back to article Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'

Monday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident. Now evidence suggests it's no surprise the biz was infiltrated: it appears to be all over the shop, security wise. On Tuesday, what seemed to be a collection of Deloitte's corporate VPN passwords, user names, …

  1. Anonymous Coward
    Pint

    Irony?

    I think this definitely qualifies as irony. Congrats to Dan (@viss) Tentler.

    1. macjules

      Re: Irony?

      I am still laughing *. We highlighted this a few years ago after we tested a lot of networks when we set up their client SSO system. We emailed, wrote and spoke to their ITD to say that just about every portal was hopelessly insecure, that in many cases we could see PT cookies in use, that forms did not have any SSL and so on. Nice to see that instead of listening they actually went one step further and stored all the information on an open GitHub repo.

      * - laughing because otherwise I would be crying.

      1. pavel.petrman

        Re: Irony?

        What are PT Cookies?

        1. macjules

          Re: Irony?

          Plain Text, text is stored in clear format, such as user email addresses, Deloitte staff security ID numbers or as in the famous Tesco online case a few years ago, your credit card details.

  2. ChrB
    Paris Hilton

    Deloitte & Touche

    Touché, I'd rather say!

    Paris, 'cause she has no clue either

    1. Tom Paine

      Re: Deloitte & Touche

      Come back Peat Marwick McLintock, all is forgiven. (Oh those giants of the 70s, subsumed into the belly of the beast(s)

  3. This post has been deleted by its author

  4. JimC

    Gosh, that's an awful lot of honeypots...

    I mean, they must be honeypots mustn't they? Mustn't they? Surely?

    1. Anonymous Coward
      Joke

      Re: Gosh, that's an awful lot of honeypots...

      Sure, the top security consulting company must have one of the largest honeynet ever seen...

    2. xio

      Re: Gosh, that's an awful lot of honeypots...

      Don't call me Shirley

  5. Sebastian P.

    As it is often the case nowadays, consulting companies are not always practicing what they're preaching. Which doesn't mean that what they're preaching is wrong, it only means that practicing it is more complex, difficult and costly in real life than what the consultants are telling you.

    Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees.

    1. Doctor Syntax Silver badge

      "consulting companies are not always practicing what they're preaching."

      OTOH in such a field the you should expect to be judged by the way you run your own business. If that isn't very good why should you expect anyone else to buy your services. In fact, you're no better than all those would-be SEO specialists who write from gmail addresses and don't seem to have a domain name that should logically appear on first page in Google if one were to search for "first page in Google".

      1. Tom Paine

        And the consequence was...

        Want a bet on Deloitte's cyber business being more or less the same size as it is today in five years' time? There may be a couple of variously-sized cheeses rolling down the street outside their HQ in the weeks ahead as scapegoats are found, they'll announce a big reorg, Powerpoint will fly like leaflets off a printing press in a Laurel & Hardy film, and it'll be buzzword-compliant business as usual before you know it.

        1. Anonymous Coward
          Anonymous Coward

          Re: And the consequence was...

          Sadly it's properly true. Idiot managers and directors from other companies will believe their "We've learned lessons" bullshit and still use them. Despite IT departments pointing out it's a stupid idea.

    2. Steve Gill

      And they probably get the services at cost

      1. Stoneshop

        And they probably get the services at cost

        a) they don't

        b) all the warm bods (at whatever level of competence) are contracted out to customers, so there aren't any to keep the inhouse shit compliant.

    3. John Brown (no body) Silver badge

      "Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees."

      What;s even more sad, is these are the very companies doing the assessments for standards which in some cases are a legal requirement if you want to stay in business. You HAVE to pay them or their ilk for the service. Who does their assessments and who signed off on it?

    4. Wedgie

      In Big4 it is an "us & them" culture between back office services and advisory teams. Rarely will the two ever meet and when they do there will be great resistance from the back office teams. This is the sort of shit storm that results.

  6. Prosthetic Conscience
    Facepalm

    Some questions

    Do they have some ISO audits/certifications?

    Is the weak security inherited from acquired businesses?

    How, in today's internet where there's constant background noise of malicious scanning for vulnerabilities by bots and haxxors, do these things come to light now? Or they choose not to screw with big corporations unless they can get juicy private data?

    1. Halfmad

      Re: Some questions

      I would love to know if they've got ISO 27001/2, Cyber Essentials Plus, PCCDSI etc.

      Even more, I'd love to know which auditor signed those off.

