Infosec Cloud
Solutions. Services. Training.

Deloitte hacked by stealing admin password

It was revealed last week that Deloitte was hit by a major cyber attack that compromised its email system and certain client records.

The attack was achieved by knowing the password of a single system administrator.

With that simple piece of information, the hackers were able to gain access to Deloitte’s email services and, according to some reports, extract several gigabytes of data containing the content and details of clients’ email messages and attachments.

The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”

 Well-respected security journalist, Brian Krebs, cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts.

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for ‘a long time’ and that the company still does not know exactly how much total data was taken.

Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.

For a key system to rely simply on user name and password for access is a fundamental failure of security, and one that could easily have been fixed by the addition of multi-factor authentication (MFA).

MFA provides maximum flexibility and ease of use, and can be rapidly introduced – thereby ensuring that a lost password no longer offers hackers an easy way into your organisation. Read our guide to choosing the right MFA solution to meet your specific needs.

Request the MFA Buyer’s Guide:

Full Name (required)

Business Email (required)

Job Title

Company Name (required)

Phone Number

Enter these characters below: captcha

 

  • Employee GDPR Awareness Training

  •  Identity-as-a-Service (IDaaS) solution

  • Tokenless Strong Authentication (MFA)

  • Next Gen Endpoint Security

  • Enquiry LinkedIn Spiceworks

    Multi factor authentication made easy

    There was a time when two-factor authentication was a major undertaking. New servers had to be installed, security tokens had to be purchased, distributed and registered to their owners and then Support Desks had to be created to handle queries from users and to service requests for replacements for lost tokens.

    The whole process was expensive, and took a great deal of time and planning. It could take months or years to put in place and then required a substantial level of support to keep going.

    But since SecurEnvoy launched Tokenless authentication, that has all changed. Now it is possible to set up authentication for a whole organisation in just an hour or two.

    No more Specialist Tokens

    Instead of needing to carry specialist tokens, users can nominate the device of their choice – usually a mobile phone or tablet they already possess – to receive their one-time passcodes.

    In addition, user registration is done using information already stored in the organisation’s own network directory. So there is no need for new special servers to run the service. This means that from a standing start, it is possible to register up to 100,000 users per hour.

    Single Sign-on

    The SecurEnvoy service also integrates easily with a wide range of commonly used applications, such as Salesforce. This means that when a user logs on remotely from anywhere in the world, having keyed in their username, password, and their one-time passcode, they gain access to the full range of corporate applications.

    In other words, a single sign-on gives them full access as if they were sitting in the office on the corporate network.

    Simple User Registration

    For the individual user, registration is perfectly simple. Each user receives a 6-digit code to their nominated device which they key in when logging on for the first time, and the process is complete. If they later decide to change their phone or switch to a tablet, they can manage the process themselves easily without having to call a support desk.

    Dual Protection from Password Thieves

    Most 2FA providers create cryptographic keys called seed records when they distribute OTPs, and these keys contain fundamental security loopholes. In contrast SecurEnvoy has added an extra level of security where they do not themselves generate or save the seed records at any time.

    Find out why SecurEnvoy is ‘The Lord of the Keys’

    Access the whitepaper to read how two-part seed records solve all safety concerns regarding two-factor authentication.

     

     

    Request your copy of the Whitepaper:

    Full Name (required)

    Job Title (required)

    Company Name (required)

    Business Email (required)

    Phone Number

    Enter these characters below: captcha

     

    2FA: One swipe and you’re in

    Good security should be secure, of course, but it should also be easy to use. If security becomes too cumbersome or difficult to use, then it either gets in the way of people doing their job, or it tempts them into finding ways around it.

    That is the thinking behind SecurEnvoy’s new feature set in SecurAccess v8.1. With OneSwipe Push, user authentication is simplicity itself.

    When the end-users log in at their PC and enter their password, a notification message with “Accept” or “Deny” buttons is immediately sent to their smart phone.

    All they have to do is hit the “Accept” button, and they are logged in. They don’t even have to key in a passcode. (If they get a message when they haven’t logged in, of course, they can quickly press the “Deny” button to stop an imposter using their identity)

    If their phone doesn’t have a data connection and so can’t use online push, after a short timeout (configurable by the system administrator), the PC prompts them to enter a passcode on their phone using the SecurEnvoy app. The app can display passcodes offline in the same way as older hardware tokens or fobs and provides the user with a six-digit code to enter.

