Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security

Deloitte Hit By Cyber-attack Revealing Clients' Secret Emails (theguardian.com) 49

Accounting firm Deloitte confirmed on Monday it had suffered a cyberattack. From a report: One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal (the company has since confirmed the breach). Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. One of the largest private firms in the US, which reported a record $37bn revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments
This discussion has been archived. No new comments can be posted.

Deloitte Hit By Cyber-attack Revealing Clients' Secret Emails

Comments Filter:
  • by Anonymous Coward

    Financial data, of course, is what we think of as some of the most private of data.

    And it's also some of the data that we would most benefit from knowing.

  • by Anonymous Coward on Monday September 25, 2017 @03:55PM (#55262041)

    Deloitte provides auditing, tax consultancy and high-end cybersecurity advice

    Not anymore, I imagine.

  • by Anonymous Coward

    https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/ [krebsonsecurity.com]

    Source: Deloitte Breach Affected All Company Email, Admin Accounts

    Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach d

  • Cyberpocalypse? (Score:5, Insightful)

    by Marlin Schwanke ( 3574769 ) on Monday September 25, 2017 @04:00PM (#55262075)

    I think we are rapidly approaching the day when the fun and games of the free, open Internet, with every last gadget, device, appliance, phone, tablet, laptop, pc and server all being on that very same Internet.

    Why there would need to be direct access from the public Internet to some of the data we've seen compromised recently is beyond me. Cheap bastards in the C-Suites? I get that if I want to see my account in an online banking web site that the web server I access is going to be connected to the public Internet but why wouldn't the back-end, such as the customer database be on a separate network with tightly controlled access from the public facing web servers to the back-end databases. It shouldn't be possible to connect from the public Internet via some exploit in the public-facing web server and then just dump the contents of all the back-end database servers.

    Am I just being naive here? Are going to end up requiring all connected devices have licenses/permits?

    • Re:Cyberpocalypse? (Score:5, Informative)

      by PolygamousRanchKid ( 1290638 ) on Monday September 25, 2017 @04:11PM (#55262141)

      USA, around 1984: Where's the beef . . . ?"

      Today: Where's the hack . . . ?"

      TFA seems to imply that someone misused an email administrator id and password. Not really a "hack", in any sense of the word.

      Whenever you have any information stored anywhere . . . the loosest link in the security chain will be human. Read up about Markus Wolf, the former East German Secret Police spy chief, also known as, "the man without a face."

      Wolf managed to use "Romeos" to enchant bored secretaries of top West German politicians. This disclosure by Deloitte is nothing more than an admission of "pillow talk" . . . someone entrusted with an account and password misused it or passed it on to someone not authorized.

      There's nothing really "tech" about this story . . . just plain simple industrial espionage, as usual.

      Just bribe the sysadmins . . . it's a lot easier than trying to do any hacking.

    • by ceoyoyo ( 59147 )

      Yes. The bank's server has to be connected to their webpage in order for you to manipulate your account. Hopefully the security on that connection is pretty good, but it can't be perfect.

      Deloitte e-mails, same thing. E-mail isn't much use if it's not connected to the Internet.

      • It is possible to restrict admin logins to local network. Which only means they have to own a workstation first. No magic bullets.

        • by ceoyoyo ( 59147 )

          Sure, you can make things harder, as I said. But if you can manipulate your account over the Internet, I can. If you're clever you can set it up so I can't drain everyone's account using one login from the Internet, without compromising an internal machine first. I suspect most banks are set up this way, since there haven't been any cases of mass account emptyings.

          In this case it sounds like an e-mail admin's password was compromised and email stolen. E-mail servers don't work so well when they're not c

        • When your company is as large and widespread as many of the consulting companies, many who encourage work from home, it can be difficult to enforce restricting logins to a specific network. This is why 2FA is important.

      • Yes. The bank's server has to be connected to their webpage in order for you to manipulate your account. Hopefully the security on that connection is pretty good, but it can't be perfect.

        Deloitte e-mails, same thing. E-mail isn't much use if it's not connected to the Internet.

        My question was if the bank's bank-end data servers could be on an internal only LAN with a very restrictive connection allowed from the public web servers, something that could only get a single record at a time and only with customer credentials then.

        • by jezwel ( 2451108 )

          My question was if the bank's bank-end data servers could be on an internal only LAN with a very restrictive connection allowed from the public web servers, something that could only get a single record at a time and only with customer credentials then.