  7. Excused Boots Bronze badge
    Happy

    Oh go on please tell that all those redacted password lines actually read 'Password1'

    Which would just about be the icing on the cake of 'How not to do IT Security'

    1. diodesign (Written by Reg staff) Silver badge

      Re: Excused Boots

      You're not far off :(

      C.

    2. Anonymous Coward
      Anonymous Coward

      Redacted Passwords

      We use password2 for the added level of security. But then, we are extraordinarily cunning.

      1. Anonymous Coward
        Facepalm

        Re: Redacted Passwords

        Surely that's

        Password2

        to satisfy Deloitte's recommended best-practice password strength rules.

        1. JR
          Devil

          Re: Redacted Passwords

          They must use the BOFH password strategy...

          From https://www.theregister.co.uk/2017/02/03/bofh_2017_episode_1/

          "A good thing too, because I have three passwords I use for everything – Low, Medium and High Security."

          "And I'm assuming that this is low security?"

          "No, work is low security, this is medium and all the personal stuff I care about is high."

          "Work is LOW?!" he gasps.

          "Of course it is. It used to be Medium High, but then I realised that there was no point so I just went to low. One capital, some lowercase, 2 numbers."

          "Like Banana47."

          "Yeah, that was our admin password for about two years."

          ...

        2. Anonymous Coward
          Anonymous Coward

          Re: Redacted Passwords

          Try a password of 6 stars.... That's very cunning.

      2. Anonymous Coward
        Joke

        Re: Redacted Passwords

        > We use password2 for the added level of security. But then, we are extraordinarily cunning.

        If they were extraordinarily cunning then they would use the word 'Redacted' for the password to throw everyone off the scent. It's what I do...

  8. Amos1

    The only thing that audits protect you from are auditors and regulators

    Those that can, do. Those that can't, audit.

    1. Rob D.

      Re: The only thing that audits protect you from are auditors and regulators

      Done two types of implementation (not security) audits in the past. Ones for companies who were largely in a mess and were surprised when their issues (rather than the implementer issues) were highlighted as the most important. And ones from companies who didn't really have a problem but really encouraged identifying anything that was found and went on to fix it.

      So there are good reasons to audit as well as bad ones. Ironically given how they make their money, Deloitte's problems look like they needed an audit but never got one.

  9. Anonymous Coward
    Anonymous Coward

    Basically if Gartner gives it an award, you can bet that it's cr*p. Gartner gives awards to the highest bidder, not the best. (Posting anonymously because I'm in the industry and have no desire to be on those fascist wangers' sh** list).

    1. Nick Ryan Silver badge

      Not just "awards", anything Gartner related is purely paid for and has no value except among the clueless. Or possibly to laugh at a year or so later. Usually it's easy to work out who paid for any given gartner report.

      Unfortunately many of the clueless are in positions of influence and believe that the paid-for-reports that Gartner produce for their customers have any value.

    2. Anonymous Coward
      Anonymous Coward

      Observation: the highest bidder is almost always going to be cr*p. Otherwise they wouldn't need to use high bids. It also occurs to me that there may be interesting questions for gartner itself apropos the UK and US anti-bribery statutes, depending on the jurisdictions in which the bribesbids are banked... (I mean first banked, prior to being laundered)

    3. sloofit

      just look at the number of times IBM gets top listing - and having just worked on a WebSphere project, WTF!?!

  10. Anonymous Coward
    Anonymous Coward

    'World’s best IT security consultancy for the fifth year'

    Titles / Awards??? Amazing what brown envelopes full of new bills can buy.

  11. Anonymous Coward
    Anonymous Coward

    Sky rockets in flight

    ...afternoon Deloitte!

    Either way, they have been fu...

  12. Anonymous Coward
    Anonymous Coward

    I'll bring this up at the next external review by these suckers

    Aren't you the guys from that company with piss-weak security?

    1. phuzz Silver badge
      Thumb Up

      Re: I'll bring this up at the next external review by these suckers

      Don't forget the follow up "So this policy you're insisting on, how come your company doesn't follow it?".

      Bonus points for refusing to allow their auditors to connect their laptops to your network because "they don't adhere to our security or patching policies".

  13. FuzzyWuzzys
    Facepalm

    GitHub is great...

    It's a like a hackers wet dream, the right searches will yield lots of useful system passwords, even more so as we all move to cloud services. It's great fun seeing how many developers out there have a total lack of common sense when it comes to security, not all them just the really stupid ones!

  14. chivo243 Silver badge
    Facepalm

    Thanks for the contract

    Here's your worthless certificate of security... cost of paper greater than yada yada :-/

  15. Anonymous Coward
    Unhappy

    “You’d think Deloitte claims to have all this super elder-god style security talent. If that was the case they might consider using that talent on its own infrastructure.”

