'Deloitte' site 'Test your Hacker IQ' leaked access data to user database

[German] I guess that went a little wrong. In 2015 a website attributed to Deloitte, 'Test your Hacker IQ', was launched, where you could take a quiz about your knowledge of hacking techniques. The site remained online, and a security researcher was recently able to retrieve a YAML configuration file that contained the credentials for the MySQL database behind the site in plain text. A little Friday story about a marketing campaign that came back to bite people five years later.

There is a German saying, 'Dumber than the police allows', that went through my mind (and of course 'it could have happened to you', nobody is without fault). I became aware of this funny fact on Twitter a few days ago, after The Register made it public. I thought I would present this story for your weekend reading.

Deloitte 'Test your Hacker IQ' leak

Who is Deloitte?

Deloitte is an international professional services company that provides auditing, risk consulting, tax consulting, financial advisory and consulting services to companies and institutions from all sectors of the economy. With a global network of member firms in more than 150 countries and around 312,000 employees, Deloitte generated revenues of 46.2 billion US dollars in the 2018/2019 financial year.

When marketing goes wrong

Someone at Deloitte came up with the idea of setting up a website called 'Test your Hacker IQ' and putting it online. On the website, users could take a quiz and test their knowledge of hacking techniques. The website asked visitors to enter a user name. It then asked a series of multiple-choice questions on techniques used by hackers to obtain company information.

What struck me straight away: the site was served over plain, insecure HTTP at http://deloittehackeriq.com/, which is somewhat suboptimal for anything that claims to test security knowledge. But no matter. Apparently the quiz didn't contain any questions along the lines of 'how do hackers get credentials from websites'. In keeping with that tradition, security researcher Tillie Kottmann was able to retrieve a YAML configuration file from the site that contained the credentials for the MySQL database in plain text.

Credentials for the MySQL database in plain text

The Swiss-based IT consultant and developer Tillie Kottmann is no stranger to the subject: in May 2020 he disclosed the Git repository leak at Mercedes (see my blog post Security incident: Source Code for Mercedes OLU leaked). Kottmann had also disclosed a leak of internal Intel documentation (see my German blog post Daten von LG, Xerox und Intel geleaked, Canon von Ransomware befallen). Kottmann seems to be a bright fellow, because his name also appears in a German blog post in connection with a puzzle from Google I/O 2019, which he had solved quite fast.

Anyway, he accidentally came across the 'Test your Hacker IQ' page and on Wednesday discovered the YAML configuration file, which he could simply download from the website. As expected, this file contained the credentials for the MySQL database in plain text. Kottmann then asked Deloitte on Twitter how his hacker IQ should be evaluated.
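As an added illustration (not code from the original post or from anyone involved), a small detection script that scans constructed web-server access-log lines for requests to the kind of files that leaked here, a .git directory and YAML configuration files (plus .env files as an assumed extra), and separates the requests the server actually served from the ones it refused:

```python
import re

# Constructed sample lines in combined log format; not logs from the site in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Nov/2020:10:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Nov/2020:10:12:09 +0000] "GET /quiz/start?user=bob HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2020:10:13:44 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.68.0"
198.51.100.7 - - [04/Nov/2020:10:13:51 +0000] "GET /config/database.yml?v=2 HTTP/1.1" 200 488 "-" "curl/7.68.0"
198.51.100.9 - - [04/Nov/2020:10:15:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.24"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths a public web server should never hand out: VCS metadata, dotenv files, YAML configs.
# The list is an assumption for this example, modelled on what leaked in the article.
SENSITIVE_RE = re.compile(r'(^|/)\.(git|env)(/|$)|\.ya?ml$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_config_exposures(log_text):
    """Return (served, refused): requests for sensitive paths that got a 2xx answer
    versus those the server rejected. The served list is what needs incident response,
    because it means the file really left the server."""
    served, refused = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SENSITIVE_RE.search(rec["path"]):
            continue
        hit = (rec["ip"], rec["path"], rec["status"])
        (served if 200 <= rec["status"] < 300 else refused).append(hit)
    return served, refused


if __name__ == "__main__":
    served, refused = find_config_exposures(SAMPLE_LOG)
    for ip, path, status in served:
        print(f"SERVED  {status} {path} -> {ip}")
    for ip, path, status in refused:
        print(f"refused {status} {path} <- {ip}")
```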

hey @Deloitte, what exactly is my hacker IQ now? pic.twitter.com/Bqv25kdDsU

— Tillie Kottmann (@antiproprietary) November 4, 2020

The above tweet has since been deleted because it violated the Twitter rules, and the Twitter account @deletescape has also been blocked by Twitter. The Register wrote, citing Kottmann, that the domain deloittehackeriq.com was registered in 2015 by Tank Design, a Massachusetts-based digital marketing company. The website carries a copyright notice for Deloitte Development LLC dated 2015, and Kottmann told The Register that the last commit to the exposed .git repository was in 2017. It is also not clear how actively the website was used.

The website was first captured by the Internet Archive's Wayback Machine in 2018. The quiz site was hosted on an Ubuntu Linux 14.04 system, a release that has not received security patches since April 2019 and is potentially vulnerable to 11 known bugs. In the meantime the website has been shut down.

Deloitte: We have nothing to do with it

In a message to The Register, sent after the article was published, a spokesman for Deloitte distanced the company from the now-removed hacking quiz website:

We are aware of an incident involving unauthorized access to an interactive game/website developed for a cyber security event in 2015. The platform is hosted by a third-party vendor and is different from any other Deloitte system; there is no impact on other Deloitte systems.

The website has not been actively used since 2015 and has now been shut down. We remain vigilant in assessing this incident and other potential cyber threats. We are determined to maintain a cyber defense based on best practices, invest heavily in protecting confidential information, and continually review and improve our cyber security.

Powerful statement – McMurphy has struck again. I think it's good to see that Deloitte is doing something. Or how do you see this whole story?

This entry was posted in Security.