          They're not hacking the banks multi-layered firewalls then searching around the LAN looking for the customer databases and hacking those systems, they target the systems that are known to be connected to the data that is desired, ie, those public facing web servers. Compromise those and use the credentials that the web-server uses to get access to the database.

    • by dissy ( 172727 )

      It shouldn't be possible to connect from the public Internet via some exploit in the public-facing web server and then just dump the contents of all the back-end database servers.
      Am I just being naive here?

      Well that web server has to get the data its showing you from the back-end server, which means an exploited web server running a rouge process can get that same data.

      One may argue that us people don't need quite that much data to be on the web site to view in the first place, but I'm assuming at least someone argued that they do want to, and the companies thus did so.

      What you are referring to is "security in layers"
      Web server makes API requests to another server, that makes API requests to another server or

      • Well that web server has to get the data its showing you from the back-end server, which means an exploited web server running a rouge process can get that same data.

        One may argue that us people don't need quite that much data to be on the web site to view in the first place, but I'm assuming at least someone argued that they do want to, and the companies thus did so.

        What you are referring to is "security in layers" Web server makes API requests to another server, that makes API requests to another server or database. The communications are completely restricted to nothing but that API, and the APIs are restricted to only be able to get at certain things.

        But sadly that requires actually making those layers, and ideally each layer managed by a separate person or team, meaning hiring enough people to fill all those separate spots. It also requires a management team that doesn't act like security in layers is "restricting them" or "an assault on their authority" and simply threatens everyone to allow everything so he or she won't be potentially inconvenienced in any way or perceive that someone is telling him no as an affront to his or her "I am a god!" mentality.

        It can be done right if someone at the top demands it is done right and tells everyone below to fuck off and deal with it or they''re fired, including all lines of management. It's just rare to find such companies structured that way with enough people that care about it to actually do the work needed.

        Thanks for the informative post. I honestly believe there are a ton of corporate data servers with direct to the Internet connections, well, a firewall maybe, but then probably a Cisco, so...

  • With all these types of attacks surfacing, I question why we let production machines access the internet at all. I'm talking no email client, no browsers, no FTP or SSH, nothing. All ports to the internet are closed for business.

    Instead, all users would have a Citrix or RDP app installed which provides the same apps, Outlook, Chrome, and other internet utilities. The virtual machine those apps are running on a different VLAN (or a physically separated connection), which only has access to the corporate netw

    • by Anonymous Coward

      Wow! You've basically reinvented paper letters, envelopes, and the postal system. That's great and all, except your approach somehow manages to be slower and costlier.

    • by swb ( 14022 )

      The real apocalypse is when all of this becomes a practical necessity and we lose about 75% of the productivity gains from computer automation.

      I guess the new jobs will be in the form of a new steno pool. Millennials can re-enter the data on spreadsheets and documents in a clean-room environment. People will still "exchange" documents, they just won't realize they're being transcribed in between.

    • I've implemented your suggestions for remote access and the crack in that wall is the part about, "access."

      Another crack is the "remote," part.

      Those two factors sorta describe what's called a, "hack."

  • Wrong headline (Score:5, Insightful)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Monday September 25, 2017 @04:16PM (#55262177) Homepage

    The wording was about ''cyber-attack'' which sets the tone ''Oh, unfortunate Deloitte'' - where as it should have been something like ''Deloitte is the latest incompetent company to spew client information over the Internet''.

    It is about time that these crappy companies were called out for what they are. Oh: put the CEO's head on the block for this: make him pay for what this costs customers out of his own pocket - if it is paid for by Deloitte (or their insurers) then nothing will ever change.

    • You can be the real dirt wasn't in 'Toilet and Douches' email system in the first place. Their 'consultants' understand the importance of deniability/non-discoverability and maintain private emails.

      • They better hope so. If the hackers got the real dirt, I wonder if the hackers could get the IRS bounty for tax fraud?

  • by PopeRatzo ( 965947 ) on Monday September 25, 2017 @04:38PM (#55262293) Journal

    I'm pretty sure the world would be a better place if the secret emails of Deloitte's "blue chip" clients were made public.

  • Sophisticated, you're kidding, they logged in using an administration account [theguardian.com] that didn't use two-factor authentication.
  • Oh how have the mighty fallen. Aren't THEY supposed to be guiding their clients regarding preventing such issues ??

Unix is a Registered Bell of AT&T Trademark Laboratories. -- Donn Seeley

Working...