    Not really.

    Having worked with people from a a number of consultancies over the years, their talent/attitude ratio is rapidly heading towards zero. It's been astonishing, and rather sad, to see the levels of arrogance and basic incompetence on show and to think how much morale and cash has been squandered by these parasites. And they're all as bad as each other; the elder gods retired long ago, if indeed they ever existed.

    Someone becomes a consultant (in the CSC, rather than the medical sense) for three and three reasons only:

    1. They like the sound of their own voice much more than anyone else's.

    2. They think they can earn more money and finally get that Beemer (never BMW, always 'Beemer').

    3. They don't want to use their brains or do any work any more. But they like seeing other people do so.

    My list deliberately does not include talent or a deep knowledge of a subject or a desire to help others do things better. A mistake people sometimes make is to confuse consultants with mentors. They are at opposite ends of the spectrum.

    I'd like to think someone at Deloitte is panicking around now. But I expect no-one there reads sites like this. Cyber-security is merely a phrase on a PowerPoint.

    1. Anonymous Coward
      Anonymous Coward

      Fair warning - former employee....

      You don't work for Deloitte, you sell for Deloitte. If you perform the service, then you aren't adding value to the firm. All they care about is selling work and billing. Why bother thinking about who will actually DO the JOB when YOUR NAME allows everyone to assume the work is good. All you need to do to succeed at one of the big 4 be able to sound intelligent and close the deal.

      To be fair, there are great people at Deloitte. The problem is the partnership model, the application of accounting ideologies to IT and the resulting lack of understanding of the importance of controls when price is a factor. Did they really understand the risk they were taking? Bet they do now!

      "An ounce of image is worth a pound of performance." - Peters

    2. John Brown (no body) Silver badge

      "2. They think they can earn more money and finally get that Beemer (never BMW, always 'Beemer')."

      Back in the dark ages when I were a nipper, it was a "BuMWipe" because they were mainly drives by arses.

  16. Potemkine! Silver badge

    It's because of the ties

    People wearing ties are losers ^^

    It's interesting knowing the mistakes made by big companies: it's very enlightening.

  17. B*stardTintedGlasses

    I wonder how many of the other consultancy companies are now going into turbo-panic?

    (A state seen only in PHB's with their necks on the line and sales people who forgot to book something and are about to lose a deal).

    "QUICK, CHECK EVERYTHING!"

    A lot of poor IT staff just lost their weekend and evenings for a while.

    1. hplasm
      Holmes

      "A lot of poor IT staff just lost their weekend and evenings for a while."

      Because of their poor grasp of IT. Particularly securing it.

      Shame.

      1. Anonymous Coward
        Anonymous Coward

        Re: "A lot of poor IT staff just lost their weekend and evenings for a while."

        or because of arsehole higher management not letting them do the job they're paid to do. I've seen that before.

  18. Anonymous Coward
    Anonymous Coward

    The sad thing is

    They did a cyber security review for me recently and commented I had no two factor auth on my admin account (small business and until now no one wanted to spend money). Within hours I'd got TFA up and running so surely they should be able to mange it. I've resisted so far from dropping them an email to see if they need a hand lol

  19. Anonymous Coward
    Anonymous Coward

    Deloitte Cyber Security Wisdom - only $1700/day

    Interestingly I found their US (fed) consultancy rate card. It looks like the sort of thing that should be an internal use only document, but hey, they don't seem to know the difference!

    Appears they charge out their contract CISOs or senior systems security bods around $1,700 / day (£1,270). Maybe they should have held some of these guys back to get their own house in order...

    https://www2.deloitte.com/content/dam/Deloitte/us/Documents/public-sector/us-fed-contractor-site-hourly-rates-10172014.pdf

  20. Flywheel
    FAIL

    Telnet

    I see they have 3 telnet connections open - one is a Cisco router. Oh dear.

    1. Anonymous Coward
      Anonymous Coward

      Re: Telnet

      I think it's great that Deloitte is truly embracing the agile world and enabling their core infrastructure to be administered from anywhere, pretty much by anyone.

  21. Anonymous Coward
    Thumb Up

    This makes for some amusing reading...

    https://www2.deloitte.com/uk/en/pages/risk/solutions/corporate-security.html

    1. Jamie Jones Silver badge
  22. Anonymous Coward
    Anonymous Coward

    Builders' Houses

    Builders houses are always a fucking shambles.

    AC because the cowboy builders here would probably fire my arse.

