Deloitte Is the Latest Target of a Cyber Attack With Confidential Client Data at Risk

Global accountancy firm Deloitte has been hit by a sophisticated hack that resulted in a breach of confidential information and plans from some of its biggest clients, Britain’s Guardian newspaper said on Monday.

Deloitte—one of the big four professional services providers—confirmed to the newspaper it had been hit by a hack, but it said only a small number of its clients had been impacted.

The firm discovered the hack in March, according to the Guardian, but the cyber attackers could have breached its systems as long ago as October or November 2016.

The attack was believed to have been focused on the U.S. operations of the company, which provides auditing, tax advice, and consultancy to multinationals and governments worldwide.

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman told the newspaper. “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.”

A Deloitte spokeswoman declined immediate comment, saying that the firm would issue a statement shortly.

Top-level domain expansion is a security risk for business computers

The explosion of new generic top-level domains (gTLDs) in recent years can put enterprise computers at risk due to name conflicts between internal domain names used inside corporate networks and those that can now be registered on the public Internet.

Many companies have configured their networks to use domain names, in many cases with made-up TLDs that did not exist on the Internet a few years ago, such as .office, .global, .network, .group, .school and many others. Having an internal domain-based namespace makes it easier to locate, manage and access systems.

The problem is that over the past two years, the Internet Corporation for Assigned Names and Numbers (ICANN) has approved over 900 gTLDs for public use as part of an expansion effort. This can have unexpected security implications for applications and protocols used on domain-based corporate networks.


NSA director just admitted that government copies of encryption keys are a big security risk

NSA chief Michael S. Rogers speaks at Fort Meade.

The director of the NSA, Admiral Michael Rogers, just admitted at a Senate hearing that when Internet companies provide copies of encryption keys to law enforcement, the risk of hacks and data theft goes way up.

The government has been pressuring technology companies to provide the encryption keys that it can use to access data from suspected bad actors. The keys allow the government “front door access,” as Rogers has termed it, to secure data on any device, including cell phones and tablets.

Rogers made the statement in answer to a question from Senator Ron Wyden at the Senate Intelligence Committee hearing Thursday.

Wyden: “As a general matter, is it correct that anytime there are copies of an encryption key — and they exist in multiple places — that also creates more opportunities for malicious actors or foreign hackers to get access to the keys?”

Rogers: “Again, it depends on the circumstances, but if you want to paint it very broadly like that for a yes and no, then I would probably say yes.”

Security researchers have been saying for some time that the existence of multiple copies of encryption keys creates huge security vulnerabilities. But instead of heeding the advice and abandoning the idea, Rogers has suggested that tech companies deliver the encryption key copies in multiple pieces that must be reassembled.

“The NSA chief Admiral Rogers today confirmed what encryption experts and data scientists have been saying all along: if the government requires companies to provide copies of encryption keys, that will only weaken data protection and open the door for malicious actors and hackers,” said Morgan Reed of the App Association in a note to VentureBeat.

Cybersecurity has taken center stage in the halls of power this week, as Chinese president Xi Jinping is in the U.S. meeting with tech leaders and President Obama.

The Chinese government itself has been linked with various large data hacks on U.S. corporations and on U.S. government agencies. By some estimates, U.S. businesses lose $300 billion a year from Chinese intellectual property theft.

On June 2nd, the Senate approved a bill called the USA Freedom Act, meant to reform the government surveillance authorizations in the Patriot Act. The Patriot Act expired at midnight on June 1st.

But the NSA has continued to push for increased latitude to access the data of private citizens, both foreign and domestic.



Use SAP’s mobile platform? Patch now to avoid these ‘high risk’ vulnerabilities

Three high risk vulnerabilities in SAP Mobile could give attackers access to encrypted information stored in mobile devices, security firm Onapsis reported Wednesday.

All three vulnerabilities were recently fixed by SAP, but systems are only safe if the patches are applied.

“SAP runs so many of the world’s largest enterprises that any vulnerability must be taken very seriously,” said Nicholas Taylor, CEO of Netlogx, another security provider.

One of the flaws enables keystream recovery and could allow an attacker with access to a vulnerable device to decrypt credentials and other sensitive information stored within, Onapsis said. The attacker could then potentially connect to other business systems to access additional data.


Feds: Cloud Computing Doesn't Increase Security Risk

By Elizabeth Montalbano, InformationWeek

Federal officials defended their move to adopt cloud computing, stressing steps federal agencies are taking to ensure the technology does not present greater cybersecurity risks than already exist today, …
Read more on InformationWeek

Cloud computing 'removes technology headaches for businesses'
… could assist in getting companies up and running quickly, as well as putting any security measures in place to ensure data is protected and disaster recovery plans are established.
Read more on Hostway

Singapore Polytechnic Pioneers Next Generation Educational Cloud Computing Center
(ENP Newswire Via Acquire Media NewsEdge) ENP Newswire – 10 October 2011 Release date- 07102011 – SINGAPORE – With the launch of the SPE3C3 (Singapore Polytechnic Electrical and Electronic Engineering Cloud Computing Center) today, …
Read more on TMC Net