The top cyber stories of December 2018
Marriott data breach
The Marriott hotel group revealed that the systems of its “Starwood” division had been compromised and could have leaked detailed data on as many as half a billion customers.
The Starwood group includes such major hotel brands as Sheraton, Westin and W hotels, among many others. It was acquired by the Marriott group in 2016, with, it seems a gaping hole in its cyber defenses already penetrated by unknown third parties.
According to a statement released by the hotel group, the hack began as long ago as 2014, and the unwanted guests may have visited the system multiple times during the period the windows were left open, possibly bringing others to the party.
Data available to the hackers could have included complete details of many customers, including not just the usual phishing fodder of names, addresses, and email and phone contacts, but also more valuable PII including passport numbers and dates of birth. Encrypted payment details were included in the haul, but the company has yet to ascertain whether decryption keys were also grabbed during the 4-year-long heist.
Marriott claims that these full details may only have been accessed for a portion of the full 500 million customers, around 327 million in total – still a pretty huge number of people to be subject to data leakage, and either figure would make the all-time top five list of breaches (at least, those known about and linked to numbers affected).
The one possible, albeit rather patchy silver lining came out a few days after the breach, when Reuters reported that unnamed sources were claiming the breach bore all the hallmarks of Chinese government-backed hacking crews – so, there’s a chance the data was stolen purely for political data mining, rather than fraud and theft.
On the other hand, even if spies made the initial entry in the system, there’s also every possibility that once the target data was found, the compromise was passed on to other hacking teams with other objectives entirely.
The Marriott group claims to have first spotted suspicious activity back in September, but it took them until late November to decrypt some data taken by the attackers and figure out it contained customer details, and customer notifications were still ongoing as late as December 6th. With notification much too late to help many of those affected, there’s likely to be a risk of major fines under GDPR.
100,000-strong IoT botnet spreading using long-patched vulnerabilities
Researchers at Chinese security giant Qihoo have unveiled details of a massive IoT botnet comprising upwards of 100,000 compromised devices, many of which may have been infected thanks to a vulnerability discovered, and in most cases patched, back in 2013.
The botnet, rather un-catchily referred to as “BCMUPnP_Hunter”, makes use of a well-known flaw in the Universal Plug and Play features in a range of devices based on Broadcomm chipsets.
The Qihoo researchers found the attack had managed to infect routers from a wide range of manufacturers, including products from Broadcomm, D-Link, Linksys, TP-Link and ZTE in a non-exhaustive list of 116 device models spotted running scans for potential victims on behalf of the botnet.
These scans are run every few days by up to 100,000 hijacked devices, with tracking showing 3.7 million IP addresses have been used for such scans and leading to estimates that more than 420,000 devices may have been taken over. India, China, the US and Brazil seem to be the most likely places to find an infected piece of hardware.
Once infected, each device can act as a proxy allowing the controllers to issue remote commands untraceably. With the majority of traffic other than the routine scanning directed at major webmail providers Hotmail, Yahoo and Outlook.com, the researchers conclude that spamming is the main use of the botnet, at the moment at least.
Information on which of the devices have a patch available is scant, but at least part of the blame for this outbreak must be shouldered by those responsible for running and maintaining all these devices.
Router flaws are a routine problem for network admins, with the devices much less simple to update, and much easier to forget about, than more in-your-face hardware such as PCs pr phones, but this obscurity doesn’t protect them from gaping vulnerabilities which can be exploited from anywhere in the world.
New Yorker charged with $1 million crypto theft
A 21-year-old Manhattan resident has been accused of stealing $1million from a father of two from San Francisco, in the latest incident highlighting the dangers of “SIM swapping”.
According to court papers, San Fran resident Robert Ross noticed his phone lost signal on October 26. By the time he figured out what had happened, two crypto exchange accounts had been drained of $500,000 each – money set aside for college fees for his two daughters.
Manhattanite Nicholas Truglia has been charged with the theft, along with numerous other counts of identity theft, fraud and embezzlement. The case came before a Santa Clara court, which heard that Truglia was suspected of targeting multiple high-flyers in the booming crypto currency industry.
The theft was achieved by a SIM swap attack, in which the attacker typically contacts a mobile service provider (in Ross’ case, AT&T) and requests the transfer of a mobile number to a new device – a common enough occurrence when we’re encouraged to upgrade our phones as regularly as device makers can churn out new models. If the provider doesn’t thoroughly check, it can be simple for crooks to get a number transferred to a device in their control.
This can be irritating, if your phone stops working or if someone else starts making calls on your dime, but gets a whole lot worse when the phone, or at least the number, is used as a trusted means of authentication.
With today’s crypto exchanges routinely holding on to large amounts of funds for their clients, often with much less security and risk-monitoring than traditional banks, this can make such large thefts extremely fast, hard to detect and all but impossible to track. A search carried out in mid-November on Truglia’s 42 Street apartment found $300,000 on a hard drive, but the rest of the funds are likely to have been transferred anonymously via crypto currencies.
The SIM swap issue is becoming a major headache, with new incidents reported regularly despite promises of better security from service providers. As phones become ever more widely used for authentication, especially thanks to the 2FA requirements of the EU’s PSD2 regulations which come into force in 2019, these incidents show that phone numbers alone are not a reliable method of proving identity.