  23. chivo243 Silver badge
    Trollface

    "Gartner has yet to respond to a request for information on how its conclusion was reached."

    I won't be holding my breath...

  24. Anonymous Coward
    Anonymous Coward

    "Deloitte" isn't a single company so there's no such thing as "global standards" for them. Each region and sometimes country is separate. It's not even a real company as it is a partnership so the partners are paying for the work to secure their systems and they would rather have the cash themselves.

    But to be fair, this won't be because they've consciously decided to be insecure; they're just too busy raking in oodles of cash to think about it.

  25. adam payne

    "It appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes"

    Why on earth would you put login credentials on Google+ ?!?!

    1. umacf24

      Why on earth would you put login credentials on Google+ ?

      Because there's no chance anyone will ever see them there.

    2. KingStephen

      Cos you just read somewhere that it's bad to have them on post-its stuck on your laptop?

  26. sanmigueelbeer
    FAIL

    Deloitte mantra

    Do as I say, not do what I do.

  27. Pascal Monett Silver badge

    Had an interesting experience not so long ago

    It was during a handover on a client site, I was there to recover essential admin information from the previous company handling network administration.

    During talks with the soon-to-be-ex admin, we agreed that he would give me the list of passwords for administering the network - you know, as per normal.

    He handed me a USB stick. I plugged it in and had it scanned, as per normal. Then I asked him which file I was supposed to copy. Under his instructions, I copied an xlsx file that he stated had the relevant data.

    We parted ways not long after that and I went back to the office. While writing up my report, I looked at the file.

    Now, just to be clear, this was a file given to me by a senior admin from a major local consultancy firm that has scores of big companies on its customer list, not a beginner. It just so happened that, yes, the file was an xlsx file, and it just so happens that he had a filter on his formatted table.

    Guess what happened when I removed the filter ?

    Yes, all the passwords for all the clients he was responsible for.

    This is the level of intelligence we are dealing with these days. I blame Facebook.

    1. Hans 1
      Joke

      Re: Had an interesting experience not so long ago

      I am bloody sure those are NOT ALL Deloitte's customers but also TalkTalk's ... pretty sure that bloke used to work for TalkTalk, got hired by Deloitte, simply carried his excel file over to Deloitte and used it there.

      The probability of finding two d0uch3s of this kind in the same universe is 1 to a googolplex!

    2. Mike Moyle

      Re: Had an interesting experience not so long ago

      You probably should have gone AC on this post -- now they'll probably try to get you on a DMCA/Computer Misuse Act charge (depending on your location at the time) for breaking their "encryption" to get into a secured file!

  28. Anonymous South African Coward Bronze badge

    What did I just see?

    Eish!!

  29. BeakUpBottom

    Meaningless gongs

    I had a slightly better insight on this in another industry I spent a lot of time in, but I cynically formed the view they're all the same.

    Pretty much everyone has a glass cabinet in reception/the boardroom, the MDs office with 2 or 3 shiny baubles per year for "best in sector", "most magnificent new product", "innovation leader" or other such meaningless twoddle.

    Once a year, some "industry body" (actually several )sends everyone on the mailing list an invite to the annual award ceremony and tells them they've been nominated for a few of this year's prestigious medals. You've just got to turn up and pay for a table, pre-book meals and bottles of bubbly, buy an advert in the commemorative arse-wipe brochure etc. This will run you will into 4 figures, if not 5, all on expenses, natch.

    Everyone who turns up will get something, kind of in proportion to what they've forked out to get there. It's usually the marketing dept go and get these things, so they get a 3-day coke-fuelled orgy somewhere nice, with the industry award circle-jerk in the middle of it. They can then go home and boast about how amazing it is to win such a highly regarded thing, to a bewildered bunch of underpaid staff who still don't see what difference it makes to their torrid days of misery.

    Or maybe I'm wrong and some merit is involved, champagnes all round!

    1. Anonymous Coward
      Anonymous Coward

      Re: Meaningless gongs

      That's funny. I've seen a "Digital Department" go to one of these dos, get an award for "Innovation" yet having never released any apps that the award was for.

      Funny.

      To this date, they still haven't released any of note, 3 years later.

    2. Anonymous Coward
      Anonymous Coward

      Re: Meaningless gongs

      Well, given Southeastern just won a Customer Service Excellence award at some railway awards ceremony piss-up or other, your cynicism is entirely justified.

      This is the company who, when challenged over constant lying about their performance figures, on having a requested meeting with a passengers' representative group, got hauled over the coals by their MD for parodying him on Twitter. And refused to discuss resetting the relationship between the 2 parties until an apology for this was forthcoming.

