back to article Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file

A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking. The site, found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly accessible. And within the file, in cleartext, is the username and …

  1. Anonymous Coward
    Anonymous Coward

    Perfect

    Deloitte is awful, in my opinion.

    1. Anonymous Coward
      Anonymous Coward

      Re: Perfect

      But execs love them..

    2. Mage Silver badge

      Re: Deloitte is awful

      but bigly good compared to Crapita.

      Actually many big name Auditors accountants have been found to be less than brilliant. PWC? HP buy of something?

      1. SecOps

        Re: Deloitte is awful

        Truth is consulting firms are only as good as the staff assigned to your effort. Could be brilliant, could be piss poor. With the larger firms there are tons of bodies, and odds are few of the people involved in the proposal will do actual work.

        Dice roll.

        1. Anonymous Coward
          Anonymous Coward

          Re: Deloitte is awful

          I would add that where there are competent staff they quickly attract the incompetents from other projects eager to escape their failures.

          I have worked at places (crapita forexample ) where 3 competent were carrying 50+ deadweights who not only insisted upon adding their unnecessary costs to projects but also created at least 80% of the issues the 3 useful people had to deal with outside the projects.

        2. RM Myers Silver badge
          Unhappy

          "...odds are few of the people involved in the proposal will do actual work."

          Agreed, except I would replace "few" with "none", based on my experience. Obviously, YMMV.

    3. This post has been deleted by its author

      1. Doctor Syntax Silver badge

        Re: Perfect

        "Never understood their worth or attractiveness to corporate managers, other than they see them in their own image."

        That's all that's required.

  2. Blofeld's Cat Silver badge
    Facepalm

    Hmm ...

    I love the smell of hubris in the morning ...

  3. xyz

    Ffs

    I was going to post a comment but just don't have the words. I mean REALLY!

    1. Anonymous Coward
      Anonymous Coward

      Re: Ffs

      /hands over dictionary and thesaurus.

      What? No, on a USB stick, of course. Duh.

      :)

    2. DJV Silver badge

      Re: Ffs

      "I was going to post a comment but just don't have the words. I mean REALLY!"

      I'm glad you were totally able to restrain yourself from posting your comment.

  4. fajensen Silver badge

    There is a good side to this: Now we know who will be given a contract for the customs IT-system needed for Brexit!

  5. This post has been deleted by a moderator

  6. trevorde Silver badge

    Insanely high IQ

    “Nobody gets hacked. To get hacked, you need somebody with 197 IQ and he needs about 15% of your password”

    https://www.verdict.co.uk/trump-nobody-gets-hacked/

    1. MiguelC Silver badge
      Meh

      Re: Insanely high IQ

      But do you know how high your IQ needs to be if they give you 100% of the password? About Baldrick high? And is that still above the developers IQ?

    2. arachnoid2

      Re: Insanely high IQ

      How do we know if someone with a high IQ hasn't hacked the relevant site and inflated their IQ?

    3. fajensen Silver badge
      Windows

      Re: Insanely high IQ

      Given any population and crucially, no matter how one selects the population, it has been found that 20% of that population are morons!

      Thus, out of the "population of people with 197 IQ", *One in Five* will be a moron (corresponding well to my too long and rich experience working with "academia" and "management").

      http://harmful.cat-v.org/people/basic-laws-of-human-stupidity/

  7. chivo243 Silver badge
    FAIL

    Do as we say...

    yes, the age old saying - not as we do!

  8. You aint sin me, roit Silver badge
    Holmes

    Tempting fate...

    1337 hax0rz won't waste their time answering multiple choice questions when they can hack the site... just for the lulz.

  9. Blackjack Silver badge

    insecure non-HTTPS URL

    Honesty the guy who coded the site should get fired, just by the "insecure non-HTTPS URL" alone.

    Unless it was actually a hidden test and they are offering a job to the person who first figured iy5 out.

    1. I am the liquor Silver badge

      Re: insecure non-HTTPS URL

      That was my first thought - mistake, or actually part of the test? If you managed to download the config file, did you get a mysterious invitation to lunch in Cheltenham the next day?

