Man-in-the-disk attacks: A cheat sheet
via "Security on TechRepublic".
A flaw in Android external storage opens up legitimate apps to being hacked and gives illegitimate ones a window to exploit. Learn more about man-in-the-disk attacks, including how to avoid them.
<b>⌨ Marriott: Data on 500 Million Guests Stolen in 4-Year Breach ⌨</b>
<code>Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.</code>
<code>Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company's networks since 2014.</code>
<code>Marriott said the intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company's network), and that its efforts to decrypt that data set were not yet complete. But so far the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.</code>
<code>"For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences," Marriott said in a statement released early Friday morning.</code>
<code>Marriott added that customer payment card data was protected by encryption technology, but that the company couldn't rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.</code>
<code>The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it's worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood's disclosure at the time, that earlier breach stretched back at least one year — to November 2014.</code>
<code>Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.</code>
<code>However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data. In Dec. 2016, KrebsOnSecurity broke the news that banks were detecting a pattern of fraudulent transactions on credit cards that had one thing in common: They'd all been used during a short window of time at InterContinental Hotels Group (IHG) properties, including Holiday Inns and other popular chains across the United States.</code>
<code>It took IHG more than a month to confirm that finding, but the company said in a statement at the time it believed the intrusion was limited to malware installed at point of sale systems at restaurants and bars of 12 IHG-managed properties between August and December 2016.</code>
<code>In April 2017, IHG acknowledged that its investigation showed cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data — including those used at front desks in certain IHG properties.</code>
<code>Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorized access to the separate Starwood network.</code>
<code>Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) progra…</code>
Newsmaker Interview: Katie Moussouris on Improving Bug Bounty Programs
via "Threatpost | The first stop for security news".
The bug bounty "queen" Katie Moussouris discusses the biggest mistakes that companies launching these programs are making.
Marriott reveals data breach affecting 500 million hotel guests
via "Security on TechRepublic".
Hackers have had access to the Starwood guest reservation database since 2014.
Threat Hunting: Improving Bot Detection in Enterprise SD-WANs
via "Dark Reading".
How security researchers tracked down Kuai and Bujoi malware through multiple vectors including client type, traffic frequency, and destination.
39 Arrested in Tech Support Scam Crackdown: Microsoft
via "Dark Reading".
Law enforcement officials in India raided 16 call center locations that conned primarily American and Canadian victims.
Huge Marriott breach puts 500 million victims at risk
via "Naked Security".
The Marriott hotel empire's Starwood guest reservation database has been subject to unauthorised access since 2014.
Linked article: Marriott's massive data breach – here's what you need to know
The Marriott hotel empire's Starwood reservation database has been subject to unauthorised access since 2014, exposing 500 million guests.
Top 4 security threats businesses should expect in 2019
via "Security on TechRepublic".
Cybercriminals are developing more sophisticated attacks, while individuals and enterprises need to be more proactive in security practices.
Massive Starwood Hotels Breach Hits 500 Million Guests
via "Dark Reading".
Starwood parent Marriott International disclosed the breach today with an announcement that provided some details but left many questions unanswered.
Among the unknowns: who is behind the breach and how many of the affected records have been sold or used by criminals.
Marriott faces massive data breach expenses even with cybersecurity insurance
via "Security on TechRepublic".
Marriott's total tab for a data breach affecting as many as 500 million consumers is going to cost billions of dollars over the next few years, based on the average cost of megabreaches.
Bing Warns VLC Media Player Site is "Suspicious" in Likely False-Positive Gaff
via "Threatpost | The first stop for security news".
After identifying the official VLC media download page as "unsafe" with its Bing search engine, Microsoft now suggests it was done in error.
Retailers Make Big Strides In Offering Clear Unsubscribe Links
via "Dark Reading".
Fifth annual Online Trust Alliance survey said retailers get good marks for offering clear unsubscribe links, using tools like SPF and DKIM and honoring unsubscribe requests.
Podcast: Breaking Down the Magecart Threat (Part Two)
via "Threatpost | The first stop for security news".
In part two of our podcast series on Magecart, we talk to expert Yonathan Klijnsma, who has been tracking the threat for years.
Holiday Hacks: 6 Cyberthreats to Watch Right Now
via "Dark Reading".
'Tis the season for holiday crafted phishes, scams, and a range of cyberattacks. Experts list the hottest holiday hacks for 2018.
<b>⌨ What the Marriott Breach Says About Security ⌨</b>
<code>We don't yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.</code>
<code>TO COMPANIES</code>
<code>For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn't mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.</code>
<code>It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.</code>
<code>The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.</code>
<code>This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.</code>
<code>The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They're reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.</code>
<code>They're constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.</code>
<code>TO INDIVIDUALS</code>
<code>Likewise for individuals, it pays to accept two unfortunate and harsh realities:</code>
<code>Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.</code>
<code>Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you're an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.</code>
<code>Marriott is offering affected consumers a year's worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can't hurt as long as you're not expecting it to prevent some kind of bad outcome. But once you've accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don't already know.</code>
<code>Once you've owned both of these realities, you realize that expecting another company to safeguard your security is a fool's errand…</code>
Monday review – the hot 21 stories of the week
via "Naked Security".
From Black Mirror-esque social ratings IRL to the guy who had his car stolen by hackers – twice, and everything in between. It's weekly roundup time.
Faster fuzzing ferrets out 42 fresh zero-day flaws
via "Naked Security".
A group of researchers has found 42 zero-day flaws in a range of software tools using a new take on an old concept – fuzzing.
Microsoft cracks down on tech support scams, 16 call centers raided
via "Naked Security".
Police raided 16 Indian call centers last week – a second big raid sparked by Microsoft filing complaints about tech support scammers.
Router attack exploits UPnP and NSA malware to target PCs
via "Naked Security".
The UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.
Printers pulled into 9100 port attack spew PewDiePie propaganda
via "Naked Security".
Printers worldwide printed messages urging people to subscribe to the vlogger's YouTube channel in a demo of a well-known vulnerability.