Mandarin Oriental Hotel Group Credit Card Breach

The Mandarin Oriental Hotel Group admitted that their credit card system at an unknown number of their hotels was hacked and credit cards compromised AFTER they were outed by Krebs On Security.  The upscale hotel chain, where rooms at the New York property start at $850 a night, would be a great target for hackers since credit cards are likely to have very high limits.

Krebs is reporting that sources say that the attack started before Christmas 2014, so the time to detect is about 75 days.  That is going to become a metric to determine the effectiveness of a company’s cyber security program – how quickly you detected the hacker, boxed the hacker in and determined what the hacker got.  What the hacker got in this case has not been publicly announced.

What is interesting to me is the wording of their press release below.

Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law.

Of course the hackers broke the law.  Is that supposed to make me feel better that the people who stole my credit card broke the law?  Are they next going to stomp their feet and hold their breath?  We expect hotels to know that hackers are out there and protect us anyway.

We take the protection of customer information very seriously. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry.

This whole paragraph is fluff;  do they think that their competitors are not aware that hotels everywhere are suffering credit card breaches?  Does the fact that breaches are becoming more common mean they have less responsibility?  Or are helpless to do anything to stop them?

Mandarin Oriental moved swiftly to address this issue by working with forensic experts and has removed offending malware. While the Group has leading data security systems in place, this malware is undetectable by all anti-viral systems. Guests can be confident that security protocols are being thoroughly tested at all hotels to protect guest information and prevent a recurrence of such an attack.

This is probably the most honest statement in the press release;  I hope that they are testing their security protocols now – given that they failed.  The better question to ask is when they last tested their security protocols chain wide.  That would be very telling.

While it is fun to beat up on the hotels, in one sense, they are victims.  But in another sense, they are likely accomplices since they most likely did not spend a whole lot of effort in making life hard for the hackers.  The hospitality industry (hotels and restaurants) are hot targets for hackers for many reasons and they must know that.  Still, their controls are inadequate.

From a PR standpoint, they need to try and calm their high end guests.  Those are the people that have the resources to sue them and the staff around them to cancel all future reservations and move to a different hotel chain.

I can whine about their press release, but if it was me that was hacked, I would probably do something very similar. In fact, many of the words are identical from other company’s press releases after a breach.  It will be interesting to see how many cards were compromised.  From the hotel and credit card company’s perspective, getting this under control quickly is important.  While they might be able to steal $400 from my credit card before it is maxed out, they may be able to steal $4,000 or $40,000 from some of these credit cards.  Ouch!

Mitch

Facebooktwitterredditlinkedinmailby feather

Anthem Refused Audit Required As Part Of Contract

The Register is reporting that Anthem refused to allow U.S. government auditors to audit their systems as required as part of a contract that Anthem has with the U.S. government.  This news is coming out after Anthem was hacked of some 88 million customer records.

The Office Of Personnel Management Inspector General audits insurers who provide insurance to government employees under the Federal Employees Health Benefits Program.

OPM has a particular audit protocol that is somewhat intrusive but not out of the ordinary and Anthem told them no, they could not do that.

I have been a vendor to several of the world’s largest banks and they used to audit my firms on a regular basis.  If we told them to go away, they would have told us to go away as well.

It is not at all clear why OPM allowed Anthem to continue to do business with the government under these circumstances.  It is the difference between private industry and government.

OPM wrote a report on Wellpoint (now Anthem) that said, in part:

Wellpoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Given this report, it is totally unimaginable that, in private industry,  they would have been allowed to continue as a supplier.

After the breach, OPM again tried to audit Anthem and they again said no.

And, they continue to collect checks from the government.

This should be interesting fodder for the lawsuit machine.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

Uber Is Uber Bad

Ars technica is reporting that Uber is scrambling to try to recover from an itty bitty problem.  Apparently, someone posted Uber source code (probably an Uber employee) to the public source code repository GitHub.  GitHub is a wonderful tool for storing open source software code in a way that is easy for developers to share.

Only one tinsy, weensy problem.

This code contained the userid and password to access Uber’s driver database and someone – at least one someone – downloaded the database of personal information on every single Uber driver.

Oops!

Now Uber is trying to get GitHub to tell them every single person who accessed that code.  I don’t know enough about GitHub to know if they even keep records like that – they may well not do that for a variety of reasons and certainly are not legally required to do that.

This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted.  Let’s say this was the code to a library that you licensed and it contained sensitive information in it and it was publicly available.

Just so that no one is deluded into thinking this is an isolated problem, the ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, ip addresses, userids and passwords).

A similar search for WordPress came up with 2,000,000 matches.

While some of these did not contain the actual password value and other servers were not accessible from the public Internet (however, a hacker who hacks into the company using other means could still use those credentials to get at the database), many of them seem to point to production servers, accessible from the Internet, with userids and passwords.  For obvious legal reasons, ars did not try to log in to any of those servers.

Let’s assume that 30% of the entries are valid – either internally or externally and only 20% are accessible externally.

20% of 296,000 means that almost 60,000 web sites and 400,000 WordPress sites are vulnerable.

This search was hardly exhaustive and GitHub is only one such public repository.

THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.

Mitch

Facebooktwitterredditlinkedinmailby feather

A Different Perspective On Lenovo – It Is A Supply Chain Problem

While everyone is off beating up Lenovo and Lenovo, in turn, is beating up Komodia, I suggest everyone is missing the real problem.

First of all, to make sure that no one is confused, this problem is not limited to Lenovo consumer laptops.  Komodia has over a hundred customers developing software, all of which put your network at the exact same risk.  Lenovo just happened to get caught.