      It turned out, of course, not to be a lie but a fucked-up copy'n'paste from Excel, which anyone can do. What was appalling was the insistence the figures were right, and audited (!!!) despite the arithmetic being quite clearly wrong.

  30. Anonymous Coward
    Anonymous Coward

    I am posting the Deloitte DB admin and application access credentials...

    Right here on The Register; A/C obviously because hackers will go wild:

    scott/tiger

    1. macjules

      Re: I am posting the Deloitte DB admin and application access credentials...

      Nope, its

      Username: admin

      Password: password

  31. EnviableOne

    Dewey, Cheetham and Howe

    Classic case of Profit over security.

    They make no profit if their experts are working on their own network

  32. zork

    Big 4 Echo Chamber

    If you don't practice what you preach... you won't have a practice.

    and our CIO wanted to outsource the IT security, risk, compliance to these losers

    check out most of the practice leaders in the big 4. they all have worked in their own "echo chamber"

    no real life experience in an industry other than Big 4... out of touch, overpriced and pompous.

    Nothing like one of them telling you how to do IT security in your industry when they were just an accountant 5yrs ago... bitter no. laughing my ass off yes. let it burn.

  33. Aodhhan

    Emergency Breach Plan

    The way this is being handled, you can imagine what they believe is a 'good' emergency breach plan of action.

    1 - Have someone finally read the logs; notice you only keep them for 6 months; come up with the idea the breach has only going on for 6 months--according to the logs.

    2 - State you believe the threat is eradicated (A real InfoSec pro knows this is impossible)

    3 - Keep all external connections as wide open as possible and don't audit them for the time you've been keeping this secret.

    4 - Rely on our own idiots (who we contract out for security advice) to handle this problem

    5 - Think about sending some people to a forensic course, but don't actually do it.

    6 - Use a search engine to research, Network Breach Plan... look at the recommended checklist items and then do the opposite -- to be original and different from competitors

    7 - Remember to keep this a secret for months

    8 - Pull 80% of your resources to come up with an excuse because you know it will eventually leak out.

    This is too easy.

  34. steviebuk Silver badge

    That's odd...

    ..no mention of a massive Deloitte data breach?

    :)

    https://www2.deloitte.com/uk/en/footerlinks/pressreleasespage.html?icid=bottom_pressreleasespage&q=*&sp_x_18=content-type&sp_s=date-published%7Ctitle&sp_q_18=%22Press+releases%22#

  35. Anonymous Coward
    Anonymous Coward

    Although I find the Gartner bashing hilarious, they only ranked Deloitte as number one based on revenue. Doesn't necessarily mean they were ranked first in terms of capability. Makes for a nice line in an article though I guess...

    '[Gartner] ranked Deloitte #1 globally, based on revenue, in Security Consulting for the fifth consecutive year in its May 2017 report titled, Gartner: Market Share: Security Consulting Services, Worldwide, 2016.'

  36. J. Cook Silver badge

    Gartner reports...

    ... are worth less that the bog paper we have in the washrooms here. and less useful as they are all digital.

    'least, that's my opinion on that company. (How else would Symantec be ranked number for all these years for corporate Anti-virus?)

  37. Jamie Jones Silver badge
    Coat

    They should never have diversified

    It was all bound to go downhill when they stopped focussing on disposable razors...

  38. Mark Manderson

    these morons used to try and audit us on IT Security....thick as 2 short planks.

    hahahah who would have thought their nickname of "Dolittle" actually referred to their own IT security procedures.

    This has made my day!

  39. Howard Hanek
    Holmes

    Available Shortly

    .....at the Canton Fair in a few days. Wait till the last day of the fair when they'll be discounted down 75%.

  40. Anonymous Coward
    Anonymous Coward

    It's always amused me, in a "I'm fucking annoyed" sort of way, how these accountancy firms will merrily stomp across every other profession's territory, based mostly on their position as financial auditors.

    Now, how many engineering consultancies have you seen doing a firm's audits or accounts ??...... You just try, and see the response from the accountants.

  41. steviebuk Silver badge

    Someone...

    ...pointed out that the Gartner award was being mislead by the media in a way to add fuel to the fire of this Deloitte situation, as it was an award for revenue in Security Consulting, not actual Security Consulting. However, not according Deloitte themselves:

    "Deloitte ranked #1 by Gartner in Security Consulting for the 5th consecutive year"

    https://www2.deloitte.com/cy/en/pages/about-deloitte/articles/deloitte-ranked-1-gartner-in-security-consulting-for-5th-consecutive-year.html

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like