In my best Wipro-excuse voice: "... see, thing is:..." ... they have a process for everything. It's just a very convoluted, silo'd, circuitous process that takes several days to get anything done, with several steps including: throw a support ticket over the wall, and let a subprocess pick it up. On and on we go, until we have a lax process that is impossible to fix, on to which, all we can do is pump more, cheap, low skilled talent. But hey, it's creating a middle class somewhere.
Whelp, life comes at you fast: https://www.bankinfosecurity.asia/interviews/wipros-new-ciso...
"India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker. "Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems."
Well, I suppose it's the step you'd expect but a state-actor engaging in a broad fishing trip still seems like a new thing. Can we expect whatever state will be installing their official botnet in whatever country next?
Might be interesting to annotate the biggest data breaches with each victim's outsourcing partner.
Site down ATM, Google Cache doesn't have it, but good old Wayback machine has it: https://web.archive.org/web/20190415214511/https://krebsonse...
"State-sponsored attacker": A euphemism to deflect blame for your own inadequate security practices.
I know of at least one very large customer where management of the VPN appliance and firewall controlling access of Wipro vendors was outsourced... to Wipro.
A few years ago I worked with Wipro as they would contact me (technical support for some products) on behalf of their customers.
The incompetence was astounding, and I worked in support for a long time, and Wipro was really astounding. Everything from security to just understanding what we were telling them was mindbogglingly bad. It wasn't a language barrier, they simply didn't have many / sometimes anyone who understood the technology on the most basic level.
Wipro would open tickets dozens at a time claiming there was some sort of technical issue, but they often couldn't explain what if anything they tried. We would find the equipment at factory defaults, last boot time was when it was in the factory.... but now it was a P1 ticket because "it didn't work and it needs to be up and running by the end of the day". Then we'd ask what how they wanted it configured and they ... wouldn't know. Then they'd escalate through sales and the executives claiming we had been "working with them for weeks and were not helping".
Then they would go silent and not respond for days or weeks only to reappear later as angry as ever that we hadn't done anything when our last questions to them might be as simple as "what isn't working?".
It was worse when they actually tried configuring things as they were masters at nonsensical configurations, looping cables back into the same equipment they came from and etc. You could look at their systems that were "working" and it was errors everywhere and you couldn't trust anything you saw.
Even internally Wipro would tell us that they "can't tell" the "other team" (another team inside Wipro working with the same customer) that they need to change their configuration. They would just repeat that they can't tell them that ... and we'd be stuck because it's obvious the "other team" is configured wrong. I'd tell them to let me be the bad guy and tell them on a call, but nope. So things would just not work.
It was a common occurrence as things got worse that we would eventually end up on a conference call with Wipro and their end customer and their customer's perception was entirely off. There was no way it was miscommunication, they were straight lying to their customer all along. Often we'd have to break the news to the customer that we haven't been working on the issue for weeks, we just heard about it today, nobody can tell us how they want the product configured on the most basic level...
The only thing worse than that situation was to look up these customer's of Wipro and see they scrapped their own IT departments in favor of outsourcing, and I'm not sure they had more than a couple people who understood what was really going on.
How do we understand these kind of threads of HN?
In the last 6 months there have been security breaches at Facebook [1] Google [2] Cisco [3] and look at those threads and some of these breaches are extremely amateurish and the general consensus is these things happen and the top voted responses mirror this attitude.
Yet on the same site on the threads about India, China and non US companies we see some kind of dissonance where these are reframed as showhow affecting these companies uniquely because of 'poor standards' and 'mediocre engineers' and the top voted responses reflect this.
Far from informed discussion this not only demonizes entire groups but creates and perpetuates prejudice that will no doubt impact everything from recruitment to general behavior. And this continues on discussions beyond security to things like corruption, surveillance and other issues.
[1] https://news.ycombinator.com/item?id=19565918
With the increase in MSP style operations with an IT companys systems having root access across all their client's systems IT companies are going to be massive targets for bad actors. There's already been a few cases of all of a compaies clients being ransomwared.
What doesn’t surprise me is Wipro refusing to comment. This would have never come out if they weren’t targeting from inside the house.
would we classify this as a friction-less security breach?
Can any of the security folks on here tell me what good secure systems really look like? If I wanted to build a company infrastructure from scratch what would "default secure" look like? I am fairly sure I know what a good software engineering process looks like, but if I guessed a secure infrastructure I would be concerned I am missing basics. (Hence no examples to get us started)
If you've ever had the pleasure to work with people from wipro,ipsoft,atos etc to name a few this should not surprise you.
> "The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks."
Somehow I don't think this is a phishing attack.
This surprises me... not one bit.
I have yet to find the first multibillion outsourcing company that was any good.
All the great people are immediately hired by the company they’re actually working for, so they’re always left with the mediocre and terrible.