    The new feature makes logging in effortless, and also provides a back-up in event of a poor mobile signal – just another example of SecurEnvoy’s commitment to business-grade two-factor authentication. OneSwipe Online Push is a brand-new feature for SecurEnvoy’s new Version 8.1

    Read more about SecurEnvoy tokenless 2FA >>

    SecurEnvoy launches 2FA with NFC ‘tap and go’ and biometric fingerprint login

    Infosec Cloud partner, SecurEnvoy, the global leader of multi-device Tokenless® two-factor authentication (2FA), has today further increased the convenience of security with the launch of SecurAccess v8.1.

    This latest version of SecurAccess extends availability of 2FA to over 10 billion ‘everyday’ devices – including wearable devices, such as smartwatches.

    SecurAccess v8.1 offer a range of authentication options, including:

    *  NFC ‘tap and go’
    *  Biometric fingerprint login
    *  Push
    *  SMS
    *  Smartphone apps
    *  Tablet apps,
    *  Laptop apps
    *  QR codes

    Similar to ApplePay and SamsungPay, SecurEnvoy has patented the authentication equivalent of ‘tap and go’ using NFC technology, resulting in two factor authentication now being even quicker than passwords, both online and offline.

    From logging into VPN, SSL, remote desktop, Wi-Fi and web, SecurAccess v8.1 allows users to move their identity between devices whilst prioritising security.

    Two-factor authentication brings two of the following together providing a stronger level of security, should one of these methods become compromised:

    *  Something you know: Such as a password or PIN
    *  Something you are: Such as a fingerprint
    *  Something you own: Such as a mobile device or wearable device

    SecurEnvoy’s 2FA technology is built upon a ‘zero knowledge’ foundation using split keys where the second part is the device’s unique characteristics. Only part of a key is ever stored on the device thus malware cannot copy a key that isn’t present and cannot call external API’s as none are available. No customer sensitive data or keys are ever stored by SecurEnvoy.

    The solution can be implemented as an on premise software solution or hosted as part of a manged service or in the cloud. The solution is available to businesses at a fixed annual cost, flexible on a per user basis.

    Contact Infosec Cloud for more information and to arrange a short demo >>

    Tokenless 2FA Secures Vulnerable Public WiFi

    Guest Post: SecurEnvoy.

    WiFi has become a necessity of the digital age, and like everything, everyone loves it even more when it is free. Whether it’s used to access a presentation at a new client meeting, to host a video conference call, or edit and email important documents, public WiFi means nearly anywhere can become an office. Couple this with the fact that there are as many mobile devices on the planet as there are people, and businesses now have the most flexible and tech-saturated workforce in history.

    Recent studies have found that 37 per cent of office workers are regularly working remotely two or more days a week.

    Hotels, cafés, restaurants, trains and airlines allow visitors to remain online. Flexible working has put demands on employees to be connected to corporate systems for as long as possible – even 24/7. Yet these inviting and convenient free hotspots are plagued with vulnerabilities, leaving huge security implications for both users and businesses.

    The belief that employees aren’t capable of being trusted to remain secure at work is outdated and the days of scribbling passwords on Post-it notes are long gone. Yet there is still a need to educate when it comes to public WiFi and it remains one of many cyber threats to corporate systems and information.

    Most employees are now well aware of the dangers of bad password management and endpoint security, even if it is on a subconscious level, as they are used to undertaking their banking, shopping and multiple daily social interactions online. Problems arise when they simply don’t know how to remain secure when working and accessing company systems remotely or if they are not provided with an appropriate security method. By logging in to free WiFi networks – often mindlessly – employees are making information susceptible to yet another form of attack.

    The emergence of 2FA has allowed businesses to empower their staff when it comes to corporate security, and acts as an extra layer of protection.

    2FA requires not only a username and password, but also something that only the user has on them (i.e. a physical token) to generate a one-time passcode (OTP). With digital crime and internet fraud an increasing concern, such methods of authentication have become increasingly prevalent.

    However, whilst physical 2FA tokens can be easy to lose and expensive for companies to distribute and maintain, tokenless 2FA solutions just need an existing device, such as a phone or tablet, to provide employees with passcodes via e-mail, SMS or an app. In other words, workers don’t need to worry about carrying around an additional physical token; they can just make use of the devices they already have.

    Yet this is not just a convenience issue; this is a security one too. 2FA doesn’t necessarily guarantee bullet-proof security as any manufacturer that creates cryptographic keys, also known as a seed records, must trust that their copy of the keys can’t be accessed by hackers. This is why a zero knowledge foundation is important, as it makes it impossible for malware on a smartphone to capture the seed records because they are split into two parts: one created on the client server and one generated using characteristics of the mobile device.

    With the steep growth of remote working and online communication becoming a necessity, using public WiFi is sometimes a temptation employees can’t ignore, however by using tokenless 2FA employees are equipped with a consistent authentication method to remain protected against cybercrime, so that sensitive corporate information is no longer put at risk.

    Read more about tokenless 2FA >>