Deloitte Hacked

The large accountancy firm Deloitte was hacked, losing client e-mails and files. The hackers had access inside the company's networks for months. Deloitte is doing its best to downplay the severity of this hack, but Brian Krebs reports that the hack "involves the compromise of all administrator accounts at the company as well as Deloitte's entire internal email system."

So far, the hackers haven't published all the data they stole.

Posted on September 29, 2017 at 6:13 AM • 43 Comments

Comments

Clive Robinson • September 29, 2017 7:31 AM

@ Bruce,

So far, the hackers haven't published all the data they stole.

This could be "advertising" to "prime the pump" to draw up likely customers.

The thing is large legal / banking / accountancy firms have a history of thin ice operating to get plum business. You only have to look at the likes of HSBC and the organisation that the Panama Papers came from to see potentially what such information could be worth, just from the blackmail potential.

It also could be the prelude to an active Parallel Construction. Because of the way the Panama Papers came out, there were really no "Fruit of the poisoned vine" issues for investigators, because they did not obtain the information without a warrant. They were given the information, thus it became probable cause to obtain warrants etc. to investigate the information received.

I expect to see more of this sort of behaviour as time goes on and people wise up to such techniques.

Tim Bradshaw • September 29, 2017 7:33 AM

One of the things Deloitte do is security audits of large organisations: banks & so on. As part of that they get copies of lots of sensitive files from their clients, both configuration files which might reveal vulnerabilities and, probably, files with copies of hashed passwords.

All those files, for all their clients might now be in the hands of bad people.

If I was a security audit client of Deloitte, or a former client I would be very busy changing passwords and generally panicking right now.

I'd also be looking at how to arrange external audits in future so that, provably, no data ever leaves my systems.

Peter Knoppers • September 29, 2017 7:39 AM

Anyone remember the DigiNotar case?
Deloitte is also very much in the "trust me" business. I wouldn't be surprised if they vanish (or change their name) within one year.

Clive Robinson • September 29, 2017 7:48 AM

@ ALL,

Deloitte has something like a 37 billion turnover, and they give large business "Cyber Security" advice and support.

Yet they used Microsoft's Cloud Storage to house highly sensitive e-mails and other documents, in plaintext...

Aside from the question of whether Microsoft is in bed with various US IC and LE entities, does it really sound a wise idea?

I've warned for years that Storage as a Service was a bad idea for many reasons and that at the very least encryption and traffic analysis foiling techniques be used with it.

Thus the question of "If supposed Cyber Security Experts can not keep Cloud Data secure, do you think you or anybody can without the above measures?".
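
As an added illustration of the "encryption and traffic analysis foiling" measures asked for above (example code written for this page, not code from the post or from anything Deloitte or Microsoft ship), here is a client-side envelope scheme in Go. The master key stays with the customer, each object gets its own random data key wrapped under the master key, the object ID is bound into both layers as associated data so a stored blob cannot be silently relabelled, and every object is padded to one of a few size buckets before encryption so the storage provider sees only a size class rather than exact document lengths. The bucket sizes, the object IDs and the sample document are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Size buckets in bytes (an assumption of this example): every object is padded
// up to the next bucket, so the provider sees a coarse size class, not lengths.
var buckets = []int{4096, 16384, 65536, 262144}

// padToBucket = 4-byte big-endian length || plaintext || zero padding.
func padToBucket(plain []byte) ([]byte, error) {
	for _, b := range buckets {
		if 4+len(plain) <= b {
			out := make([]byte, b)
			binary.BigEndian.PutUint32(out, uint32(len(plain)))
			copy(out[4:], plain)
			return out, nil
		}
	}
	return nil, errors.New("object larger than the largest bucket")
}

func unpad(padded []byte) ([]byte, error) {
	if len(padded) < 4 || int(binary.BigEndian.Uint32(padded)) > len(padded)-4 {
		return nil, errors.New("corrupt length prefix")
	}
	n := int(binary.BigEndian.Uint32(padded))
	return padded[4 : 4+n], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag using a fresh random 96-bit nonce.
func seal(key, plain, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plain, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// Envelope is all that gets uploaded. The master key never leaves the client.
type Envelope struct {
	ObjectID   string
	WrappedKey []byte // AES-256-GCM(masterKey, dataKey), AAD = ObjectID
	Body       []byte // AES-256-GCM(dataKey, padToBucket(plaintext)), AAD = ObjectID
}

func Encrypt(masterKey []byte, objectID string, plain []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // fresh per-object key
	if _, err := rand.Read(dataKey); err != nil { return nil, err }
	padded, err := padToBucket(plain)
	if err != nil { return nil, err }
	body, err := seal(dataKey, padded, []byte(objectID))
	if err != nil { return nil, err }
	wrapped, err := seal(masterKey, dataKey, []byte(objectID))
	if err != nil { return nil, err }
	return &Envelope{ObjectID: objectID, WrappedKey: wrapped, Body: body}, nil
}

func Decrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedKey, []byte(env.ObjectID))
	if err != nil { return nil, fmt.Errorf("unwrap data key: %w", err) }
	padded, err := open(dataKey, env.Body, []byte(env.ObjectID))
	if err != nil { return nil, fmt.Errorf("decrypt body: %w", err) }
	return unpad(padded)
}

func main() {
	master := make([]byte, 32) // held client-side (HSM or local key store), never uploaded
	rand.Read(master)
	doc := []byte("constructed sample: privileged client memo") // constructed input
	env, _ := Encrypt(master, "client-a/memo-0001", doc)
	fmt.Printf("%d-byte document stored as a %d-byte body\n", len(doc), len(env.Body))
	back, err := Decrypt(master, env)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, back)
	env.ObjectID = "client-b/memo-0001" // storage side relabels the blob
	_, err = Decrypt(master, env)
	fmt.Println("after relabelling:", err)
}
```

What this buys: the provider, and anyone who subpoenas or breaches it, holds only ciphertext and wrapped keys, so the "third party business records" on their side are opaque without the master key. What it does not buy: access patterns, upload timing and object counts remain visible, and bucketing only blunts size-based inference rather than removing it. Key management moves the problem rather than eliminating it; lose the master key and the archive is gone.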

manuel • September 29, 2017 7:56 AM

This incident as many others has a very simple explanation.
IT security is currently overloaded with unprofessional resources and clown managers with large mouths and pockets to collect bonuses. Budgetary control and charlatans have polluted it to the point that even script kiddies are a serious threat. Let's not always talk about Nation-State Cyber-Threats, because this is becoming a repetitive excuse to cover the failure of managers and resources.

Snarki, child of Loki • September 29, 2017 8:27 AM

Isn't it great when Deloitte shows up to instruct pointy-haired managers how to implement password policies?

"Change them every three months! But make them COMPLICATED! And don't write them down! LONG passwords! No, not THAT long. Use symbols! No, not THOSE symbols!"

Buzzword 2.0 compliant, they leverage the synergy.

Tatütata • September 29, 2017 9:35 AM

Honestly, I grinned when I read that news item, and that doesn't happen often these days. For once, it isn't private flesh-and-bones citizens who are the butt of the joke.

I'm looking forward to reading the juicy stuff, even though KPMG would have been IMO a more interesting target among the big four. A big, fat, sleazy, corporate law firm would also make my day.

But if the stuff was stolen for ransom, the question is the classic one: how do you make sure the blackmailer doesn't keep a copy and come back for more dough? And the blackmailer might also try to go directly after the firm's customers. A strategy would be a partial public release, in order to up the ante.

warren • September 29, 2017 9:40 AM

The bigger the target, the more likely it is to be targeted.

That Deloitte - who, among other things, ostensibly offers "cyber security" advice - has been breached shouldn't be the surprise: they're a big target.

That they weren't following even the most basic of security practices is what is concerning.

I wouldn't be surprised to see hundreds of lawsuits leveled against them from current and former clients very soon.

And I'd hope - but do not realistically expect - the other big consultancies to take Deloitte as a warning, and review their internal controls and practices ASAP.

gleb • September 29, 2017 10:40 AM

@Clive Robinson
From the Guardian article : "The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

The account required only a single password and did not have “two-step“ verification, sources said."

That's incompetence from Deloitte's sysadmins, not from Microsoft. I don't think a company that cared so little about security would have done better without Microsoft's help.

Cloud companies are a single point of failure and certainly not to trust if your adversary is a state, but the security they provide against more conventional attackers is surely better than what most of their customers could have done alone.
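
The Guardian detail quoted above, a privileged account protected by a single password, is exactly the condition sign-in logs make easy to spot. Below is an added example in Go (written for this page, not code from the post, from Deloitte or from Microsoft): it reads a constructed sign-in export, flags successful privileged sign-ins that did not pass a second factor or that arrived over a legacy mail protocol which cannot prompt for one, and lists privileged accounts never seen with MFA at all. The record schema, the role names, the legacy-protocol list and the sample log are all assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// SignIn is one sign-in record. The field names loosely follow what directory
// sign-in logs carry, but this schema is an assumption of the example.
type SignIn struct {
	User      string   `json:"user"`
	Roles     []string `json:"roles"`
	Result    string   `json:"result"`          // "success" or "failure"
	AuthLevel string   `json:"authRequirement"` // "singleFactor" or "multiFactor"
	ClientApp string   `json:"clientApp"`       // "Browser", "IMAP", "SMTP", ...
	SourceIP  string   `json:"sourceIp"`
}

// Roles treated as privileged (assumed list; extend it to match the tenant).
var privilegedRoles = map[string]bool{"Global Administrator": true, "Exchange Administrator": true, "Privileged Role Administrator": true}

// Legacy mail protocols carry only a password and cannot prompt for a second factor.
var legacyClients = map[string]bool{"IMAP": true, "POP": true, "SMTP": true, "Exchange ActiveSync": true}

type Finding struct{ User, Reason, SourceIP string }

func isPrivileged(roles []string) bool {
	for _, r := range roles {
		if privilegedRoles[r] {
			return true
		}
	}
	return false
}

func Parse(raw []byte) ([]SignIn, error) {
	var events []SignIn
	err := json.Unmarshal(raw, &events)
	return events, err
}

// Audit flags each successful privileged sign-in that did not go through MFA.
func Audit(events []SignIn) []Finding {
	var out []Finding
	for _, e := range events {
		if !isPrivileged(e.Roles) || e.Result != "success" {
			continue
		}
		switch {
		case legacyClients[e.ClientApp]:
			out = append(out, Finding{e.User, "privileged sign-in over legacy protocol " + e.ClientApp, e.SourceIP})
		case e.AuthLevel != "multiFactor":
			out = append(out, Finding{e.User, "privileged sign-in with a single password", e.SourceIP})
		}
	}
	return out
}

// NeverMFA lists privileged accounts that signed in successfully during the
// window but never once with a second factor: the "single password" admin.
func NeverMFA(events []SignIn) []string {
	seen, strong := map[string]bool{}, map[string]bool{}
	for _, e := range events {
		if isPrivileged(e.Roles) && e.Result == "success" {
			seen[e.User] = true
			strong[e.User] = strong[e.User] || e.AuthLevel == "multiFactor"
		}
	}
	var out []string
	for u := range seen {
		if !strong[u] {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample log (example.com users, TEST-NET addresses), not real data.
const sampleLog = `[
 {"user":"admin@example.com","roles":["Global Administrator"],"result":"success","authRequirement":"singleFactor","clientApp":"Browser","sourceIp":"203.0.113.7"},
 {"user":"admin@example.com","roles":["Global Administrator"],"result":"success","authRequirement":"multiFactor","clientApp":"Browser","sourceIp":"198.51.100.20"},
 {"user":"alice@example.com","roles":[],"result":"success","authRequirement":"singleFactor","clientApp":"Browser","sourceIp":"198.51.100.21"},
 {"user":"exadmin@example.com","roles":["Exchange Administrator"],"result":"success","authRequirement":"singleFactor","clientApp":"IMAP","sourceIp":"203.0.113.9"},
 {"user":"admin@example.com","roles":["Global Administrator"],"result":"failure","authRequirement":"singleFactor","clientApp":"Browser","sourceIp":"203.0.113.7"}
]`

func main() {
	events, _ := Parse([]byte(sampleLog))
	for _, f := range Audit(events) {
		fmt.Printf("%-20s %-14s %s\n", f.User, f.SourceIP, f.Reason)
	}
	fmt.Println("privileged accounts never seen with MFA:", NeverMFA(events))
}
```

Run over a real export, the NeverMFA list is the set of accounts whose compromise needs only a phish or a reused password. The legacy-protocol findings matter separately: an MFA rule on interactive sign-in does nothing for IMAP or SMTP basic authentication, so those protocols have to be blocked for privileged accounts rather than merely "covered" by policy.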

Tatütata • September 29, 2017 11:10 AM

From the Guardian article : "The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

Lemme guess the account ID... Edward.Snowden [at] Deloitte.com?

I'm still gushing with schadenfreude...

Who? • September 29, 2017 11:14 AM

A company that is somewhat serious at security—and Deloitte is, amongst others, a cybersecurity company—should never, under any circumstance, store its customers' data on a cloud service. As a Deloitte customer you may not want your private information (an incredibly valuable asset these days) to be on the cloud service of one of the PII-as-a-business-model corporations, be it Google, Amazon, RedHat or Microsoft.

Jeff Carson • September 29, 2017 11:46 AM

This is very disappointing Bruce, no one has claimed responsibility, but the nature of the attacks suggests the hackers were commercially motivated, and seeking confidential information to sell or use for insider trading. This fits the pattern of Russian criminal gangs who plot jobs in secret Internet forums, as well as hackers sponsored by the Chinese government—as Fortune reported last year, China was behind a series of infiltrations targeting white shoe law firms and their clients.

Clive Robinson • September 29, 2017 11:53 AM

@ gleb,

That's incompetence from Deloitte's sysadmins, not from Microsoft.

Yes, Deloitte made a whole series of newbie or lower-level security mistakes.

But importantly they appear not to have done "due diligence" on Microsoft.

Deloitte had not just confidential information and even trade secrets in those emails; it also had "legally privileged" information in there as well.

Microsoft might have "fought the good fight over data on their Irish servers with a US court", but part of those proceedings made it absolutely clear that any data on Microsoft's servers was "third party business records" and MS would hand those over on just an NSL.

The Storage as a Service game is over for anyone with legally privileged information. There is no way under any circumstances they should have unprotected legally privileged information out of their control.

It's time people wake up and smell a major lawsuit heading their way and potentially professional disbarment and bankruptcy, because such action has almost certainly voided any liability insurance they might have. Thus ceasing to work as a professional would be the least of their worries, even though they are an LLP...

I'm not surprised that their first action was to lawyer up to the hilt.

As for Microsoft, since that court case it's their legal duty to warn customers of the implication of the third party business records, NSLs and legally privileged information. Thus I suspect that MS might also be lawyering up over this breach as well. Because one of Deloitte's defence tactics might be to pass the buck to Microsoft any which way they can and throw years of mud in the water. One argument being that Microsoft were negligent in allowing such a vulnerable administration account as a standard part of their service. After all it would be easy to find many "best practice" audit requirements for two factor authentication, PCI being one of the more obvious ones...

If you think about it the stakes are potentially higher for Microsoft and the rest of the XYZ as a Service industry than they are for Deloitte. Because that third party business records doctrine is not going away; it's way too convenient for the DoJ / FBI to give up. Thus this may wake up a large number of people who have in effect "been sleep walking to disaster" over the cloud and legal privilege. And once one or two take things back in house it could easily reach a tipping point...

With over a trillion dollars to play for this potentially could get really nasty real fast. Which would be great entertainment and a real business boost for the hardware side of the industry.

I've already got the popcorn machine warming up...

Tim Bradshaw • September 29, 2017 11:56 AM

For once, it isn't private flesh-and-bones citizens who are the butt of the joke.

Well. If whatever data on their audit clients has leaked allows the bad people to, say, get into your bank, then you will, unfortunately, be the butt of the joke.

It's as easy to say 'Deloitte, haha' as it is to say 'big retail bank, haha', until you remember that you rely entirely on Big Retail Bank PLC's systems for access to food.

Unfortunately we need to care about the (in)security of organisations we may not be very fond of.

keiner • September 29, 2017 1:11 PM

uuuuh, would like to take a glance at all those Kompromat folders prepared from this! Must be thousands of companies, world-wide, which are now in the hands of... uuhhmmm... make an educated guess...

And politicians in the hundreds... at least---

albert • September 29, 2017 1:35 PM

Deloitte, Touché!

I don't know what sort of business arrangements Deloitte has with MS. I wouldn't be surprised to find that they have nothing to do with 'security'. Are they just a middleman between their customers and MS Cloud services? Is it a case of 'no one ever got fired for using MS'?

I do know that, in a logical universe, Deloitte customers would be deserting them like rats leaving a sinking ship, in addition to suing them into oblivion. But look at Wells Fargo. They didn't go out of business, despite clearly illegal activities that even Trump supporters could understand*. For a culture that's so into retribution, nothing happens to these criminals. I guess they save the real punishment for the Unwashed Masses. At least we know who's running things....don't we?

I'm constantly reading about this and that hack, this and that leak, this and that felony. What happens when we run out of fingers to plug the dike? It's a big, important dike, and when it fails, there will be the Devil to pay...


------
* I sincerely hope that no one was offended by that phrase.
P.S. Yet another Comment section referencing Russia and China:)

. .. . .. --- ....

uh, Mike • September 29, 2017 1:40 PM

A few years back, I was at SANS, and the question arose, "What will we do to achieve acceptable security?"
The answer was, "We don't know, but we will, because we have to."
The change will come when we finally apply safety standards to software, like we do to hardware.
The pain will increase until it's less painful to change than not to.
Perhaps we're closing in on the tipping point.

neill • September 29, 2017 2:32 PM

noone wants to pay for super-high-security - and you'll never get that anyways!

just some made up numbers here but you get the idea:

$1M = 90% secure
$10M = 95%
$100M = 99.9%

but you'll never reach 100%, as with 'server/network uptime' etc,
three nines, four nines, ...

we learned to live with the occasional hacks, and have insurances that calculate that risk

so far our monetary system has not broken down despite all hacks, knock on wood (well if you count the 2008 meltdown as 'man made' by bankers and not hackers)

business will go on as usual, i do not expect big changes unfortunately :-((

Anura • September 29, 2017 3:06 PM

@neill

Microsoft's lifetime revenue exceeded $1 trillion last year; so we've spent at least that, plus the overhead cost of dealing with the bugs and security holes.

That is, we could have had a 100% formally verified OS, with well-engineered software to go along with it, and probably for much less of a cost, if Microsoft's customers had simply had the foresight to coordinate their resources to incrementally develop replacements for components of the Unix or GNU platforms. Unfortunately, our economy is simply not structured to reward productivity; just the opposite, in Microsoft's case.

This is a good thing • September 29, 2017 3:20 PM

This hacking of information from criminal corporations is a good thing. When you allegedly collude with criminals who use your services to allegedly hide money from being taxed, that makes you accessory to the crimes.

Hopefully 5 million emails were recovered and hopefully evidence of financial crimes will be made public as well as will be made to criminal investigative agencies around the world.

We need more of this.

neill • September 29, 2017 3:22 PM

@anura

i know they employ hundreds of thousands of people, that's good, but their lawyers worked out the EULAs basically to say "you have to pay us, no matter what happens when you use our products, and you cannot sue" - they get away with all the bugs they introduce ... "sorry for the inconvenience"

if they were held to the same standards e.g. like car companies you would see all windows versions 'recalled' because they are too buggy to use!

Still a goog thing • September 29, 2017 3:29 PM

Tim B. says, "All those files, for all their clients might now be in the hands of bad people."

No, now the evidence is in the hands of the GOOD people. The emails, if the hackers actually acquired any of them, are a massive source of possible evidence of financial crimes which hopefully the hackers will sift through, present to law enforcement entities, and await statements of arrest.

After none of the rich parasite crooks get arrested for any evidence which might be in the emails, then the emails should be made public to force the arrest of any crooks evidenced in the emails.

These leaks, breaches, and hacks which liberate evidence are a good thing; society around the world is better for hackers who make such information available to law enforcement and, if need be, to the public.

Yes, the rich don't like it, but crooks hate cops for reasons.

My opinions only, as always, and only my opinions.

We need more of this. Much more.

Always a good thing • September 29, 2017 3:37 PM

Who? noted, "A company that is somewhat serious at security—and Deloitte is, amongst others, a cybersecurity company—should never, under no circumstance, store its customers data on a cloud service."

Exactly correct, and in fact NOBODY should be trusting their data to a cloud service. The information stored in a cloud no longer belongs to the owner of the data, not in actuality and often not legally.

Once you place data in a cloud, you lose control of it, you lose ownership. It becomes wide open to not just being retrieved by law enforcement entities but basically it's open to ANYONE to retrieve without warrant, subpoena, or any court order at all.

Cloud computing is dying off for a number of reasons, and security of one's data from non-government agents is merely a small percentage of why. The fact that the data you store in a cloud becomes retrievable by virtually any law enforcement or any governmental agency anywhere on the planet is the main reason why fewer and fewer people believe that cloud computing is viable.

Anura • September 29, 2017 3:53 PM

@neill

i know they employ hundreds of thousands of people, that's good

Well, the problem here is that there are better things we could be doing. The larger your dev team is, the less picky you can be about who you hire, the more turnover you get, and the more you have to design your processes to take all of that into account. We do more work overall while getting lower quality products.

Think of the car market; the less reliable the cars are, the more car sales there will be. If you only look at things like profits and jobs employed by those companies and their suppliers, it might seem like it's better for the economy. But how in the world can having less reliable cars that consume more resources be a good thing? All consumers get a worse deal and that explicitly means we have a smaller economy. We are spending more of our resources in one area, thereby reducing spending (and production) in all other areas of the economy, while also increasing the cost of all products that are dependent on the cost of car ownership.

Clive Robinson • September 29, 2017 4:03 PM

@ Tim Bradshaw,

Unfortunately we need to care about the (in)security of organisations we may not be very fond of.

Actually we may not. Think about the many countries (about half) that do not have banking for the population in general.

Even where there were banks for the masses, war-torn states show that commerce continues one way or another without banks or even bank/state issued currency.

Yes life would be harder but the thing about humans is that usually there are enough that want not just to survive but thrive any which way they can. Thus "No bank, no problemo, phone cards accepted" or similar.

@ keiner,

uuuuh, would like to take a glance on all those Kompromat folder prepared from this!

You and me both. It's the sort of document hoard that Ed Snowden handed over that a couple of journalists are doing very nicely out of. It is an "Investigative journalist's" dream load...

@ Albert,

Are [deloitte] just a middleman between their customers and MS Cloud services? Is it a case of 'no one ever got fired for using MS?

Whilst the latter is almost certainly true, I suspect that Deloitte are in for a big slice of the action either in cash or kind.

I would not be surprised to find Deloitte was paying zilch for the MS cloud services they were using. MS would put it down on their tax returns not as "service in kind" but as R&D or "demonstrator", thus claiming it against tax. It's the sort of "legal" tax saving / avoidance scheme Deloitte sells to many of its customers.

@ uh, Mike,

The answer was, "We don't know, but we will, because we have to."

You left out the "weasel" word "will" between "we" and "have", which makes it future to a point that it's kicked way, way beyond the long grass to a time the speaker hopes will be beyond their retirement.

The thing is nobody really wants to fix the problem because of all the "food chains" and "faux markets" that have sprung up around continued insecurity.

@ LPA-11K,

It's the rack and thumbscrews I want for those shysters, not something warm and friendly like a few smoking coals...

@ neill,

$100M = 99.9%
That should be more like 97.5% for $100M... trust me, you are never going to get to 99% no matter how much you spend.

Nick P • September 29, 2017 5:34 PM

@ neill

Burroughs was immune to most code injection in 1961. They made a fortune, became an also-ran versus IBM, and still exist as Unisys making a fortune. SAFE and CHERI are modern takes on secure CPUs, with CHERI running FreeBSD. Rockwell-Collins made one for embedded. Languages such as Rust and Ada/SPARK can affordably make software immune to most vulnerabilities. Rust even solves temporal and concurrency errors without a garbage collector, but low-latency ones exist (e.g. Go, embedded). There's mathematically-verified crypto systems, compilers, microkernels, filesystems, and so on to use, with some of it FOSS. There's also open-source and proprietary schemes for high-availability systems. There's commercial products built this way that solve a number of problems. They were usually done by small companies. There's also safety-critical markets such as DO-178B/C that developed a whole ecosystem of low-defect components. Methodologies such as Cleanroom or Praxis Correct by Construction can do a lot of it at little to moderate extra cost.

So, it's not as difficult as you suggest. On the low-end, bluejekyll developing his DNS in Rust is a one-man show whose software is already immune to a lot of attacks by default. On high-end, the government is always willing to throw money at academics to develop protocols or verified systems that can be open-sourced and productized. CompCert and seL4 are examples. There's also the effect where you can protect a lot of activity trusting just a few tiny components in the system. The only problem remaining aside from some distributed systems or protocols is hardware-level attacks which we can do physical isolation for if necessary. Especially since it's so cheap now. :)

neill • September 29, 2017 8:36 PM

@anura

what % M$ actually spends on their cybersec division no one knows, or how many folks they employ, and i doubt they will ever disclose that

(maybe some info is in the shareholders info package)

guess there's some secret formula in place that includes factors like legislation, marketing, loss of trust & lawsuits, competition, greed etc

but what i know is that there are x million 'script kiddies' out there and someone will find a new bug before M$ does

@nick p

more obscure makes it harder for the hackers, but also more $ to find developers

problematic is e.g. the new tesla "nvidia drive px 2" contains several SoCs that are interconnected, all with their own bugs ... somehow you'll find a backdoor into a bus

from long ago i remember a NASA documentary stating rockwell writing code for the SSME controller (68k based!) at $10k per line (that was in 1970 USD i guess)

so it's always the cost vs security issue, and since the consumer most likely opts for the cheapest solutions you know who will win :-(

Winston Bear • September 29, 2017 11:39 PM

A friend of mine at my former job openly referred to the firm, which was making recommendations in regard to how we should re-form our IT department, as "Toilet and Douche." At the time, I thought he was being rather harsh and cynical. I may have to revise "harsh and cynical" to "understatement."

Clive Robinson • September 30, 2017 12:52 AM

@ neill, Nick P,

from long ago i remember a NASA documentary stating rockwell writing code for the SSME controller (68k based!) at $10k per line (that was in 1970 USD i guess)

The problem is that writing safety critical software is comparable in price to developing safety critical hardware. I used to be involved with both so have some insider insight on the whys of the cost.

The first reason it's apparently so expensive is generally not the cost of manufacture but the cost of proving the design, and this has to be amortized with profit across every unit, which might be fewer than twenty units. Think for instance of satellites: generally they are not one-off designs --though some parts of payload packages might be--, but the numbers are low and they are eye-wateringly expensive with 20-30 year expected lifetimes.

The odd thing is managers used to accept the hardware costs with barely a grumble. But software... That was and still is a whole different story.

I was working in high rel safety critical systems when they were still using Relay Ladder Logic. I had to design both ladder logic and 8-bit CPU machine code control systems. Generally the cost of design and functional testing was lower on the relay logic but actually verifying the hardware for Factory Acceptance Test (FAT) was very much more expensive. Put simply, the level of FAT tests was very much more in-depth, including things like "wire pull tension tests", "bare wire / joint separation distance testing", "Condensing / icing tests" and similar. Because the customers' engineers "could see and touch the relay logic" first hand. ICs and PCBs were literally "Black Box" to them and they had no way to test them, they just looked at the varnish coating or poked at the encapsulation, and sat in on extended thermal range cycling tests. FAT tests were still stuck in mechanical testing and functional tests for switches etc. The actual unit function tests were also still based on "state machine" testing. The software involved was of equally low complexity as the ladder logic and was not correctly tested by the FAT system of tests.

That said, I designed systems around 1802 8-bit CPUs and later mil-spec grade 8086 CPUs as well as the 68K family. Whilst you can still get 1802 parts, you cannot for the others. Which is awkward because many of those systems are still in active use; some have uptimes now well in excess of 200,000 hours and still counting as I write. As far as I'm aware the only times any of the systems I designed back then have had down time is when there have been plant changes or the plant has been End of Life Decommissioned.

Also I designed electronic locks for hotels some of which the electronics are still in use but the "furniture" has been replaced a few times during refurbs. I was actually "tracked down" by one hotel chain about doing "Front Desk Unit" upgrades as late 80's PC boards and CGA graphics are getting hard to replace...

In the early 90's I was developing cordless phone systems for POTS. Some of them got "best" consumer test reports for design and usage. I know that some are still in daily use twenty years later without issue. Because I enrolled friends into "customer testing" so they got the phone for free, and they are still using them without issue (apart from the odd broken telescopic antenna, which I still have spares for, and a couple of cracked cases and replacing the "consumables" of rechargeable AA batteries).

So it is possible to design "zero functional defect" software at a sensible price that will run for a quarter of a century or longer. It's down to the skill and integrity of the design engineers more than it is "formal methods" and similar. But it's generally not what people want. And certainly not what manufacturers and consumer groups want.

Though that might change, in amongst some "Right to Repair" legislative proposals is a requirement that manufacturers do not design in obsolescence, not just in the hardware but software as well, including opening up walled gardens etc. Some complain it's "Dressed up as an 'environmental' issue" which it's not. It's actually a very real environmental issue as things like WEEE legislation is not working because it does not have the teeth. So they are putting teeth in the proposed legislation such as 4% of turnover level fines. For obvious reasons it's not just the manufacturers that are fighting against this.

Tim Bradshaw • September 30, 2017 12:50 PM

This is a combined reply to several comments. I should point out that, although I don't work in financial IT now, I did so until 2013 (and in particular I did so through the 2007-2008 crash), will probably do so again (it pays better than climate science) & still have very close contacts with people who currently do audit-related work.

Someone who identifies themselves as 'Still a goog thing' wrote:

No, now the evidence is in the hands of the GOOD people. The emails, if the hackers actually acquired any of them, are a massive source of possible evidence of financial crimes which hopefully the hackers will sift through, present to law enforcement entities, and await statements of arrest.

I'm afraid you don't understand how audit works. If an auditor had evidence of financial crime which they did not reveal to the authorities then they are implicated in that crime. If they get caught then, well, there's a reason why there is now a big four of audit firms where there used to be a big five. If an auditor has such information and is concealing it then they're doing so because they're getting backhanders from their client. Conspiracy theories are fun, of course, but usually not true.

The other possibility is that the client, who is involved in some kind of financial crime, is, due to incompetence, unintentionally leaking incriminating information to their auditors who, also being incompetent, don't realise what it is. This is more likely than the above scenario, but also not very likely.

What is almost certain is that the auditors have a lot of quite innocent but sensitive information about their clients -- lists of who is authorised to do what for instance which, in the wrong hands, can result in quite nasty attacks ('here are some bits of your children, please authorise this change or I will post more') which now may be in the process of leaking to people who are willing to undertake such attacks. If you think that's a good thing then, well.

Clive Robinson tried to argue that we don't really need to worry about the security of organisations like banks because plenty of countries don't have a functioning banking system. This seems to be an example of what Erik Naggum called 'one-bit-mind thinking', which is the notion that there are only two states: absolutely important, or absolutely unimportant.

And it's dumb, sorry. First of all it's probably worth correlating the prosperity of countries without functional banking systems to ones that have them: yes, you can survive without banking -- humans did for a quarter of a million years, after all -- but only if you don't want things like hospitals, good sanitation, clean water, enough food, to survive to adulthood and not then die in childbirth, and so on. Most people want these things.

Secondly 'living without banking', bad as it is, is not the problem you need to worry about: the problem you need to worry about is an abrupt transition on a large scale between 'banking' and 'no banking'. And this is a nastier problem: if the banks fail tomorrow then the ATMs stop working, your salary and all your bills no longer get paid, and this happens to everyone: money is essentially gone and with it all transactions which involve it. Supply chains collapse and food disappears from the shops: there is looting and worse. Within a few weeks people start dying in large numbers. It's not as bad as nuclear war, but it's a lot worse than anything that has happened to the US since, at least, the civil war (Germans and Russians have experienced events which might be comparable, and in the case of Germans it is still, just, in living memory).

So yes, you care about the security of the banks because you very much do not want them to fail. You may also want them to be less nasty organisations (I certainly do), but you do not want them to fail.

Finally, neill said:

so far our monetary system has not broken down despite all hacks, knock on wood (well if you count the 2008 meltdown as 'man made' by bankers and not hackers)

And there's an important point here. If the financial system threatens to fall over because organisations are not solvent, then governments can fix this by pouring money into insolvent institutions because money is fungible. This is what happened in 2008: it is a terrible long-term fix but it keeps the system running long enough while you deal with the underlying problems. (Or, in the case of the recent crash, while you don't, which is why we're all going to see it happen again in a few years: the politicians responsible for failing to address the underlying problems after 2008 should go to jail for a very long time but no doubt will not.) If the financial system threatens to fall over because of IT problems on the other hand, then you can't pour computers into it to fix it: in fact, it's not clear that there is anything you can do at all.

And it is my belief that the financial system is very vulnerable to attacks on its IT infrastructure and that very little, if anything, is being done to deal with this problem, because it is unglamorous, very hard work, and too hard for politicians with PPE degrees to understand and therefore unimportant.

I just hope that this attack on an obviously technically incompetent organisation does not lead to something bad for its clients, and hence all of us.

neillSeptember 30, 2017 5:58 PM

@clive robinson

thank you for those insights! chatting with NASA folks they said that manned flight is at least 10x more expensive than unmanned, so i'm not really surprised by the costs

RE POTS - recently i was asked to fix a 20-year-old nortel meridian system, much to my delight i was looking at a 68008 board, just the power supply failed :-) good old stuff!

@tim bradshaw

i'm more worried about the SEC hack than equi, just because you'd hope the feds would have more strict rules and procedures - albeit on old hardware that's only replaced by political influence but not tech requirements

TomTrottierSeptember 30, 2017 7:05 PM

Krebs & The Guardian say "administrator accounts" - but it is not clear if computer accounts were hacked vs only email accounts. If only email, that would limit data leaks.

GeorgeOctober 2, 2017 8:26 AM

The cloud is not the enemy here; bad configuration is. Do we conclude for every on-prem incident that someone on-prem was inherently a contributor? (If we did, we'd all be entirely in the cloud by now.)

TatütataOctober 2, 2017 10:09 AM

The Space Shuttle computer couldn't have been based on the Motorola 68000, as that family was only launched in 1979, long after the design had been frozen. (And presumably even longer before space-qualified parts eventually became available.) The Shuttle's first atmospheric flight was in 1977, and the first space launch occurred in 1981, after a long series of postponements.

I thought it could have been based on the MIL-STD-1750A, but it too was only finalised around 1980.

The Shuttle computers were based on a 32 bit IBM architecture used on a number of other platforms. (1, 2). The main engine and SRBs might have used different processors.

I would be careful about the quoted cost per line of code, as it isn't specified what is included in these. This type of development wouldn't have been done with off-the-shelf tools, and I expect that there is a large cost involved for creating and maintaining the development architecture (e.g. an expensive mainframe, cross-compilers, emulators, validation, etc.). Extensive testing was also involved, and don't forget the paperwork. I was told by friends who had designed satellite hardware of interminable design review meetings with 20+ heads.

A different world altogether.

Regarding the Burroughs machines, I owe them the first peso I ever earned - by running stuff on an IBM mainframe. An acquaintance of my father had developed a piece of kit for this series, and acquired a dataset of potential buyers that came on a nine-track tape and an IBM-flavoured COBOL program. I was 14ish, and spent many hours poring over JCL manuals bound into tables at the time-share computing centre. There were recording errors on the tape, but I quickly managed to get the COBOL cr*p I knew nothing about to run and produce that report.

Regarding Deloitte, I won't shed crocodile tears on them. What happened happened. These make a living acting as corporate hired guns, and many years ago they trained their crosshairs on yours truly (with his co-workers).

GeorgeOctober 2, 2017 10:27 AM

To the idea that this is somehow an omen of Deloitte's end: Verizon Business has had numerous problems, including a large-scale breach. They do similar consulting work, and they publish the big breach report.

The way things stand today, I predict zero problems for Deloitte. A few things could change that, including embarrassing raw data surfacing, clear customer harm, and criminal charges or regulatory interest.

Joseph MOctober 2, 2017 10:43 AM

Tim Bradshaw wrote, "This seems to be an example of what Erik Naggum called 'one-bit-mind thinking',"

Interestingly, sometimes flipping a few bits helps getting a clearer look. Unfortunately, most things are a bit more complex than flipping bits. As you pointed out, most of it has to do with trickle-down effects. When the top misses their number projections, they will more than likely dig down below to balance their books, so this can't be good for everyone. "Never let a crisis go to waste" is a dangerous mindset to serfdom.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.