Cayman Islands investment fund left entire filestore viewable by world+dog in unsecured Azure blob

A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob. Details of the fund's register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an …

  1. Doctor Syntax Silver badge
    IT Angle

    any other small firm who think their main business is not focused on IT

    When a firm is dependent on IT it's an IT business whether it thinks it is or not. This sort of thing is the result of thinking it isn't.

    1. Anonymous Coward
      Anonymous Coward

      "When a firm is dependent on IT it's an IT business"

      Change IT to electricity - does that still work?

      1. Doctor Syntax Silver badge

        Does electricity have the same risk profile?

        1. cookieMonster Silver badge

          It does if you’re the electrician or company installing it, some severe penalties for not following national standards and laws.

          1. Disgusted Of Tunbridge Wells Silver badge

            Also customers tend to have a right old moan if your wiring makes them fizzy.

      2. Joe W Silver badge

        Like with electricity: pick a provider that does not leave you in the dark.

        (sorry)

        The challenge is that nowadays electricity providers are pretty much all very similar. There are way fewer that should be roundin' up cattle (or behave like they would) when compared with IT service providers. The standards for the first are well established. Clearly IT service providers should be certified to a similar level of standards, but many are not and many companies select their IT provider solely on the price. For electricity this works (mostly), nobody is going to install a substandard power line to your house, as there are enforceable rules about that.

      3. Anonymous Coward
        Happy

        "When a firm is dependent on IT it's an IT business"

        Change IT to electricity - does that still work?

        No, because they don't have to reconfigure the fuse box whenever someone plugs a new table lamp in, nor do they have to worry about Russian hackers gaining control of the kettle if they accidentally leave an MCB socket empty.

      4. Loyal Commenter Silver badge

        The difference being that if you're going to put in a ring main, you have to get an electrician in to do it, which helps prevent you from electrocuting yourself.

        If you put all your data into "the cloud", all you need is a means of payment, you don't need to get an IT professional to do it (and many businesses see IT people as an unnecessary expense). This then results in the metaphorical equivalent of standing in a bucket of water while licking a frayed HV cable.

        1. Anonymous Coward
          Anonymous Coward

          The situation with electricians isn't that different to IT providers. There are qualified and unqualified people around willing to do a job. You can do it yourself - all the necessary parts & tools are available at B&Q etc. I believe the legal requirement (in UK) is to have the finished work certified by a registered electrician & I dare say there are also people ready to save you the trouble there and give you a nice piece of paper. The building trade was famed for "cowboys" well before IT got going after all.

      5. amanfromMars 1 Silver badge

        An Utter Impossibility ...... Absolute No-No ‽ .

        "When a firm is dependent on IT it's an IT business"

        Change IT to electricity - does that still work? ..... Anonymous Coward

        Whenever electricity is bog standard available practically everywhere with a population hardware and IT is a complex software product for wannabe ruling elite types, it doesn't work at all well.

      6. goldcd

        Sortof - yes

        You've got to get a qualified person in to install it, following sensible rules such as not using bell-wire, joining with sticky-tape or using a nail as a fuse.

        Then maintenance - yearly inspection.

        Then you have to plan for "electricity going wrong".

        Legal physical stuff like ensuring you have sprinklers/extinguishers in the office. Then legal personal stuff, like ensuring you've got people trained to turn off power first when somebody's electrocuted, how to treat them, how to evacuate the office etc.

        I guess my point is that companies using electricity have stricter rules to follow when procuring it and nice recurring line-items on budgets.

        Maybe better term would be "An IT (or electricity) dependent business"

        In this case, it sounds like they procured their external IT services from the equivalent of a "Bloke in the pub that did it on the cheap" - and then they just crossed their fingers that nothing would burst into flames.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sortof - yes

          your home electrical installation was last inspected when?

          Apropos earlier posts:

          And as I understand it, all Part P certification (which was never really made available to skilled "hobbyists") is void at the time you need to sell your property - it gets (re)inspected at the time of listing.

          If you are confident in your own work (and you are allowed to change switches and sockets)...

          The down vote button is on the right

      7. Mage Silver badge
        Coffee/keyboard

        Re: dependent on IT it's an IT business

        Not generally true. But it's partly true for banks. They seem to regard a physical branch as an inconvenience and the local manager is now really a counter operative supervisor. The Branch seems to do little other than accept lodgements. All the activity including electronic lodgements can be done online. The computer automatically disables your Credit Card on some bizarre definition of fraud, not humans.

        They mostly ONLY do IT and do it badly.

        Real IT businesses provide IT to other businesses. So this is false: "dependent on IT it's an IT business".

    2. Anonymous Coward
      Anonymous Coward

      Investment management was a thing in the era of ink and quill pens. If computer hardware and software vanished tomorrow, it would still be a business. They've tried to use IT and someone has effed up on their behalf, that doesn't make them an IT business.

      The idea that a business is an IT business because it uses IT heavily is promoted to puff up normal run of the mill companies as future Amazons, because being a property firm, taxi firm or pharmaceutical company (*) isn't sexy enough.

      * you know who they are

      1. Doctor Syntax Silver badge

        Let's take pharmaceuticals - my daughter works in clinical trials.

        You might think that the end product is a medicine. So it is, but before that hits the prescription pads e-prescriptions there's another product - a huge stack of documentation to be submitted for approval. That documentation isn't collated by sorting through bits of paper, it's put together on computers including laptops of people like my daughter.

        Those laptops are going to contain personal information about the trial patients - subject to GDPR - and including medical history. I'm not familiar with the regulations regarding that but I assume that it is subject to regulation over and above GDPR. The results of the trial will affect the share price so it's going to be subject to financial regulation as well. Besides all that, the fact that it's also company commercial in confidence information is almost a minor consideration. As the trials workers are apt to be based where the patients are and not necessarily in head office there's also a need for secure communications with HO.

        Any pharmaceutical business that doesn't think it is also an IT business, to handle all that with an appropriate degree of security, needs to think again.

        1. Anonymous Coward
          Anonymous Coward

          it's put together on computers including laptops of people like my daughter.

          Those laptops are going to contain personal information about the trial patients - subject to GDPR

          Fully-encrypted laptops, one hopes?

          1. Dante Alighieri

            pseudo-anonymisation

            usually participant/registry numbers that can only be unblinded by legitimate access to clinical systems.

            Same issues for medical trainees - logbooks with identifiers only "breakable" with legitimate access to (local) healthcare system - and usually no need to do so!

            Trainee can't find individuals without traceable access to clinical records - nor can trainer (replace with researcher/regulator as necessary)

          2. DiViDeD

            Re: Fully-encrypted laptops, one hopes?

            Well, from the actual trials side, far more than encrypted. Generally, a preloaded and locked down laptop supplied by the company, companies or trusts running the trials, loaded with the software required to record the trials, including any peripheral input devices and sensors. These machines are generally so locked down they can be considered black box clinical devices (boot directly into the trials software environment, no desktop, can't even play Solitaire on them, generally no access to the results or patient information). Occasionally they even have GPS tracking devices to record the movements of the laptop (test centre to office is fine - Tracey's apartment for the weekend, results invalidated).

            At least that was the case in Australia a couple of years ago when I was peripherally involved (as an IT consultant - not a trial subject) with an institute doing clinical trials in Sydney.

          3. Michael Wojcik Silver badge

            Fully-encrypted laptops

            You want encryption? Pal, even the keyboards are encrypted on these babies! You won't know what you're typing, that's how encrypted they are. We've encrypted the battery - the remaining charge value is indistinguishable from a random number. Press the power button? Equal chance of turning it off or on. Touch the trackpad and the pointer could go anywhere. Yep, fully encrypted.

        2. Disgusted Of Tunbridge Wells Silver badge

          By that logic they're also in the "building security" business ( preventing people from breaking in and stealing secrets ).

          As well as being a HR business ( they have staff ). etc. A catering business if they have their own canteen staff.

          1. Stoneshop

            preventing people from breaking in and stealing secrets

            They should. But theft and provision of power have been vulnerabilities for a good while longer than this information technology malarkey, so they're more prominent in most people's risk assessments. It's pretty straightforward to figure out what can happen if some miscreant heaves a brick through a ground-floor window or when there's a power cut, and what should be done to minimise that. Much less so when the issue is remote entry and data exfiltration through software vulnerabilities, misconfiguration and phishing. That attack surface is much more varied and opaque, and could well be growing by the day unlike any of the weak points that can be physically attacked.

      2. Paul Hovnanian Silver badge

        On the Internet?

        "Investment management was a thing in the era of ink and quill pens."

        Part of the attraction of Cayman Island corporations is that they should be difficult to examine. Being nothing more than a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.' None of this fancy Internet stuff. And there are those who would pay extra for the level of obfuscation provided by ink and quill pens.

        1. DiViDeD

          Re: On the Internet?

          there are those who would pay extra for the level of obfuscation provided by ink and quill pens

          Yes. Isn't it odd that these people are simply looking to protect their privacy by using a legitimate business to keep their financial dealings confidential, while if an ordinary citizen is discovered using Tor, it's "Paedophiles, terrywrists and criminal gangs" all over the front pages

    3. low_resolution_foxxes

      These funds generally take a 1-2% cut of their clients' funds in fees, so it'll probably have turnover in the $3-9mpa. They can afford an IT manager, he can even polish the Bentleys.

  2. Cederic Silver badge

    "Hi, you've been hacked"

    In fairness I think I'd auto-delete an email telling me I'd been hacked - I get too many of them already, usually telling me that my non-existent webcam has caught me engaging in things I don't do.

    1. lglethal Silver badge
      Trollface

      Re: "Hi, you've been hacked"

      Of course you don't do them. Sure....

      We've all seen the pics Cederic, don't try and deny it. But if you don't want me posting them to Pornhub, please send 100 Bitcoin to the following address....

      1. Cederic Silver badge

        Re: "Hi, you've been hacked"

        For 100 Bitcoin I'll create the pictures and post them myself!

        1. Anonymous Coward
          Anonymous Coward

          Re: "Hi, you've been hacked"

          The question isn't really about whether you do it or not, but how much you charge?

  3. Doctor Syntax Silver badge

    Oops.

    I wonder how many tax authorities have spotted it.

  4. Potemkine! Silver badge

    Would it be possible to pass all these data to the tax authorities worldwide? Just in case someone used this fund located in a tax haven to avoid paying his / her fair share of taxes.

    1. Plest Silver badge

      Not every investor is a low-life weasel paying 2 quid tax on every 200 million earnings, a lot do pay their share but they have the money to minimise their tax bills. The right school, the right nobby friends and we'd all be doing it!

      1. Michael Wojcik Silver badge

        Not all of us.

  5. amanfromMars 1 Silver badge

    Don't Panic ...... There's Really Nothing to Worry About from Here to Where We're All Going .....

    .... I Kid U Not

    The unnamed fund's incident response consisted of disregarding the initial notification from The Register before asking a staffer with a compsci degree if he thought there was cause for concern. Luckily, that person realised what we were trying to tell them.

    What would you tell them now El Reg with regard to utilisation and exploitation of compsci degree level concerns ......in ACTive Virtual Applications with Monied Investors ....... Cyber Business Angels ......... Absolute Daemons?

    Would you tell not to worry, for there are no problems to boot and repeat/reboot and introduce ....... Present? That would be Helpful and Prescient and probably something Quite Entirely Different ..... Novel and Noble .... and NNobeling? :-) Now there's an Almighty Indulgence questioned for its True Worth and Perceived Value right there, slap bang in the middle of this descriptor paragraph.

    1. m4r35n357 Bronze badge

      Re: Don't Panic ......

      My hovercraft is also full of eels.

    2. amanfromMars 1 Silver badge

      Re: Don't Panic ...... There's Really Nothing to Worry About if We're All Going to Die Too:-)

      Would you tell them [sic] not to worry, for there are no problems to boot and repeat/reboot and introduce ....... Present?

      Or, if they be erring and errant humans with sensitive and secretive shenanigans to hide or pray stay undiscovered and still deeply covered, would it be right to tell them to be ready to be absolutely terrified because of the changed and changeable nature of developments in fields of compsci at Masters degree and DPhil level concerns/fervent interest, for there are myriad multiple problems to boot and repeat/reboot and reintroduce which cannot be negated or mitigated by targeted bodies/compromised entities/failed utilities, should certain facilities and information be exercised and released to create mayhem and havoc and conflicts in CHAOS .... Clouds Hosting Advanced Operating Systems ?

      What would be the more truthful option, El Reg/El Regers, based upon the breadth of your own knowledge and on all of the relevant and relative subject matter that you may have read online either here or elsewhere and somewhere foreign and alien and remarkably different to many a being?

      And would/could you honestly believe it to be definitely the latter rather than unlikely the former should it ever be boldly told to you to be so, or would you require a spectacular runaway train like, chain reaction daemonstration which current power and SCADA Administration Systems are disabled and unable to stop?

      If needs must, you can certainly panic now if you like. It is certainly the right time to if ever one was needed with so much to be heeded already so widely universally seeded and free out there. :-) And I'm calling MRDA on that, lest nobody else does. :-)

  6. EnviableOne

    Stop calling it cloud

    this gives them non-techies a fluffy feeling of something up there that no-one has access to ...

    the reality is more like leaving it in some blokes lockup on an industrial estate

    you wouldn't store anything there without checking the security out....

    1. Peter Galbavy

      Re: Stop calling it cloud

      Except in this case the "lockup" hasn't actually got a padlock on it, so it's more an "unlockup"

      1. EnviableOne

        Re: Stop calling it cloud

        ahh, another misapprehension, no mention of padlock, the name is more generic, implying it is a storage space, with the facility to be locked up, much like blobs or buckets ...

        just because it can be locked up does not in any way imply that it has ...

  7. Anonymous Coward
    Happy

    The firm claims to have $500m under management...

    Not any more, I'm guessing.

    1. Yet Another Anonymous coward Silver badge

      Re: The firm claims to have $500m under management...

      I suspect some of their customers are likely to do more than write an unfavourable Yelp review.

      Be interesting to follow the Cayman Islands local news to see how many directors suddenly, accidentally cut their own heads off while shaving.

  8. Blackjack Silver badge

    So... Blobleaks when?

    While I am not sure if the Register is gonna do it, someone else is gonna leak all this information eventually because Cayman Islands. More so if they find famous people in the clients list.

  9. TheVogon

    Azure blobs are secure by default so to make one publicly accessible takes a special kind of stupid.

    1. Michael Wojcik Silver badge

      Yes, it actually takes some effort to leave an S3 bucket unsecured too.

      If the bit about "their Hong Kong IT provider" is true, then it's time to find a new provider. It should be trivial to provide basic security for a cloud-based backup system, including encrypting the data at rest. This is inexcusable.
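The two comments above turn on the same point: an Azure container is private unless someone sets its public access level. The script below is an added example, not code from the article, the commenters or Microsoft. It parses the JSON shape that `az storage container list --output json` and `az storage account show --output json` produce (assumed here to carry `properties.publicAccess`, which the CLI sets to "blob", "container" or null, and `allowBlobPublicAccess`) and flags anything that would be readable anonymously. The two listings embedded in it are constructed samples, not real accounts; the account and container names are invented.

```python
"""Flag Azure blob containers that allow anonymous (public) read access.

Added example for this comment thread; not from the article or from Azure's
own tooling. Assumptions, labelled here:
  * `az storage container list --output json` returns a list of objects with
    `properties.publicAccess` set to "blob", "container" or null.
  * `az storage account show --output json` returns `allowBlobPublicAccess`.
Both sample documents below are constructed for the example.
"""
import json

# Constructed sample: the container listing of one storage account.
SAMPLE_CONTAINERS_JSON = """
[
  {"name": "backups",
   "properties": {"publicAccess": "container",
                  "lastModified": "2021-06-01T10:00:00+00:00"}},
  {"name": "investor-correspondence",
   "properties": {"publicAccess": "blob"}},
  {"name": "register-of-members",
   "properties": {"publicAccess": null}}
]
"""

# Constructed sample: account-level properties of the same (invented) account.
SAMPLE_ACCOUNT_JSON = """
{"name": "examplefundstorage",
 "allowBlobPublicAccess": true,
 "minimumTlsVersion": "TLS1_2"}
"""


def public_containers(listing_json):
    """Return (name, level) for every container whose publicAccess is set.

    "container" lets anyone list and read every blob; "blob" lets anyone read
    a blob whose URL they know, which is the exposure the article describes.
    null/None is the private default and is not reported.
    """
    findings = []
    for container in json.loads(listing_json):
        props = container.get("properties") or {}
        level = props.get("publicAccess")
        if level:
            findings.append((container["name"], level))
    return findings


def account_allows_public(account_json):
    """True unless the account blocks public access outright.

    A missing key is treated as "not blocked", the conservative reading for a
    review: the account-level switch is the one that makes container-level
    settings irrelevant, so its absence should be investigated, not ignored.
    """
    account = json.loads(account_json)
    return bool(account.get("allowBlobPublicAccess", True))


def report(listing_json, account_json):
    """Combine both checks into a list of human-readable findings."""
    lines = []
    if account_allows_public(account_json):
        # The account-level block is the real fix; container settings alone
        # can be undone by the next misconfiguration. The flag named here is
        # the Azure CLI's own: az storage account update
        #   --allow-blob-public-access false
        lines.append("account permits public blob access; "
                     "consider --allow-blob-public-access false")
    for name, level in public_containers(listing_json):
        lines.append(f"container {name!r} is public at level {level!r}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONTAINERS_JSON, SAMPLE_ACCOUNT_JSON):
        print("FINDING:", finding)
```

Run against the constructed samples it reports the account-level switch and the two exposed containers and stays silent on the private one. On a real subscription the same functions would be fed the CLI's output (with a valid login and the right `--account-name`), and the account-level finding is the one to act on first, since blocking public access at the account makes every container's own setting moot.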
