
Deloitte hit by cyber-attack revealing clients’ emails - longwave
https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
======
tyingq
There will be a pretty high amount of embarrassing material here if this gets
dumped.

Senior leaders at large companies tend to use firms like Deloitte for their
most controversial and sensitive potential projects, ideas, etc. And they
confide with them with a lot of candor.

I would not be surprised to see unabashed discussion of tax evasion, for
example. Or leaders within a single company using Deloitte to undermine their
peers. Or debates of the merits of layoffs designed to be age discriminatory.

Basically, there would be a much higher percentage of "good stuff" in a dump of
these emails than say, in the Sony dump.

~~~
revjx
I work for one of those companies, and you're absolutely right. Our company
takes confidentiality very seriously indeed; it will be interesting to see the
consequences of this.

~~~
pc86
There will be none.

Deloitte is so entrenched politically (both figuratively within large
companies' C suite as well as literally with state and federal governments)
this will barely register for any of their RFP or RFQ responses. Nobody
signing the checks will care about this, if they even hear about it.

~~~
tyingq
I think it depends on what leaks. KPMG, for example, is losing lots of
business due to their issues in South Africa.

------
wiz21c
From Deloitte web site :

In the face of so many questions, one thing is clear: Current approaches to
managing cyber risk, many of which are focused on “securing the perimeter,”
aren’t enough.

( https://www2.deloitte.com/me/en/pages/risk/articles/changing-the-game-on-cyber-risk0.html )

~~~
frik
From the Guardian article:

"The account required only a single password and did not have "two-step"
verification, sources said."

"In 2012, Deloitte, which has offices all over the world, was ranked the best
cybersecurity consultant in the world."

~~~
bitexploder
Hopefully, most folks buying "cybersecurity" consulting know to use boutiques
for legitimate assessment work. Quality using a big 4 is extremely variable.
Many of my customers have told me this over the years. They do have good
people, but actually getting one of their few decent folks on your project is
hard.

Hits close to home though. Anyone can get owned. Even elite teams and
individuals have had their email compromised. (Matasano, Kaminsky).

Everyone make sure your users have and use good 2 factor authentication. Make
sure you don't keep much sensitive data on your email servers. Encrypt
sensitive documentation in email. Have sane retention policies (1-2 months max
on a cloud server). Lock down your admin accounts. Kick out all the old
accounts completely. Take the time to talk with each person at your company
about email security and suspicious emails. Especially administrative and HR
staff. Of the deep penetrations into orgs I know of, a high percentage happen
through email. Oh and do some internal phishing, FWIW. It's good to get
discussions rolling and get everyone's attention.

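The "single password, no two-step verification" detail quoted from the article above, and the "make sure your users have and use good 2 factor authentication" advice in the comment above, both come down to the same mechanism. The following Python is an added example, not code from any commenter or from Deloitte: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and a login check that requires both the password and a current code. The user record, the password "hunter2", the issuer/account names, and the 20-byte key "12345678901234567890" (the RFC 6238 test key) are constructed for the example; the PBKDF2 iteration count is an assumption.

```python
"""Two-step verification: password plus a time-based one-time code.

Added example (not from the thread). HOTP per RFC 4226, TOTP per RFC 6238,
standard library only. The user record and credentials are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30        # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 200_000   # assumption; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' of the digest to a `digits`-digit decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps
    (clock skew tolerance). Compare in constant time."""
    counter = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI (the Key URI format used by authenticator apps);
    the secret is base32-encoded without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={TOTP_DIGITS}&period={TOTP_STEP}")


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus TOTP key."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                       PBKDF2_ITERATIONS),
        "totp_secret": totp_secret,
    }


def login(user: dict, password: str, code, at: int) -> bool:
    """Both factors must pass. The second factor is evaluated even when the
    password fails, so the response does not reveal which one was wrong."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"],
                            PBKDF2_ITERATIONS),
        user["pw_hash"],
    )
    otp_ok = code is not None and verify_totp(user["totp_secret"], str(code), at)
    return pw_ok and otp_ok


# Constructed demo data: the RFC 6238 test key, so the codes are checkable.
DEMO_SECRET = b"12345678901234567890"
DEMO_USER = make_user("hunter2", DEMO_SECRET)

if __name__ == "__main__":
    print(provisioning_uri("ExampleCo", "alice@example.com", DEMO_SECRET))
    print("password only:", login(DEMO_USER, "hunter2", None, 59))
    print("password + code:", login(DEMO_USER, "hunter2", totp(DEMO_SECRET, 59), 59))
```

The point the article's detail makes is visible in `login`: with the code path removed, a leaked or phished password is the whole credential; with it present, the attacker also needs the per-user key that never leaves the authenticator and the server. Keep `window` small (one step each way is typical) and rate-limit attempts, since a six-digit code is guessable if tried without limit.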
~~~
UK-AL
I think Big4 Cyber security tends to be more policy based. What ACLs should be
set. Who should get what access. etc

Boutiques tend to be more hardcore technical, breaking into applications.

~~~
bitexploder
A lot of their "cybersecurity" revenue does indeed stem from advisory and risk
assessment oriented work. They still have technical teams of varying quality
that perform "penetration testing", though. Often the follow up and
methodology for any risk assessment is to leave an executive with strategic
recommendations. Many of these recommendations are the actual technical work.
No way a Big 4 sends technical, even heavily technical, work to some other
firm. They just say, "yes, we do that".

It is the same with any assessment or consulting. We always try to leave
recommendations, strategic and tactical, which advise them on next steps.
Often, those next steps involve us helping them with more assessment work,
directed at the most security sensitive areas to maximize usage of often
limited security budgets. What will get them hacked next, basically.

Smaller firms with more technical staff definitely shy away from risk
assessment and compliance work because it is, honestly, repetitive and boring.
But, it also drives a tremendous amount of hard technical work into any firm
because if you can't sell someone a pen test or technical assessment after
doing advisory work you aren't very good at things.

Sorry if that sounds cynical or like "everyone needs more of our services and
pen testing", but that is the model. It is also why boutiques exist. We don't
just give brain dead "yep, you need pentesting, and it is going to be
expensive" recommendations. We tailor it and focus on what the customer
actually wants/needs. Whereas, a big4 tends to rotate consultants and lose
knowledge unless it is staff aug. The relationship and understanding engineer
teams really matters when you want to do the most interesting assessment work
AND provide value to the customer and not just "sell them pen tests" :)

------
drzaiusapelord
No s/mime, no pgp, so the hackers get everything nice and neat in plaintext.
Not sure why we think email encryption is optional nowadays, especially for
sensitive communications.

~~~
otakucode
I continue to be amazed that email continues to be used for anything important
at all. It's got fundamental flaws that require herculean effort to overcome.
It would seem ripe for replacement.

~~~
mercer
Could you elaborate on that? As in, the degree to which email is unsafe. I try
to be security-conscious, but I just now realized that I often opt for email-
type login even when presented with alternatives. Would using OAuth, Facebook
or Github for login be safer than email? Or are the vectors of attack
different, and is it difficult to compare the two? Or does it depend on
whether I'm using GMail or something else?

Based on what I know, my impression is that email is significantly worse, and
somehow I'd never considered that. But I'm not sure if I'm missing
something...

~~~
jmah
Parent is saying that the content of email is almost always transmitted in the
clear. While the connection from client to server is (hopefully) secure, the
server can see the plaintext of all messages passing through it — which it
helpfully uses to provide some server-side facilities like search and
filtering — but if someone hacks the server they get all the mail.

Contrast with more recent messaging protocols (e.g. iMessage, WhatsApp) where
the server doesn't have access to the message, they're decrypted on the client
(while potentially also authenticating the sender).

------
thisisit
As the companies grow they try to build a fence rather than educate people.
Many times asking people to set up a complex password is problematic. While
you can enforce it on a company wide system, people will still revert back to
default/easy passwords on internal systems. There are frequently cases of
Active Directory passwords being very demanding but the internal DB passwords
being abc123.

------
Overtonwindow
I have always wondered why hackers don't target some of these major
corporations more often. Imagine the emails that could come from a hack of
Apple, Monsanto, or Wells Fargo.

------
akhilcacharya
Hmm, I wonder who it was

