
Breach at IT Outsourcing Giant Wipro - longwave
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
======
Aeolun
This surprises me... not one bit.

I have yet to find the first multibillion outsourcing company that was any
good.

All the great people are immediately hired by the company they’re actually
working for, so they’re always left with the mediocre and terrible.

~~~
1024core
I have some friends who were in an Indian outsourcing company which shall
remain nameless. One of them described how they had an "A Team" which was made
up of smart, sharp individuals. When they wanted a contract, they'd send this
A-team to really impress the clients. Once they had the contract in hand, this
A-team would be tasked to get the next contract, and replaced with run-of-the-
mill average (or even below average) talent to save on the cost. Rinse, lather,
repeat.

~~~
cosmie
I don't think that's an Indian outsourcing issue, so much as an artifact of
the dynamics of the consulting environment.

Your above average talent gets trusted with high stakes, client-visible
scenarios like new business development, RFP pitches, and high-visibility fire
fighting. The roles tend to be a combination of subject matter expertise,
solutions architect, client management, and sales.

Once you have a contract in hand, theoretically the engagement is structured
at that point. It no longer needs the independent competence of members of
your A Team, but rather competent project/program management,
client/engagement management, and execution resources.

That's the stage where a lot of problems get introduced, and it's not always a
result of cost cutting or profitability measures. A lot of it comes down to
operational competency (both for the agency and the client), as well as the
structure of the contract itself.

The biggest thing I've learned in my time consulting is what to do (and not
do) when structuring a contract for a consulting/outsourcing engagement.
Everything else cascades from there.

~~~
puranjay
I think the problem stems more from the nature of technology itself.

I run a marketing consultancy. I can't really offload my work to cheaper
talent because my deliverables can be easily evaluated. Good writing and good
design, after all, are universally accessible.

But unless you're a programmer, you can't really make out good code from bad
code.

~~~
CaptainZapp
It's not only that. The main problem is that it's virtually impossible to come
up with specifications that are precise enough that they can be implemented
1:1.

Outsourcing companies will aim for the lowest common denominator that the
contract allows and that they can get away with.

Case in point? I can exactly tell you what the specs for the first time
reporting system I worked with at MajorCorp said, without ever having seen
those specs:

 _Must be able to enter hours_

That's exactly what we could do. Enter hours. Not minutes, not ten minute
intervals, not quarter - or half hours, no; hours.

When I get such a spec I hit back with questions. Send that to an outsourcer
and they won't see any need to provide an iota more than what the spec says.

In other words: you're entering a world of pain, which looks good on a
spreadsheet but really only that.

------
suff
In my best Wipro-excuse voice: "... see, thing is:..." ... they have a process
for everything. It's just a very convoluted, siloed, circuitous process that
takes several days to get anything done, with several steps including: throw a
support ticket over the wall, and let a subprocess pick it up. On and on we
go, until we have a lax process that is impossible to fix, onto which all we
can do is pump more cheap, low-skilled talent. But hey, it's creating a
middle class somewhere.

------
IOT_Apprentice
Whelp, life comes at you fast:
[https://www.bankinfosecurity.asia/interviews/wipros-new-ciso-on-frictionless-security-i-4239](https://www.bankinfosecurity.asia/interviews/wipros-new-ciso-on-frictionless-security-i-4239)

~~~
geodel
Dude has 11 industry-recognized certifications in the domains of IT,
information security, security framework and secure enterprise architecture.

So I guess Wipro will have everything under control.

~~~
hn_throwaway_99
My lord the "frictionless" buzzword BS in that made me feel like I was
actually losing brain cells:

> He offers insights on:
>
> How privileged access management will fit into a frictionless security
> approach;
>
> The role of artificial intelligence, machine learning and blockchain in
> enabling frictionless security and faster threat detection;

I seriously considered registering justaddblockchain.com after reading that to
document all the places where people feel they look smarter by just adding
"blockchain!" to random technical discussions.

------
joe_the_user
"India’s third-largest IT outsourcing company — was dealing with a multi-month
intrusion from an assumed _state-sponsored attacker_." "Both sources, who spoke
on condition of anonymity, said Wipro’s systems were seen being used as
jumping-off points for digital fishing expeditions targeting at least a dozen
Wipro customer systems."

Well, I suppose it's the step you'd expect but a state-actor engaging in a
broad fishing trip still seems like a new thing. Can we expect whatever state
will be installing their official botnet in whatever country next?

------
panarky
Might be interesting to annotate the biggest data breaches with each victim's
outsourcing partner.

[https://en.wikipedia.org/wiki/List_of_data_breaches](https://en.wikipedia.org/wiki/List_of_data_breaches)

------
bk_avalara
Site down ATM, Google Cache doesn't have it, but good old Wayback machine has
it:
[https://web.archive.org/web/20190415214511/https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/](https://web.archive.org/web/20190415214511/https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/)

------
aluminussoma
"State-sponsored attacker": A euphemism to deflect blame for your own
inadequate security practices.

~~~
btown
The attacker is happily sponsored by the state of affairs at the company.

------
dsl
I know of at least one very large customer where management of the VPN
appliance and firewall controlling access of Wipro vendors was outsourced...
to Wipro.

~~~
duxup
I once had a problem with Wipro where traffic suddenly started black-holing,
everything going nowhere.

What we found was that suddenly some ports carrying traffic destined for the
internet bounced and the black-holing started. A Wipro rep proudly announced
that they had caused the port bouncing. You see they found that someone
(Wipro... but they didn't know it was their own people at this point) had
cabled around the firewalls a year earlier because something wasn't working,
and never hooked them back up.

So now we were cabled to the firewalls properly... the firewalls that as far
as anyone could tell had nonsensical configs that all pointed to a null route.

So for at least a year, maybe more, there was no firewall. The end customer
was a large financial institution.

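Two offline checks for exactly the failure mode in the story above (a firewall cabled around for a year, and a firewall whose routes pointed at a null route), as an added example that is not code from the thread or from any vendor. check_routes() reads a Linux `ip route show` style table (assumed format) and flags blackhole/unreachable/prohibit entries, in particular one that swallows the default route; path_crosses_firewall() reads traceroute-style output (assumed format) taken from an inside host and confirms that the firewall's inside address appears as a hop before the first public hop. The firewall address, interface names and every sample line are constructed.

```python
"""Added example (not code from the thread or from any vendor): two offline
checks for a firewall that has been cabled around and/or whose routing table
blackholes everything.

Assumptions: Linux `ip route show` output for the routing table, standard
traceroute output for the path check, and 10.0.0.254 as the firewall's
inside address. All sample data below is constructed.
"""
import ipaddress
import re

FIREWALL_INSIDE_IPS = {"10.0.0.254"}  # assumed inside interface of the firewall
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DROP_ROUTE_TYPES = ("blackhole", "unreachable", "prohibit")
# hop number, then the first dotted-quad on the line (the hop address)
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")


def check_routes(lines):
    """Return (drop_routes, covers_default): each drop-type route as a
    (type, prefix) pair, and whether any of them is the default route."""
    drops, covers_default = [], False
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in DROP_ROUTE_TYPES:
            continue
        dest = "0.0.0.0/0" if parts[1] == "default" else parts[1]
        net = ipaddress.ip_network(dest, strict=False)
        drops.append((parts[0], str(net)))
        covers_default = covers_default or net.prefixlen == 0
    return drops, covers_default


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def path_crosses_firewall(trace_lines, firewall_ips=FIREWALL_INSIDE_IPS):
    """True only if a firewall address shows up before the first public hop.
    A trace that never reaches a public hop proves nothing and returns False."""
    seen_firewall = False
    for line in trace_lines:
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or a '* * *' timeout hop
        hop_ip = m.group(2)
        if hop_ip in firewall_ips:
            seen_firewall = True
        elif not is_private(hop_ip):
            return seen_firewall
    return False


def audit(route_lines, trace_lines):
    """Combine both checks into findings an operator can act on."""
    findings = []
    drops, covers_default = check_routes(route_lines)
    for kind, prefix in drops:
        findings.append(f"firewall has a {kind} route for {prefix}")
    if covers_default:
        findings.append("firewall default route is a null route; it forwards nothing")
    if not path_crosses_firewall(trace_lines):
        findings.append("inside host reaches the internet without traversing the firewall")
    return findings


# Constructed `ip route show` output from the misconfigured firewall.
SAMPLE_FIREWALL_ROUTES = """\
10.0.0.0/24 dev inside proto kernel scope link src 10.0.0.254
198.51.100.0/24 dev outside proto kernel scope link src 198.51.100.2
blackhole default
unreachable 192.0.2.0/24
""".splitlines()

# Constructed traceroutes from an inside host (10.0.0.0/24) to a public host.
TRACE_VIA_FIREWALL = """\
traceroute to example.test (203.0.113.10), 30 hops max, 60 byte packets
 1  10.0.0.254 (10.0.0.254)  0.412 ms  0.380 ms  0.371 ms
 2  198.51.100.1 (198.51.100.1)  1.204 ms  1.150 ms  1.131 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  9.871 ms  9.802 ms  9.790 ms
""".splitlines()

TRACE_CABLED_AROUND = """\
traceroute to example.test (203.0.113.10), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.301 ms  0.288 ms  0.280 ms
 2  198.51.100.1 (198.51.100.1)  1.177 ms  1.140 ms  1.122 ms
 3  203.0.113.10 (203.0.113.10)  9.655 ms  9.610 ms  9.598 ms
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_FIREWALL_ROUTES, TRACE_CABLED_AROUND):
        print(finding)
```

The path check is the one that would have caught the year-long bypass: a firewall's own config can look fine while no traffic reaches it. A traceroute only proves the forward path from one host at one moment, so it belongs on a schedule from every segment that is supposed to be behind the firewall, not in a one-off audit.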
------
duxup
A few years ago I worked with Wipro as they would contact me (technical
support for some products) on behalf of their customers.

The incompetence was astounding, and I worked in support for a long time, and
Wipro was really astounding. Everything from security to just understanding
what we were telling them was mindbogglingly bad. It wasn't a language
barrier, they simply didn't have many / sometimes anyone who understood the
technology on the most basic level.

Wipro would open tickets dozens at a time claiming there was some sort of
technical issue, but they often couldn't explain what if anything they tried.
We would find the equipment at factory defaults, last boot time was when it
was in the factory.... but now it was a P1 ticket because "it didn't work and
it needs to be up and running by the end of the day". Then we'd ask how
they wanted it configured and they ... wouldn't know. Then they'd escalate
through sales and the executives claiming we had been "working with them for
weeks and were not helping".

Then they would go silent and not respond for days or weeks only to reappear
later as angry as ever that we hadn't done anything when our last questions to
them might be as simple as "what isn't working?".

It was worse when they actually tried configuring things as they were masters
at nonsensical configurations, looping cables back into the same equipment
they came from, etc. You could look at their systems that were "working"
and it was errors everywhere and you couldn't trust anything you saw.

Even internally Wipro would tell us that they "can't tell" the "other team"
(another team inside Wipro working with the same customer) that they need to
change their configuration. They would just repeat that they can't tell them
that ... and we'd be stuck because it's obvious the "other team" is configured
wrong. I'd tell them to let me be the bad guy and tell them on a call, but
nope. So things would just not work.

It was a common occurrence as things got worse that we would eventually end up
on a conference call with Wipro and their end customer and their customer's
perception was entirely off. There was no way it was miscommunication, they
were straight lying to their customer all along. Often we'd have to break the
news to the customer that we haven't been working on the issue for weeks, we
just heard about it today, nobody can tell us how they want the product
configured on the most basic level...

The only thing worse than that situation was to look up these customers of
Wipro and see they scrapped their own IT departments in favor of outsourcing,
and I'm not sure they had more than a couple people who understood what was
really going on.

~~~
pts_
Well I look around in an Indian IT shop and it's all people brow beating each
other and chatting with each other. As if it's all an FD income to them and no
one wants to seriously work.

------
throw2016
How do we understand these kinds of threads on HN?

In the last 6 months there have been security breaches at Facebook [1] Google
[2] Cisco [3] and look at those threads and some of these breaches are
extremely amateurish and the general consensus is these things happen and the
top voted responses mirror this attitude.

Yet on the same site, on the threads about India, China and non-US companies,
we see some kind of dissonance where these are reframed as somehow affecting
these companies uniquely because of 'poor standards' and 'mediocre engineers',
and the top voted responses reflect this.

Far from informed discussion, this not only demonizes entire groups but creates
and perpetuates prejudice that will no doubt impact everything from
recruitment to general behavior. And this continues in discussions beyond
security, to things like corruption, surveillance and other issues.

[1]
[https://news.ycombinator.com/item?id=19565918](https://news.ycombinator.com/item?id=19565918)

[2]
[https://news.ycombinator.com/item?id=18170174](https://news.ycombinator.com/item?id=18170174)

[3]
[https://news.ycombinator.com/item?id=19507225](https://news.ycombinator.com/item?id=19507225)

~~~
matt_s
A breach that involves a technical vulnerability is one of those things that
happens, gets patched and everyone moves on.

One of the things when establishing a contract with a company like Wipro is
that they operate on your systems from locked down rooms where disks, thumb
drives, etc. are not allowed. A secure private link is setup to your corporate
environment to ensure that your customer's data is not available to the
outsourced firm to do with as they please.

A breach on Wipro which allowed an attacker to gain access to 11 customer
systems (i.e. maybe some Fortune 500 companies) to me means they should pretty
much go bankrupt because any sane customer will stop doing business with them
as soon as they can. It speaks of incompetence and complete disregard for
common safeguards. How can a breach into Wipro's corporate system in any way
lead an attacker to Wipro's customer's data? An obvious one could be their
employees sending customer credentials via the Wipro corporate email.

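One concrete control for the leak path this comment names (customer credentials travelling over the outsourcer's own corporate e-mail), as an added example that is not from the thread and says nothing about how Wipro actually operates: an outbound-mail scanner that parses a message with the Python standard library, checks every text part (body and text attachments) for a few high-confidence credential shapes, and reports redacted hits so the alert itself does not become a second copy of the secret. The message, addresses and every credential in it are constructed.

```python
"""Added example (not code from the thread or from any vendor): scan an
outbound e-mail for credentials before it leaves the corporate mail system.

The sample message, its addresses and all secrets in it are constructed;
the AWS key is the documentation example key, not a real one.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Shapes chosen for low false-positive rates; extend per environment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@", re.I),
}


def redact(secret: str) -> str:
    """Keep enough to triage (a prefix and a stable hash), never the secret."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{secret[:4]}...(sha256:{digest})"


def scan_text(text: str):
    """All (pattern name, redacted match) pairs found in one text part."""
    return [(name, redact(m.group(0)))
            for name, rx in PATTERNS.items() for m in rx.finditer(text)]


def scan_message(raw: str):
    """Parse an RFC 5322 message and scan body plus text attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # binary attachments need a text extractor first
        where = part.get_filename() or "body"
        for name, shown in scan_text(part.get_content()):
            findings.append({"part": where, "pattern": name, "match": shown})
    return findings


def build_sample_message() -> str:
    """Constructed message: body leaks an AWS key, a password and a URL with
    embedded credentials; the attachment is a (truncated, fake) PEM key."""
    msg = EmailMessage()
    msg["From"] = "engineer@outsourcer.example"
    msg["To"] = "colleague@outsourcer.example"
    msg["Subject"] = "creds for the customer prod account"
    msg.set_content(
        "Hi,\n\nProd account as discussed:\n"
        "AKIAIOSFODNN7EXAMPLE\n"
        "password: Tr0ub4dor&3\n"
        "https://svc:Passw0rd@jump.customer.example/\n"
    )
    msg.add_attachment(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n-----END RSA PRIVATE KEY-----\n",
        filename="deploy.pem",
    )
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Two design points worth keeping even if the patterns are swapped out: the alert carries a prefix and a hash rather than the secret, so the SIEM does not become the next credential store while repeat leaks of the same secret can still be correlated; and anything that is not text/* is skipped deliberately here, which is the gap to close next, since spreadsheets and Word documents are where credential lists usually travel.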
------
Neil44
With the increase in MSP-style operations, with an IT company's systems having
root access across all of their clients' systems, IT companies are going to be
massive targets for bad actors. There have already been a few cases of all of
a company's clients being ransomwared.

------
yalogin
What doesn’t surprise me is Wipro refusing to comment. This would have never
come out if they weren’t targeting from inside the house.

------
3xblah
[http://web.archive.org/web/20190415214511/https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/](http://web.archive.org/web/20190415214511/https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/)

------
forks25
would we classify this as a friction-less security breach?

------
lifeisstillgood
Can any of the security folks on here tell me what good secure systems really
look like? If I wanted to build a company infrastructure from scratch what
would "default secure" look like? I am fairly sure I know what a good software
engineering process looks like, but if I guessed a secure infrastructure I
would be concerned I am missing basics. (Hence no examples to get us started)

~~~
baybal2
Foucs... You can't protect everything, but can ensure that handling of at
least some truly important data is as paranoid as it can be.

Protecting a company's FTP server that is open to thousands of employees is
not a doable task, for example.

And the same is true of human knowledge: a company saying that everything
within its walls is super secret can't truly hold anything secret.

At one of my first jobs in Canada, an owner of the company was very clear on
the point what is a commercial secret and what isn't. Whenever there was a
meeting genuinely demanding it, he clearly stated at the start "this is a
commercial secret covered by confidentiality agreement."

~~~
baybal2
Focus* typo...

------
bechampion
If you've ever had the pleasure to work with people from Wipro, IPsoft, Atos,
etc., to name a few, this should not surprise you.

------
nodesocket
> "The company has robust internal processes and a system of advanced security
> technology in place to detect phishing attempts and protect itself from such
> attacks."

Somehow I don't think this is a phishing attack.

~~~
mc32
>”Wipro’s systems were seen being used as jumping-off points for digital
fishing expeditions targeting at least a dozen Wipro customer systems.“

Well, it looks like it was used as a launching point to phish their (Wipro’s)
clients. They probably had a pretty good catch. I imagine one of their clients
alerted them to the issues.