      But on the other hand, Hanlon's razor.

  10. Pascal Monett Silver badge

    So, made in 2015, last changed in 2017

    Sounds like a management idea that management lost interest in but forgot to shutter the site.

    The irony is delicious.

  11. Anonymous Coward
    Anonymous Coward

    Everyone knows that book ciphers are crap....

    So deciphering this should be a piece of cake for ace Deloitte types:

    *

    051k1Eij0D9X0AAq0ney0M211Kx61P9a1Vv60aAj

    0SFi01jN1luR0wdX0wC50IbT11Ms0rEr0ALd1heT

    1Q9r0rTi1CT80o3w0DPI0fQL0g050JPU0IAS07tJ

    1JZz10Xm1J831YYy07FT1QJY0fKa1mfp0o0g1QsD

    0AnB0CNJ0AX91McP0dPG0mPj0pE41e0K0HrY0nd$

    0bOF1MwO0NfU0QsD0H$80ChS0L2f12Lx1VFb09Lb

    1e8L14e30Qj503Ok0kfo1U9X0q3z0iCS1mER1DDt

    0WAw1Z=b0B671Ghz17mX0nGb0ElO199618kj0$iN

    0h$y1J$O0Z0g0WEv1Ve=0nzx0V1=0cUc0A8j15ka

    1Ht71Cb6133g0L8l0=IW0kAz121305RG0oY00KKy

    1L2l0P3E112d1W$30ktN1f8l0ZEU0jPt1HGg17UV

    0mWi0JN816X50kvp1O1S1Kno11Uq0esA0EVz0oAQ

    0iZs0Xmj0r1y00Gy0D$a1CAt0DIm1jSa0QBb0Zy6

    1EoC1KNJ0klQ1ARc02gL0$bX0KIr0HjV1UXe1gVy

    1J$T0FVQ0$010xHM0hS$1aAb1lBM0e7D0NzT10jN

    0eN6

    *

    Hacking? Not a problem!

    1. arachnoid2

      Re: Everyone knows that book ciphers are crap....

      42,,,,,,seems logical

  12. Dante Alighieri
    Facepalm

    Reputation

    management...

    It woz the uver bloke...

    A big boy dun' it an' ran awaaaayyy

    Its reaaaaaally old and not one of owazhs

  13. CPU

    And yet 'Management' will throw truck loads of money at these people rather than listen to the in-house advice. Show me a Consultancy that doesn't employ people with zero experience (but with a degree) and then trot along and tell you that they are worth £750 a day as "Junior Consultants", oh, and could you show them what to do as the Principle Consultant is busy on another job. There was a time when Consultants actually knew their stuff.

  14. Glen Turner 666

    Tweet removed

    Twitter removed the tweet from Tillie Kottmann which uncovered this issue. Presumably because the tweet breached Twitter's controversial "Distribution of hacked materials policy".

  15. ThinkingMonkey

    Consultants.....

    I worked at a company where, quite unexpectedly and completely unannounced, the owner decided to contract an "ergonomics" consultancy firm to observe, then provide advice, for improving our physical movements to conduct our jobs more efficiently. WTF? We couldn't have been more shocked if he had introduced a voodoo priestess.

    So these numb-skulls who had no clue whatsoever about WHAT our jobs were much less whether we were physically moving about in the most efficient manner, milled around aimlessly for about a week, baffled the owner with bullshit, and claimed what I confidently assume was a princely sum for their expertise.

    Whatever advice it was that they provided him with, it never made it back to us and everyone just proceeded as before. I have to admit it did make me wonder if I indeed was moving about as efficiently as possible though. At lunch, for example, I held my sandwich on both sides, with both hands IOW, while about to take a bite. Is that the most efficient use of handage? Or would one hand have sufficed? But note that I said "wondered", not "lost sleep over" :)

  16. mr-slappy

    Disappointed

    I'm hugely disappointed that they didn't start their message with "the security of our clients is our top priority." Someone in Deloitte PR really took their eye off the ball there...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021