client, no browsers, no FTP or SSH, nothing. All ports to the internet are closed for business.
Instead, all users would have a Citrix or RDP app installed which provides the same apps, Outlook, Chrome, and other internet utilities. The virtual machine those apps are running on a different VLAN (or a physically separated connection), which only has access to the corporate network through ports that support the remote VM session, as well as a single DMZ'd file server.
Any file downloaded through the remote session would be saved to the DMZ, which is processing all files automatically, scanning for malware, objectional content, executable code, steganographically hidden content, etc. Once the file is marked as safe a process running on the corporate network grabs the files and moves them into the corporate network for access.
Likewise, a user who needs to send a file out would save the file to a "pick up" location on their corporate network, and the process would work in reverse. It would be scanned for objectional content, then pushed to the DMZ file pick-up location that the user could then send out by email or other processes.
1. Re: Virtual Machines by Anonymous Coward · 2017-09-25 09:18 · Score: 1
  
  Wow! You've basically reinvented paper letters, envelopes, and the postal system. That's great and all, except your approach somehow manages to be slower and costlier.
2. Re:Virtual Machines by swb · 2017-09-25 09:59 · Score: 1
  
  The real apocalypse is when all of this becomes a practical necessity and we lose about 75% of the productivity gains from computer automation.
  I guess the new jobs will be in the form of a new steno pool. Millennials can re-enter the data on spreadsheets and documents in a clean-room environment. People will still "exchange" documents, they just won't realize they're being transcribed in between.
3. Re:Virtual Machines by CaptainDork · 2017-09-25 10:08 · Score: 1
  
  I've implemented your suggestions for remote access and the crack in that wall is the part about, "access."
  Another crack is the "remote," part.
  Those two factors sorta describe what's called a, "hack."
  
  --
  It little behooves the best of us to comment on the rest of us.
Wrong headline by Alain+Williams · 2017-09-25 09:16 · Score: 5, Insightful

The wording was about ''cyber-attack'' which sets the tone ''Oh, unfortunate Deloitte'' - where as it should have been something like ''Deloitte is the latest incompetent company to spew client information over the Internet''.
It is about time that these crappy companies were called out for what they are. Oh: put the CEO's head on the block for this: make him pay for what this costs customers out of his own pocket - if it is paid for by Deloitte (or their insurers) then nothing will ever change.
1. Re:Wrong headline by HornWumpus · 2017-09-25 09:24 · Score: 1
  
  You can be the real dirt wasn't in 'Toilet and Douches' email system in the first place. Their 'consultants' understand the importance of deniability/non-discoverability and maintain private emails.
  
  --
  John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
2. Re:Wrong headline by stabiesoft · 2017-09-25 09:53 · Score: 2
  
  They better hope so. If the hackers got the real dirt, I wonder if the hackers could get the IRS bounty for tax fraud?
First, they came for the billionaires... by PopeRatzo · 2017-09-25 09:38 · Score: 3, Insightful

I'm pretty sure the world would be a better place if the secret emails of Deloitte's "blue chip" clients were made public.

--
You are welcome on my lawn.
1. Re:First, they came for the billionaires... by PopeRatzo · 2017-09-25 13:25 · Score: 1
  
  Because the Panama Papers [icij.org] release did wonders for the world?
  Yes, the release of the Panama Papers is a step toward a better world.
  
  --
  You are welcome on my lawn.
Sophisticated hack that compromised plans .. by najajomo · 2017-09-25 10:23 · Score: 1

Sophisticated, you're kidding, they logged in using an administration account that didn't use two-factor authentication.
Deloitte Hacked?? by Clived · 2017-09-25 15:24 · Score: 1

Oh how have the mighty fallen. Aren't THEY supposed to be guiding their clients regarding preventing such issues ??

--
Clive DaSilva Email: clive.dasilva@gmail.com Ubuntu 18.10 Kernel 4.18