It is also not limited to Komodio.  Privdog, made by AdTrustMedia and sold by Comodo (no relation to Komodia), behaves in a very similar way.  And there are probably many more.

The problem is a supply chain problem.  Lenovo did not check out Superfish’s software very well and Superfish did not check out the library that they licensed from Komodio very well.

I assert that there are millions of developers who use software libraries that have no clue regarding the security practices of the libraries that they use.  Most of the time, the developers check to see that the libraries do what they want them to do – and that is all they check for.

It is a very unusual developer who will do a full scale cyber risk assessment on each and every third party software component that they license.

The result is Lenovo.  We happen to actually be very lucky that we caught this one after only a couple of months.  While we have seen some indications that this might have been exploited, there is only smoke and no fire.

What about the hundreds of thousands or millions of software libraries that other developers, big and small, incorporate into their software – blindly assuming that there are no security holes?

Even good developers typically only audit THEIR code and not the libraries they license.  In part, this is because they usually don’t get the source code to these libraries which makes auditing them very difficult.

As part of a cyber risk assessment, these potential vulnerabilities will be identified so that the organization can make a decision regarding how to mitigate these risks – and there is more than one way.

The alternative is like driving a car with a blindfold on – a scary thought.

And, it is important to understand that while the Lenovo’s of the world are being sued, they can only hope to collect something from Komodio.  Komodio is not even a U.S. company, so if Lenovo wants to go after them, they may have to do it in Israeli courts according to their laws.  And, I have no clue how big they are.  It could be that Komodio is two guys in a garage – I have no idea.

The reputation that gets clobbered is yours, so you need to protect it.  It is very difficult to repair after the fact.

The supply chain problem is not limited to tech or to software.  For example, the U.S. Department Of Defense has discovered many counterfeit parts for weapons and vehicles that were not made to spec and so may put soldiers at risk.  This is a huge problem that will not be easy to solve.

Mitch

Facebooktwitterredditlinkedinmailby feather

Apple Pay Hacked (well, sort of)

As I suspected when Apple Pay was released, the hackers did not just give up and say “this is too hard” and all get jobs at Burger King.

No, instead they said, what vulnerabilities does Apple Pay have?

The first one (at least that we know of) is something called yellow path.  The hackers have figured out that they can set up an iPhone with stolen personal information and then call the bank to authorize the card.  Apparently, Apple has a red, yellow, green process for doing this where red is rejected and green is approved, but yellow requires additional verification to add the card to the phone.

At least some banks are being lax about this and just asking for the last 4 of the social and if the hacker has that, the bank sets up the card on the phone.  Since the hacker controls the phone, they pass the fingerprint check and run bogus charges on the card.

The karmic part of this is the crooks are often buying Apple products at Apple stores with the bogus iPhone/Apple Pay setup.

Apparently this is a REALLY BIG problem.  Card issuers had expected about 2 or 3 cents of fraud per hundred dollars of charges.  Instead they are seeing about 6 dollars of fraud per hundred dollars of charges.  That is a good way to go broke.

The fraudsters are way better at conning the bank’s call centers than the banks are at detecting the fraud.

And, has been the case since the beginning of time, since the banks are much more worried about not offending customers than having good security (hence the $12 billion a year in credit card fraud), we have a problem.  For example, how often does a clerk in a store really examine the signature panel on your credit card.  I have some cards that are not signed and I have seen many clerks look at the signature panel, see that it wasn’t signed, and hand me back the card rather than ask me for ID – they don’t want to offend anyone.

In any case, given the fraud rate is about 200 to 300 times what they planned for, they are going to be forced either to do something about it or discontinue accepting Apple Pay.  Talk about a rock and a hard place for banks.

See this article for more information.

Mitch

Facebooktwitterredditlinkedinmailby feather

Dentists (and Doctors) A Target For Cyber Criminals

DentistryIQ, a web site for dental professionals ran a piece last week talking about dentists (and while the article didn’t talk about it, doctors as well) being a target for cyber criminals (see article).

If you think about it, it makes a lot of sense.  Think about all the non public personal information that a dental or other health care practice keeps.  Social security numbers, names, addresses, birth dates, phone numbers and even client banking information.  That, of course, is in addition to all of the health care (HIPAA protected) information.

Fines for loss of HIPAA protected information can be staggering – up to $1,500,000 a year in some cases, but even the small fines hurt.  A practice can be fined up to $25,000 year even if the person did not know of the violation and reasonably would not have known (reference).

That of course does not include costs for investigating the breach, notifying patients, remediating the problem, lawsuits, legal costs, etc.

Some dentists, the article says, don’t think small offices are attractive targets.  Think about it.  If I were a crook, would I want to go after a large company with an in house IT team and a lot of security hardware and software?  Or would I rather go after a small office with no in house IT and weaker security?

Again, according to the article, health care organizations make up 33% of all breaches and is the single most breached industry.  More than half of the organizations that are breached have less than 1,000 employees.

In fact, 55% of all breaches compromise less than 1,000 records (see post here).  If a practice has only 300 families as patients and each family has 3+ members, that is 1,000 records.  That would be a small practice.

This means that health care practices need to consider the risks and take appropriate, cost effective actions.  Many times employees accidentally do things (like clicking on links or surfing at compromised web sites) that cause a breach.  Many actions to reduce risk are inexpensive and not terribly painful.

In addition, having an incident response plan is very important.  Other wise, you will be flailing if something occurs.

Plan now so you don’t have to panic later.

Mitch

Facebooktwitterredditlinkedinmailby feather

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed