Deloitte Hack Underscores Risk of Credential Leaks



The exact circumstances of the hack of Big 4 accounting firm Deloitte aren’t known, but evidence suggests the company was among many that fail to prevent leaks of sensitive data to cloud-based platforms like GitHub.

Deloitte became the latest big name firm to be linked to a major breach. The Guardian reported on Monday that the company had been hacked and emails containing sensitive customer information were leaked.

Subsequent independent investigations and reports have revealed a much more troubling picture of security at Deloitte, which may be the latest firm to find itself bitten by lax security policies and an ever-growing ecosystem of cloud-based systems.

Deloitte provides a wide range of services, such as auditing, tax consultancy, and cyber security services like penetration testing, and therefore, is a rich target for hackers. Its clients are the world’s leading firms in industries like banking and financial services, government, healthcare and technology.

Researchers looking into the company’s online footprint found reason for alarm. Thousands of Deloitte systems were exposed to the public Internet and discoverable using search engines like Shodan. An even bigger concern: credentials for VPN access to Deloitte systems had been inadvertently leaked to platforms like the GitHub source code repository and even the Google+ social networking platform, where one Deloitte employee accidentally shared credentials to one of the company’s F5 Big-IP load balancers.

In addition, an unnamed source within the company told security blogger Brian Krebs that the breach is far larger than just an email compromise and that hackers may have had free reign of Deloitte’s network for months—if not longer—and may have stolen large amounts of customer data. Deloitte, he said, knew about a compromise and even required all employees to change their passwords in October 2016, which suggests the timeline for this incident may be measured in years, rather than months.

This incident is just the latest to highlight the security risks that come with the growing corporate use of code-sharing sites like GitHub and cloud-based storage and hosting sites like DropBox, Amazon Web Services, and Microsoft Azure.

It has been recognized for years that credentials including so-called “secret keys” for applications on Amazon Web Services and other platforms leak onto GitHub when developers fail to scrub such information from submitted code and other supporting files. This may have been what happened at Deloitte.

Another major problem, according to security researcher Dan Tentler, comes via RDP - or remote desktop protocol, which allows workers to gain access to their work computer from a remote location. RDP-enabled systems should always be deployed behind a corporate firewall, and access to and from the system should be closely restricted and monitored. Allowing employees to enable RDP willy-nilly and not auditing your company’s RDP “exposure” is a huge risk - especially since RDP systems act as their own Certificate Authority (CA) when securing communications to and from the system. The fully qualified domain name of the system becomes the “name” of the CA. That makes it easy to link such systems to a corporation if they are exposed on the public Internet, Tentler said. They’re likely to show up in even cursory, open source research that sophisticated attackers do before launching an operation.

Other discoveries regarding the Deloitte hack include a publicly exposed Microsoft Exchange email server with services like Netbios and RDP out in the open, missing security patches, and a lack of multi-factor administrator authentication.

The prospect of one of the globe’s top cyber security services companies falling down in such a public way is bound to rattle both Deloitte’s Board of Directors and its high profile, security-conscious customer base. Revelations of the hack came as the long-serving CEO of Equifax Richard Smith “retired” amid a widening scandal over the company’s failure to detect and properly handle a breach that exposed data on 143 million individuals.

The implications (and irony) are clear: a company that advises and audits the security of others’ networks has failed to detect gaping security holes and lax practices in its own back yard. While that’s not uncommon, the red flags piling up around Deloitte’s security practices are a bad omen for other, less capable firms.

If companies fail to secure their own operations, it may fall to regulators to provoke change. The parade of hacks has the attention of the U.S. Securities and Exchange Commission (SEC). SEC Chairman Jay Clayton said on Tuesday that better disclosure is needed from companies whose computer systems have been hacked.

"Companies should be providing better disclosure about their risk profile. Companies should be providing sooner disclosure about intrusions that may affect shareholder investment decisions," Clayton said during testimony before the Senate Committee on Banking, Housing and Urban Affairs.

It is worth noting that the SEC itself is recovering from a 2016 breach of its EDGAR filing system that may have leaked sensitive data related to publicly traded firms…

Paul Roberts is the Editor in Chief of The Security Ledger.

Copyright: moovstock / 123RF Stock Photo

Paul Roberts

WHITEPAPERS

The Incident Responder's Field Guide

Paul Roberts

Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.